Cybersecurity Today: What’s Important and How to Identify Lapses in Security for CFOs and COOs

It is no secret that we are in an era of rapid innovation, digital transformation, and AI integration, and that cybersecurity risks have quickly evolved from mere IT incidents into worldwide strategic priorities with real implications for executive leaders, particularly CFOs and COOs. The roles of these executives have changed tremendously over just the past decade. They face not only mounting pressure to deliver returns and profitability but also an ever-growing responsibility to safeguard their organizations from increasingly sophisticated cyber threats. Given the stakes, understanding the current cybersecurity landscape well enough to identify potential lapses quickly is no longer optional; it is critical to the organization.

This blog examines the essential cybersecurity priorities for C-suite, management, and operations leaders and provides strategic guidance for identifying and addressing the vulnerabilities companies face today.

Why Cybersecurity Matters to CFOs and COOs

Threats today are vastly different from those of just 5-10 years ago. They are intensifying and increasing in frequency, and bad actors are emboldened to extort companies, with significant financial and operational consequences. If your C-suite is not well-versed in crisis management, now is the time to brush up on it. The Ponemon Institute reports that software supply chain vulnerabilities have recently affected 59% of organizations, resulting in significant financial losses and downtime1. Much of this burden falls to the CFO, who is often tasked with oversight of IT alongside other departments. The CFO now faces threats from ransomware, cyber extortion, and third-party vulnerabilities, as well as new compliance obligations under the SEC cybersecurity disclosure rules2.

If you do not think you are susceptible to these threats, think again. As Juliette Kayyem emphasizes in her book The Devil Never Sleeps, the work belongs "left of boom": effective preparedness before the event, not reactive damage control after it. The financial repercussions of a cyber-attack are substantial. Globally, the average cost of a data breach reached $4.45 million in 20233. Mark Jackley writes that "nearly 95% of attacks are launched for financial gain," which makes the CFO a critical stakeholder in cybersecurity strategy, whether or not the CFO wants that responsibility4.

Top Cybersecurity Risks CFOs Must Prioritize

  1. Ransomware and Cyber Extortion – This remains one of the most common forms of cyber-attack and a top threat to every organization. When cybercriminals gain access to systems, servers, and applications and encrypt data for a ransom payment, it can affect anyone. Cyber extortion is rising significantly as these schemes extend beyond mere encryption. Attackers are becoming more sophisticated: they threaten public exposure of stolen data or business disruption, leveraging reputational risk to drive payments, and it works; no one wants their dirty laundry out in the open. Addressing this risk requires robust, layered security measures and a proactive (remember, left of boom) comprehensive business continuity plan5. Note that tested, offline backups blunt the encryption threat but do nothing against the threat of leaking data that has already been stolen, which is exactly why attackers have shifted toward data theft.
  2. Third-Party Vulnerabilities – This is crucial; many cyber incidents occur not because of your own security weaknesses but because of weaknesses outside your immediate control. These risks are real and rising sharply, which means leaders must evaluate all of their vendor relationships critically. You do not have to look far among recent major incidents to see that this can affect anyone. Third-party incidents such as the 2024 CrowdStrike outage, caused by a faulty update rather than a breach, showed how a single vendor's failure can disrupt organizations worldwide6. CFOs and COOs need to be vigilant: perform prudent risk assessments, routine audits of vendor processes and security protocols, and regular compliance checks as an integral part of your cybersecurity strategy, and know which vendors sit in your critical path so that you have a fallback when one of them fails.
  3. Business Email Compromise (BEC) – If you think you have never come across one of these, chances are you have and just did not realize it. These attacks are widespread and remain among the most common in use today. Cybercriminals manipulate employees through fraudulent emails, usually while posing as a company executive, and they typically target finance teams directly. They are prevalent and costly when successful: data shows that between 2013 and 2022, global losses to BEC incidents totaled $51 billion7. Because these attacks exploit human error rather than software flaws, defending against them requires vigilance, comprehensive staff training, consistent reminders, and strengthened communication protocols, above all an out-of-band verification step (a call to a number already on file, never one taken from the email) before any payment or bank-detail change is acted on.
  4. Generative AI and Emerging Technologies – Here is the new player on the block: rapid advances in technology that have taken many industries by storm. These new technologies, specifically generative AI (e.g., ChatGPT, Cohere, Gemini), enable extremely sophisticated cyber threats, particularly deepfakes and malicious chatbots, which change the battlefield and complicate attack prevention. This road is paved with lies, deceit, and manipulation, making such threats extremely difficult to identify. AI can mimic an executive's voice, significantly enhancing deception and bringing such attacks to a new level8. This is where Kayyem's "left of boom" is highly relevant: proactive strategies must include strict AI governance frameworks, wider use of 2FA and other advanced authentication measures, and continuous monitoring to detect synthetic impersonation. Because a cloned voice defeats "I recognized the caller," payment verification procedures should never rely on recognizing a voice or face alone.
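The BEC item above describes the pattern (a message that looks like it comes from an executive, aimed at finance) but not how a mail gateway or a finance team's tooling would actually spot it. The following is an added example, not code from the original post or from any product it cites: it runs three header-level checks over a message, display-name impersonation of a known executive, a Reply-To that silently redirects replies, and a lookalike sender domain. The corporate domain, the executive roster, and the two sample messages are constructed for illustration; the similarity threshold is an assumption you would tune against your own mail.

```python
"""Heuristic checks for business email compromise (BEC) indicators.

Added example, not the original post's code. Inspects the headers of an
inbound message for three tell-tale signs of executive impersonation:
  * a display name matching a known executive but an address outside
    the corporate domain,
  * a Reply-To that routes replies somewhere other than the From address,
  * a sender domain that is a lookalike of the corporate domain.
The roster, corporate domain and sample messages are constructed.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                    # assumption: the real domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: roster from the directory
COMMON_TLDS = (".com", ".net", ".org", ".co", ".io")
LOOKALIKE_THRESHOLD = 0.8                           # assumption: tune on real mail


def _strip_tld(domain):
    """Drop a common TLD so 'example.co' and 'example.com' compare equal."""
    for tld in COMMON_TLDS:
        if domain.endswith(tld):
            return domain[: -len(tld)]
    return domain


def is_lookalike(domain, target=CORPORATE_DOMAIN):
    """True if `domain` is not `target` but is close enough to fool a reader
    (same name on another TLD, or a near-match such as examp1e.com)."""
    if domain == target:
        return False
    a, b = _strip_tld(domain), _strip_tld(target)
    if a == b:
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= LOOKALIKE_THRESHOLD


def bec_indicators(raw_message):
    """Return a list of human-readable indicators for one RFC 5322 message.
    An empty list means none of the three checks fired."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    findings = []

    # 1. Display name says "executive", address says otherwise.
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    if exec_addr and from_addr != exec_addr:
        findings.append(f"display name impersonates {exec_addr} from {from_addr}")

    # 2. Replies quietly go to a different mailbox (classic BEC setup).
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Sender domain mimics the corporate domain.
    if from_domain and is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: ap@example.com
Subject: Urgent wire - confidential

Please process the attached wire today. I am in a meeting, do not call.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 numbers

Thanks for the update.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample) or ["no indicators"])
```

These checks are deliberately cheap and header-only, which is also their limit: a legitimate executive who sets Reply-To to an assistant will trip check 2, and an attacker who has actually compromised the executive's real mailbox trips none of them. That second case is why the out-of-band verification step in the list above is the control that matters, and why the script is a filter for attention rather than a substitute for the phone call.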

Identifying Security Lapses: Practical Guidance for CFOs and COOs

Assess Your Real Exposure
Despite the high confidence levels reported by surveyed executives, there is usually a stark difference between perceived readiness and actual vulnerability. The research does not lie: although 87% of CFOs express confidence in their cybersecurity defenses, 61% have experienced a significant incident within the past 18 months9. Overconfidence can and will be costly.

Leaders, whether executives, managers, or engaged shareholders, should push for regular review of actual cybersecurity incidents, scrutinize response times, and openly discuss security vulnerabilities with the internal cyber teams best placed to gauge organizational readiness, adjusting strategy accordingly.

Strengthen Incident Response and Preparedness
Incident response has simply not been a top priority within many organizations. Is that due to complacency? Most likely. If you believe your organization faces limited risk, rethink that position: operating in what looks like a low-risk environment does not mean you are not truly at risk; everyone is. The Homeland Security Advisory Council underscores that effective cyber response requires a coordinated restoration strategy among interconnected sectors10. Regular exercises such as tabletops, cyber simulations, and cross-sector collaboration will help you as a CFO or COO fortify your organization's response capabilities. A simple check of readiness: can your team say who decides whether a ransom is paid, who speaks to regulators and customers, and how long restoring core systems from backup actually takes? If those answers exist only on paper, the exercise is overdue.

Enhance Supply Chain Security
The supply chain is one of the most important and most exposed areas, where attacks exploiting vulnerabilities in third-party software are wreaking havoc with lasting impact. The Ponemon Institute's findings highlight that open-source and third-party software are significant risk vectors whose security is often not robust enough11. CFOs and COOs need to be more stringent in their vendor security evaluations, requiring adherence to recognized attestations such as SOC 2, using automated proactive monitoring tools, and regularly reviewing software bills of materials (SBOMs), so that when a widely used component is found to be vulnerable you can tell within hours, not weeks, which of your vendors' products contain it.
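The paragraph above asks for "regular ongoing assessments" of SBOMs without saying what an assessment looks like. The following is an added example, not tooling from the original post or from the Ponemon report: it reads a minimal CycloneDX SBOM, checks each component's package URL and version against an internal list of affected version ranges, and separately reports components that cannot be checked at all because the vendor omitted the version or package URL (a common and important gap). The SBOM document, the advisory entries and their identifiers are constructed; a real review would pull advisories from a vulnerability feed and use a proper version-specifier library rather than the numeric comparison shown here.

```python
"""Review a CycloneDX SBOM against an internal list of affected packages.

Added example, not the original post's tooling. The SBOM, the advisory
list and the advisory IDs are constructed for illustration; the version
comparison handles plain dotted numeric versions only (an assumption).
"""
import json

# Constructed minimal CycloneDX 1.5 document, as a vendor might deliver it.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "vendor-portal", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "acme-widgets", "version": "1.4.2",
         "purl": "pkg:npm/acme-widgets@1.4.2"},
        {"type": "library", "name": "acme-client", "version": "2.31.0",
         "purl": "pkg:pypi/acme-client@2.31.0"},
        {"type": "library", "name": "acme-padding", "version": "1.3.0"},  # no purl
        {"type": "library", "name": "internal-utils"},                     # no version
    ],
})

# Constructed advisory list keyed by purl without the version suffix.
# Each entry is (min_inclusive, max_exclusive, advisory_id); IDs are placeholders.
ADVISORIES = {
    "pkg:npm/acme-widgets": [("1.0.0", "1.5.0", "ADV-0001")],
    "pkg:pypi/acme-client": [("0", "2.31.0", "ADV-0002")],  # fixed in 2.31.0
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric fragments count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, low, high):
    """True if low <= version < high under plain numeric comparison."""
    return parse_version(low) <= parse_version(version) < parse_version(high)


def review_sbom(sbom_json, advisories=ADVISORIES):
    """Return (affected, incomplete).

    affected:   list of (name, version, advisory_id) for components that
                fall inside an advisory's version range.
    incomplete: names of components that cannot be checked because the
                SBOM lacks a purl or a version for them; these are a
                finding in their own right and belong in the vendor review.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    affected, incomplete = [], []
    for comp in bom.get("components", []):
        name = comp.get("name", "?")
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            incomplete.append(name)
            continue
        base = purl.split("@", 1)[0]          # strip the version suffix
        for low, high, adv_id in advisories.get(base, []):
            if in_range(version, low, high):
                affected.append((name, version, adv_id))
    return affected, incomplete


if __name__ == "__main__":
    hits, gaps = review_sbom(SBOM_JSON)
    for name, version, adv_id in hits:
        print(f"AFFECTED  {name} {version}  ({adv_id})")
    for name in gaps:
        print(f"UNCHECKABLE  {name}: SBOM lacks purl or version")
```

Two things in the output are worth a CFO's attention, not just an engineer's. The "affected" list is the obvious one. The "uncheckable" list is the one that gets missed: an SBOM that omits versions or package URLs satisfies a contractual checkbox while making the assessment the contract was meant to enable impossible, so completeness of the SBOM should itself be a vendor requirement.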

Focus on Data Security and Remote Work Risks
In response to COVID-19, much of the world moved into remote work arrangements, which evolved into hybrid arrangements that remain prevalent today. The rise of this type of work has significantly expanded organizations' attack surfaces. Forrester research calls this out: external attacks targeting home and remote work environments accounted for 21% of the breaches identified within the past year12. CFOs must champion investment in endpoint security and encryption, rigorous remote-work policies, and comprehensive hands-on security hygiene training for teams working remotely. If the company is already paying for an employee's home office setup, there is no reason cyber threat training should not be a condition of receiving that equipment.

Align Cybersecurity Spending with Risks
It is crucial that cybersecurity investments are strategically aligned with risk. According to the Controllers Council's CFO Sentiment Study, surveyed CFOs are adopting a conservative spending approach in anticipation of economic uncertainty but remain optimistic about strategic cybersecurity investment13. When a CFO budgets, effective spending should prioritize the controls that directly mitigate the most serious threats identified through thorough, comprehensive risk assessments.

Building an Effective Cybersecurity Culture
Ultimately, an effective cybersecurity program transcends technical measures and requires a robust organizational culture. It is everyone's responsibility, not just the CFO's and COO's, but these leaders must foster the climate for it to succeed; it is no longer merely the IT department's remit. There must be regular, proactive (think left of boom) communication about cyber risks and preventive measures. Leaders themselves need to engage in security training and embed cybersecurity considerations in business decisions. These are pivotal steps toward a resilient cyber posture.

Conclusion

These issues are not going to get easier. As AI has advanced, incidents have grown in scale, and cybersecurity threats will become more complex and harder to identify. CFOs and COOs play an increasingly important role in safeguarding their organizations' operational and financial integrity and stability. By identifying and prioritizing the threats with the greatest potential impact (ransomware, third-party risks, BEC, and emerging AI threats) and rigorously assessing vulnerabilities, leaders can dramatically enhance the resilience of their organizations.

Now is the moment to act. Be proactive; do not wait for the crisis to happen and find yourself reacting when it is too late. Consistently audit your cybersecurity posture, identify gaps, and align strategic investments with the identified risks to foster a vigilant culture within the organization.

References

1; 11. Ponemon Institute, The State of Software Supply Chain Security Risks
2; 5; 6. Top cybersecurity priorities for CFOs (CFO.com)
3; 4; 7. CFOs and Cybersecurity: Top Threats & How to Prevent Them
8. Cybersecurity Guide for CFOs 2024 (7th ed.)
9. Cyber Risk and CFOs: Over-Confidence is Costly
10. Homeland Security Advisory Council: Cybersecurity Incident Response
12. Forrester, The State of Data Security, 2024
13. Controllers Council (2024). CFO/Controller Sentiment Study