Why CFOs and CIOs Should Work Together

Global advisory services firm Ernst & Young recently issued a report on the growing collaboration between chief financial officers and chief information officers when it comes to handling cyberthreats.

According to the report, titled “Partnering for Performance,” 66 percent of CFOs make cybersecurity a high or very high priority; and 35 percent of CFOs who say cybersecurity is a very high priority report greater collaboration with the CIO.

These numbers are encouraging, as frequent cyber-attacks – such as the Ashley Madison data breach – continue to highlight the mounting threat of cyberthreats against organizations.”

The C-suite, along with the board, needs to take responsibility for cybersecurity, says Siobhan MacDermott, Principal, Cybersecurity, at Ernst & Young. “We’re increasingly seeing boards getting involved in this topic,” MacDermott says. “Cybersecurity breaches used to be ‘somebody has hacked us or defaced our website.’ Today, it’s risk management in the broader sense.”

A Lack of Understanding Prevents Security Capability

While CFOs are recognizing that robust cybersecurity is fundamental, the Ernst & Young survey also shows that a lack of understanding of IT issues can prevent CFOs from recognizing what a mature cybersecurity capability looks like and where they need to invest, according to the report. That’s why those CFOs who collaborate with the CIO and other C-suite executives recognize more fully the scale of cyber risk, the report says.

Key Priorities for Cybersecurity

The report identifies four key priorities for the CFO and CIO as it relates to cybersecurity, including:

  • Treating cyber risks as part of an organization’s enterprise risk management;
  • Prioritizing the assets that need protection;
  • Matching an organization’s cybersecurity to its strategy; and
  • Discussing cyber risks in the language of business, not IT.

CFOs should lead the board-level conversations to identify which assets of the organization need protection, Ernst & Young says. Those assets can include anything from intellectual property to financial data. “CFOs should care about different questions,” says Ken Allan, Global Cybersecurity Leader at Ernst & Young. “What are they trying to protect? What are the impacts of a breach?”

The CIO must then assist in outlining the cybersecurity issues to their CFO in a clear and concise manner. “At least a proportion of our attention should be focused on educating our technologists in how to speak to board members in a way that makes it a conversation in which they can participate,” Allan says.

For the CFO and CIO, these priorities are achievable since the CFO knows the company’s strategy intimately and the CIO is best positioned to identify vulnerabilities, Ernst & Young says. In addition, the collaborative process between CFO and CIO should be seen as an ongoing process, the report explains, as the organization constantly changes and new cyberthreats emerge. “Every new product or service, geographical expansion or M&A transaction creates new cyber risk exposures that must be managed.”


Cybersecurity is now part of the mainstream business conversation. Spending on cybersecurity insurance has soared to new heights, and business leaders are more informed than ever about just how much information is out there for hackers to steal. But threats evolve quickly, and zero-day attacks happen without warning.