by Felicien | May 15, 2019 | Education
Opportunities to spend on tech are endless these days. But your budget isn’t endless. Your company needs to invest in technology, but you need to do it in a way that’s smart and strategic. Check out our CFO’s guide to smart investing in information technology. We’ll show you how to prioritize your technology investment so that you can make smart decisions and stay on budget.
The Problem
The problem with smart investing in information technology is the sheer number of choices available. Hardly a day goes by without a new B2B information technology product hitting the market. You can’t possibly purchase them all, nor does your business need them all.
As the CFO you may or may not be involved in specific purchasing decisions, depending on the size of your business and the size of the purchase. You do, however, bear ultimate responsibility for setting your purchasing strategy. With so many IT investment options available, you may be overwhelmed trying to cut through the noise and decide what’s best for your organization. The lower your comfort level with technology, the worse the confusion gets.
Understand the Importance
The first step toward solving this problem is to engage with it. Understand that in many real ways technology is the future. You can’t afford to sit on the sidelines or to keep doing business as usual. Your competitors aren’t, and you’ll be left behind.
Simply put, picking the right new tech and integrating it successfully into your business can give you a competitive advantage over competitors. Therefore, in concert with your business’s technology team, you and the financial team must evaluate new IT developments, selecting and implementing the trends that will keep you competitive.
A Framework for Evaluating Emerging IT Innovations
Typically, companies receive far more internal requests for new software or hardware that can be approved within the current budget. To add to the problem, B2B sales efforts come from every direction. These promise to solve one problem or another or to give you that competitive advantage over your competitors. Never mind that the salesperson is trying to sell the exact same solution to those competitors.
What’s needed is a framework for evaluating emerging IT innovations. The questions below can help you decide which internal requests and outside sales pitches are worthy of your attention . . . and your money.
Question 1: How does the tech improve the group requesting it?
Many businesses receive countless technology requests from within. You and the finance team likely can’t approve every one of these, nor should you. The easy questions to ask are “does an employee want this software?” or “Will this software improve the employee’s situation?”, but those aren’t the right questions. Instead, ask “how will this piece of software improve this department or the whole company?”
This strategic question can help you prioritize your technology spend. Software A may very well improve life for that one person in sales, but if Software B realizes far more gains for a 30-person division, it ought to rank higher in the budget.
Question 2: Would this investment disrupt our existing IT deployments?
Sometimes blowing up the status quo is just what you need to succeed. Other times, though, wisdom is to leave well enough alone. If a new technology investment isn’t going to play well with your existing systems, you want to find this out before signing off on the purchase.
Neither internal requests nor external sales pitches are immune from this danger. Work with your technology teams to discover how a new investment will interface with your current system. Don’t spend the money until you’re convinced that the new tech will integrate into your current systems.
Question 3: Would this investment disrupt our workflow?
This is similar to question 2, but it focuses on the human component. A shiny new piece of software may well speed up Step 4 in a complex process in your business. Maybe it even cuts the time in half. Sometimes, though, there are trade-offs. You need to know if it’s going to make Steps 1 through 3 an absolute pain to complete, or whether it will add time to Steps 5 through 8.
Avoid facing an employee mutiny by fully vetting the impact the new technology will have on your current workflow. Be sure it’s a true net step forward before you commit.
Question 4: What are the returns on investment we will see by implementing?
With question 1 you’ve already established how the product will benefit one or more departments. Now, take it a step further and look at your ROI. How greatly will this investment increase sales? What estimate can you place on the productivity or quality-of-life gains? Is the cost worth the advantage you’ll gain over competitors? Answering questions like these gets you to a more specific understanding of the true worth of a proposed investment.
Conclusion
Navigating the new technologies available will always be a challenge for CFOs. By asking these 4 questions, you can prioritize your technology investments smartly.
by Felicien | May 15, 2019 | Education
Data security becomes more important with each passing year. It’s important to have a good understanding of the terms that both governments and the information security industry use. Understanding these terms will help you lead your organization to comply with today’s regulations as well as whatever new regulations are coming down the pike. Today we’ll define three major terms: personally identifiable information, non-personally identifiable information, and personal data.
Personally Identifiable Information (PII)
Personally identifiable information, or PII, is information that organizations may hold on individuals that can be tied to the individuals’ identities. The National Institute of Standards and Technology provides a legal definition for the USA:
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
PII comes in two varieties. Linked information is the more sensitive variety. Anything that can by itself be used as an identifier is considered linked information. Social security numbers, driver’s license numbers, full names, and physical addresses are all examples of linked information.
Linkable information is the second category. Linkable information can’t do much on its own, but it becomes powerful when linked with other pieces of information. ZIP code, race, age range, and job information are all examples of linkable information.
