Cybersecurity lands on the CFO’s desk

https://www.manilatimes.net/2026/07/05/business/sunday-business-it/cybersecurity-lands-on-the-cfos-desk/2378378

Publish Date: 2026-07-04 12:04:00

Source Domain: www.manilatimes.net

FOR YEARS, when a cybersecurity question reached the chief financial officer (CFO), the answer was simple: talk to the IT department. That answer is gone. Sunil Golecha, finance chief for Japan and Asia-Pacific at Palo Alto Networks, says nearly every CFO he now meets ranks cybersecurity among the top three issues they bring to the board. It is the shift Bernadette Nacario, the company’s country manager for the Philippines, raised at a recent media briefing. Cybersecurity used to be viewed as a technical cost, she said. Now it sits with the board and the C-suite because a breach affects revenue, customer trust, business continuity and enterprise value.
That framing is no longer just a vendor’s pitch. On June 22, the cybersecurity agencies of Australia, Canada, New Zealand, the United Kingdom and the United States — the group often called the Five Eyes — issued a joint statement warning that frontier artificial intelligence (AI), the most advanced models of their kind, will reshape both attack and defense within months. Their language was blunt. Cyber risk “can no longer be treated as a purely technical issue,” they wrote. “This is a core business risk and leadership responsibility.” The wording closely echoes Nacario’s point, but this time it came from governments rather than a security company.

There is already a clock on it. Philippa “Pip” Cogswell, managing partner for Unit 42 in Japan and Asia-Pacific, the threat intelligence arm of Palo Alto Networks, says the fastest intrusions now move from initial compromise to data exfiltration — the point at which stolen data leaves the network — in about 72 minutes. That is faster than most companies can respond, which is why cybersecurity can no longer remain below board level.

So what changes when the CFO joins the conversation? Golecha says the questions come quickly. How do I measure the return on security investment? And how do I tell the board, with a straight face, that the company is secure?

His first observation is uncomfortable. Most CFOs cannot say how much their own company spends on security. He cites research showing that the average enterprise uses about 83 security tools from 29 different vendors, leaving spending scattered across budgets that no single person in finance or procurement can fully see. The solution he advocates is consolidation, what Palo Alto calls platformization, reducing dozens of vendors to a handful. Readers should weigh that as a vendor’s prescription. Consolidation also concentrates risk: fewer tools to manage, but greater dependence on a single supplier. Still, the central point stands. The problem is often not too little spending, but too little visibility into where the money goes.

When discussing return on investment, Golecha turns to an established discipline. Insurers price risk through actuarial analysis, assigning a financial value to the likelihood and cost of an event that has not yet occurred. Security can borrow that thinking. He tells CFOs to consider the cost of inaction. If your systems go offline for 30 minutes, what do you lose? A ride-hailing app earns nothing while it is down because the app is the business. A neighborhood store with a little-used website continues selling. The answer depends on how much of the business operates online. It also depends on suppliers because one supplier’s breach can halt operations without attackers ever directly compromising your own systems.

He points to listed companies. Large firms, he notes, have lost 15 to 20 percent of their market value within a day or two of a major cyber incident, amounting to billions. In more jurisdictions, directors also face personal accountability when a breach is traced to a failure to meet their fiduciary responsibilities. That is why cybersecurity reaches the board. A breach threatens the very things finance is responsible for protecting: the company’s financial health and its ability to continue operating.

The stakes in the Philippines are even higher for smaller firms, and Golecha does not suggest the platform model fits everyone. Most local businesses are small and medium-sized enterprises and will never operate 83 security tools. He estimates that a defensible cybersecurity budget is less than 7 percent of revenue for a brick-and-mortar business and more than 10 percent for a company that operates primarily online, depending on its level of exposure. For companies adopting AI, his advice is to allocate 8 to 10 percent of the AI budget to securing it, a step many organizations skipped during the rush to cloud adoption in the pandemic.

For a small business with no data center and few employees, the checklist is short: control who can log in, protect employee devices, secure the browser and secure the cloud services the business relies on. Identity comes first, he says, so no unauthorized person gets through the door.

The reason to invest is survival. Golecha invokes a phrase familiar to finance professionals: the going concern, the assumption that a company will continue operating indefinitely. A breach can end that. A large bank can absorb weeks of disruption and survive. A small business often cannot. Picture a coffee shop with a customer loyalty database and a payment system, convinced it is too small to attract attackers. Attackers go where the data is. By the time that lesson is learned, the going concern may already be gone.