In short:

• You’ve heard the arguments about why core IT services are still being run in-house, and you haven’t pushed back. Now, it may be time to force the issue.
• The unfortunate reality: Few IT organizations are able to make emergency software updates in a timely fashion.
• Data loss — whether financial or nonfinancial records — can have serious fiscal and reputational ramifications. Don’t let this crisis go to waste.

Last month, Microsoft announced a major vulnerability in its Exchange Server software — what Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency, called “a crazy huge hack.”

In brief: A sophisticated attacker based in China gained access to Exchange email servers in January and stole data from tens of thousands, if not hundreds of thousands, of organizations, including large and small companies, nonprofits, and municipalities. No one knows exactly how many were affected, but a lot of CIOs are now spending significant time and money scrambling to find out if data was stolen or if malware is hiding on their systems.

Given the scope of the attack, we likely won’t know for a long time the actual extent of the harm. One thing we do know: Companies that use Exchange Online, Microsoft’s cloud-based email and calendar service, are not scrambling. If your company runs Office 365, you did not have to take any action. Microsoft quickly and automatically updated its cloud software.

Running On-Prem? It’s Time for Some Conversations

If your organization has Exchange running in a server closet somewhere, make sure that your technical team has updated the software. Then, think seriously about outsourcing your email and any other in-house services you can. The finance function has a lot to lose if the company is compromised.

In my own discussions with cybersecurity professionals recently, I have been struck by the number of very large, very technical companies that didn’t have to scramble because they chose to outsource. If these firms, which have more than enough skilled staff to maintain their technical architectures, are using cloud versions of common software, you should ask why your company chooses to do it differently.

Your IT department likely has a variety of justifications for keeping technology in-house. They may argue that it’s less expensive and that they can better control costs. Running an application on your own hardware comes at a fixed fee, and you may have sunk investments in infrastructure. There’s no money budgeted for an outsourced option. They might argue that you have a full-time staff to maintain hardware and systems. If you outsource, what happens to them? And it goes on.

Some industries keep processes in-house due to legal concerns. For example, if a cloud provider maintains a service, law enforcement can subpoena the provider for information, and you may not have a say in, or even knowledge of, the proceedings. So law firms and media outlets, for example, may want to maintain some software in-house.

At another level, your CIO may contend — though not in so many words — that if you don’t trust the team to run basic software like email, then you can’t trust them to run applications.

Attackers Have Time, Money & Smarts

There are legitimate arguments for running some systems internally, generally around control, privacy, competitive differentiation, and support.

Sure, cloud services occasionally have outages. The reality, though, is that these concerns rarely stack up against the operational efficiency, cost savings, and security benefits of the cloud. As a CFO, it is your responsibility to ask questions and help frame the discussion around cost/benefit. Yes, a lot is going on right now. But at the time of this writing, thousands of companies are being compromised every day because they failed to properly secure their Exchange Servers, long after the problem was announced.

Even reasonably large IT departments have a hard time staying on top of vulnerabilities. Then there’s the time required to plan how to fix problems, when to take down production systems and who will test the updated system to ensure it is working properly. None of these is a consideration when software is delivered as a service.

If your IT team believes that these are non-issues, let them justify that in terms of dollars and cents. Otherwise, my advice is to use this latest “crazy huge hack” to start the conversation about moving your software services to cloud providers.

Tips for Having ‘The Talk’

Be proactive by:

• Determining which applications you run internally that have cloud-based alternatives. IT should be able to easily generate a self-assessment of assets and processes that handle your critical data or that must be available for operations.
• Tallying the total cost of ownership — hardware, software, personnel, training, support contracts — of those applications compared with the cloud alternatives.
• Asking your internal team or a consultant specializing in security risk assessments to generate a report on the consequences of potential vulnerabilities in your in-house software and IT’s ability to stay abreast of threats and update software in a timely manner. What’s their time to patch systems, the impact of an outage, and the process for scheduling upgrades?
• Quantifying the impact of a potential breach on each on-premises system.

With that data in hand, leadership can perform a true cost/benefit analysis of moving various applications to the cloud.

While I, as a CISO, would welcome this conversation, I know of many CIOs and CISOs who could be offended by the implications of these questions. Should this be the case, you as a CFO should hold firm and inform them that you are responsible for managing all financial risks and optimizing expenses. If they start throwing around technical jargon, remind them that these systems impact operations, risk, and finance, and these critical concerns transcend the technology.

Hopefully, this won’t be an uncomfortable conversation, but if it is, it is likely an even more important talk to have, as technical leaders may not understand that “their” systems are a critical aspect of the organization’s financial health.

There is never a guarantee of security; however, cloud providers typically do a better job securing services than your IT team. This is not only OK to discuss — frankly, your company’s future health may depend on that conversation.

Finance leaders are expected to deliver insights and analysis to help make all sorts of critical business decisions. That includes budgeting for and prioritizing security and data protection measures.