SOUTHFIELD – Security is no longer just a function of the IT department. Information security has become a business enabler, and due to ever-increasing compliance requirements and the risk of negative exposure, executives and boards now consider security a vital aspect of any successful company.

As a member of the organization's information security team, it has become necessary that you understand how to speak the language of your financial officers.

Begin by understanding that a CFO's primary concern is profitability. Risk has the biggest impact on an organization's bottom line. What is meant by risk?

From a financial standpoint, the following formula is a very simple example of determining potential loss. Take the value of an asset (V) and the likelihood of negative asset exposure (L), and multiply the two. The result is the annual loss exposure (ALE), in other words, the potential financial risk.

Threats are increasing and risk is higher than ever. The security market is fragmented, and we are still doing more with less.

Consider the scenario of a manufacturer with a strategy deriving much of its revenue from on-line sales. What happens if there is a breach of its systems? In the example of a leading computer hardware manufacturer, the loss could be as high as 60 million dollars a day. Clearly, this is worth understanding. Without knowledge of your company's asset value or exposure risk, you are unable to make critical strategic investment decisions. IT systems no longer function as cost minimizers; increasingly, they serve as revenue maximizers.

Consider another example impacting your bottom line. Reputation.

A CFO articulated the concern. "We are in the business of outsourcing. We house sensitive data about our clients and their customers. Much of that data involves financial transactions. Despite our best efforts to secure our data, our systems experienced a major breach a few months ago. While we have resolved the issue, my confidence level in our security is very low. Worse, I fear that the word of the breach will soon go out. If that happens, not only will I lose some of my existing customers, but my competitors will have a field day with this information. I run the risk of losing a major market share in my business. I need to take the action now."

If your business is not secure, it can inhibit your ability to meet your critical success factors. Data loss due to privacy violations, theft or disclosure of sensitive information, interruption of service, and legal penalties can dramatically damage your organization's reputation and ultimately your profit statements.

When approaching the CFO, always remember that the primary areas of concern are cost and return. Be prepared to respond to the questions "How much will this cost?" and "What is the return?" Address the priorities of the organization and the impact of non-action.

Reviewing the two previous examples allows for a clear understanding that an organization must operate with the highest level of efficiency and flexibility in its approach while increasing revenue and decreasing risk.

Would you sleep well knowing that your financial institution is working with outdated systems or old manual processes? Imagine the impact on on-line banking or on the bank's ATMs.

In another scenario, would you feel comfortable knowing that your private health information could be leaked? With the establishment of recent regulations, security failure may mean criminal action. Boards are making security a priority and so are an organization's chief financial teams.

Next time you are in a conversation with a CFO, ask the following questions:

What is the impact on your company reputation if a breach occurs?

Other than the assurances of your own IT Dept (which may just tell you what you want to hear), how do you know that the appropriate controls are in place?

Would you allow a year or more to go by without a financial audit?

How do you protect transactions and customer privacy?

How does your company protect its critical assets?

What regulations are you required to comply with?

Does your organization have the appropriate solutions and tools in place?

Implement only those safeguards that are needed to enhance your organization's business needs. Understand that information resources are essential enterprise assets. Link policies to business risk. Promote awareness and hold people accountable. As you discuss a best practices approach to mitigating risk, a few key strategies may mean the difference between reactively draining revenue and increasing return while enabling the business.

Rachel Kahn is Executive Security Advisor for CA, formerly Computer Associates. She can be contacted through CA's Midwest Regional Marketing Director Kathleen Norton-Schock. You can email her at [email protected]