Welcome to the latest edition of the Finance and Accounting Technology Briefing, a biweekly newsletter jointly produced by StrategicCFO360 and The CFO Leadership Council. Our goal is to help finance pros make confident technology choices and give software providers a better understanding of their customers' needs.
A reminder: Our inaugural Finance and Accounting Tech Expo at the Javits Convention Center in New York City on October 29-30 is fast approaching. See the unique code at the bottom of this newsletter for a limited-time, free registration.
If you have feedback, ideas or product, people and company news for the Briefing, please email the editor at vince@CFOLC.com. We look forward to seeing you in October!
The Software Update From Hell
While CrowdStrike is a cybersecurity vendor, the global IT outage it caused a week ago wasn't technically about security. And it wasn't a "cyber" anything—it was real-world chaos, choking the operations of hospitals, banks, airlines and even broadcasters. Tallying up all the pain it caused—in some cases, we expect, closed businesses and lost jobs, and maybe worse—will take months, perhaps years.
Unfortunately, CFOs can't take that long to ensure this doesn't reoccur, even if they were just rubberneckers to this massive IT break. "Because the CrowdStrike failure shut down business operations, in many organizations, the results will land right on the CFO's desk," says Jon Winsett, CEO of NPI, an IT procurement solutions provider that had large enterprise clients affected.
For the businesses whose Windows machines went blue screen, it could mean revenue and brand integrity loss. For all businesses, though, the incident was a stark reminder that even well-resourced, trusted software vendors can inject vulnerabilities into company tech stacks, Winsett says. The "good guys" can do as much damage as the bad.
But this operational risk will be "tricky to mitigate going forward," says Winsett: "Seemingly innocent automatic updates are happening on our devices throughout the stack from the OS to the keyboard every day—halting those updates introduces other, equally perilous consequences."
While CrowdStrike has promised to improve the testing of software updates and stagger future update sends ("canary deployments," they're called), customers would be unwise to trust that will happen. "The confidence we built in drips over the years was lost in buckets within hours," wrote Shawn Henry, chief security officer of CrowdStrike, on LinkedIn.
To be proactive, companies must reassess their IT systems' potential points of failure and consider the need for greater redundancies and quality control across the IT stack. Among the other measures companies can take to lower the probability of being a victim of an event like this are the following:
- Handle software updates with care. NPI's clients are focusing on staged updates from now on to err on the side of caution. That requires "determining which technologies should be subject to a 'walk, then run' methodology where updates are not automatic but rolled out to a specific cohort or two first as a precautionary test before full-scale distribution," Winsett says. Data security, GRC and vendor risk consultant Craig Callé says, "This is a bit tongue in cheek, but service-level agreements need to indicate that untested, kernel-level software updates should not be pushed globally, at one time, especially on a Friday."
- Refresh recovery plans. Refresh and rehearse response and recovery procedures for non-breach scenarios, Winsett says. Plans for restoring systems after an IT outage can include "back-out" procedures specifically for updates that don't go as planned, according to a July 19 Forrester Research advisory. The procedures return the system to a known, good state. "CFOs should demand particular focus on revenue-centric systems," Winsett says.
- Hold vendors' feet to the fire. Software contracts can be used as a risk mitigation tool. CrowdStrike reportedly only offers a warranty if a customer suffers a security breach. CFOs should consider asking for "business interruption indemnification clauses from any vendor in the event of a software update gone awry," according to Forrester. "Maybe this teaches us that we need to have a greater focus on damages in software contracts," Callé says, to reimburse the customer for lost business. "Money talks. When you hold the vendor accountable for real damages, they're going to be more cautious," he says.
- Re-examine third-party risks. Tech teams need to map a company's third-party ecosystem to identify significant concentration risk among vendors, says Forrester, especially those vendors that support critical systems or processes. (Windows users, take heed.) In addition, "incident response and business continuity are important parts of a third-party risk [management] program," Callé says. "Third-party risk management should be about more than just sending and receiving questionnaires."
The actions above have their own danger, though: the potential to drive significant, unplanned IT spending, says Winsett. "Some vendors will smell blood in the water after this fiasco. CFOs would be wise to have a strategy in place to protect against overspending as they wade through the implications."
—Vince Ryan, editor, The CFO Leadership Council. vince@CFOLC.com
From our partner:
Imagine an instant network of your senior finance peers! A community that allows you to profit—personally and professionally—learning from other experienced CFOs who have stood where you stand. That's the power of a CFO Leadership Council Membership. Join Today! Use Code CEG50 to receive $50 off membership.
Renae Flanders is CFO of World Insurance Associates, a full-service insurance organization offering personal and business products from national carriers and serving more than 300,000 U.S. clients through local agents. We asked her to describe the privately held company's tech setup.
Our accounting and finance tech stack starts with NetSuite as our GL and adds Power BI as a front-end to our retail brokerage systems (primarily EPIC and other Vertafore products). We have other proprietary systems inside of our wholesale and financial services businesses. We use Stampli (vendors), Concur (expenses), UKG (HR and payroll) and other SaaS systems that we connect to NetSuite via API. And like most finance and accounting teams, we use our loyal best friend, Microsoft Excel, to help with advanced modeling and data analysis.
What's your joy, and what's your headache?
I'm a simple woman. I experience joy when things work as intended, thereby giving me the ability to produce timely and meaningful results to stakeholders. Roadblocks, difficulty in system setup and user acceptance testing challenges often require a bottle of Tylenol.
If you could wave a magic wand, what would you make software companies do for you?
The tip of my magic wand has the words "understand my challenges" and "be transparent." Our most successful vendor relationships are with those who take the time to understand my pain points and are honest about whether their product can alleviate that pain. Too often, that gets lost in the sales pitch and by the time it gets to client success, they have a frustrated client to onboard.
What's your best piece of tech advice for others in your job?
My advice is two-fold: technology and people. On the tech front, seek out vendors who truly understand your pain points and can help solve your issues—the vendors who talk about YOU and not THEM. And on the people side, be sure to have a strong team who understands the power of technology and robust reporting.
Have news to share? Drop me a line at vince@CFOLC.com — Vince Ryan, editor
ERP provider Infor completed the acquisitions of Albanero, a data migration and management partner, and Acumen, a consulting and analytics services firm used by consumer packaged goods manufacturers.
CrewCost announced the launch of the company and its namesake product, a cloud-based construction accounting software package built for small and mid-size contractors.
AuditBoard launched new out-of-the-box self-assessment tools for internal auditors to comply with new global standards from the Institute of Internal Auditors. The standards go into effect in January 2025.
Blackbaud added new capabilities to its grants management software, including an applicant-centric portal and an AI-powered form builder for nonprofits applying for grants and for grant-makers selecting nonprofits to fund.
HUB Analytics launched its all-in-one platform for financial modeling, budgeting and forecasting, designed to combine the expertise of an entire accounting department into a single platform.
BILL promoted Sarah Acton to the newly created role of chief customer officer. Acton, formerly chief marketing officer, will lead the company's go-to-market functions, including sales and marketing.
PwC named Dan Priest as its chief AI officer. A 12-year veteran of the firm with experience in digital and tech strategies, Priest is a former CIO of Toyota Financial Services.
Spend platform Brex announced that Sibongile Ngako, previously with Affirm, has joined the company as chief compliance officer, responsible for expanding Brex's frameworks for managing regulatory risk.
Ayara, a revenue management software provider, hired Rakesh Amerineni to be its new chief strategy and operating officer. Rakesh has more than 20 years of experience in finance strategy and transformation at DocuSign, LinkedIn and Cisco.
Mews, a provider of hospitality management systems, appointed Michael Coscetta as president. He was formerly chief revenue officer of blockchain infrastructure company Paxos and chief commercial officer of real estate tech company Compass.
Stock performance is as of the market close on July 23, 2024
Plan to join us at the Finance and Accounting Technology Expo, the country’s largest annual trade show for buyers and vendors of corporate finance and accounting software. This year’s event will occur at New York’s Javits Convention Center on October 29-30, 2024. This is an excellent opportunity to network with industry peers, learn from experts and discover new products and services. Register online at StrategicCFO360.com/FATE/register/ and get a limited-time, free registration using the code czh510.
Keynote just announced! Daymond John, founder of FUBU, Shark Tank judge and bestselling author, will bring his unmatched expertise to the stage.
- The Continuous Close: A Remedy for Month-End Stress | July 31, 2024 | 1-2 pm EDT | Live, Online
- Three Ways to Future Proof Your Tax Compliance Strategy | Aug 7, 2024 | 1-2 pm ET | Live, Online
- CFO Insights Series: AI & The Modern CFO – Latest Developments | August 8, 2024 | 1-2 pm EDT | Live, Online
- AI Connect – Monthly Training and Best Practices for Business Leaders | Upcoming Session: Introduction to Agentic Workflows | August 8, 2024 | 3:00 – 4:30 PM ET | Live, Online | Featured Speaker: Glenn Hopper, a CFO with 20 years of experience leading finance operations
If you enjoyed this e-newsletter, please subscribe to receive future issues in your inbox. You can also share it with your colleagues and friends who might be interested in finance and accounting software. To subscribe or share, please visit StrategicCFO360.com/FATE/ and fill out the form at the bottom of the page.
Thank you for your support and feedback. Don’t forget to add editor@FinanceAccountingTech.com to your Safe Senders list to make sure it gets delivered.