Managing Data Risk in the Finance Function: A Conversation with VERA’s Chief Financial Officer
We recently sat down with Bill Gadala, VERA’s Chief Financial Officer, to talk about managing cyber risk, particularly what needs to be evaluated and understood in order to quantify risk. It’s a complex subject, but one that comes up often in our talks with customers and partners. It is also a subject that is often misunderstood, and one that can feel overwhelming, especially from a financial perspective.
Consider this: According to Gartner, by 2022, 30% of Chief Data Officers will have enlisted the help of their CFOs to formally value the organization’s data assets for improved data management and benefits. And by 2022, more than 30% of businesses will use financial risk assessments of their data assets to prioritize investment choices for IT, analytics, security and privacy.
As you can see, CFOs and controllers will continue to have a pivotal role in how companies evaluate and manage data risk. See below to learn more about Bill’s background and advice to companies on how to seek help from their finance colleagues.
1. Can you tell us a little about your background?
I have worked for technology companies (mostly software) for 20 years. I started my career in finance with IBM and spent about half of my tenure there integrating the finance function for acquired companies, including one in vulnerability protection. I subsequently helped a Fintech company in New York City go through an IPO and, most recently, re-built backshop processes for another software company in the Bay Area.
I believe that modern-day finance teams wear many hats and can best make a positive impact through value-added partnership. A key obligation of a finance leader is to understand data risk and to help the organization find optimal solutions.
Through my career, it is interesting to see how the avenues for data distribution have amplified, creating a set of challenges that were not there before.
2. What type of data risks do you come across and how do you assess their impact?
Risk can range from things that can cause minor set-backs, to things that can create serious problems and often weaken a company’s viability. In today’s world of prolific ways to share information, one of the more persistently difficult issues that the Finance team faces is how to deal with sensitive data including financial statements, customer information, and personnel data. In certain cases, some of this data is required by constituents outside of the protective bounds of a company’s IT infrastructure, such as banks that are extending credit, vendors that are vetting you, and potential M&A candidates. While laws and policies exist that provide some protection, the truth is that you never really have certainty where the data could end up and you have no ability to control it once it is sent. The information that resides outside of the company’s security perimeter is accessible with equal permissions, meaning access is not restricted once someone gains access.
3. Why is it important for organizations to quantify cyber risk?
Oftentimes, leaders in organizations think that an increase in spend leads to an overall decrease in risk. That’s not necessarily the case. For example, companies could spend millions on a SIEM, DLP and other network controls, and become victims of a breach through an application code vulnerability. Depending on the size and industry of the organization, cybersecurity can be very complex. New attack methods and new technologies to deal with those attack vectors show up all the time. So, to maximize efforts at assessing security risk, resources must be allocated so that the most effective tools and strategies are being used to protect the most important information assets.
4. How do you assess risk?
I tend to think of data risk in three ways: the nature of the information being held, the ability to secure it (probability that it can be exposed), and the potential financial impact on an organization. Sensitive data that comes in the form of personal, business or classified information can put an organization at risk. The second aspect, the ability to secure it, is a function of how the data is stored and distributed. The financial risk is typically the cost of lost revenue, cost of litigation, or reputational damage.
5. Are there risk equations that can help quantify the impact of a data breach?
Generally speaking, risk is going to be the probability of an event multiplied by the potential cost (impact). There are a few ways to think formulaically about risk, depending on your situation. I recommend getting started with something simple and straightforward.
Probability × Impact = Risk
6. What are some of the biggest challenges with identifying and quantifying data security risk?
Revenue loss risk and litigation cost risk are tangible impacts that can be measured. Having an understanding of how vulnerable your data is, is important in order to assess risk. If you are SOC 2 compliant, your risk is going to be mitigated by the controls identified within the internal bounds of your system. The difficulty arises in knowing how data is being accessed once it leaves your repositories. That is something that internal compliance, including SOC 2, will not address.
7. Why is it important to have an idea of the cost of a data breach?
I think understanding what the risks and potential costs are is an important component of business planning. How would the company react if information was disseminated to the wrong audience? What could it cost the business? It is human nature to think “it won’t happen to me” or to simply assume that the party will act with integrity and delete the information that erroneously came to them. The news cycle is filled with examples of breaches and often there is a strong correlation between the event and the value of the company following the news.
8. What are some best practices that leaders should follow on managing cyber risk?
Leaders should understand where there are exposures in either tools or processes. As technology now permeates the Finance organization, a strong partnership with IT is critical. An important practice is to understand where sensitive data is stored and how access is provided to parties that need it, most importantly outside parties. Company policies and practices often overlook, or have no direct control over, data that goes outside of the organization, so this awareness is important.
9. Have you seen any organizational and/or cultural misalignments between different parties within a company?
Yes, at one end of the pendulum, we have companies with nascent processes or a cultural tendency to deemphasize security. On the other side of the spectrum you can have companies where security policies overlap each other and create inefficiencies or redundancies. I think it is important to understand what the security goal is and what security gaps are critical to cover.
10. Is risk assessment different if the company has assets in the cloud vs on-premise?
Leveraging a cloud provider can be a risk if that provider’s team (or your internal team) is inexperienced in the cloud. That lack of experience can lead to misconfiguration, inadvertently exposing data and applications to the public. For both cloud and on-prem, it is always best to secure the data itself and not rely on configurations. Also important is to identify and align with a certification that best fits the organization’s security requirements. Performing a thorough assessment helps reduce adoption risk, but perform it to deeply evaluate the solution, not to simply complete a compliance exercise.
11. Why is risk sometimes difficult to quantify?
Risk can be challenging to quantify when the organization does not have its information and assets identified or classified properly. Also, the number of methods by which to protect assets can be overwhelming.
12. How can security and business leaders get started assessing the cyber risk of their organization?
It’s first important to get an idea of the company’s risk tolerance. Are you extremely risk averse? The answer may differ depending on what needs to be protected. In other words, what level of risk are you willing to accept and still be able to justify and defend to stakeholders? Identifying what the company views as acceptable risk will move it beyond a culture of fear and into one that can focus on execution.