How Successful CFOs are Vetting Cybersecurity Protections
When it comes to your business, the value generated for every dollar spent is critical to the success of your organization. When considering how to achieve maximum value from hiring outside expertise, allocating your budget to technology is an investment that supports operational efficiency while cutting costs.
No matter the field or industry, your business depends on technology. This need will only increase as more of your operational processes become digitally transformed. Your strategy for leveraging technology will become critical to staying ahead of your competitors and remaining relevant. Whether you are seeking to ensure business continuity in the face of disaster, enable remote work, or protect company data, the value of your technology investments has the potential to significantly outweigh the costs.
As a CFO, the prospect of evaluating information technology services providers can be slightly intimidating, but you don’t have to be a technology expert to do it well. An experienced IT services provider will be able to give you the confidence and visibility you need to make smart business decisions.
This guide provides 5 best practices every CFO needs to know about investing in cybersecurity controls for their business and how to best evaluate IT service providers.
1. Understand the threats and trends
Cybersecurity protection is not about preventing a single one-time attack—that’s short-sighted. While you are not expected to know how to prevent or resolve these attacks, as a financial leader it’s important that you’re aware of the types of attacks in circulation, along with the financial impact they can have on your business. According to Hiscox, a cyberattack costs a business an average of $369,000 [1]. With 61% of firms reporting an attack in the past year, it’s not a matter of if your business will suffer an attack, but of when, and how much it will cost your business.
The more common entry points continue to be the most susceptible for businesses today:
- Phishing Attacks that trick an employee into sharing a password or account information
- Lookalike web pages that mimic the login of Office365, your bank, or other services to capture password information
- Poor security provisions in the form of weak or re-used passwords, which are often due to mismanagement or deprioritizing of employee security training
- Open, unsecured network- and internet-connected devices, such as printers, or the 20-year-old Microsoft Windows code that supports them, which give hackers easy access
Although cybersecurity incidents of larger, well-known businesses continue to dominate news headlines, the threat exists as a harsh reality for organizations of all sizes. With the increase in ransomware attacks this year, businesses can’t afford to pull back on cybersecurity spending.
Illustration source: https://www.safetydetectives.com/blog/ransomware-statistics
2. Look for an IT services provider that embeds cybersecurity protection into every product or service offered and will be a true IT partner, not just a reseller
Many service providers are only in the business of reselling vendors’ products, unconcerned with how those products are delivered or supported. This means that once you purchase a product, you are on your own. Adopting new technology without support can lead to lost productivity and prevents you from fully optimizing your investment.
As a finance leader, seek out an IT services provider that offers free consulting, during which they will make the effort to learn your specific external requirements (legal, contractual, or regulatory), your business objectives, internal workflows, and current cybersecurity posture. The provider will then craft a unique solution that addresses your immediate and long-term needs. With a cybersecurity assessment that outlines where you are now and a technical roadmap showing what you should focus on next, you will be in complete control to offload specific areas of concern to your provider as you see fit.
3. Invest in security features relevant to your needs
Your business may have unique security needs to consider. For example, a government municipality that must adhere to compliance regulations will have completely different needs than a business with multiple office locations and remote employees. When evaluating IT service providers, it’s important to determine if they offer enterprise-grade security features that are tailored to your current and future business needs.
The service provider should work with you to define and deliver a cybersecurity posture based on the recommendations and guidelines of the National Institute of Standards and Technology (NIST) [3]. Expect your provider to determine the specific controls you need for your business—such as active threat hunting or cybersecurity monitoring—and then create a documented process to ensure those controls are implemented and executed as stated in the Service Level Agreement (SLA).
4. Prioritize the value of your cybersecurity investment
Like any technology investment, there is a wide range of cybersecurity solutions and services that all vary wildly in cost. Though some make more financial sense to manage in-house, others are more cost-effective to outsource to an IT services provider.
When comparing your options, consider the value of the solution that is being provided. In addition to establishing a consistent and reliable solution for protecting your data, your IT team can win back time to focus on other business-critical tasks.
The right provider will help you maximize the full potential of the products and services you purchase through training, provisioning, and support. As you assess providers, look for one that offers consolidated billing reports as part of their tailored solution—outlining all monthly and annual cybersecurity costs. This allows you to adequately plan for OpEx and CapEx cybersecurity spend that aligns with your business goals.
5. Check for qualifications and expertise
When considering IT service providers, there are qualifications and services you can request in writing so that you can make a value comparison, such as:
- Project experience and client referrals
- Professional certifications and partnerships
- Support, response, and resolution times
- Project accountability metrics
- Contract terms and flexibility
- System and Organization Controls (SOC) 2 Type 2 Audit with Trust Services Criteria
In addition, consider a provider that specializes in working with businesses of a similar size and industry to your own. Select a provider that offers the people, processes, and technology you can count on to secure your business while being invested in your business goals and success.