The top executive of a cloud services provider was in full flow. “We have never lost one piece of data,” he declared. “We’ve never lost a single byte. We have never been hacked. We have never accidentally given another customer someone else’s information.”
So far, so good. But when the direct quotes were played back for confirmation, the company asked that they be excised. It seems that what sales people are more than willing to tell potential customers are not necessarily things that they want on the record and disseminated to a wider audience.
Which is a pity, because security is the top concern of CFOs, treasurers and other finance executives about cloud computing and Software-as-a-Service (SaaS). They want answers and reassurances in clear and unambiguous language.
“The key issue for us is security of data,” says Felix Wang, General Manager (Administration, Accounts & Finance) at Itochu Plastics, a wholly owned subsidiary of Japanese trading giant Itochu.
Speaking at a recent CFO Innovation roundtable, he said that Itochu handles more than US$1 billion worth of trade and 1 million tons of cargo a year. “We are cautious about cloud computing for the simple reason that our key resource is our network of suppliers and customers and we do not want their data compromised.”
Michael Chow, Executive Director for Finance, Asia Pacific, at Sovereign Richwell, was at the same event. “What if, despite all the systems and precautions, there is a breach?” he wondered. “What are the real liabilities of the vendor who created the architecture?”
Still Behind in Asia
Asia’s finance executives are increasingly comfortable with the idea of entrusting the public cloud with company email, salesforce management, and even processes around aspects of customer relationship management and HR management. A 2012 CFO Innovation survey of Hong Kong CFOs found that 44% are already on the cloud, while 27% are planning to do so.
But they are still holding off on putting financial management and reporting processes, which are seen as sensitive and business-critical, on the cloud via Software-as-a-Service providers. (SaaS sits on the cloud and customer data resides with the service provider; cloud computing providers offer SaaS and other services, such as storage, firewall, computing platform and solution stack.)
“It’s only a matter of time,” argues New York-based CEO Jiro Okochi, who co-founded Reval, a US-based provider of SaaS solutions for treasury and risk management, in 1999. “Why would the evolution of automation be so different here?” Reval has firm footholds in the US and parts of Europe, but has yet to make much of a dent in Asia.
His optimism is based on Reval’s experience in the US. More than a decade ago, when Reval first started, Okochi recalls phoning the treasurer of a leading auto manufacturer. After explaining what the new company was all about, “there was silence and then the treasurer said to me: ‘Let me get this straight. Me, big auto company, is going to give you, a cloud-based company, our data? No thank you.’ Click.”
“But three years later,” recounts the CEO, “they’re our client” – along with Google, Microsoft, Coca-Cola, Deloitte and other large corporations and multinationals in the US and Europe. Reval today has more than 575 clients in some 25 countries.
Looking for Visionaries
The trick, says Okochi, is to find “visionary CFOs” who have a clear-eyed view of the gains and downsides of cloud computing and SaaS, and who have then decided that the benefits outweigh the concerns.
“Fifteen years ago in the US, SaaS wasn’t well accepted,” he says. “It took early [adopters] to say: ‘What you do really meets my business requirements, but the client-server guys aren’t doing it, so I don’t have a choice, I have to give this SaaS thing a try. Or, this SaaS thing sounds cool, I don’t have to deal with my IT, no upgrades, I’m signing up.’”
Reval has already found some of them. Okochi ticks off some names: “Axiata, GLP, Hong Kong Aviation, some of the financial institutions like Citic, AIA and Standard Chartered Bank.” Malaysian telco Axiata chose Reval’s SaaS treasury and risk management solution last July for the regional treasury center it is building in Kuala Lumpur, which will serve operating entities in Malaysia, Cambodia, Sri Lanka and Bangladesh.
That said, the Asian landscape is still challenging for cloud-based service providers. “We find a lot more companies who are still using manual processes,” says Okochi. “That surprised me on this trip.” In the US, about 80% of large companies have implemented some type of treasury technology, either on-premise, SaaS or developed in-house. Only 20% exclusively use spreadsheets in cash and treasury management.
“It’s the polar opposite here [in Asia] among large companies,” says Okochi. “You have 90% spreadsheets. Instead of seven people in treasury, you have 100 people faxing, signing, signing again, authorizing . . . I’m not even talking about hedging and derivatives. I’m talking about getting your cash position within a reasonable time.” In a recent meeting, a treasurer told him it takes her a week to know the company’s global cash position.
The way Asian enterprises scale their business is also different, observes Tony Singleton, Reval’s Asia Pacific Managing Director. “They add more bank accounts, so they add more staff to go to the bank portals and download bank statements, which are then keyed into spreadsheets.” To make sure payments go out correctly, Asian companies will hire a second or third pair of eyes for checking. “So you have six-eyes verification, and if your volume goes up, you add another set of six eyes.”
