Partnering with IT

As Seen in CFO Studio Magazine Q2 2017 Issue

By Michael Rist, Chief Financial Officer, VIP Petcare

As the role of the CFO continues to evolve, finance executives must continually augment their knowledge of technology and how it impacts the continuing operation and strategic direction of the company. This starts with open and ongoing dialog. The CFO needs a good understanding of how the IT department is positioned in the context of the overall strategy of the company. Below are five key questions to ask your CIO regardless of industry or company size.

How is the IT strategy aligned with the corporate strategy?

Asking this question allows you to gauge where resources are being directed within IT and if they are yielding returns that exceed the hurdle rate. You need to make sure there is a viable business case for every material project in the IT portfolio that supports the corporate strategy. It’s important to note that not every project will translate into an easy-to-calculate ROI, and qualitative measures must therefore be in place to ensure that shareholder value is created.

What risks are you already planning for?

The answer should include testing, firewalls, critical system failure, anti-virus, spyware, anti-malware, etc. If you are holding credit card information, you must comply with the Payment Card Industry Data Security Standard (PCI DSS) and keep that compliance up-to-date every day. Not doing so may expose you to hefty fines and the risk of losing the authorization to process payment card transactions. The goal here is not to eliminate or minimize risk but to manage the risk exposure to ensure the right level of risk, in order to effectively pursue the strategic goals of the company.

What scares you? (If he says nothing, that’s a problem!)

There are numerous things every CIO should be scared of, from zero-day vulnerabilities to social engineering and phishing, which have become more and more sophisticated over the last couple of years. The key here is that the CIO makes you aware of these without burying you in technical detail.

What is the security around our data and systems?

Not all data is equally sensitive. A plan must ensure that the most critical data is safeguarded. This plan should be a collaboration between IT and the rest of senior management.

What is our response plan for an incident?

Not every organization has one of these, and that’s OK, provided there is a clear plan of crisis response. Some organizations have generalized response plans for crises of varying types (critical system failure, natural disaster, power outages, weather, strike, etc.) with cyber incidents just another form of occurrence to be managed under such a plan. Senior management should run a process review on an annual basis.

Being a technology-savvy CFO doesn’t mean simply having the latest and greatest technology or knowing the latest cyber fad. It means being able to advance your organization’s growth or improve its competitive position by asking questions that identify key constraints holding back the organization from pursuing its goals.

Cyber Vigilant

As Seen in CFO Studio Magazine Q1 2017 Issue

Fran Shammo was prepared to talk about digital media and corporate communications in a virtual world that is rife with cyber criminals, and found the roomful of financial executives a more-than-willing audience. “I am very interested in knowing if CFOs at other companies are experiencing the same kind of apprehension and worry,” explained Mr. Shammo, who stepped down as Verizon’s CFO at the end of October in anticipation of his retirement at the end of the year. Less than a week after he spoke, Yahoo, which, two months earlier, Verizon announced it had plans to acquire, revealed that half a billion user accounts had been compromised.

Mr. Shammo spoke on “Delivering Your Company’s Message in a Digitally Risky World—Communications and Media from the CFO’s View,” at a World-Class Companies CFO Dinner, part of CFO Studio’s Executive Dinner Series, held recently at The Bernards Inn in Bernardsville, NJ. CFOs from select New Jersey–area companies attended the invitation-only dinner. Mr. Shammo said the intense discussion that followed his opening remarks on the cybersecurity concerns that plague him proved that “As CFOs, we’re all in this together when it comes to dealing with the very real and constant threats posed by cyber-attacks.”

Mr. Shammo cited statistics from Verizon’s recent Data Breach Investigations Report, which shows that, among other things, passwords are still the weakest link in the chain. “Sixty-three percent of confirmed data breaches involve using weak, default, or stolen passwords,” he said. This resonated with dinner participants who said they do, indeed, take the issue of passwords very seriously, and noted that password-enforcement programs are in place at each of their respective companies. Mr. Shammo mentioned that Verizon forces automatic password changes on its corporate network every 30 days, which elicited several nods of agreement around the table.

Participants expressed curiosity about the kinds of attacks that have taken place at Verizon. “Given the scope of service Verizon provides,” Mr. Shammo said, “we see almost every kind of attack on a regular basis, and we’re constantly trying to find ways to educate employees to be ever-wary of phishing scams and ransomware.” The group was familiar with the more common phishing scams in which a fraudulent email, appearing to come from a legitimate source, requests personal information. However, ransomware needed a bit of an explanation, which Mr. Shammo provided: “It’s a type of malicious software, or ‘malware,’ that prevents users from accessing their system until a sum of money is paid.”

This caught the attention of Greg Douglas, Vice President of Sales for Eatontown-based Yorktel, a video-communications and managed services provider, and a CFO Studio Business Development Partner. “It’s so important that everyone be informed and trained on cybersecurity. It’s not just for the people in Information Technology (IT), as the threat is huge.” He continued, “Financial executives are choice targets for hackers because of their authority to control company funds. They need to be particularly vigilant in their actions to avoid being compromised.”

Mr. Shammo agreed, and offered his fellow finance execs a sobering reality: “There is a high probability that every one of your companies has been hacked.” He added, “Most of you just don’t know about it, nor do you have any idea about who has been in your system, when they were there, or for how long.” In order to combat such cyberattacks, Mr. Shammo recommended long-term contracts with security firms.

Does Privacy Still Exist?

The conversation then shifted to mobile devices: “Years ago, we were all issued a company device that was for business purposes only, and secure. Then, we started bringing our own devices to work,” Mr. Shammo said, acknowledging that this resulted in a whole host of security concerns and problems for the IT department.

“I see things coming full circle,” he opined, “with a return to company-issued devices.” Attendees were in agreement; just about everyone in the room had a personal phone and a work phone in their pocket. “This is actually a good sign,” said Mr. Shammo, recognizing that “we are simply becoming more mindful about keeping personal stuff personal, and business strictly business.”

Mr. Shammo predicted that the next wave in security is going to be triple authentication procedures. “Double authentication,” he explained, “in which you log in to a website and receive an access code to enter will no longer be sufficient.” He continued, “It’s going to come to a point where, in order to get into a site, you’re going to have to allow location services to be enabled on your phone for an extra layer of protection.” This led to a consensus that, as years have gone by, there is simply no privacy anymore.

A Rock and a Hard Place

The evening was coming to a close as Mr. Shammo finally addressed digital media. “Verizon is a network company as well as a digital media company,” he said, “so there are different regulations that apply to different parts of our business, and different regulatory agencies that apply them. As a company, we are very focused on protecting our customers’ privacy across the entire company. From a regulatory perspective, however, it doesn’t make a lot of sense for consumers to have different rules and different regulators dealing with different parts of the Internet ecosystem.”

Mr. Shammo concluded that it’s a “fascinating world” right now. “Things are converging, and our ability to regulate or control privacy is just not keeping pace. We must be extremely careful about protecting the work we do.”

Copyright 2017