Kathleen Turco

Kathleen Turco

Director, Consulting

Cybersecurity is a multi-faceted discipline, encompassing technology, policymaking and financial management (FM). The chief financial officer, in fact, is a key player in implementing an effective cybersecurity strategy.

We are long past the time when we could treat security as an afterthought, as just another aspect of managing an organization. Today, we must build cybersecurity into the very fabric of agency operations, especially where sensitive data, including financial data, faces increasing risks.

The chief financial officer (CFO) and chief information officer (CIO) play integral roles as they partner to get resources to protect an organization’s cybersecurity. As the CFO allocates funding within agencies, the CIO must ensure that the CFO understands the budgetary needs for expanding and improving an agency’s cybersecurity measures.

CFOs, however, must go beyond addressing the bottom line; cyber and data security are now paramount to all programs and operations.

Risk, data and the importance of financial management

The CFO and CIO should collaborate on enterprise risk management (ERM), which informs strategic decisions. Risk is unavoidable in financial management and in agency operations, but this collaboration can address it with technology strategies and the funding to carry them out.

Everyone in an agency holds responsibility for keeping information secure. A data breach is more likely to come from a skillful con artist tricking an employee into giving away authentication information than from a sophisticated attack that circumvents security measures to penetrate the network (although those can happen too.)

Assessing and managing risk, a key aspect of cybersecurity, touches on every aspect of an organization. Managers and leaders get a full picture of the agency’s risk only when they can marshal data from multiple sources, including the financial management organization. Integrating and analyzing this data can yield insights that inform sound decision-making about security strategies and technologies.

Making smart technology choices

The CIO and CFO must make technology investments soundly. That starts with gaining a full understanding of the current state.

That analysis should expand beyond looking at security measures already in place, and include the kinds of systems that need protection. For example, outdated legacy systems without vendor support may be less secure without continued vendor support that includes software updates and security patches. Simply replacing them with current technology might be an option, but it isn’t fast or inexpensive.

CFOs and CIOs together can often identify ways to enhance the security of legacy systems before modernization is feasible. The CFO and FM team should also assess financial systems meticulously to discover weaknesses and identify processes or systems that would strengthen the financial management organization’s cybersecurity posture.

Robotic process automation and machine learning can improve cybersecurity protection and ease risk.

RPA is widely used today to handle repetitive tasks, notably in financial management. It carries out those tasks faster and more accurately, while the employees who once spent hours doing them can spend their time on higher value work. RPA can work in cybersecurity in the same way, handling simple, repetitive tasks so that employees can pay more attention to monitoring systems and networks.

Similarly, financial managers use machine learning to help manage their assets, evaluate risk levels, and automatically approve/decline transactions. Applied to cybersecurity, a system built on machine learning can analyze much greater volumes of data than employees can, identifying weaknesses and analyzing breaches that do happen to improve defenses for the future.

Protecting financial data

The CFO also oversees learning and development for the financial management workforce, and should keep security at the top of mind. Cyber criminals often target FM employees for social engineering schemes, because those employees can access valuable data. A successful cybercriminal could steal data that would enable identity theft, or take proprietary information.

A 2020 study by the Ponemon Institute found that insider threats are growing in both the number of incidents and the costs associated with them. Over a two-year span, the study found, the number of incidents rose by 47%, while the cost to address data breaches increased by 31%. The highest overall cost is containment, at an average of $211,533 per year. The fastest-growing cost is investigations, which rose by 88% over three years.

A well-planned training and education program turns employees from risk factors to components of the defense system. Every employee must understand the threats that cyber criminals pose and the common-sense measures employees can take to thwart them.


The CFO office and an agency’s FM professionals have taken on a crucial role in cybersecurity, as the threat environment grows increasingly dangerous. Agency CIOs and technology professionals should develop a good relationship with the financial team in order to understand their risk profile, identify and fill gaps in security and, most critically, have funding allocated to cover the costs.

An earlier version of this article appeared in the AGA Journal of Government Financial Management.

More from this author: Finding the big picture in a sea of data

About this author

Kathleen Turco

Kathleen Turco

Director, Consulting

Kathleen Turco, director, consulting at CGI, brings deep domain knowledge of federal agency financial matters