What the CFO Needs to Know: Cloud Computing
▲ Cloud computing, the remote hosting of applications on virtual platforms for on-demand, Web-based delivery, is on the fast track. Analysts estimate that during the next six years, 90% of new spending on Internet and communications technologies will be on cloud-based technologies.
Cloud computing (which at its simplest means storing and accessing data and programs on the Internet — the cloud — instead of a personal computer) is profoundly impacting how IT professionals implement, deploy and manage technology solutions. It’s also having a dramatic effect on the cost, payment structure and business strategies associated with IT rollouts.
▲ The cloud increases cost visibility: Cloud computing substantially increases the cost visibility of IT deployments.
“The cloud is here to stay,” said Chicago-based Christian Hagen, a partner in the strategic IT management practice of global management consulting firm A.T. Kearney. “It gives improved visibility of your true IT consumption and costs. Traditional implementations give you a ‘peanut butter’ spread of costs where you don’t get to understand the true drivers.”
Hagen added that in terms of capitalization, cloud-based services differ from traditional IT implementations in that they are mostly accounted for on the expense side.
▲ Implementation is easier, which can also cause problems: Cloud systems are easier to implement than traditional IT systems since no internal hardware is usually required. As a result, the IT department is often much less involved or even bypassed entirely in systems selection and implementation, with individual end users able to pilot and roll out turnkey cloud-based solutions on their own. This easier implementation process also decreases upfront IT costs. However, Hagen cautioned CIOs that cloud rollouts need to be carefully monitored.
“Software as a service (SaaS) providers will often go right to the end users,” Hagen said. “It sounds good and you save time, but you can wind up with shadow systems that haven’t gone through appropriate IT procedures and end up with a fragmented application architecture. Introduction of new applications should be managed by both the CIO and CFO.”
The flexible and quickly deployable nature of cloud computing also makes the cloud an ideal environment for testing and development of IT systems, even if companies plan to later deploy those systems in-house.
▲ Different models have different cost structures: Not all cloud deployments are created alike. There are three basic models of cloud systems implementations: public, private and hybrid. Public deployments take place on shared clouds where multiple clients use a single platform, while private deployments take place on a dedicated platform used by a single client, and hybrid deployments use both public and private clouds for different solutions.
Hagen estimated that roughly 25% to 50% of traditional infrastructure costs are eliminated through a cloud deployment. In general, public cloud hosting is cheaper upfront than private cloud hosting, with hybrid rollouts costing somewhere in between. Hagen explained the benefits of each model.
“Public clouds have very targeted uses, such as development and testing environments where protecting the data is not as important,” Hagen said. “Private clouds have a more secure, sophisticated architecture. Hybrid clouds use both the public and private models, with companies selecting each model for various processes.”
Amazon Web Services, Microsoft’s Azure and Google’s Compute Engine rank among the largest public clouds.
▲ You pay for what you use: Generally speaking, cloud deployments use a flexible “pay as you go” model. Users pay for the amount of virtual services that are delivered and/or the amount of virtual server space they require.
The flexible nature of cloud infrastructure means that cloud-based IT deployments can be scaled up and down according to changes in the user’s needs, with corresponding cost adjustments. Private clouds generally offer the most usage and cost flexibility.
“The private cloud infrastructure offers a better match between supply and demand,” Hagen said. “You only get charged for the IT you use.”
What the CFO Needs to Know: Data Breaches
▲ Data breaches are on the rise: Mounting an attack on retail systems has become increasingly attractive to attackers because malware can be delivered at very low cost, according to Mark Bower, VP product management and solutions, Voltage Security, a Cupertino, California, provider of data-centric encryption and tokenization.
“So it becomes very attractive to attackers to try and steal credit card and personal data they can monetize very quickly,” he added.
As to the role of a financial chief, “the CFO has the responsibility to look at overall risk in the organization, and data security has become a big factor in risk mitigation,” Bower said. “When a data breach happens, it will damage the brand and consumer trust, which impacts revenue and results in unforeseen costs to the organization.”
▲ Chip and PIN versus chip and signature: The global Europay, MasterCard and Visa (EMV) protocol mandates that payment cards store data in a secure embedded microchip, rather than in an unprotected magnetic stripe, as is common in the United States. Customers then further verify their identity with either a secure PIN number or a signature.
The cost of either identity verification method is similar, but most industry experts are promoting chip and PIN as more secure. While a criminal who steals or finds a chip and signature card can still forge the signature (especially as it is often on the back of the card), PIN-based identity verification eliminates this threat. Target has committed to spend up to $100 million to reissue all the debit and credit cards in its branded REDcard portfolio using chip and PIN technology from MasterCard.
“The chip validates that it’s the real card,” said Tom Litchford, VP retail technologies for the Washington, D.C.-based National Retail Federation. “The PIN provides two levels of validation.”
▲ Upcoming shift in fraud liability: Liability in fraud resulting from retailer security breaches currently rests with financial institutions. But as of October 2015, any U.S. retailer that experiences card fraud relating to a customer using chip-based cards must assume any costs if they do not have equipment that can process chip-based card payments. However, selecting, implementing and training associates to use that equipment will take time.
