July 19, 2017

The One Thing Every CFO Should Know About IT Risk

IT audits, IT outsourcing, IT disaster preparation

Trust is important in business. Every leadership position requires individuals who are great at their jobs, and leadership evaluates their performance over time against key performance indicators (KPIs). Leadership usually has an idea of what to look for and at least a basic understanding of employees' positions. For financial professionals who manage IT personnel, however, this can be challenging. How do financial professionals develop the right KPIs to review IT personnel? Verifying that IT work is being done correctly can be very difficult, if not impossible, for non-technical executives.

Few CFOs learned IT management in their undergraduate degrees, and many may not have received IT training during their MBA, depending on when they graduated. Most CFOs learned through self-study and handled issues as they arose. One of the biggest issues in IT management is oversight of the work itself. How can a financial professional verify the technical details of security and systems administrative work? How can they be sure IT processes meet industry standards and are conducted according to those standards? IT oversight is a challenging field, especially for those who are not IT experts.


The biggest mistake companies make in IT oversight is evaluating their IT team by how well they handle projects and emergencies. Firefighting against security and other emerging issues is an important and necessary part of the work done by IT personnel. Nevertheless, it is the wrong criterion by which to evaluate performance. Instead, the company must develop process management criteria by which to evaluate the staff. How well are they doing against daily, weekly and monthly metrics? How efficient are they against best practices and industry standards? And most importantly, are they improving?

The first step toward creating the right criteria is to establish a baseline. How well is the department functioning? Most companies erroneously focus on help desk issues, as they are the most visible form of interaction with customers, which makes gathering information easy. However, help desk issues, for the most part, reflect short-term productivity. They do not speak to the system administration and security functions, which rarely get reviewed in detail.


The IT Story is More Than the Metrics

When asked, your team will likely report that everything is great, and to the best of their knowledge, they may have reason to believe they are on track. They may even produce charts showing average ticket close rates, the percentage of tickets resolved on the first call, and a detailed log of the various updates and patches they applied in the last month. However, the metrics and charts are only part of the story. They don't speak to the overall security strategy and infrastructure management, nor do they point out any blind spots in the system.

There are few things harder than checking your own work. Think back to your college days, when you turned in a paper that you wrote, rewrote and then perhaps had a proofreader review. How often was your paper returned with red lines marking mistakes that, in hindsight, were silly and even obvious?


Cognitive bias makes it difficult to see your own mistakes. Your mind knows what it was trying to do or say and blocks out wrong information. IT management is not immune to these effects, and according to the team that did the work, everything seems fine until it fails. Mistakes can creep into a process and go unnoticed for months or even years, since fast-paced changes in technology can mean that what was once a best practice may no longer be one. Continually reviewing your systems will help keep them up to date as things change. One way to identify your baseline and to avoid potential blind spots is to have a third-party IT audit.

Third-party IT audits have three major benefits:

  1. Third-party Technology Audits Lower Risk. By reviewing each major function of the company's IT processes and procedures, the management team will gain insight into how well (or poorly) their network and security functions are managed. The IT audit will point out deficiencies and highlight risk areas that can be improved.
  2. The Power of the Outside Voice. Sometimes hearing a warning from an impartial outside entity can have a profound effect. When someone you are familiar with brings up an issue, how well they communicate the message and how well you receive it can affect whether they get the attention and budget they require. Your team may think they communicated a vulnerability to you, but were you able to understand its implications and urgency? Many IT managers are introverts, and their idea of sounding an alarm may be quite different from yours. What seems like a minor issue requiring no follow-up could actually be a major one. The recent failure at British Airways is a case in point. The airline lost more than a hundred million dollars after a power surge damaged vital IT systems. Power surge protection is one of the most basic IT best practices. The full investigation is not complete, but it seems unfathomable that the issue went undetected. Every entry-level IT technician is taught about power surge protection. Most likely, the team knew they had an issue, but it got buried in the communication with the outside team. Even the most cursory IT audit would have highlighted the issue as the level 1 emergency that it was.
  3. Verification Builds Trust. Peer-reviewed work can set the standard going forward. Once any issues are identified and remediated, processes can be updated. The new processes become the baseline for developing KPIs. What is inspected will improve, and decay in the process is less likely when the team knows a refresher audit will occur in 12-18 months. Teams that know the evaluation is fair and set against a known standard will far outperform teams that are comfortable knowing that no one is watching.

Lowering IT risk begins with reviewing systems and structures against industry best practices. Hiring third-party technology auditors not only lowers risk but also improves performance and helps prepare you for the future.