Bridging the IT + Finance Divide

How to Best Bridge the IT + Finance Divide

Let's face it, the backgrounds, priorities & approach vary widely from IT to finance. We've all had challenges in communicating across teams from time-to-time. In many areas of the business, distinct priorities are expected. However, in cybersecurity, strong partnership and communication is absolutely critical - if this breaks down the entire business could be at risk.

Here are 4 keys to improving communication and collaboration between IT and Finance from our experience:

1. Build communication in "Plain English" CFO.com published a great piece setting expectations & best practices for communication about cybersecurity. They define a very simple model, intended to ensure alignment across disciplines. To be defined by IT and used consistently in communication:
   • "What" the company has
   • "Where" the company has it
   • "Who" can access it
   • "Why" would someone want it
   • "How" the company is controlling it
2. Get a 3rd party risk assessment

   An independent audit can be incredibly powerful in setting the stage for the current state and potential risk vectors for your cybersecurity. Beyond the principle of not auditing your own team's work, 3rd party/ expert input can carry more weight on a critical topic like risk.

   This has, in our experience, been a solid foundation on which to conduct financial impact analysis

3. Add some macro context

   Part of the challenge of managing, budgeting and communicating cybersecurity is that you're often trying to prepare for issues that have never happened (and hopefully won't). So how can you know the parameters of the right cybersecurity plan.

   One way that we've seen success with in our client relationships is to add some context from the national or global conversation. For example: At the 2023 World Economic Forum's annual meeting, experts warned that "2023 will be a consequential year for cybersecurity."

   • Geo-political instability is expanding the cyberthreat landscape
   • Every business is a potential target (even if exclusively a US company or a regional focus)

   This is never for "shock value" rather to provide the context of macro trends, some which could open up new incentives or motivation for ratcheting up cyber attacks.

4. Cyber is a whole company focus

   Accordingly, cybersecurity has be to considered across every department with the assumption that the existing strategies (or those that have worked in the past) are likely not sufficient.

   Though IT can manage risk, every team in an organization has a role to play. And this includes third party relationships - vendors, partnerships, service providers, even customers.

   Take for example, the ongoing dialogue about remote and hybrid work policies. Obviously the lens of productivity, employee satisfaction is primary here, but the cyberthreats are increased considerably if remote work in any part of the equation.

The front-line experience of the team at L3 Networks can help make sure cybersecurity is effectively prioritized through years of experience in bridging the communication gap from IT to finance and every department in between.