“Our goal is to start migrating right away,” Litchford said.
▲ Total switching costs: The NRF estimates that switching to either form of chip-based card verification would cost the U.S. retail industry $20 billion to $30 billion during a period of several years. The NRF wants the financial industry to shoulder some of the cost, but the switch will still prove costly to retailers. Reluctant CFOs should consider that Target reported costs relating to its data breach of $61 million in the fourth quarter of 2013 alone, and quarterly sales (including the holiday period) fell 5.3%.
Gartner has estimated the breach will cost Target $400 million to $450 million in total, and then there are qualitative costs like eroded customer trust and loyalty. Data security requires significant upfront investment, but CFOs need to understand the long-term financial implications of skimping on this critical expense.
▲ Data-centric security: Data-centric encryption and tokenization is a highly effective means of protecting card data once it has moved into a retailer’s network. This type of data protection, for example, would have made the Target breach, which attacked POS data inside databases once it had left the card, much more difficult. Data-centric security solutions neutralize the data when the attack happens, so the attacker gets nothing of value.
There are cost-effective and easy measures retailers can take to protect themselves. For example, Verizon data shows that nearly eight-in-10 cyberattacks originate in Eastern Europe, with 58% coming from Romania, 12% from Armenia and 8% from Russia.
“You can mitigate the vast majority of attacks by blocking out parts of the world where you don’t do business,” said Dallas-based Bryan Sartin, director of risk for Verizon enterprise solutions. “The technology and know-how have been around since the mid-1980s.”
The use of two-factor authentication can help greatly reduce the innate risk associated with giving outside parties access to your network, according to Sartin. To use the well-known example of criminals using phony vendor credentials to enter the Target network through a dedicated VPN link, if those credentials had been bolstered with the requirement of a PIN not stored on the vendor PCs, the attack would have never happened. And basic video and alarm security systems greatly reduce the opportunity for thieves to gain unauthorized access to card readers.
What the CFO Needs to Know: Construction
▲Construction and construction costs are not an exact science: Information derived from data may be predicable; people are not.
▲ The process takes time: Construction encompasses more that just the time it takes to physically build a store. It also involves the lease-negotiating phase, drawing phases, permit phase and bidding phase.
▲ Smaller spaces don’t always translate into big cost reductions: It’s often assumed that as store square footage gets smaller, the overall costs go down. But due to fixed items, such as restrooms, cash wraps etc., the cost reductions may not be as significant as expected.
▲ Calculate total costs to build out a store: The construction team only knows and/or controls a portion of the costs. Visual merchandising, IT, POS, security, fixtures, store start-up supplies, pre-opening labor, etc., are all costs that, in many cases, may not fall under construction’s hat. Some of these expenses may be forgotten when a CFO is calculating all the costs.
▲ The lowest price isn’t always the best price: Driving down lowest initial cost of construction may actually cost more money in the long run by resulting in increased operating and maintenance expenses. Optimizing total costs of ownership (initial construction, operating, maintenance, insurance, depreciation, etc.) will improve the bottom line.
▲ Technology is impacting store development: The increasing deployment of Web-based collaboration systems, along with the greater integration of outside partners into a retailer’s enterprise data systems, is affecting the store development process. It’s important that adequate controls over vendor access, password protocols and the like are carefully developed and strictly enforced to avoid the potential for data breaches that originate from invasion of vendor companies that lack the sophistication and data security of the host organization.
▲ Room for improvement: Any retail construction program where construction change order costs exceed 5% of base-contract amounts has significant opportunities for improvement. Creating and closely monitoring analytics that identify the cost of construction contract change-orders and their root causes, and systematically eliminating those causes, can significantly improve the accuracy of facility capital cost projections and ensure achievement of pro forma financial objectives.
▲ Building codes are changing: Building codes now require more alignment with sustainable construction/design. Consequently, initial cost will go up, but operating costs — particularly the cost of energy — will go down as stores become more efficient.
▲ Market demand impacts costs: The better the economy and the busier construction consultants and contractors are, the more you will pay for construction. Count on extreme cost increases when building in or near such boom markets as the oil/gas fields in West Texas and North Dakota.
▲ Dallas is hot: A recent study by CBRE Group shows that the Dallas-Fort Worth area is the top retail construction market in the country. About 2.6 million sq. ft. of shopping, retail and entertainment space was under construction here at the start of the year, which is slightly more than Las Vegas and New York City, the No. 2 and 3 building markets on the CBRE ranking.
In the Know
CFOs should make sure they receive timely and accurate information regarding construction budgets, schedules and ethics:
• Budgets: The CFO should be updated with a weekly budget status on all projects. Some retailers require that the construction team forecast costs for all pending or potential changes, and that it keep a change order log on every project that included actualcost increases/decreases, as well as including “placeholders” for potential budget impact. The CFO (at that time) would approve any significant budget increases.
• Schedules: Time is money. In addition to budget impacts, the CFO should be provided weekly schedule variances. After all, time is money.
• Ethics: The CFO should be alerted to such things as lawsuits, contractor kickbacks, etc., all of which have a potential cost impact.