While a CFO with some knowledge of the technology involved may be helpful when making spending decisions, Dandini believes the finance involvement must be much deeper. It calls for an approach to security that involves gaining input from across an enterprise, he said, creating a much more holistic security plan, in which every department considers the impact of a data loss on them, and the wider business.
This broader team approach to data protection allows departments to understand the costs to the enterprise. In turn, the individual departments take responsibility for IT security themselves, so the units "are no longer throwing that moral hazard hot potato" to the CIO, said Gartner's Heiser.
"The CFO has a strategic role in encouraging the policies and processes that enable the business to handle the risk themselves," said Heiser. "It's unrealistic to expect the CFO to understand security completely, as it is for the security professional to understand finance completely."
CFOs should first aid managers in determining the data's sensitivity and defining security goals, he said. This will help enterprises calculate the cost of the security being provided.
For data ranked high, the CFO should help the manager "figure out an economically appropriate set of controls and countermeasures" to protect the sensitive information. Standard security procedures may cover less sensitive data. The idea, Heiser said, is to keep things simple.
"There don't have to be many goals. Ultimately confidentiality, integrity and availability are goals," he added. "I find that getting any more granular than three things is hard."
Next, consider security "across the life cycle of IT, from turning things on, to turning things off, to throwing things away." Dated laptops still contain sensitive information unless they are properly managed, he noted.
Managing the process broadly allows individual departments to see "the risk ramifications of their data." This method also creates a framework that should be applied to new IT projects to ensure that security is considered from the planning phase.
"It's not reasonable to expect [IT departments] to do a good job at that, if they haven't been given a simple but useful framework," said Heiser.
And making data security a priority becomes a wiser decision all the time, since criminals are consistently developing more sophisticated cyberattacks, according to The Hartford's Dandini.
He said that "even as more protections come online, the perpetrators get that much more crafty, and then you have to go and find new solutions to deal with it."
Data-breach threats are here to stay. "They may change slightly," said Dandini, "but by no means will they go away."