As with CFOs everywhere, I am responsible for our company’s capital structure, investments and how it manages income and expenses. My role as a senior executive is strategic and long term.
As a CFO for an IT infrastructure and cloud services provider, my affinity for and sensitivity to the IT operations of our company are probably more in evidence than at most organizations. Beyond being an internal strategic asset that helps fuel our growth and success as an enterprise, IT is our business.
We deal daily with the impact – positive and negative – that IT can exert on the long-term viability of an organization. Of course, it’s our job to ensure success, steer our customers clear of potential landmines, and be a strategic asset for them as well as their customers.
For the benefit of CIOs at other organizations who may be wondering what’s on the minds of their CFOs – or what ought to be on their minds – concerning IT, here are a few stark realities and lessons learned from a CFO who sees IT from both sides.
You Have My Attention
IT security, compliance and risk management are on the meeting agendas of every company’s board of directors and audit committee, public or private. Their interests range from fiduciary responsibility and financial regulatory compliance, to employees’ and customers’ data security and protection, to infrastructure integrity and monitoring, to the apportionment of capital resources to competing programs across the organization, among other issues.
In other words, they’re on top of things at a strategic level. A CIO must understand her/his company’s governance practices, the priorities of leadership, and the goals of the organization – not simply from the point of view of IT but organizationally. Only then can the CIO effectively present appropriate analysis and recommendations relating to IT, expressed as business value justification with pertinent measurement metrics.
Ask a CFO to Lunch
To do as suggested above a CIO needs, at the very least, access to information. Better that they aspire to be influencers of and advisors to corporate leadership especially in matters relating to security and compliance. Forging such a strategic working relationship is a shared responsibility with the CFO and others on the executive leadership team. They need to be receptive and willing to discuss long-range business aspirations and engage the expertise of the CIO.
It’s incumbent upon the CIO, however, to think, speak and act in the language of business and not the tactical jargon of IT. While essential, IT is but one of many business operations requiring capital investment and management, along with product development, HR, sales and marketing, manufacturing and all the rest. You are running a business, not a data center.
Know Your Costs
With so many high-profile breaches and the alarming financial consequences stemming from stolen personal information, IT security and risk management are priorities of senior management. The advisability of determining what the costs of unauthorized access might be before you actually have to pay out seems to elude many businesses. You can’t make informed or realistic decisions on investments until you know which investments will produce the greatest return (or prevent the greatest loss). Without knowing costs, hedging against risk or buying insurance to protect against losses is a guessing game.
What “hidden” costs might arise from a data theft? If it’s data covered by regulatory compliance, there may be fines; in healthcare, fines easily can reach $1 million or more. What if you have to notify 100,000 customers by registered mail that their data may have been compromised ($3 per letter) and that you’re offering one year of personal identity protection free of charge ($15 per month per policy)? Beyond that, your reputation is tarnished and sales become harder to come by and slower to close.
It would behoove a CIO proposing an investment in added protection or an independent auditing regime to know this.
Audit and Audit Again
Speaking of audit regimes for security and compliance, the importance of having one cannot be overemphasized. Ours is a business in which logical and physical security and regulatory compliance are of paramount importance … for our customers as well as for ourselves. We understand the cost and complexity of doing it right and keeping it that way.
Holding on to the belief that an internal IT organization can audit its own adequacy, defenses and performance is to place your business at serious risk. From something as simple as two-factor authentication to sophisticated intrusion and penetration monitoring and response systems, the argument for independent third-party security auditing is an argument that the CIO must win.
Consider Disaster Recovery as a Service
Speaking as a CFO and not as the CFO at Peak 10, the financial rationale for outsourcing disaster recovery is compelling. It removes the need for investment capital in infrastructure, IT systems and software, and staffing, leaving it available for revenue-generating activities and programs. It facilitates regular testing of DR plans, which can be costly and disruptive when performed internally; consequently, confidence in the plan being successful when you need it most is justifiably strong. With DRaaS, critical data is replicated and stored away from the primary site, providing added levels of data security as well as recovery. Professional staff monitor and manage the entire DR activity around the clock; they are always at their posts ready to activate your plan.
One caveat. I am seeing DRaaS through the eyes of Peak 10. I know the lengths to which our organization goes to do it right. Not all DRaaS providers are created equal.