This article is part of the series "[Podcast] Varonis CFO & COO Guy Melamed: Preventing Data Breaches and Reducing Risk". Check out the rest:
Leave a review for our podcast & we'll send you a pack of infosec cards.
Recently, the SEC issued guidance on cybersecurity disclosures, requesting public companies to report data security risk and incidents that have a “material impact” for which reasonable investors would want to know about.
How does the latest guidance impact a CFO’s responsibility in preventing data breaches? Luckily, I was able to speak with Varonis’ CFO and COO Guy Melamed on his perspective.
In part one of my interview with Guy, we discuss the role a CFO has in preventing insider threats and cyberattacks and why companies might not take action until they see how vulnerable they are with their own data.
An interview well worth your time, by the end of the podcast, you’ll have a better understanding of what IT pros, finance, legal and HR have on their minds.
Data security and the CFO: Risk and Responsibility
My name is Guy Melamed, CFO and COO for Varonis. I have been with the company since 2011. In charge of all the financial statements and execution of strategic operational plans. In charge of the legal department and IR as well and I am enjoying the ride.
Sounds great. So, today we’re gonna be discussing how much it would cost if we don’t invest in data security, and let’s start with the role of a CFO.
Right now, data breaches are one of the biggest threats that all companies face, and companies are realizing this and increasingly, they’re delegating responsibilities to the CFO. According to a survey by the American Institute of CPAs, 72% of companies, they’ve asked the finance department to take on more of a responsibility to deal with data breaches and attacks. Why should the CFO be involved in protecting the organization’s most sensitive data?
I think the answer is comprised of a couple of components. One of them has to do with the fact that CFOs are responsible for the financial statements and with recent events and with the amount of breaches that have taken place, there’s much more emphasis on the type of disclosure the company has to provide as part of the 10-K and as part of the risk factors and even as part of the MD&A. Just to give you an example, in recent months, the SEC has provided guidance on cybersecurity, board consideration, and the amount of disclosure that needs to be provided. And just to give you a sense in the release, that, as a side note, was provided by the SEC chairman, post the breach that took place in the EDGAR system which is a system that you can log in and see all of the financial statements of all companies, and there was a breach in that system and as a result the SEC had to address from a disclosure perspective what was taken and how they’re addressing that event and future events and planning to protect any future event.
So, that kind of created the guidance that was provided to all of the big four accounting firms, and private, and especially public companies have to address that. That release talks about what is company doing from a risk management perspective, how are they protecting against cybersecurity? It talks about the board’s role in overseeing the management and any immaterial cybersecurity risk. And it has a lot of discussion as to what type of disclosure needs to be provided in what event. So, when we received that publication in preparation for our 10-K filing, we had to have a discussion, where to put it, what is the risk, how are we addressing it, and a conversation like that takes place with the legal department. It takes place even with the HR department, with some of the regulation and protecting data. So, there’s a lot of components that relate to the CFO’s role in order to making sure that we address it properly.
I actually wanna go back to all the different departments that are involved in addressing the need for preventing data breaches. How would an organization include that in a conversation if they didn’t have the structure for it?
Well, the organization first has to understand where the data resides and who has access to the data. And in a recent survey that we published, approximately 50% of the companies have more than a thousand sensitive files open to everyone in the company. That’s an unheard of number. Think about it. If you have one sensitive file, one file that has the full payroll information for an organization, and that file gets to the wrong hands, that can destroy a company, you have a little more than a thousand sensitive files. So, the risk is very significant and approximately 20% of the data on average is open to everyone in the company. That’s a risk a company must take action against. So, step number one is realize where your risk resides and if you don’t have access, and you don’t know who has access to what type of folder, who’s opening the folder, who’s deleting the folder, then you’re blindsided.
So, I think that’s step number one. There’s additional risks that take place on a day to day, and if I’ve given you an example from the finance department, if an employee is on warning, goes through a PIP, and he has access to sensitive information, you wanna make sure that that information that he has access to stays within the company, and that an employee isn’t accessing more and more information in preparation for departure. So, that’s a risk that relates to the finance organization, but relates to so many other departments as well. There’s IP that, you know, personnel within the R&D department wanna make sure is protected. There’s obviously information related to customers and payroll information and HR and legal and the list just goes on and on. So, the desire is first of all just to be able to know what you need to protect and then who’s protecting it, who has access to it and being able to see any abnormal behavior that’s taking place within an organization.
Don’t We Have an Audit Trail?
So, you have deep expertise in risk and some technical knowledge. There was a survey among cybersecurity professionals and 41% of them think that their CFOs have a major gap in their technical expertise in risk or they don’t understand their risk at all. You’ve alluded to some of their risk. What is your recommendation to other CFOs or other individuals who wanna improve their knowledge gap? Who should their trusted advisors be?
