The CFO’s guide to IT Risk

Posted in Product ● 4 Nov 2015

In many organisations, the IT function reports directly to the CFO or FD, yet few finance professionals are equipped to understand the technical complexities of IT. Add to this the barrage of reports on common software vulnerabilities, sensitive data leaks and malicious software (‘malware’ or ‘ransomware’), along with the importance IT systems have in virtually all organisations today, and you may begin to despair.

Despite this bleak picture, the CFO is in fact ideally placed to monitor and manage IT risk. The discipline is little different from managing risk in other areas of the business, which CFOs should be quite familiar with. KPMG’s recent article on cyber security highlighted a number of areas boards need to consider, including:

  • Board directors need to understand and approach cyber security as a business risk issue, not just a problem for IT.
  • Discussions of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer, as well as specific plans associated with each approach.

Business Continuity Planning

CFOs are often viewed by IT managers as the holder of the purse strings, yet if the functions work more closely together there can be great benefits for both parties. The CFO can guide the IT manager in where the greatest risks lie within the business and where to focus their attention, and can then work as the advocate within the business for necessary expenditure. In looking at alternative solutions, the IT manager can often make significant operational savings for the business.

A good place to start such a fruitful relationship is in reviewing the Business Continuity Plans of the business. Reviewing and questioning these plans, how they work for each IT system and the business impacts in each case, will invariably lead to productive debate. This should enable risks to be clearly identified and quantified.

The areas outlined by the KPMG report provide a good structure around which to address these risks.

Mitigating Risk

Many CFOs will be surprised at the level of risk mitigation which is common in even the most rudimentary IT implementation. ‘Redundancy’ is a familiar word to all IT managers, and the simultaneous failure of multiple elements of a system is often allowed for.

Within these multiple-redundancy implementations, areas of risk can be difficult to identify, and are often not immediately apparent. Replication across two sites, for example, ensures the loss of one site shouldn’t excessively disrupt your IT systems. But what if a ransomware attack is replicated across both sites? Even in a replicated environment, a backup is still required to mitigate some risks.

Further, it’s important to ensure all processes within the system are being followed as documented. Manual tasks such as changing backup tapes and moving them off site will often look good on paper but may not be followed in practice. Automated systems with daily reporting will often prove more efficient and more easily verified.

In all cases, regularly testing and challenging the existing Business Continuity Plans is essential.

Avoiding Risk

Avoiding risk in IT will often be achieved by choosing the correct solutions. Before committing to hardware or software projects or expenditure, the changes should be viewed in the light of the existing Business Continuity Plans. In many cases, no changes will be necessary and no additional risks will be introduced. Occasionally a more detailed review will be required.

Moving to cloud software from on-site implementations for the first time may fall under the latter category. This can be a challenging area for both the CFO and the IT manager.

Nobody can ever guarantee the complete removal of risk; however, choosing the correct cloud provider can provide comfort. ISO certification demonstrates that a provider implements appropriate policies and processes to manage risk, and should be seen as desirable in any cloud provider.

In many cases, a cloud provider will have greater resources and expertise than an IT department to provide network and systems security. In this respect, cloud implementations shouldn’t be considered the highest risk option without first scrutinising the alternatives.

Accepting Risk

Accepting risk is often a neglected option, particularly within IT implementations. Data breaches, for example, do not have to represent significant risk to the business; sensitive data breaches should be the focus of concern.

It may be appropriate to create separate IT systems with varying degrees of security and risk management, and to segregate company data and processes within these systems. This can be a complex process to initiate, but can provide significant cost savings and improved risk management if correctly implemented.

Transferring Risk

Outsourcing systems and processes, or moving to cloud providers, will often result in a transfer of processes and costs; however, it will rarely result in a genuine transfer of all risks. In these cases, a detailed assessment of the risks is still required, with particular attention paid to contract terms.

A more effective and robust method of transferring IT risk is to ensure adequate insurance is in place. Most businesses will already have some form of insurance in place; however, it’s important to read the fine print. Some insurers are now excluding cyber attacks from their standard liability insurance, for example, but this can often be covered at extra cost.

The way forward

While risk management in IT is a subject many would prefer to avoid completely, it is an area which will impact almost all businesses. Ignoring the risks that exist will do nothing to prevent the consequences when things go wrong.

The IT market is dynamic and fast-moving, with many suppliers and products presenting alternative methods to achieve the same end. CFOs must work closely with IT managers in reviewing these products from a cost and risk perspective, which will often result in cost-effective solutions that are suitable for the business.

By Gareth Dyson, CFO at Redstor