Non-Personally Identifiable Information (Non-PII)
Non-personally identifiable information, or non-PII, is information that doesn’t fall into the above categories. All sorts of information falls into this category. In the digital world, IP addresses, cookies, and device IDs are considered non-PII, since (unlike what you see on TV) these pieces of information can’t be used to identify an individual.
Personal Data
Personal data sounds like a casual way to describe the above, but it’s more than that. Personal data is a term used in Europe that is roughly equivalent to PII. Euro-centric publications won’t tend to use the term PII unless discussing something explicitly American. Many of the same principles of PII apply to personal data, but there are some further ramifications that are important to know.
As the USA does with PII, the EU has a specific definition for personal data, defined in GDPR as this:
Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A Crucial Difference Between PII and Personal Data
One of the most crucial differences between the NIST’s definition of PII and GPDR’s definition of personal data is this: GPDR concludes that even cookies, IP addresses, and “other identifiers such as radio frequency identification tags” can be personal data, especially when combined with other unique identifiers.
In short, the EU’s GPDR guidelines are more restrictive than their USA equivalents. This is the explanation for the rash of “cookie notices” that’s spread around the web, and it could have implications for your business.
Wrap Up
If you need more information about PII, non-PII, and personal data, don’t hesitate to reach out. We’re here to serve you and meet your IT needs.
by Felicien | May 15, 2019 | Education
Human capital is one of the most important business assets and also one of the most elusive. Today’s employees are staying only an average of around 4 years, far different than years past when people regularly stayed with the same company for over a decade. Job stability is a serious concern for organizations, who often find that they are losing their highly qualified staff members when a better offer comes along or when opportunities dry up. This can happen because organizations do not have a stable and structured human resources staff that is able to continuously create opportunities for training and advancement within the organization — staying tuned to the needs of the highest-performing staff members while supporting a positive culture throughout the organization. With the focus on swift moves and organizational change, it’s a strategic imperative that you have a top executive focused on the human resources needs of the business.
“Culture Eats Strategy for Breakfast”
Anyone who has been through business school has heard this old adage from management guru Peter Drucker, as related by Mark Fields in 2006. While it may be a bit trite, this statement has never been more applicable as the corporate culture can quickly fester due to poor decisions by business leaders who are not keeping personnel needs in mind. People want to work somewhere that provides personal as well as financial fulfillment and that often means finding a flexible working situation or the ability to advance their careers with hard work and dedication. If the culture of your organization is toxic with poor leadership in place, it may not even be obvious until you begin losing high-potential staff members.
With a Chief Human Resources Officer (CHRO) in place, there is likely to be a greater focus on gathering employee feedback as well as looking into breaches in rules and etiquette by staff. It doesn’t take long for a positive corporate culture to turn into a negative without a continuous focus on employee satisfaction. The perception that “leadership doesn’t care” or a lack of accountability can poison even the most positive working relationships. A CHRO helps actively listen around the organization and has the ability to raise concerns to the highest level while adequately explaining the challenges and offering strategic solutions.
Encouraging Meaningful Diversity and Mutual Respect
Diversity of thought and cultural fit are every bit as important as ethnic diversity in your workforce. It’s easy enough for managers to hire someone who not only looks like them but also thinks like them — something that a CHRO can help guard against. There’s more to a hostile workplace than a single person or small group of individuals who are behaving badly. It starts with the idea that staff members can get away with atrocious behavior and that the perpetrators are being enabled due to their high-performance standards or position within the organization. It can be challenging to discipline individuals who are perceived to be exceptional, but having C-suite representation for all personnel can help lead to accountability and mutual respect. Meaningful diversity occurs when managers and supervisors are encouraged to step outside their comfort zone and work with people who may be a great cultural fit, even if they may not have exactly the right pedigree or high levels of experience. A dedicated and involved CHRO helps hiring managers to see beyond the surface to find the exceptional staff members that will help the organization grow and evolve in the future. It’s never too early to begin encouraging managers to celebrate diversity and inclusion through a variety of different initiatives that can ultimately result in a more balanced workforce.
Attract and Retain the Best
Creating a positive culture also means finding what motivates employees and being able to illustrate the real business benefits of reducing turnover and providing the perks that employees truly want. HR is moving far beyond simply being the “complaint department” or a way to ensure compliance with a variety of rules and regulations. Having a CHRO provides the business with a higher degree of strategy in the hiring and managing of talented staff members. Millennials and Generation X alike appreciate being able to work from home or remote locations when the work permits it, but a CHRO is able to help quantify the savings that can be expected for the business as well as the softer side of employee engagement. Proactive human resources support is quickly becoming a differentiator for businesses that view these roles as more of a strategic position instead of the tactical role that HR has played in the past.
