Many businesses need to expand the number of in-house departments that focus on cybersecurity beyond IT, with an interdisciplinary group led by the chief financial officer dedicated to assessing and reducing cyberrisk, according to a new report released Monday.

While the IT department should remain a major player in cybersecurity efforts, the CFO and the legal, risk management, human resources, public relations and other departments need to be involved in decisions about risk before cybersecurity breaches happen, the report said. It was released by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI), a nonprofit group focused on setting standards for U.S. industries.

The two trade groups released the report, "The Financial Impact of Cyber Risk," through a series of workshops in which more than 30 organizations participated. Participants represented the perspectives of several corporate departments, and among the organizations involved were IBM, Lockheed Martin, Crimson Security, State Farm Insurance, Carnegie Mellon University's Software Engineering Institute, and the U.S. Departments of Justice, Commerce and Homeland Security.

"The lesson that this workshop learned quickly was that cybersecurity, which has been traditionally viewed by some companies as an IT issue, is not just an IT issue," said Ty Sagalow, president of product development for general insurance at American International Group (AIG) and the workshop leader. "Just like it is not just a legal issue to be solved by the general counsel. Just like it is not just a reputation issue or a communications issue to be solved by the head of public relations."

The report, subtitled "50 Questions Every CFO Should Ask," recommends that business CFOs become heavily involved in focusing on cyberrisk if they aren't already. CFOs are in a position to see the big picture and budget for increased IT spending, if needed, or cybersecurity insurance or more resources in other departments, Sagalow said. In addition, CFOs need to understand the potential financial risks to breaches or leaks, he said.

Asked if some CIOs or IT department heads would see increased involvement from CFOs and other departments as encroaching on their turf, members of the task force that produced the report said they shouldn't. Many IT departments already recognize that they're only part of the solution to cybersecurity issues, said Edward Stull, a software architect for Direct Computer Resources and chairman of an IT security best practices group for the InterNational Committee on Information Technology Standards.

Many IT departments are underfunded, added Larry Clinton, ISA's president. Increased attention from the CFO could result in additional funding and an additional focus on IT needs, he said.