CFO Studio Magazine with Dominic Caruso, CFO, Johnson & Johnson

Q4 2016 WWW.CFOSTUDIO.COM 39

in the areas of managing capital, and finding and retaining top talent,” he said. He pointed out that it can be difficult for mid-sized companies to hire all the knowledge workers necessary to deal with cybersecurity, due to the many and varied systems most enterprises use and competition for resources from big-name firms.

As a result of this predicament, Mr. Mallen noted that many companies are outsourcing a number of their IT functions as well as turning to cloud computing, which brings along its own set of issues. To that point, he cautioned: “Before picking a vendor to store your invaluable data, attempt to determine if that company is taking all the right measures to secure it.” He recommended compiling an “appropriate and comprehensive questionnaire” in order to glean an understanding of the vendor’s overall security system. “Some of those inquiries should include: How do they segregate data? Who has access to the data? And what are all of their security controls?”

In terms of managing third-party vendors, he added, be sure to get the appropriate reports. “Many CFOs receive a Service Organization Controls report, or SOC 1 report, from a vendor and think that it’s adequate in this area, but it’s not,” as it mainly focuses on financial reporting controls. Mr. Mallen advised requesting a SOC 2 report, which is centered around a business’s other controls as they relate to security, confidentiality, and privacy.

Risk Prevention

The issue of USB drives, or so-called “thumb drives,” came up at the dinner and, as Mr. Mallen pointed out, there is a “ton of risk” associated with these handy little gadgets. “An employee can inadvertently unleash a virus onto the organization’s network by plugging in a thumb drive that is, unbeknownst to them, infected.” In addition, an employee could download sensitive information onto a thumb drive and then leave the company, or simply lose it.

One way to mitigate this kind of risk, Mr. Mallen said, is to use encrypted thumb drives. A more aggressive approach would be to “lock down your computers so they don’t accept outside drives,” only those that have been issued by the company. To take it a step farther, “Provide thumb drives only to employees that department managers approve” to receive them. In this vein, he said, “You begin to minimize and narrow down your areas of risk.”

From a non-gadget standpoint, Mr. Mallen said, “One of the most important things you can do that is not technology related is to make sure your staff is continuously trained and educated on phishing emails and websites. Links in emails and websites are one way that hackers install malicious software on a computer, which then allows the hackers access to systems and data.” Mr. Mallen also recommended that staff be expected to adhere to all prudent cybersecurity policies and protocols.

Mr. Mallen acknowledged that cybersecurity adds complexity to the system, and “if you make it too complex, there’s more chance for human error or misconfigurations.” In addition, he advised the attendees to “build cybersecurity into new systems that are being put into place, so that it’s already a part of the process for your business units.” You don’t want to create changes in the workflow, he said, nor do you want to make it harder to operate your business. The hackers have that angle covered for us already.

MEETING PARTICIPANTS

Bill Baldwin, CFO, Kepner-Tregoe, Inc.
Andrew Einhorn, CFO, Edge Therapeutics
Neil Glasser, CFO, MJH Associates
Brian Hart, CFO, Berje, Inc.
Chris Krasas, CFO, Carl Stahl Sava Industries
Bert Marchio, Chief Accounting and Operations Officer, Edge Therapeutics
Elizabeth Miller, Vice President, Finance & Treasurer, Mauser USA, LLC
Lisa Strassman, CAO, Director of Finance and Corporate Controller, Daikin America, Inc.
Peter Xeinis, VP, Finance and Administration, Lavipharm
Paul Mallen, CFO, Amalgamated Life Insurance Company (Discussion Leader)
