A CFO’s Perspective: My 3 Identities of Cybersecurity Leadership


Renowned business guru Peter Drucker had a great quote that has always resonated with me: “Management is doing things right. Leadership is doing the right things.”

When Drucker made that statement decades ago, we didn’t know anything about ransomware, DDoS attacks, digital transformation or cybersecurity threat intelligence. But I think his words are extremely appropriate for any business executive trying to help their organization achieve the highest possible level of cybersecurity.

Even a CFO like me.

Although I work for a leading global provider of cybersecurity solutions, I hardly consider myself the technical equal of many of my CSO colleagues when it comes to the bits, bytes and bots of cybersecurity. But that doesn’t mean I don’t take my cybersecurity leadership role seriously. Every day, I make decisions and take actions designed to help our company—and our customers and business partners—avoid cyber risk and limit its impact.

In fact, there are three essential ways that business executives can take a leading role in ensuring high-quality cyber hygiene and risk management in their organization. The good news for non-techies such as me is that you don’t need to have an advanced degree in computer science or digital forensics, and you don’t have to have logged years of time working in a security operations center or monitoring network traffic anomalies.

Playing on the cybersecurity term “identity management,” I believe that non-technical business executives have three distinct, yet interrelated, identities and responsibilities when it comes to cybersecurity: personal, corporate and functional.

Personal Identity: Do the Right Thing 

At the heart of any business leader’s identity mix is their personal identity—specifically in my case, my identity as an employee of Palo Alto Networks and how I personally use IT services, handle data and protect myself and my employer against cyber threats. Every day, I am a personal user of technology and data, and I must take every step possible to act responsibly when it comes to cybersecurity.

In this role, my employer must have the utmost trust and confidence in my willingness and ability to follow the rules when it comes to how I personally use our systems and data. All employees have ample opportunity to take shortcuts when it comes to doing what we need without complicating how we work with a bunch of policies and procedures on everything from passwords and authentication to using non-sanctioned/unprotected devices, applications and services.

The company assumes I will demonstrate the highest level of personal integrity in doing my job in a way that does not increase cyber risk.  Not all end users have management responsibilities, and yet, all end users must demonstrate a commitment to act as the famed film director Spike Lee might urge us: Do the right thing.

Corporate Identity: Walk the Walk

Then there’s my corporate identity. As a corporate leader, I have to understand that the company’s goals are my top priority. That means I have to know the company’s marketing strategies, product roadmap, competitive threats, regulatory demands and customer expectations—and how those things relate to each and every step we take related to cybersecurity.

I’m seen as a leader by virtue of my title, but that only goes so far. I must also be a leader by helping my team do everything it can to support our cybersecurity initiatives. After all, if I don’t “walk the walk” when it comes to demonstrating good cybersecurity hygiene for our group, why should they be expected to do the same? Otherwise, it would be very easy—and very dangerous—for my team to say, “Hey, she must think it’s OK to download work files to her systems at home, so I guess I don’t need to talk to the IT guys about it.” Whether you head up finance, sales, marketing, manufacturing, distribution, engineering, legal, customer service or any other corporate group, you must demonstrate to your team that you value and respect good cybersecurity policies, and you expect them to, as well.

Functional Identity: Invest in the Future

Finally, I have an essential functional identity—as the head of the company’s financial operations. I’m responsible for the decision-making process in investing financial resources, either on cybersecurity tools and services or on internal cybersecurity defenses. My team and I take that very seriously.

One of my most important functional leadership roles is to help find a way to say “yes” when the leadership group believes a particular policy or program is in the organization’s interest. My role as CFO mandates that I think about making decisions with long-term implications. Specific to cybersecurity, where technology and threats change so rapidly and so profoundly, that can be very challenging at times. But I must evaluate those risks and opportunities with a long-term vision for where our company, our industry and our customers will be going in three, five or even 10 years down the road.

Cybersecurity leadership isn’t about perfection, but business executives must demonstrate all three kinds of leadership identities—personal, corporate and functional—in order to create a culture where cybersecurity is baked into everything you do.

Kathy Bonanno is the chief financial officer and executive vice president at Palo Alto Networks. 

End Points

  • There are three ways that executives can take a leading role in ensuring high quality cyber hygiene in their organization.
  • Playing on the cybersecurity term “identity management,” there are: personal, corporate and functional identities.
  • Are you showing all three kinds of leadership identities to create a culture where cybersecurity is baked into everything you do?