Why CFOs Should Care About the Cloud

Saying the last 10 years have been interesting for the CFO is a bit of an understatement. If you have been in finance that long, you would have survived the strictures of Sarbanes-Oxley, not to mention two stock market crashes, global warming and sustainability pressures, an ageing workforce and the ongoing technological revolution.

Against that background, your role may have changed somewhat. Of course, the traditional financial controller tasks are still fundamental for business, but it is likely that you also play a more strategic role in advising the CEO and senior leadership team in managing the business.
Given all of that, you could be forgiven for thinking that you can leave all decisions relating to the latest technology trends around cloud-based computing and services to the IT department. Surely they can handle decisions to do with system set-ups and server locations?
De-mystifying the Cloud
Cloud computing offers an alternative to traditional methods of increasing capacity or adding capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. It encompasses any subscription-based or pay-per-use service that extends IT’s existing capabilities in real time, using the Internet as the delivery mechanism.
The cloud analogy is easy to recognize as a depiction for the Internet. However, going to the next level of cloud computing can be as fluffy as the cloud diagram itself. The issue is that this is a rapidly expanding and evolving area of technology, with many suppliers defining what cloud is from their own perspectives. Essentially, cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to consumers on demand.
Cloud computing removes much of the need for expertise in the technology infrastructure supporting the organization. Business users simply take advantage of web-based tools or applications that they can access and use through a web browser, as if they were programs installed locally on their own computer.
Currently the majority of services are point-based applications offering a specific solution that fall into one of three categories, although aggregators and integrators are emerging (see table below).
Click table to enlarge
Benefits – But Also Outages
Cloud computing has the potential to greatly reduce cost and convert capital expenditure to operational expenditure. Infrastructure is typically provided by a third party and does not need to be purchased for one-time or infrequent but intensive computing tasks.


Mobility is enabled because users can access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile). As infrastructure is off-site (typically provided by a third-party) and accessed via the Internet, services can be provided to any location.
Maintenance of cloud computing applications is easier, provision from a single point means they are easier to support and to improve since the changes reach users instantly.
Scalability and agility improve, with users able to quickly meet demands without needing to deploy or have infrastructure resources in place. Security against threats is typically much stronger because applications are “virtualized,” therefore minimizing the threat to the local infrastructure.
Availability is also enhanced, which makes cloud computing suitable for business continuity and disaster recovery. Nonetheless, many major cloud services have suffered outages. The latest incident happened in late April, when Amazon Web Services’ Elastic Block Store product, used for storage, got ‘frozen’ from a technical glitch as the programs were being upgraded.
At times, IT and business managers can do little in the face of these outages. This is why Service Level Agreements (SLAs) are critical in any provision agreement.
Deployment Models
Because cloud services are provided over the Internet, you can be forgiven for assuming that all deployments share the same level of privacy and security. In fact, if you talk to suppliers, they are likely to describe as many cloud types as there are physical ones in the sky. There are different deployment types, which fall under three categories, as shown in the table below.
Click table to enlarge
Capex Into Opex
Generally, cloud computing customers do not own the physical infrastructure. Instead, they rent it from a third-party provider. They consume resources as a service and pay only for resources that they use – in effect, turning what used to be capex int operational expense.
The applications are typically billed for based on either a usage basis (e.g, an expense management system where there is a charge per expense report processed) or on a subscription basis (time/user- based) with minimal upfront costs.
Other benefits of this approach are low barriers to entry, shared infrastructure and costs, low management overhead, and immediate access to a broad range of applications.
But organizations should be aware of three issues:
  • Cloud financial ‘tipping point.’There will inevitably come a point when an on-premise service becomes fully paid up, whereas charges for cloud services will be ongoing.


  • Real costs of on-premise service. Many costs can be overlooked when assessing an implementation project. For example, maintenance costs run at between 15-25% per year, upgrades must be resourced both in terms of staffing and additional infrastructure requirement, plus when was the last time a project ran to schedule?