FInding benefits that employees will appreciate is only a portion of what goes into attracting and retaining the best staff members for your organization. A proactive CHRO regularly reviews the competitive landscape to ensure that health and wellness benefits are commensurate with the marketplace. Creating wellness initiatives also falls to HR, with the long-term benefits of these programs helping bring a new focus to the value of encouraging positive health choices throughout the life of each staff member. Having a CHRO included as a deliberate part of corporate strategic decisions creates a more equitable focus on the individual needs of employees as well as the organization’s requirements for long-term growth.
Experience and Training Key for Successful CHROs
Not every CHRO comes up through human resources. It’s not unusual for someone more on the business, marketing or legal side see the value in making the leap in this direction. It is crucial that any CHRO candidate has a deep understanding of the privacy and liability issues that can arise from this sensitive position and department. These individuals thrive when they have a full understanding of people management, legal considerations as well as business operations in order to help managers and leadership identify staff challenges and how to move towards resolution. Few of these issues will be solved overnight, meaning your CHRO must have the ability to stay the course and navigate difficult relationships over time. The role of CHRO even has some aspects of a Chief Security Officer, as they will need to understand and be able to manage in-depth data privacy policies which can be quite complex depending on your business model. Measuring the success of various initiatives is also a data-driven operation that requires analysis and interpretation of diverse datasets.
Organizations may survive without someone from human resources at the executive table, but it is becoming more unlikely that they will thrive without this representation in the C-suite. Chief Human Resource Officers provide a needed counterpoint to the business-focused mantra that you may hear from other executives, providing a different perspective on reaching organizational goals through the introduction of positive culture change, accountability and diversity in hiring practices. This strategic role not only provides organizations with qualified candidates but also helps ensure that high performers stay and continue providing their brain trust to the business.
by Felicien | May 14, 2019 | Education
There was big business security news out of Brunswick, Ohio (a part of the Cleveland metro area) last month, this time involving a church. According to local reporting, the St. Ambrose Catholic Parish recently announced to parishioners that they had been swindled out of a whopping $1.75 million. The attackers’ methods have real implications for churches and businesses alike. We’ll look into their methods, but first a little more detail on this fascinating story.
A Church with Big Plans
St. Ambrose is in the middle of a fundraising and building campaign. As with many older church buildings, repair and restoration are needed. The parish’s Vision 20/20 campaign was supposed to be the answer. This campaign called for raising $4 million needed for repair and restoration, and the fundraising efforts were well underway.
The church only discovered there was a problem when the construction firm they’d hired, Marous Brothers Construction, started inquiring about unpaid bills totaling $1.75 million. The church leadership had been prompt in paying its bills, so they thought, and even had receipts and confirmations for funds transfers. They didn’t understand how the accusation of nonpayment could be true. The funds had left the account, after all.
An Old-School Hack, Well Executed
After involving the Brunswick police and eventually the FBI, an explanation surfaced. The church had indeed been hacked in a business email compromise attack, or BEC. An unknown attacker gained control over two church staff member email accounts. From there it was mostly social engineering.
The bad actors in control of these email accounts managed to convince (via email, of course) the rest of the relevant staff members that the construction company had changed its account information. The “new” account was, of course, controlled by the criminals. The most likely explanation from this point is that an actual, on-site staff member changed over the payment information, having been duped by very real emails that appeared to come from trusted colleagues.
The criminals kept the ruse going very effectively, apparently sending (bogus) confirmation emails so that the church staff thought they were paying the right people. Only when the construction company came calling was the breach finally discovered.
An Isolated Hack with Devastating Results
The church reported to local media that no other components of their IT infrastructure were compromised, including parishioner databases or stored financial information used for the church’s electronic giving service. The hack was isolated. All the hackers got was access to two email accounts. Yet they leveraged this small hack into a $1.75 million payday.
Strategies to Combat BEC Attacks
Stories like these underscore the importance of strong IT security, even in houses of worship. They also underscore the importance of training staff on recognizing the signs of phishing, social engineering, and other bad behavior.
Most BEC attacks don’t start as brute-force attacks. Rather, they start as phishing expeditions. Hackers lure credentialed people to give up their login information by presenting a sometimes extremely realistic fraudulent login page. The first step to preventing such attacks, then, is to educate your staff about how to spot phishing and other similar tactics. Teach staff not to assume that email is from who it appears to be from, especially emails that seem out of context or that ask for unexpected actions. At the enterprise level, implementing a better email authentication protocol like DMARC is an effective way to combat this kind of fraud.
Need Help?
