Risk management usually falls in the domain of the CFO. However, IT security often stays within the IT silo. This approach will not work long term; the CFO needs to take charge.
The CFO has to own IT security because:
- IT security involves the protection of assets, liability exposures and regulatory compliance. This is more than a technical IT matter;
- It involves computer systems outside of the company, over which IT has no control;
- It involves managing the flows of liabilities in contracts;
- Cyber Risk insurance must be negotiated;
- Someone above the IT department has to be concerned about the insider threat from the IT unit itself (the people with the most access – often complete and absolute access).