Yesterday I ran across this article at CFO.com. As someone who started in this industry nearly two decades ago and planted firmly in the cloud, I’ve a few observations and admonitions.
On Question One:
Yes, by all means compare TCO. But be sure to compare it accurately. This will mean learning more about what your IT group so they can answer the questions you need to ask them. The article makes a critical mistake in assuming and asserting that the cloud makes it easier to know what your cost is because you get a bill.
I say this because while it should be obvious, that bill doesn’t cover the cost of getting to the cloud, or the cost of the people and the investment into said people, that keep your business running in the cloud. The cloud doesn’t get rid of your people. I would hope that a CFO would know this and take that into account, but that isn’t always the case.
On Question Two:
Does the CFO have the skills to “manage the cloud”? I’d bet more often than not they do not have those skills - that is why they are the CFO instead of the CIO! The proper answer here is to work with the CIO on tracking needs, growth, and changes in business regarding how and when to use the cloud - and what cloud to use. The CFO’s job is not to manage IT. Keep that in mind as it will resurface.
On Question Three:
I’ve got a particular nit to pick here, but it is a big one. The article asserts the following:
“but it’s up to CFOs to vet their providers’ security and make sure their certifications, policies, and procedures fulfill their businesses’ regulatory requirements”.
No, no it isn’t. Again, CFOs by and large do not have the skills to analyze the security practices and options of cloud providers. It should be the security team, or at a minimum, the CIO who vets the vendor for security. Considering that most reasonable CIOs would turn this over to their security experts, the idea that the CFO should be taking over this role is ludicrous and dangerous.
Further, it should be legal’s job to confirm that regulatory requirements are met. Unless CFOs are getting trained in security and legal review of regulatory requirements and how well a potential vendor can address those, they should not be expected, or even allowed, to do those things.