In the entrepreneurial culture of Silicon Valley, one of a CFO’s most important roles is to ensure that risk assessment and management are part of the innovation process, says George de Urioste, CFO of Pluribus Networks. Leveraging his high-tech company experience as a CFO, COO, CEO, board member and audit committee chair, Mr. de Urioste describes challenges of being a Silicon Valley CFO and how he is able to ask the tough questions concerning business innovation without being a “No CFO.” He also explains how CFOs can catalyze efforts to address cybersecurity threats across the enterprise and in the boardroom.
Q: What are some of the challenges of being a CFO in the heart of the high-tech industry, Silicon Valley?
George de Urioste
George de Urioste: There’s an “evolve fast or die” mentality in Silicon Valley. The hyper focus on business innovation and constantly changing business models and strategies place a lot of pressure on CFOs in two places in particular. One area is managing expectations from investors and Wall Street. This can be especially challenging in the high-tech industry these days because of the recent trends in technology company valuations. Doing that well, managing expectations, is about establishing trust and credibility with external stakeholders.
In Silicon Valley, you want to have a CEO who’s willing to leap tall buildings in a single bound and is confident in the company’s ability to do so. But you also need a CFO who will say, “Yes, we can make that leap, but it might take two or three jumps to get over that building rather than just one.” Investors appreciate CFOs whom they can trust to give them an honest assessment, whether it concerns good news or bad. I have always worked hard at building a reputation as a CFO who, if you ask me a straight question, I will give a straight answer whether I think you are going to like my answer or not.
The second challenge concerns playing the pragmatist’s role at the strategy table when you’re surrounded by people with a highly entrepreneurial mindset. We are operating in an industry where it’s so important to say “Yes” to innovation. However, the equation for innovation success needs to include risk assessment. This is not risk aversion, but rather the “CFO art form” of asking the right questions to be risk intelligent. For example, a company is ready to bring a new product to market and is contemplating a large expenditure. Have the entrepreneurs asked: “What customer behaviors are necessary to drive wide-spread adoption?” If the CFO gets deer-in-the-headlights stares, it’s likely the company isn’t ready to market the product, regardless of the innovation.
Q: How does the business typically respond to that honest and direct truth-teller mentality of a CFO?
George de Urioste: You have to earn the credibility with the business as a collaborator, so that when you ask tough questions, you’re not viewed as an adversary to innovation. I view my role as a servant-leader, so I’m always asking myself, “Am I doing everything I can to support the success of others?” When you project that attitude and back it up in your actions, the trust follows. The VP of marketing sits across the hall from me and is constantly coming into my office to bounce ideas off of me. He feels comfortable having me as a sounding board because he trusts that I understand that the company wins if he accomplishes his goals.
Q: What do you consider the biggest challenges when it comes to cybersecurity and preparedness?
George de Urioste: It’s only recently that senior management and boards have begun to grapple with the reality that individuals or loosely organized criminal hackers no longer represent the major threat. Rather, the biggest threat is coming from sponsored nation-state and organized crime efforts to penetrate networks to disrupt business and/or steal intellectual property. Defending against those actors requires a much bigger effort than just investing in cybersecurity products to defend the network at the perimeter.
To think we can prevent intrusion by locking all our network windows and doors is to engender a false sense of security. Why? Because intruders will get in, whether a company knows it or not. There is a need to broaden a company’s perspective to understand that the cybersecurity threat is on par with economic warfare, even when there is no apparent military consequence or human harm element. A major challenge to that is employees’ mindset when it comes to their role in cybersecurity. Cyber tools can be strong at the perimeter, but employees are inside the network perimeter; the choices they make on what to trust, what to question and what to be wary of are the critical link in the chain of security.
Q: What can CFOs do to help their companies take on those challenges?
George de Urioste: CFOs can make sure the IT organization has the resources available to take cybersecurity measures necessary to protect the network, IP and the company. Ensure that cybersecurity spending is a priority. CFOs can also assess the company’s preparedness for cyberbreaches by asking the CIO questions like, “What would be the result of a vulnerability assessment, if done by a third party? How would you know if someone is inside our network right now? How do you limit the attack surface once intruders are in the network? How do you prevent exfiltration, that is, preventing valuable information from getting out?”
On the people side, I champion the understanding that each employee is important to maintaining cybersecurity. Make sure everyone knows how they can be part of the solution to defending company value against cyberattacks by adhering to security and compliance measures. I also communicate that I won’t tolerate people who make themselves part of the problem by not complying.
Q: What can CFOs do to help their boards understand the importance and challenges of being cyber-prepared?
George de Urioste: Many boards have awakened to it and have raised the priority of cybersecurity. The challenge is getting more board members to recognize they should obtain advice from experts to enable risk-intelligent decisions. It’s good to know the perspective from the CIO. But just as a CFO has the financial statements audited, it’s time for a board to require audits of data center and network operations.
The CFO needs to be the transformation agent. Describing the paradigm of network security and related threats can be like trying to predict the timing of the next earthquake–no one knows when it will happen, but that doesn’t mean you should not invest in being prepared. The astute board respects being risk intelligent. Just as boards came to prioritize disaster recovery and business continuity, they now need to raise the priority on cyber breach and how to handle it once it occurs. CFO should assume a cyberbreach will happen, then demonstrate to the board the repercussions when it does. This can frame the discussion as a wake-up call. Specifically, describe to the board the potential intellectual property losses, legal expenses, property losses, reputational loss, time loss and administrative expenses.
Q: How has serving as a board member helped you as a CFO and vice versa?
George de Urioste: My board member experience has driven home for me that when it comes to communicating with the board as a CFO, it’s about the people first, the data second. Reading the dynamics of boardroom interactions is key to how I time and position the topics I want to discuss with the board. When it comes to helping my board interpret and calibrate financial risks, I make sure to frame the issues to enable quick absorption and help create priority, rather than get too deep into the weeds. For example, if I’m there to discuss a specific financial issue, I’ll focus on why it might be key to, or impact, our growth strategy, or how it could represent a risk to the enterprise.
My CFO experience comes into play in my role as a board member by enabling me to deep-dive the details that many board members may not have the financial acumen to understand. I’ve found that providing insight into how financial issues impact business value can be essential to determine if management is fully considering relevant financial matters in a new business strategy, and whether risks are being appropriately weighed. I can ask questions about a big investment or a proposed deal that only someone with a strong finance background would know to ask, and that’s a valuable tool to have in discussions with management.
View the original content and more from this author here: http://ift.tt/1DIzRY6
from cyber security caucus http://ift.tt/1IAK5RH
via IFTTT
No comments:
Post a Comment