Does your business need help preparing for BEC, phishing, or social engineering hacks? Contact us today for more information.
by Felicien | May 14, 2019 | Education
Today’s businesses are nearly all in a period of transition. If you aren’t old enough to have lived it, all you need to do is stream a few episodes of just about any ’90s sitcom to realize that business has changed at an overwhelming pace since then. This change continues today. Companies are all at varying points on the journey of digital transformation. Some are on the bleeding edge, while most are taking a cautious or catch-up approach. A few remain blissfully unaware, but these aren’t likely to last much longer.
Doing Digital Transformation Right
Digital transformation sounds great, and I’ve already implied that it’s essential. That’s not quite accurate, though. What’s essential is doing it right. A poorly executed digital transformation can be just about as harmful as burying your head in the sand and hoping things will stay just as they are. (They won’t.)
Digital Transformation as a Journey, Not a Destination
One of the first aspects of a good digital transformation plan is to understand its nature. Digital transformation isn’t a one-and-done initiative. How do we know? For starters, we aren’t using Windows XP (or, shudder, the dreaded Windows ME) anymore. Technology will continue to evolve, and your digital transformation will continue as it does.
It’s better to think of digital transformation as a journey. Where are you right now? Where are your competitors? What do you need to do, procure, or implement to catch up with (or better, pass) your competitors? Once you’ve implemented those steps, start to look at what’s next.
Digital Transformation as Mission Critical
Businesses today must understand that digital transformation is mission critical. It’s not something you spend money on when business is booming and squeeze out of the budget when money is tight. As soon as you stop failing to innovate, you give your competitors an open door to squeeze you out of the marketplace. Keep up with your digital transformation journey and stay competitive.
Digital Transformation as a Monitored Initiative
Many companies that do form a digital transformation plan fail to follow through in some way. It’s important to regularly evaluate the progress of your company’s digital transformation plan (be it quarterly or monthly). If digital transformation is a journey rather than a destination, a company working from a 3-year-old digital roadmap is doing it wrong.
Evaluating Your Company’s Digital Transformation Efforts
Evaluating your company’s digital transformation is a complex process. If your company doesn’t have an evaluation plan in place, you might be wondering where to start. Here’s how to get started evaluating your company’s digital transformation.
Ask Questions
It’s easy to assume that a process or plan that’s not making too much noise is working well, but doing this is a mistake. As you should with any process or plan, ask plenty of questions at regular intervals. What is and isn’t working? What new implementations are causing friction among the staff? Is that friction due to lack of training or because the technology solution is failing to deliver? Is the plan sticking to budget? What new technologies or platforms are developing that should be added to the company’s digital transformation journey? What is the right time to add those technologies? Is a particular technology failing to deliver or costing more than you’d budgeted for?
Asking good questions of the right people can greatly improve your digital transformation efforts. Don’t be afraid to include a wide range of departments and seniority levels in your questioning, either.
Review Business Needs
Just as available technology changes over the years, so do your business needs. A piece of software that was mission critical in Accounting 10 years ago may be peripheral or even obsolete today. Similarly, the business needs of your Data and Analytics department today are likely quite different (and far more evolved) than they were 20 years ago. That’s assuming you even had a data and analytics group 20 years ago!
An important part of reviewing your digital transformation efforts, then, is reviewing each department’s business needs and processes. Providing new solutions to long-solved problems isn’t the best bang for your buck. Be sure you understand the problems and processes of each business unit so you can focus your digital transformation efforts in the areas that matter most.
Get the Right People in the Room
A digital transformation plan that no one really knows about isn’t going to accomplish much. A review of that plan that no one knows about won’t, either. Your digital transformation evaluation efforts should include a pretty decent cross-section of organizational leadership. The CFO and CIO (or their delegates) are key stakeholders, as are the leaders of various business units. The CEO must be informed and on board for this to be effective, though of course the size of your organization will likely guide the CEO’s level of real involvement.
Buy-In Is Key
You need the right people in the room, but you also need buy-in from those people. If digital transformation evaluation is a new concept (or a loathed one), you may need to educate first. Get the key stakeholders in a room and use points like these (not this one, of course) to help them understand the mission-critical importance of this process.
Data Is Everything (Else)
You don’t want your review meetings to be based solely on feeling. If your meetings sound a lot like “Well, Jane in Accounting is frustrated using this new software” and “I believe implementing this new platform will really help!”, you need a heaping helping of data. Task your analytics group with researching the effects of a new software suite, for example, so you have real data to go along with feelings.
Conclusion
The digital transformation journey is never-ending, and your efforts to evaluate that journey are as important as they’ve ever been. If you could use a hand, whether with the journey or its evaluation, let’s start a conversation today.