Ep. 63: Ray Hutchins & Mitch Tanenbaum - How You Can Leverage Cybersecurity to Increase Your Value to Any Organization
Ray Hutchins and Mitch Tanenbaum, owners of CyberCecurity, LLC and
Turnkey Cybersecurity and Privacy Solutions, LLC share their
knowledge and explain how financial service professionals can
easily and quickly increase their value to any organization. Cybe
18 minutes
IMA® (Institute of Management Accountants) brings you the latest perspectives and learnings on all things affecting the accounting and finance world, as told by the experts working in the field and the thought leaders shaping the profession.
Description
5 years ago
CyberCecurity, LLC:
https://www.cybercecurity.com/
Video Training by Ray and Mitch:
https://www.cybercecurity.com/media-and-speaking/
Mitch's Blog:
https://cybercecurity-mitch-tanenbaum-blog.com/ &
https://mtanenbaum.us/
Contact Ray Hutchins:
https://www.linkedin.com/in/hutchins/
Contact Mitch Tanenbaum:
https://www.linkedin.com/in/mitch-tanenbaum-2589663/
FULL EPISODE TRANSCRIPT
Adam: (00:05)
Welcome back to Count Me In, IMA's podcast about all things
affecting the accounting and finance world. Cybersecurity is
something that truly affects management accountants, but really
all individuals and firms. So Mitch spoke with Ray Hutchins and
Mitch Tanenbaum about what cybersecurity really means and how to
acquire the appropriate knowledge to be of great value to your
organization. To hear why you need to understand cybersecurity,
keep listening as we head over to their conversation now.
Mitch R.: (00:40)
All right, so at a high level, how does cyber security really
impact the finance department of an organization? You know, why
does this stuff really matter?
Ray: (00:50)
Well, from Mitch and my perspective, of course we're
cybersecurity guys and we're also business professionals. So
we've been in business all of our life; we are a
couple of boomers. We've got a lot of experience and we know that
and we deal with a lot of companies where the, all the
cybersecurity, the risk questions, the risk questions are dealt
with and delegated to, many times, the finance department. Finance
takes control in a lot of organizations. They haven't spent a lot
of time setting up their internal, authority around, well, who's
gonna be responsible for the risk and compliance for the
organization? Who's going to be responsible for cybersecurity and
privacy. And so in a lot of organizations that falls naturally
right onto the finance department and specifically the CFO.
That's been a problem we've dealt with in the past many times in
an organization saying really the CFO shouldn't be the one in
charge of all of this. You know, they definitely play a role. Of
course they're always important on it, but there's, there's more
people need to be involved in this, but that's the nature of the
beast. The finance department is involved, they pay for it,
they're accounting for it, and therefore they need to understand
something about it so that they can participate in an intelligent
level in conversations around this risk category.
Mitch T.: (02:30)
Let me add something to that. Every organization has a chief risk
officer. Now, in many organizations, that person doesn't have
that title. But in every organization there is, somebody is
responsible for that. Whether that's the CEO, the COO, or more
often the CFO. If we assume that cybersecurity is a business risk
that needs to be mitigated, just like every other business risk,
and if we assume that the CFO is the chief risk officer, in
fact, then it makes perfect sense that the CFO and the finance
team needs to understand cyber risk to be able to lead the
conversation. They don't need to be the experts, but they need to
understand how that ties to business risk.
Mitch R.: (03:19)
So these are all really great points and I really like the idea
of, you know, grouping this together as a true business problem.
It's not an IT problem. And if the CFO is going to act as this
chief risk officer, as you said, really manage, you know, the
risk initiatives here. What specific type of information do you
think the CFO or their finance team needs to acquire in order to
effectively lead this risk mitigation and implement these
cybersecurity procedures for their organization?
Ray: (03:53)
Good question. And it brings up something, you know, both Mitch
and I have, my Mitch, my partner Mitch as opposed to you, Mitch.
But, both Mitch and I have of course spoken at multiple IMA
meetings at this time and we're familiar with IMA as an
organization, as something that we find out there in the IMA
organization. You've got a lot of executives and transition from
one company to another and within they're moving up in their
career and whatnot. And something that I have found to be the
case is when I'm talking to these people out there is that, and I
make the point that as a financial services professional, no
matter what your rank, no matter what your position within the
organization you can make yourself much more valuable to the
organization if you have a business grasp of cybersecurity and
privacy and its business implications and you can speak the
language, you've got some jargon, not technical jargon, just
general jargon about it. Perhaps knowing some of the regulatory
environment, knowing some of the regulations and the standards
that affect all businesses, kind of understanding that and being
able to engage on that. Companies have a terrible shortage of
anybody who can talk the talk of cybersecurity and privacy. So if
you can demonstrate any level of competency, any level, well that
changes your value proposition within the company.
Mitch T.: (05:27)
So I would say that, just like any other risk problem, you want
to create a governance risk and compliance framework, a GRC
framework. And the good news is the federal government and the
guys of the Department of Commerce, National Institute of
Standards and Technology has created a great governance
framework, which is the NIST Cybersecurity Framework. And as of
this past January, it's partnered the NIST Privacy Framework.
These are governance frameworks, high level governance frameworks
that every organization needs to be looking at. And I will tell
you, and we do a lot of work with this, nobody is a hundred
percent when it comes to these frameworks, but the framework
provides a set of guidance for organizations big and small. So if
you go look at policies for example, and it asks questions about
policies, well a small organization is gonna need a different set
of policies than a big organization, an organization that
operates in multiple states and multiple countries might need
different policies than one that doesn't. But if you all
lay this into that framework and then you can go off and say, as
the chief risk officer, okay, you know, this is a network problem
or this is an IT problem or this is a, you know, what level of
risk are we willing to assume problem? And you can go off and
assign different part, different people in the organization to go
help you complete this framework and see where you stand. The
first thing that I would always do, and we do a lot of these, is
a gap analysis. Let's go look at where we are versus where we
want to be and we have these conversations and we generate a
list of gaps and then it becomes a business conversation for
the C suite and for larger organizations for the board. Very
importantly, the board has to provide guidance on this to say
what is a level of risk we're willing to take? And the risks
could be a compliance risk. It could be a legal risk, it could be
a reputation risk, it could be a whole variety of different risks
that we could be takin...