Robust cybersecurity at risk as 44% of CFOs say they don’t know enough about IT issues

Toronto, ON (Sept. 18, 2015) – Seventy-one percent of Chief Financial Officers (CFOs) have had increased involvement in the IT agenda in the last three years. But 44% cite insufficient understanding of IT issues as a barrier to collaboration with CIOs.

According to EY’s global survey, Partnering for Performance, Part 3: The CFO and the CIO, the relationship between CFOs and CIOs is becoming more collaborative, with CFOs playing a greater role in vital IT-related activities.

CFOs’ access to all financial data means they can identify signs of a breach. They’re also well-positioned to help identify assets the attackers are trying to obtain, such as intellectual property (IP), financial data or other information about the company that could be used to damage it. CFOs should ask themselves, “What are we trying to protect?” and “What are the impacts of a breach?”

“Today’s attackers have more sophisticated goals as opposed to just stealing classified information. They may be looking to manipulate the company share price, for example,” says Abhay Raman, EY’s Cybersecurity Leader. “Or, they may be looking to devalue the company so it can be acquired at a much lower price. These are issues the CFO must be involved in.”

Sixty-six percent of CFOs say managing cybersecurity is a high or very high priority, but they face a number of challenges in their relationship with CIOs. CFOs view IT as a cost centre, rather than an asset. While most can recognize the scale of a cyber threat, they can’t visualize what a mature cybersecurity capability looks like, which they would need in order to invest in the right initiatives. In fact, this lack of understanding was identified as the top obstacle to a closer relationship with the CIO (44% of CFOs say it’s one of the top three barriers). The tendency for CIOs to discuss cybersecurity issues in technical jargon, rather than plain language, can also hinder meaningful action.

Effective collaboration on cybersecurity starts with treating cyber risk as an enterprise risk management issue, rather than as an IT problem. It should be integrated into the broad set of enterprise-governance functions, such as HR, vendor management and regulatory compliance.

“CFOs can lead board-level conversations to identify which of the organization’s financial, IP and data assets need protection,” says Raman. “Working with the CIO, they should ensure that the whole organization has a tested plan in place to respond when a breach does occur.”

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY is proudly celebrating 150 years in Canada. For more information, please visit

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit