Editor’s Note—Tech is hard. We get it. To help, StrategicCFO360 and The CFO Leadership Council are launching a new effort—starting with this free newsletter—to help finance pros make more confident technology choices and help software providers understand and more successfully serve their needs.
On October 29-30, we’ll also hold our inaugural Finance and Accounting Tech Expo at the Javits Convention Center in New York City. Join us!
We could use your help, too: If you have feedback, ideas or product, people and company news to share with the community, email us at vince@CFOlc.com—Vince Ryan, editor
Data Security: Trust No One
To think that your company's and customers' data is safe from hackers these days, even with a phalanx of security systems guarding them, is a quaint notion.
Too many pathways and entry points to that data exist. What was once a bumpy towpath for hackers has become an eight-lane superhighway. The data and information your organization stores in third-party systems and applications and with business partners is one of the most vulnerable access points—or at least you should assume it is.
How do organizations avoid incurring a multi-million-dollar hit to the income statement or, like the IRS this week, experiencing the humiliation of a forced public apology for leaking customer information?
The third-party problem can seem overwhelming. According to Kiteworks, a provider of systems for securing access to and sharing enterprise content, two-thirds of U.S. organizations exchange sensitive content (including financial information, strategic plans, intellectual property and contracts) with 1,000 or more third parties.
Frank Balonis, chief information security officer of Kiteworks, is an engineer by trade who has worked in the federal government safeguarding critical information about U.S. defenses. We asked Balonis how companies can protect sensitive data handled by third parties, especially if they don't have the tools to audit and track everything that leaves their systems.
- Know your partners. To protect data, businesses must get it right every time; the hacker only needs to do so once. The goal is to minimize the risk of an attack and breach. A good compliance program for securing personally identifiable information per industry regulations is a good foundation. But the organization must ensure third parties pay the same attention to security and monitoring of the specific information shared with them, Balonis says.
- Get answers. At a minimum, ask the partner/platform provider the following, says Balonis: Where is the data we enter being stored? Is it being stored encrypted or unencrypted? Where is it being processed? Who has access to the data? What happens to the data after the relationship or agreement is over? Is it deleted? For a more detailed analysis, the Cloud Security Alliance has a broader and more specific assessment questionnaire. It covers audit and assurance policies, business continuity management, secure data disposal, information governance procedures, procedures for security incidents and much more.
- Review attestation reports. Read the independent reviewer's reports on the third party's security systems and ask questions about any findings that require addressing, says Balonis. "If I'm about to put a company's sensitive information into a third party's cloud services, the first thing I ask is whether they have an ISO certification," he says. "Do they have a SOC report?" If the answer is "no," says Balonis, "I won't even move forward. I just go on to the next candidate."
- Assume hackers are inside. Given all the attacks from nation states and other sophisticated hackers, preventing system penetration is almost impossible, says Balonis. So have a robust detection and response system or similar tools so that if hackers "start mucking about in your systems, alarms are going to go off," he says.
- Use an identity management system. Tools like Azure Identity Management and Ping Identity can help secure cloud computing environments, Balonis says. These systems control user access based on location, device and user risk; require authentication beyond passwords; assign permissions to privileged accounts; and securely authenticate storage. When a partner of Kiteworks experienced a data breach very recently, Kiteworks' identity management system reduced the impact on Kiteworks to zero, Balonis says.
Lastly, everyone in an organization should be aware of the reality of the cloud: "Cloud computing just means someone else's computer," Balonis says, citing an old system administrator joke. "Someone else is controlling what you are doing in the cloud."
Steve McNally, CPA, is the CFO of The PTI Group, a global provider of plastic packaging and sustainable packaging design and development, and past chair of the Institute of Management Accountants. We asked him to describe PTI Group’s IT environment.
Our primary tools are the NetSuite mid-market cloud Services ERP system, including G/L, A/R, A/P, purchasing, quoting and time tracking, and FileMaker Pro for operational activities like company workflow, scheduling, quality management, inventory control and data storage. We also leverage the Microsoft 365 suite, of course, as well as virtual prototyping and other industry-specific software.
Several years ago, we outsourced our IT help desk and related activities, providing access to a group of skilled IT professionals and significantly upgrading our information security as part of the package.
What’s your joy, and what’s your headache?
We are charged with creating economic value; to do so, we must make sound business decisions. My joy is ensuring cross-functional partners have the analysis and insights they need to perform their responsibilities effectively and being able to quickly create new tools when we identify gaps or business needs change. My headache is being told, at the eleventh hour, that we need to delay the implementation of new features because members of the user community didn’t perform their acceptance testing before the final go/no-go meeting.
If you could wave a magic wand, what would you make your software companies do for you?
Simplify their standard software license agreements and eliminate the multiple pages of small-type CYA legalese so I can quickly and confidently add new tools without inadvertently creating risk or incurring hidden costs.
What’s your best piece of tech advice for others in your job?
Take a practical approach to new technologies. Cultivate a digital-savvy mindset, asking the right questions when considering an addition to the organization’s tech stack. Ensure investments are consistent with the organization’s overall philosophy and strategy. Drive cross-functional discussions regarding each investment, verifying the purpose, need, strategic objective and problem to be solved. Then, ensure new and existing tools are used to their fullest by investing in ongoing training and periodically reassessing use vs. capability.
Have news to share? Drop us a line at vince@CFOlc.com — Vince Ryan, editor
Intuit signed an agreement to acquire technology from mobility risk intelligence company Zendrive to accelerate adoption of Intuit’s usage-based auto insurance product, Karma Drive.
Workiva added to its ESG & sustainability platform with the launch of Workiva Carbon, a set of capabilities for simplifying carbon accounting, setting science-based emissions reduction targets and responding to stakeholder demands for transparency.
Spend management platform provider Ramp launched Ramp Travel, a system designed to streamline travel booking for employees and give employers more control over and visibility into spending. Users will have access to Priceline’s accommodation inventory and airline partners.
Automated bookkeeping and accounting platform company Digits acquired budgeting and forecasting platform Basis Finance to accelerate its FP&A roadmap. Digits serves pre-seed to series B startups.
American Express announced the purchase of two companies: Tock, a reservation, table and event management technology provider owned by Squarespace; and Rooam, a provider of contactless payment solutions that integrate with point-of-sale and loyalty systems used by restaurants and entertainment venues.
Broadridge Financial Solutions appointed Roz Smith as chief operating officer of Broadridge International, effective May 1. London-based Smith spent 18 years at HSBC.
Data analytics provider Sigma named Christina Liu as chief financial officer and Ali Harmer as general counsel. Liu was previously chief accounting officer for Confluent and Zendesk.
Netgain, a provider of NetSuite-native software solutions, appointed Roman Bukary as chief revenue officer. Bukary has experience in sales at Phenom, Oracle, NetSuite and SAP.
Workday announced the election of Michael Speiser, a managing director of Sutter Hill Ventures, to its board of directors. Speiser was the founding CEO of Augment, Observe and Pure Storage and for two years served as part-time CEO of Snowflake.
London-based Stability AI, developer of the popular Stable Diffusion text-to-image AI model, named Prem Akkaraju, formerly of Weta Digital, to the CEO seat. Akkaraju replaces Stability AI’s founder and former CEO Emad Mostaque.
Stock performance is as of the market close on June 25, 2024
Plan to join us at the Finance and Accounting Technology Expo, the country’s largest annual trade show for buyers and vendors of corporate finance and accounting software. This year’s event will occur at New York’s Javits Convention Center on October 29-30, 2024. This is an excellent opportunity to network with industry peers, learn from experts and discover new products and services. Register online at StrategicCFO360.com/FATE/register/ and get a limited-time, free registration using the code czh510.
Keynote just announced! Daymond John, founder of FUBU, Shark Tank judge and bestselling author, will bring his unmatched expertise to the stage.
Master’s Guide To Digital Transformation: Your Path To Growth July 17, 2024 | 3-4 pm EDT | Live, Online
The Continuous Close: A Remedy for Month-End Stress July 31, 2024 | 1-2 pm EDT | Live, Online
CFO Insights Series: AI & The Modern CFO – Latest Developments August 8, 2024 | 1-2 pm EDT | Live, Online