  • Time to go live. Crucially cloud services can often be delivered in less than a week, whereas an on-premise project can take months or even years. What gaps does this leave within your organization and how important are they?
Beyond the technical evaluation itself, you should also consider the human investment. There are potentially huge productivity gains to rolling out a collaborative word processing service to the organization in addition to savings on internal resource. But as a strategic investment service, maturity should be assessed to ensure wasted resource is minimized.
It may make more sense to start in areas such as storage, infrastructure and security that would have minimal impact on the end user community.
Any major project should go through the normal evaluation of whether there is an appropriate return on investment. In fact, perhaps a better alternative would be to perform a net present value (NPV) analysis.
Both options (on-premise and cloud) can contain hidden costs and risks (e.g. ongoing maintenance and upgrade costs) and the opportunity costs/cost of finance may significantly impact the results.
More Than Just Money
Arguably the CFO has got a new role as Chief Risk Officer. With the turbulent economic climate and increasing penalties imposed on companies, the CFO has to be the board member who says “hang on a minute” and provides an alternative perspective to corporate decisions.
In this regard, business risk as well as basic economics must be considered for any project initiative. You should ensure that the standard checks are performed related to the viability of providers as a long-term partner. Remember, too, that data and continuity are critical, so ensure that their infrastructure is robust from a disaster recovery perspective.
Depending on your industry you will be challenged by a variety of compliance requirements. Nothing new here, but customers are ultimately responsible for the security and integrity of their own data, even when a service provider holds it and is subject to external audits and security certifications.

Cloud computing provides the opportunity to utilize multiple global suppliers. However, customers contracting with cloud providers outside their country or geography may have to ensure that these providers are familiar with local guidelines and regulations on the export of personal data.

As another example, many suppliers imply that cloud based services have reached a utility type maturity, meaning that all services carry the same risks and assurances. This is clearly not the case. It is crucial that any solution chosen by your organization is appropriate in terms of risk assurance.
How Secure Is the Cloud?
Security is always a key consideration and as such, the relative security of cloud computing services is a contentious issue. Some argue that customer data is more secure when managed internally. Others assert that cloud providers have a strong incentive to maintain trust and as such employ a higher level of security.
Data in the cloud is typically in a shared environment alongside data from other customers. You need to gain assurances that data is appropriately secured and that this is a fundamental aspect of the design and doesn’t carry additional cost or negatively impact the use of the solution.
Suppliers’ understanding of inappropriate or illegal activity also needs to be addressed and provided for. Customers must demand transparency, avoiding suppliers that refuse to provide detailed targets on all service elements and their performance against those targets.
It’s important to note that the business risk extends beyond a specific application. The increased use of cloud based services such as Salesforce.com means that many mobile IT users will be accessing business data and services without necessarily accessing the corporate network itself.
This will increase the need for companies to place security controls between mobile users and cloud-based services, such as cloud enabled security services that ensure all remote connections follow the same level of protection.
Many organizations also utilize social media applications such as Twitter, Facebook and LinkedIn, in addition to the more formal cloud applications. This tends to blur the boundaries between corporate and personal data. Security can be undermined simply by perhaps a senior executive bringing in their own iPad and expecting it to work on the corporate network.
Interestingly cloud computing itself enables security controls and functions to be delivered in new ways and by new types of service providers. It also enables companies to use security technologies and techniques that perhaps previously have not been cost-effective.
Organizations can struggle to justify the expense of security controls or functions that are needed to respond to unanticipated or infrequent events. Cloud computing, however, can make these types of services available at short notice, while streamlining provision at a scale appropriate to address the threat.
Where to Start
Cloud-based services certainly can be very attractive to an organization. The likelihood is that your company or certainly some of the staff are already taking advantage of it to some degree. However, as you assess the economics and risk associated with these services, perhaps one of the first to invest in is cloud based security services that can fully integrate with your existing environment.
As well as providing the building blocks for any IT enhancement program, security’s back-office nature means that it can be implemented quickly with minimal impact on end users.
Like any cloud based application, the security provider must offer the service levels that you require both today and as your business grows. The common hybrid deployment of the cloud means that a security provider can almost cover your whole organization like a flexible bubble that grows as your company expands.
About the Author
Harry Pun is Client Services Manager, North Asia, for Symantec.cloud – a division within Symantec Corporation that uses the power of cloud computing to secure and manage information stored on endpoints and delivered via email, Web and instant messaging. 


Suggested Articles

Some of you might have already been aware of the news that Questex—with the aim to focus on event business—will shut down permanently all media brands in Asia…

Some advice for transitioning into an advisory role

Global risks are intensifying but the collective will to tackle them appears to be lacking. Check out this report for areas of concern