10 Questions with VERA’s Chief Financial Officer
We recently sat down with Bill Gadala, VERA’s Chief Financial Officer, to talk about managing cyber risk, particularly what’s necessary to evaluate and understand, in order to quantify risk. It’s a complex subject, but one that comes up often in our talks with customers and partners. It’s a subject that is often misunderstood, as well as overwhelming to those, especially from a financial perspective.
Consider this: According to Gartner, by 2022, 30% of Chief Data Officers will have enlisted the help of their CFOs to formally value the organization’s data assets for improved data management and benefits. And by 2022, more than 30% of businesses will use financial risk assessments of their data assets to prioritize investment choices for IT, analytics, security and privacy.
As you can see, CFOs and controllers will continue to have a pivotal role in how companies evaluate and manage data risk. See below to learn more about Bill’s background and advice to companies on how to seek help from their finance colleagues.
1. Can you tell us a little about your background?
I have worked for technology companies (mostly software) for 20 years. I started my career in finance with IBM and spent about half of my tenure there integrating the finance function for acquired companies, including one in vulnerability protection. Subsequently, I helped a FinTech company in New York City go through an IPO and, most recently, re-built FP&A processes for another software company in the Bay Area.
Modern-day finance teams wear many hats and can best make a positive impact through value-added partnership. One of the key obligations of a finance leader is to understand data risk, and to help the organization find optimal solutions
It is interesting to see how, particularly in recent history, the avenues for data distribution have amplified, creating a set of challenges that were not there before. And, as a result, there are growing needs for privacy regulation which further enhances the need for active participation by the finance team.
2. What type of data risks do you come across and how do you assess their impact?
Risk can range from things that can cause minor set-backs, to things that can create serious problems and often weaken a company’s viability. In today’s world of prolific ways to share information, one of the more persistently difficult issues that the Finance team faces is how to deal with sensitive data including financial statements, customer information, and personnel data. In certain cases, some of this data is required by constituents outside of the protective bounds of a company’s IT infrastructure, such as banks that are extending credit, vendors that are vetting you, and potential M&A candidates. While laws and policies exist that provide some protection, the truth is that you never really have certainty where the data could end up and you have no ability to control it once it is sent. The information that resides outside of the company’s security perimeter is accessible with equal permissions, meaning access is not restricted once someone gains it.
3. How do you assess risk?
I tend to think of data risk in three ways: the nature of the information being held, the ability to secure it (probability that it can be exposed), and the potential financial impact on an organization. Sensitive data that comes in the form of personal, business or classified information can put an organization at risk. The second aspect, the ability to secure it, is a function of how the data is stored and distributed. The financial risk is typically the cost of lost revenue, cost of litigation, privacy regulation penalties, and reputational damage.
4. Are there risk equations that can help quantify the impact of a data breach?
Generally speaking risk is going to consist of two components: the potential cost (impact) of an event and the probability of an event happening.
5. What are some of the biggest challenges with identifying and quantifying data security risk?
Revenue loss risk and litigation costs risk are tangible impacts that can be measured. What is more difficult to do is to quantify the probability. On that front, having an understanding of how vulnerable your data is important. If you are SOC2 compliant your risk is going to be mitigated by the controls identified within the internal bounds of your system. However, it is difficult to assess probability for data that leaves your repositories. That is something that internal compliance, including SOC2, will not address. Another challenge is that there is a multitude of methods by which to protect assets.
6. What are financial considerations that companies should think about when looking at security solutions?
Often times, leaders in organizations think that an increase in spend leads to an overall decrease in risk. That’s not necessarily the case. For example, companies could spend millions on a SIEM, DLP and other network controls, and become victims of a breach through an application code vulnerability. Depending on the size and industry of the organization, cybersecurity can be very complex. New attack methods and new technologies to deal with those attack vectors show up all the time. So, to maximize efforts at assessing security risk, resources must be allocated so that the most effective tools and strategies are being used to protect the most important information assets.
7. Why is it important to have an idea of the cost of a data breach?
I think understanding what the risks and potential costs are is an important component of business planning. How would the company react if information was disseminated to the wrong audience? What could it cost the business? It is human nature to think “it won’t happen to me” or to simply assume that a party erroneously receiving sensitive data will act with integrity and delete the information. The news cycle is filled with examples of breaches and often there is a strong correlation between the event and the value of the company following the news.
8. What are some best practices that leaders should follow on managing cyber risk?
Leaders should understand where there are exposures in either tools or processes. As technology now permeates within the Finance organization, a strong partnership with IT is critical. An important practice is to understand where sensitive data is stored and how access is provided to parties that need it, most importantly outside parties. Company policies and practices often overlook, or have no direct control, with data that goes outside of the organization so this awareness is important.
9. Have you seen any organizational and/or cultural misalignments between different parties within a company
Yes, in one end of the pendulum, we have companies with nascent processes or a cultural tendency to deemphasize security. On the other side of the spectrum you can have companies where security policies overlap each other and create inefficiencies or redundancies. I think it is important to understand what the security goal is and what security gaps are critical to cover.
10. How can security and business leaders get started assessing the cyber risk of their organization?
It’s first important to get an idea of the company’s risk tolerance. Are you extremely risk averse? The answer may differ depending on what needs to be protected. In other words, what level of risk are you willing to accept and still be able to justify and defend to stakeholders? Identifying what the company views as acceptable risk will move it beyond a culture of fear and into one that can focus on execution.