Why Finance Needs to Collaborate with Cybersecurity
Siloed teams undermine the security of financial and accounting data, but a new survey reveals that infrequent or sporadic communication remains common in many companies.
Even as threats to finance and accounting data grow, cybersecurity remains siloed from the finance and accounting functions in most companies. That’s problematic as organizations work to minimize cyber risks and mitigate the damage from potential attacks.
During a recent webcast, the Deloitte Center for Controllership asked the event’s executive attendees whether they expect the number and size of cyber events targeting their organization’s accounting and finance data to increase over the next year. Nearly half (48.8 percent) said they do. This makes sense, as cybersecurity threats against all areas of the business continue to multiply.
Alarmingly, though, the same webcast also included a poll that asked how much collaboration exists between respondents’ finance and accounting teams, on the one hand, and their cybersecurity group, on the other. Only 20 percent said their finance and accounting teams work closely and consistently with colleagues in cybersecurity. Forty-three percent said their company’s finance and cyber teams work together as needed, but not consistently or closely. And 11 percent of respondents said those teams do not collaborate.
Treasury & Risk sat down with Temano Shurland, a principal in Deloitte Risk & Financial Advisory’s finance transformation group, to discuss the poll results.
Treasury & Risk: What do you make of the fact that, in 1 in 10 companies, finance and cybersecurity teams don’t collaborate at all?
Temano Shurland: Historically, cybersecurity and IT have been separate and distinct from the finance organization. Events such as acquisition deep dives or an ERP [enterprise resource planning] implementation might result in collaboration. But this webcast poll focused on consistent interactions between those groups.
T&R: So, what are best practices in this area? How much interaction should finance and accounting groups have with their security teams?
TS: What I’ve seen in leading organizations is a constant interaction between finance and accounting and cybersecurity, as the business models in most industries continue to evolve and as financial data becomes more and more valuable. With constant interaction, the collaboration is less about an event and more about having continuous communication back and forth. The accounting and finance teams receive advice and counsel from the cybersecurity group, which helps ensure that data stays secure as it moves through their core systems, as well as when it moves from those systems through some integration layer to another system.
Having regular communication helps finance make the best use of the company’s internal expertise around the steps that are needed to protect financial data. To me, it seems obvious that finance would leverage the expertise of the cybersecurity team, especially if finance and accounting are more focused on helping operate the business and report on transactions in the business. It’s a match made in heaven.
T&R: In the companies that you work with, what does that communication look like? Is it a regularly scheduled meeting between the two groups?
TS: It’s a combination of regular interactions, such as a standing committee meeting, and having cybersecurity work as an internal consultant, serving as a sounding board anytime finance is deploying new systems, making upgrades, or modifying processes. It’s often beneficial to have someone from the outside take a look, to help finance achieve the best end state that works for both parties.
T&R: It seems that having close relationships between finance and cybersecurity staff would also be highly beneficial in the event of a security incident.
TS: Ideally, those relationships would help prevent security incidents from happening, because that constant interaction and advice would lead to constant hardening of the finance group’s defenses. But then secondarily, if there is an incident, there’s a relationship there that helps the company resolve issues much faster. Individuals on both sides of the fence are a lot more astute and knowledgeable about their counterparts who sit in other parts of the organization.