IT Questions Every CFO Should Ask

by | Mar 2, 2020 | Risk Management, Technology Strategy

Everyone in IT thinks a lot about CFO’s. They are a core key constituent for what we do. Unfortunately, people in IT don’t always know how to communicate effectively with CFO’s. I’ve seen IT people use acronyms to define acronyms. The leadership team at ZAG spends a lot of time working to educate our team on how to communicate effectively with CFO’s.

I’ve been thinking about this a lot and thought that maybe it makes sense to attack this communication problem from the other side of the table. To start with this concept, there are several questions that every CFO should be thinking about. These questions are based on decades of working in IT and helping organizations succeed.

What is the purpose of IT?

Every CFO should have a clear vision of IT’s purpose. This vision can range from being a cost center to being a competitive advantage for the organization. Both positions can be correct for an organization depending on the company’s situation.

The traditional role of IT is as a cost center. This perspective leads to cost containment as the chief focus. This view on IT is for most companies dated. If this is the role in IT for an organization, the CFO should do some introspection to determine if it is right for the future of the company.

Most companies are extremely dependent on IT. It has gotten to the point where even very low tech companies are dependent on their IT to function. Without email, IT-based information, the organization’s ERP system, etc, the company cannot function.

The reality today is also that the more IT is viewed as a competitive advantage, the better the company will flourish. IT is fast becoming a competitive advantage for most successful organizations. Having a clear vision for IT will lead to organizational success.

Is IT security really this complicated?

When it comes down to it, IT Security is really simple. Most of it can be boiled down to checklists to be completed. But there a lot of items on these checklists. ZAG has created its Standard Alignment Optimization (SAO) program to keep track of them.

If the organization implements the security standards, it will have a very safe security position.

But security must be maintained religiously. It is truly a case of ensuring you don’t have a weak link in your security.

CFO’s must demand that IT deliver security. You must require that your IT keep you secure. Challenge them on it. You know all about risk mitigation as a CFO. Focus on IT Security as part of your risk mitigation mission.

How technical is the best IT protection?

IT continues to fight criminals. Unfortunately, criminals continue to get better. It used to be good enough to watch for bad grammar in emails. That is no longer good enough. Criminals are writing phishing attacks in perfect language, reflecting how Presidents and other key executives actually speak. They are hacking accounts and sitting on them for months until the timing is perfect for an attack.

While IT must always work to get better, the best defense for many of these fraud attacks is to require nontechnical checks. Instead of relying on email, require that people pick up the phone and verify the request.

What’s the difference between Backups and Disaster Recovery?

Let’s face it, one of your key organizational responsibilities is risk mitigation. Backups and Disaster Recovery (DR) are all about risk mitigation. Don’t fall into the belief that they are the same.

Backups are the ability to recover from lost files and servers. These are critical. A simple file or email being recovered could save the organization greatly. Your IT team should ensure that they can recover from backups. Make them test restores monthly.

Disaster Recovery is much more complicated than backups. DR is the ability to recover a failed server, a lot of servers, all of your servers or the entire organization’s infrustructure including servers, PCs and everything.

If the DR situation is caused by a criminal intrusion, they may have wiped out your backups, databases, and everything. You are set with rebuilding everything. These are situations that happen today. Your team must be prepared for them.

There are two key terms that IT will throw at you when talking about DR. These are RPO and RTO. These are simply explained as:

RPO – Recovery Point Objective – How much data you are willing to lose. This is normally put in periods of time such as minutes, hours or days of data loss.

RTO – Recovery Time Objective – This is simply how long it takes you to recover from a disaster.

It is critical that your team perform practices of DR situations. If these aren’t done regularly, they are at absolute risk of not working. It is recommended that you do these at least annually.

Do I need an Acceptable Use Policy?

This actually isn’t an IT question, but every IT person should be making sure you have one. You must protect your organization by ensuring that everyone signs an Acceptable Use Policy (AUP) that takes away the perceived right to privacy while an employee is using a company computer, email or other systems. To not have this in place can put your organization, including your IT personnel, personally at risk.
Do I know how to use Cyber Insurance?

You should absolutely never have to use your Cyber Insurance. But if you do, make sure you know ahead of time how to transact on it. ZAG has only been brought into one situation where the company had to pay the criminals. That was heart-wrenching but the company (someone we had never worked with before) didn’t have backups or snapshots of their systems.

It is critical to know how to engage the insurance on this type of issue. They should:

  • Handle the negotiation with the criminals
  • Help ensure that the criminals have gained some level of trust in the wild. I know this seems counterintuitive, but the last thing you want to do is throw good money after bad by paying and getting nothing for it.
  • Arrange for the BitCoin payment. This is not something you want to figure out in a disaster situation. You also don’t want to be anywhere near this
  • Potentially bring in experts to understand how you got hacked and potentially make sure you aren’t at further risk

Understanding how to use your cyber insurance when all else fails is critical. Remember that criminals don’t normally encrypt you on a Monday morning. They hit you on a weekend. Make sure you know how to respond.


IT is not that complicated when it comes down to it. Too often the mystique of technology overshadows the real need to enable the organization to succeed through the use of this technology.

Ultimately, holding your IT team accountable often falls to the CFO. If that is you, make sure you engage with them. Don’t let the overuse of acronyms by your IT team become an excuse for IT failure. If needed, drive them to level up their communications to put them in the proper business context. Help make them successful by ensuring they deliver what the organization needs.

Related Content