Ep. 63: Ray Hutchins & Mitch Tanenbaum - How You Can Leverage Cybersecurity to Increase Your Value to Any Organization


May 03 2020 17 mins  

CyberCecurity, LLC: https://www.cybercecurity.com/

Mitch's Blog: https://cybercecurity-mitch-tanenbaum-blog.com/ & https://mtanenbaum.us/

Contact Ray Hutchins: https://www.linkedin.com/in/hutchins/
Contact Mitch Tanenbaum: https://www.linkedin.com/in/mitch-tanenbaum-2589663/

FULL EPISODE TRANSCRIPT
Adam: (00:05)

Welcome back to Count Me In, IMA's podcast about all things affecting the accounting and finance world. Cybersecurity is something that truly affects management accountants, but really all individuals and firms. So Mitch spoke with Ray Hutchins and Mitch Tanenbaum about what cybersecurity really means and how to acquire the appropriate knowledge to be of great value to your organization. To hear why you need to understand cybersecurity, keep listening as we head over to their conversation now.

Mitch R.: (00:40)

All right, so at a high level, how does cyber security really impact the finance department of an organization? You know, why does this stuff really matter?

Ray: (00:50)

Well, from Mitch's and my perspective, of course we're cybersecurity guys and we're also business professionals. So we've been in business all of our lives; we are a couple of boomers. We've got a lot of experience, and we know that, and we deal with a lot of companies where all the cybersecurity questions, the risk questions, are dealt with and delegated, many times, to the finance department. Finance takes control in a lot of organizations. They haven't spent a lot of time setting up their internal authority around, well, who's gonna be responsible for the risk and compliance for the organization? Who's going to be responsible for cybersecurity and privacy? And so in a lot of organizations that falls naturally right onto the finance department and specifically the CFO. That's been a problem we've dealt with in the past many times, an organization saying really the CFO shouldn't be the one in charge of all of this. You know, they definitely play a role. Of course they're always important on it, but there's more people that need to be involved in this. But that's the nature of the beast. The finance department is involved, they pay for it, they're accounting for it, and therefore they need to understand something about it so that they can participate at an intelligent level in conversations around this risk category.

Mitch T.: (02:30)

Let me add something to that. Every organization has a chief risk officer. Now, in many organizations, that person doesn't have that title. But in every organization somebody is responsible for that, whether that's the CEO, the COO, or more often the CFO. If we assume that cybersecurity is a business risk that needs to be mitigated, just like every other business risk, and if we assume that the CFO is the chief risk officer, in fact, then it makes perfect sense that the CFO and the finance team need to understand cyber risk to be able to lead the conversation. They don't need to be the experts, but they need to understand how that ties to business risk.

Mitch R.: (03:19)

So these are all really great points, and I really like the idea of, you know, grouping this together as a true business problem. It's not an IT problem. And if the CFO is going to act as this chief risk officer, as you said, really manage, you know, the risk initiatives here, what specific type of information do you think the CFO or their finance team needs to acquire in order to effectively lead this risk mitigation and implement these cybersecurity procedures for their organization?

Ray: (03:53)

Good question. And it brings up something, you know, both Mitch and I have, my Mitch, my partner Mitch as opposed to you, Mitch. But both Mitch and I have of course spoken at multiple IMA meetings at this time, and we're familiar with IMA as an organization. Something that we find out there in the IMA organization: you've got a lot of executives in transition from one company to another, and within, they're moving up in their career and whatnot. And something that I have found to be the case when I'm talking to these people out there is, and I make the point that as a financial services professional, no matter what your rank, no matter what your position within the organization, you can make yourself much more valuable to the organization if you have a business grasp of cybersecurity and privacy and its business implications, and you can speak the language. You've got some jargon, not technical jargon, just general jargon about it. Perhaps knowing some of the regulatory environment, knowing some of the regulations and the standards that affect all businesses, kind of understanding that and being able to engage on that. Companies have a terrible shortage of anybody who can talk the talk of cybersecurity and privacy. So if you can demonstrate any level of competency, any level, well, that changes your value proposition within the company.

Mitch T.: (05:27)

So I would say that, just like any other risk problem, you want to create a governance, risk and compliance framework, a GRC framework. And the good news is the federal government, in the guise of the Department of Commerce, National Institute of Standards and Technology, has created a great governance framework, which is the NIST Cybersecurity Framework. And as of this past January, it's partnered with the NIST Privacy Framework. These are governance frameworks, high-level governance frameworks, that every organization needs to be looking at. And I will tell you, and we do a lot of work with this, nobody is a hundred percent when it comes to these frameworks, but the framework provides a set of guidance for organizations big and small. So if you go look at policies, for example, and it asks questions about policies, well, a small organization is gonna need a different set of policies than a big organization; an organization that operates in multiple states and multiple countries might need different policies than one that doesn't. But if you lay all this into that framework, then you can go off and say, as the chief risk officer, okay, you know, this is a network problem, or this is an IT problem, or this is a, you know, what-level-of-risk-are-we-willing-to-assume problem. And you can go off and assign different people in the organization to go help you complete this framework and see where you stand. The first thing that I would always do, and we do a lot of these, is a gap analysis. Let's go look at where we are versus where we want to be, and we have these conversations and we generate a list of gaps, and then it becomes a business conversation for the C-suite and, for larger organizations, for the board. Very importantly, the board has to provide guidance on this to say, what is the level of risk we're willing to take? And the risks could be a compliance risk. It could be a legal risk, it could be a reputation risk, it could be a whole variety of different risks that we could be takin...