Good morning. Cybersecurity is top of mind for CFOs, and they’re working with chief information security officers (CISOs) to mitigate risk. Despite these measures, online crooks are still thriving, warns J. Michael Daniel, president and CEO of Cyber Threat Alliance.
Daniel shared his concerns with Diane Brady, Fortune’s executive editorial director and author of CEO Daily, on Sept. 26 during Fortune’s CFO Collaborative dinner in Washington, D.C., held in collaboration with our founding partner Workday and sponsor Deloitte. The topic of the evening was cybersecurity and strengthening the alliance between CFOs and CISOs.
“The criminals have figured out that this is a pretty good business model,” Daniel told a group of prominent CFOs from the D.C. area and beyond.
The cyber threat landscape has a thriving criminal ecosystem that is making a lot of money using “basic flavors” like ransomware and business email compromise, Daniel said. And catching most of these bad actors may not be likely. In the U.S., the chances of a perpetrator being arrested, convicted, and spending time in jail are about 0.05%, he said.
Daniel has extensive experience in this area as the former cybersecurity coordinator in the White House Executive Office during the Obama administration. He was also an advisor to Bush and Clinton during his years in the Office of Management and Budget.
To address the ongoing cybercrime menace, Daniel stressed that CFOs and CISOs must form a tight partnership to identify well-researched and supported practices that will meaningfully reduce cyber risk. AI is proving to be useful in helping companies detect early signs of cyber threats, he said.
At public companies, CFOs and CISOs will also need to speak each other’s languages when it comes to regulatory processes. The U.S. Securities and Exchange Commission’s rule on cybersecurity disclosure went into effect in December. Companies are required to disclose on the Form 8-K any cybersecurity incident within four days of the company determining it to be “material,” such as having a significant impact on the company’s financials, operation, or relationship with its customers.
Since these regulations have been established, Daniel said there are two broad policy efforts that should take place in the U.S. One of them is establishing set standards of care for cybersecurity.
Companies bear a responsibility to protect their networks, customers, and data, Daniel said. But at the same time, there haven’t been clear universal guidelines about the right cybersecurity processes, he said. If there were set guidelines and a company followed them but still faced a cyber incident, then it probably shouldn’t be held liable, he said.
Another policy should be a requirement for software developers to have software that is secure by design, Daniel said. He argued that the software “should come out of the box” already secure, rather than companies having to engage in cybersecurity hardening, a set of processes used to protect sensitive data.
Cybersecurity is an area that CFOs and CISOs need to continually collaborate on, as criminal activity will persist.
“Will you ever be able to drive your cyber risk to zero? No. Not any more than you can drive your natural disaster risk to zero,” Daniel said.
But you can substantially lower it, make your company more resilient against cyber incidents, and transform this threat into something that you can manage over the long term, he said.
Sheryl Estrada
sheryl.estrada@fortune.com
The following sections of CFO Daily were curated by Greg McKenna