Recently, the SEC issued guidance on cybersecurity disclosures, requesting public companies to report data security risk and incidents that have a “material impact” for which reasonable investors would want to know about.
How does the latest guidance impact a CFO’s responsibility in preventing data breaches? Luckily, I was able to speak with Varonis’ CFO and COO Guy Melamed on his perspective.
In part one of my interview with Guy, we discuss the role a CFO has in preventing insider threats and cyberattacks and why companies might not take action until they see how vulnerable they are with their own data.
An interview well worth your time, by the end of the podcast, you’ll have a better understanding of what IT pros, finance, legal and HR have on their minds.
Right now, data breaches are one of the biggest threats that all companies face, and companies are realizing this and increasingly, they're delegating responsibilities to the CFO. According to a survey by the American Institute of CPAs, 72% of companies have asked the finance department to take on more of a responsibility to deal with data breaches and attacks. Why should the CFO be involved in protecting the organization's most sensitive data?
So, that kind of created the guidance that was provided to all of the big four accounting firms, and private, and especially public companies have to address that. That release talks about what the company is doing from a risk management perspective, how are they protecting against cybersecurity? It talks about the board's role in overseeing the management and any immaterial cybersecurity risk. And it has a lot of discussion as to what type of disclosure needs to be provided in what event. So, when we received that publication in preparation for our 10-K filing, we had to have a discussion, where to put it, what is the risk, how are we addressing it, and a conversation like that takes place with the legal department. It takes place even with the HR department, with some of the regulation and protecting data. So, there's a lot of components that relate to the CFO's role in order to make sure that we address it properly.
So, I think that's step number one. There's additional risks that take place on a day-to-day basis, and if I give you an example from the finance department, if an employee is on warning, goes through a PIP, and he has access to sensitive information, you wanna make sure that that information that he has access to stays within the company, and that an employee isn't accessing more and more information in preparation for departure. So, that's a risk that relates to the finance organization, but relates to so many other departments as well. There's IP that, you know, personnel within the R&D department wanna make sure is protected. There's obviously information related to customers and payroll information and HR and legal and the list just goes on and on. So, the desire is first of all just to be able to know what you need to protect and then who's protecting it, who has access to it and being able to see any abnormal behavior that's taking place within an organization.
So, one of the examples that we see during a selling process is that if we sit showing that risk assessment or even having an initial conversation with someone from the IT or a CISO, and also with a legal department member or a finance member, and we ask one simple question, "If today, 10,000 files would have been deleted, would you know about it?" The answer from the CISO or from the IT personnel is, "Absolutely not. We don't have any ability to know if someone deleted 10,000 files."
But if you ask a finance person or someone from the legal department or HR personnel, I think the misconception or their automatic reaction would be that there has to be a way and that it seems unreasonable that a company isn't tracking if 10,000 files got deleted today. That, I believe, is one of the gaps that has to be bridged, and the education from the finance side is making sure that you know what the company's tracking and what we're not tracking and if an employee is about to leave, do we have any type of monitoring to make sure that sensitive files aren't taken and provided to a competitor or are even used in the future by that, what would be an ex-employee later on.
So, there's a lot of components on the daily operations. There's a lot of risks that a company has to think about and always kind of go through the process of what can go wrong. Maybe it hasn't happened and maybe everything is good now and we trust all of our employees, but what if? And I think the notion that when you have organizations with 1,000 employees or 20,000 employees or 50,000 employees, the notion that all of the employees are ethical is a bit scary and you have to think how to protect the company in the best way.
Meanwhile, finance, legal, and HR, they think, "Oh, hasn't that problem been already solved? It's a little unreasonable," as you've said, "if we weren't able to figure that out."
So, let's talk about the cost of a breach. So, it's been said that the average cost of a data breach is about four million, and there are many organizations that have paid tens of millions of dollars. What are some direct costs and indirect costs to businesses associated with data breaches?
What I would think about is would a CFO, or a COO for that matter, be comfortable with providing their financial statements to a competitor two weeks before they were published? Obviously the answer is no, and there could be detrimental consequences to that type of breach.
But the breach isn't just on the financial information. There is customer information, there is payroll information. There's just so many sensitive files that sit there that people within the organization have access to, and it doesn't necessarily mean that they would break bad. It could be a situation where someone from the outside took control of the credentials of an employee within the organization and starts using that access in the wrong way. So, the notion, and I think what we've seen as a company, as one of the most interesting phenomena, is that some of the breaches that took place in 2014 really generated a knee-jerk reaction and there was a significant IT spend during the beginning of 2015. But that spend at the beginning of the year was mostly towards perimeter defense security. The notion was that if you're protecting the border, you'll be okay. And I think what's been proven day in, day out is that perimeter defense security is absolutely important but the notion that that's the only type of defense that you need has been thrown out the window.
And if you use the same analogy of border patrol or protecting a country, the fact that you have protection on the border doesn't mean that you don't have any other measures and any other organizations that protect you from the inside. Because at one point there is gonna be someone that will be able to overcome that border. Not only that, how are you protecting your organization or your country from people from the inside? So, what we've seen in the last couple years is that the amount of breaches that have taken place has increased significantly. The magnitude has increased significantly, the implications on those companies have increased significantly.
And I know there was an article a couple years ago that discussed the cost of a breach and how you shouldn't buy any software and you can just deal with a breach. That notion has been thrown out the window and, you know, it's obvious that the consequences of a breach, we see it on the news and on the front page of "The Wall Street Journal" and "The Financial Times." It's happening at rates that we haven't seen before and I don't see that going away.