But it’s a model that’s not sustainable in a business environment where finance talent is getting scarce and expensive. “We are seeing a switch from spreadsheets and manual processes to automation, no matter what country you’re in,” says Okochi. This is especially true of companies that are acquiring assets in other countries in Asia and elsewhere. “They are getting concerned about what those local operations are doing with spot FX risk or signing up for loans with a local bank,” notes Okochi.
What About Security?
The key stumbling block is data security. Like other cloud-based service providers, Reval says the security worries are overblown. Okochi has no problem being on the record about Reval’s security credentials. “Yes,” he said unequivocally, when asked whether Reval can declare that it has never lost a single byte of data, has never had its systems hacked and has never given another customer someone else’s information.
“When we sign up technology companies like Google, part of their vetting process is to send hackers in,” says Okochi. “If you pass a Google hacker, you know you have pretty good security standards. Every time we sign a bank, it’s the same process.” Because Reval is always getting its tires kicked by new and existing clients, he argues, everyone benefits as the company fine-tunes the security features in response to the concerns raised.
Reval is also audited by Big Four accounting firm Deloitte, which periodically evaluates and reports on its controls, security procedures and other systems. CFOs and treasurers should be asking for a copy of such audit reports and also for information about the service provider’s track record with strengthening and updating security features as part of their due diligence.
“There are key audit reports that, if you’re a vendor of any sort of credibility, you should be able to provide to the client,” says James Bartholomew, Asia Sales Director at NetSuite, a provider of cloud-based business software including ERP and financial systems. “These provide you a written guarantee that your data is going to be secure.”
Like Reval, NetSuite stands by its record on security. “In my ten years with the company, we’ve had absolutely zero instance of any concern with data security and hacking,” declares Marc Huffman, NetSuite’s Senior Vice President of Asia Operations. “We use the same standards that you would use with your banking experience to provide security between a browser and our data center” – including token authentication and socket-layer technology for data encryption.
But the real danger in security, says Huffman, actually does not lie with the service provider. “It’s the one malicious individual, it’s the employees inside your organization that are taking information with them, or it’s carelessness.” The security breach can come from a laptop or iPad left in the airport or the USB left unattended in the computer port.
Lawrence Ong is General Manager for Enterprise Security Services at HP Enterprise Services, Asia Pacific and Japan. “You may have the best [security] technology,” he points out, “but if our employees go around sticking Post-it notes on their monitors with their username and password, no amount of best technology can help you overcome that violation.”
It is important to have clear rules and policies for employees, says Zoran Iliev, who is a certified Interpol computer forensics instructor. “If we have rules, we need to follow them up, we need to re-enforce them and explain them.” It is true that finance professionals are typically sensitized to the need for confidentiality and discretion, but the cloud environment may present them with new circumstances that they don’t necessarily know how to handle.
So if you are the visionary CFO who has decided to put financial management processes on the cloud, what do you need to know? To address the key issue of data security, here’s a check list:
- Apply the standard third-party risk assessment concepts used in any IT outsourcing project. Most of the techniques and processes for assessing providers and ensuring security also apply to the cloud, says Alex Skilton, Senior Manager at KPMG. “It’s all about making sure you understand the requirements of the service [and] build those into the contract.”
- Be clear about issues around ownership and control of the company’s data. Under the SaaS model, the company’s data is typically stored in the provider’s servers. Make sure it is clear that the company owns its data, not the provider, and make sure the data can be transferred to another provider or back to the company if you decide to switch vendors or terminate the contract.
- Have the right people at the table asking the right questions. It is important to hammer out agreements on how data would be managed and who has access to it at the negotiation stage, says Skilton. Don’t let the provider get away with “some sort of vague assurance.” Commitments around data security and other issues should be “solidified through a professional agreement.”
- Implement a robust system around data security policies, implementation and accountability. Typically, IT or finance can guide, but they cannot enforce and exact accountability. That’s the province of HR, which should help inform employees about data policies and periodically remind them about the rules, says Richard Stagg, Managing Consultant at security firm Handshake Networks.
“I’d like to give someone a kicking [but] I can only make guidelines,” he says. When an employee is found to be stashing things in their Dropbox, for example, HR should “give them the previously mentioned kicking.” When it comes to the finance team, the CFO should probably step in as well.
About the Author
Cesar Bacani is Editor-in-Chief of CFO Innovation. Dylan Bushell-Embling contributed to this report.