As Seen in CFO Studio Magazine Q2 2017 Issue
By Michael Rist, Chief Financial Officer, VIP Petcare
ARE YOU ASKING YOUR CIO THE RIGHT QUESTIONS?
As the role of the CFO continues to evolve, finance executives must continually augment their knowledge of technology and how it impacts the continuing operation and strategic direction of the company. This starts with open and ongoing dialog. The CFO needs a good understanding of how the IT department is positioned in the context of the overall strategy of the company. Below are five key questions to ask your CIO regardless of industry or company size.
How is the IT strategy aligned with the corporate strategy?
Asking this question allows you to gauge where resources are being directed within IT and if they are yielding returns that exceed the hurdle rate. You need to make sure there is a viable business case for every material project in the IT portfolio that supports the corporate strategy. It’s important to note that not every project will translate into an easy-to-calculate ROI, and qualitative measures must therefore be in place to ensure that shareholder value is created.
What risks are you already planning for?
The answer should cover testing, firewalls, critical system failure, anti-virus, spyware and anti-malware protection, and similar areas. If you are holding credit card information, you must comply with the Payment Card Industry Data Security Standard (PCI DSS) and keep that compliance up to date every day. Not doing so may expose you to hefty fines and the risk of losing the authorization to process payment card transactions. The goal here is not to eliminate or minimize risk but to manage the risk exposure so that the company carries the right level of risk to pursue its strategic goals effectively.
What scares you? (If he says nothing, that’s a problem!)
There are numerous things every CIO should be scared of, from zero-day vulnerabilities to social engineering and phishing, which have become more and more sophisticated over the last couple of years. The key is that the CIO makes you aware of these without burying you in technical details.
What is the security around our data and systems?
Not all data is equally sensitive. A plan must ensure that the most critical data is safeguarded. This plan should be a collaboration between IT and the rest of senior management.
What is our response plan for an incident?
Not every organization has a dedicated cyber incident response plan, and that’s OK, provided there is a clear plan for crisis response. Some organizations have generalized response plans for crises of varying types (critical system failure, natural disaster, power outages, weather, strike, etc.), with cyber incidents treated as just another form of occurrence to be managed under such a plan. Senior management should run a process review of that plan on an annual basis.
Being a technology-savvy CFO doesn’t mean simply having the latest and greatest technology or knowing the latest cyber fad. It means being able to advance your organization’s growth or improve its competitive position by asking questions that identify key constraints holding back the organization from pursuing its goals.