Well, first of all, I don’t think I have deep expertise on the technological side or in understanding risk, but I have been around enough to understand that the biggest gap between the finance department and the IT or security department has to do with misconceptions. And if you ask, and just to give an example, what we see many times that takes place in our selling process, our selling process, for anyone that doesn’t know, is very visual. So, we can talk about risk with our potential customers but a conversation doesn’t get elevated until customers see how vulnerable they are with their own data, and I guess that’s just human nature. Everyone thinks that they’ll be okay until they see how open and how much data is open to everyone in the company and how many sensitive files could be accessed by people that shouldn’t have access to that.
So, one of the examples that we see during a selling process is that if we sit showing that risk assessment or even having an initial conversation with someone from the IT or a CISO, and also with a legal department member or a finance member, and we ask one simple question, “If today, 10,000 files would have been deleted, would you know about it?” The answer from the CISO or from the IT personnel is, “Absolutely not. We don’t have any ability to know if someone deleted 10,000 files.”
But if you ask a finance person or someone from the legal department or an HR personnel, I think the misconception or their automatic reaction would be that there has to be a way and that it seems unreasonable that a company isn’t tracking if 10,000 files got deleted today. That, I believe is one of the gaps that has to be breached and the education from the finance side is making sure that you know what the company’s tracking and what we’re not tracking and if an employee is about to leave, do we have any type of monitoring to make sure that sensitive files aren’t taken and provided to a competitor or are even used in the future by that, what would be an ex-employee later on.
So, there’s a lot of components on the daily operations. There’s a lot of risks that company has to think about and always kind of go through the process of what can go wrong. Maybe it hasn’t happened and maybe everything is good now and we trust all of our employees, but what if? And I think the notion that when you have organizations with 1,000 employees or 20,000 employees or 50,000 employees, the notion that all of the employees are ethical is a bit scary and you have to think how to protect the company in the best way.
Cost of a Data Breach
What’s most compelling for me is that there’s a disconnect between IT and the rest of the departments, where IT thinks that, “I really wanna protect everyone’s data, but there’s no ability to do so.”
Meanwhile, finance, legal, and HR, they think, “Oh, hasn’t that problem been already solved? It’s a little unreasonable,” as you’ve said, “if we weren’t able to figure that out.”
So, let’s talk about the cost of a breach. So, it’s been said that the average cost of a data breach is about four million, and there are many organizations that have paid tens of millions of dollars. What are some direct costs and indirect costs to businesses associated with data breaches?
So, a data breach, from a quantifiable perspective, depends on what was taken, when it was taken, who was it taken by, and who was it provided to. So, there is a lot of components, and I think it would be very hard for me to throw out a number. But what I would say is that a breach is a disruption to the business in so many levels. It’s a disruption from the sense of finding out what was taken, the risk of that information being provided to your competitors, even the risk of taking financial information and providing it before it was published.
What I would think about is would a CFO, or a COO for that matter, be comfortable with providing their financial statements to a competitor two weeks before they were published? Obviously the answer is, no, and there could be detrimental consequences to that type of breach.
But the breach isn’t just on the financial information. There is customer information, there is payroll information. There’s just so much sensitive file that sits there that people within the organization have access, and it doesn’t necessarily mean that they would break bad. It could be a situation where someone from the outside took control of the credentials of an employee within the organization and starts using that access in the wrong way. So, the notion, and I think what we’ve seen as a company, as one of the most interesting phenomenas, is that some of the breaches that took place in 2014 really generated a knee jerk reaction and there was a significant IT spent during the beginning of 2015. But that spent at the beginning of the year was mostly towards perimeter defense security. The notion was that if you’re protecting the border, you’ll be okay. And I think what’s been proven day in, day out is that perimeter defense security is absolutely important but the notion that that’s the only type of defense that you need has been thrown out the window.
And if you use the same analogy of border patrol or protecting a country, the fact that you have protection on the border doesn’t mean that you don’t have any other measures and any other organizations that protect you from the inside. Because at one point there is gonna be someone that will be able to overcome that border. Not only that, how are you protecting your organization or your country from people from the inside? So, what we’ve seen in the last couple years is that the amount of breaches that have taken place have increased significantly. The magnitude has increased significantly, the implications on those companies has increased significantly.
And I know there was an article a couple years ago that discussed the cost of a breach and how you shouldn’t buy any software and you can just deal with a breach. That notion has been thrown out the window and, you know, it’s obviously that the consequences of a breach that we see it on the news and on the front page of “The Wall Street Journal” and “The Financial Times.” It’s happening in rates that we haven’t seen before and I don’t see that going away.