What role should CFOs play in mitigating data breaches?

James
Here are a few pointers from my perspective:

If IT reports to the CFO, play an active role. Refer the S. 1408: Data Breach Notification Act of 2011.

If the CFO is responsible for risk management, also play an active role. Loss of reputation, cost of remediation should be of particular interest.

Look at your own customer/prospect and employee data. Look at data released to 3rd parties for processing (e.g. 3rd party CRM/campaign mgmt service providers). How safe is your data in the cloud (e.g. are you using SaaS based CRM and other software?)

Talk to your colleagues in IT, sales, marketing and HR. Most security breaches are shown to come from the inside anyway. Are your HR and IT security policies and controls good?

Regards
Len

In most of the organizations I know, IT reports to the CFO (with or without a CIO/CTO).

As such, and as part of a comprehensive internal audit function, the CFO should be involved in prevention, response, mitigation and recovery.

I've heard the argument many times that the staff is against this and that program which could prevent data breaches.... what is the cost for prevention vs response and recovery?

I think that Len is on the right track. It's not so much what the CFO's responsibility would be ... it's what your responsibility would be. If no one else "owns" data security in your organization and it falls into your lap, then you need to spearhead some type of plan.

The foundation for effective handling of a breach is a data security program. It should incorporate your state's notification laws. The level of detail within that plan can vary according to your needs. But, the important point is that if/when you encounter a data security breach you really don't have the time to start thinking about how you will respond. The basic foundation of a response needs to be ready to go.

If, on the other hand, your question is more about prevention then a risk assessment would appropriate. Where is your data? How does it travel? Is it encrypted during both storage and data transfer? This will give you the potential weak points. From there, you can decide on whether you need to strengthen some IT areas and/or make certain data security demands on third-party providers.

Every position within a company is responsible for a piece of the Risk Management puzzle. But the CFO is essentially the individual that takes a macro perspective of a company. Whether it is related to ensuring every department has risk mitigation activities within their policy and procedures or working with auditors to discuss perceived deficiencies, the CFO is key to ensuring all identified risks are addressed.