#276 Why Information Security Is Now a CFO Responsibility, Howard Francioni, Lead Auditor, Akton Boundrie Group

GrowCFO Show

Mar 24, 2026

Why It Matters

Cyber threats now directly affect a company's financial health, operational continuity, and brand trust, making security oversight a strategic priority for finance leaders. By integrating security governance into the CFO’s risk management toolkit, organizations can better protect assets, avoid costly disruptions, and meet increasing stakeholder and customer expectations for data protection.

Key Takeaways

  • CFOs face reputational, operational, and financial risks from breaches.
  • Risk registers must include cyber‑attack likelihood and mitigation strategies.
  • ISO 27001 drives password hygiene, device controls, and security culture.
  • Immutable offline backups prevent costly ransomware recovery expenses.
  • Data leakage awareness protects information even when data isn’t lost.

Pulse Analysis

In today’s threat‑filled landscape, a cyber incident can cripple production, erode brand trust, and trigger costly legal fallout. CFOs are no longer peripheral observers; they sit at the nexus of financial stewardship and operational continuity. High‑profile breaches at Jaguar Land Rover, Marks & Spencer, and Harrods illustrate how attackers exploit supplier connections to bypass perimeter defenses, causing supply‑chain shutdowns and multi‑million‑dollar losses. For finance leaders, the fallout translates directly into revenue volatility, insurance premium spikes, and shareholder scrutiny, making information security a core fiduciary duty rather than an IT afterthought.

Effective governance begins with a robust risk register that flags cyber‑attack exposure alongside traditional financial risks. Embedding ISO 27001 principles provides a structured roadmap: enforce strong password hygiene, deploy endpoint protection for PCs and smart devices, and cultivate a security‑first culture across every department. Even small firms, like GrowCFO, discover that formalizing policies—such as unique passwords, password vaults, and dual‑account laptop configurations—delivers measurable risk reduction. Training staff to recognize phishing, suspicious URLs, and social‑engineering cues turns the workforce from a potential weak link into a resilient line of defense, reinforcing the defense‑in‑depth model demanded by auditors and regulators.

Mitigation tactics round out the strategy. Immutable, offline backups make rapid recovery possible without paying ransomware extortion fees, while regular patch cycles shorten the window in which attackers can exploit known vulnerabilities. VPN usage on public Wi‑Fi, automatic screen locks, and clear data‑leakage protocols protect sensitive information even when data isn’t physically lost. By distinguishing between data loss and data leakage, CFOs can prioritize controls that prevent inadvertent exposure. Together, these practices transform information security from a reactive expense into a strategic asset that safeguards the organization’s financial health and long‑term reputation.

Episode Description

https://www.youtube.com/watch?v=wvSRX-na_Ho

https://open.spotify.com/episode/5viwKl2fFV1BFDZGyag2rN

In episode 276 of the GrowCFO Show, host Kevin Appleby is joined by Howard Francioni, Lead Auditor at Akton Boundrie Group, to explore why information security has become a core responsibility for today’s CFO. The conversation frames cyber risk not just as an IT problem but as a strategic, financial, and reputational threat that CFOs must own. Using high‑profile breaches such as Jaguar Land Rover and others, Kevin and Howard illustrate how attacks can halt production, disrupt supply chains, destroy value, and inflict long‑term brand damage, issues that sit squarely in the CFO’s remit of safeguarding enterprise value.

From there, the discussion moves into practical guidance for finance leaders who may not have a CISO or large security team. Howard explains how CFOs can embed information security into risk registers, adopt a “defense in depth” mindset across customers and suppliers, and drive culture change around password hygiene, endpoint security, backups, and data leakage prevention. The episode concludes with forward‑looking insights on AI, data governance, and why standards such as ISO 27001 and ISO 42001 offer powerful frameworks—even for smaller, growing finance organizations—to systematically reduce cyber and data risks.

Key topics covered:

  • Why information security has shifted from a pure IT concern to a strategic CFO responsibility, given its impact on operations, finances, and reputation.
  • Real‑world breach examples (e.g., Jaguar Land Rover, Marks & Spencer, Co‑op) showing how attacks on suppliers can cascade through the entire value chain.
  • Practical foundations of defense in depth: robust password hygiene, secure endpoint configuration, dual user/admin accounts, disk encryption, patching, VPN use, and regular device hygiene.
  • The critical difference between data leakage and data loss, and how everyday behaviors, such as conversations on trains or visible screens, can quietly leak sensitive information.
  • How immutable offline backups and structured risk registers enable organizations to survive ransomware incidents without paying attackers.
  • Emerging risks from AI and agents: systems built without security by design, hallucinations, IP ownership issues, and the need for AI‑specific governance frameworks like ISO 42001.

About Howard Francioni

Howard Francioni is an Information Security specialist with nearly two decades of experience in the card-payments industry—one of the most heavily targeted sectors for cyber-attacks—working across ATMs, POS, online payments, and MOTO environments. He led projects including pioneering contactless EMV acceptance in mass transit for Transport for London and building secure X.509 infrastructures for payment terminals, while also heading a PCI DSS function supporting around 140,000 merchants with data-driven compliance and breach investigations. Today, he helps organizations develop ISO/IEC 27001-aligned information security frameworks and serves as an independent auditor for UKAS-accredited certification bodies, combining consultancy and auditing to strengthen organizational security practices.

Links

Howard Francioni on LinkedIn

Kevin Appleby on LinkedIn

GrowCFO Mentoring

Timestamps:

00:00:38 – Howard explains how breaches cause production outages, operational disruption, and severe reputational harm—core concerns for any CFO.

00:02:21 – Discussion of how threat actors target less secure suppliers to reach larger organizations, and why CFOs must think in terms of ecosystem‑wide defense in depth.

00:05:00 – Howard outlines the three recurring problem areas he sees: poor password hygiene, insecure endpoints, and lack of a healthy “suspicious mindset” among staff.

00:10:19 – Concrete measures for devices, including PIN/biometric login, dual standard/admin accounts, disk encryption, patching, reboots, local backups, and use of VPNs on public networks.

00:18:23 – Stories about overheard conversations, visible screens, and password Post‑its illustrate how data can be leaked without being “lost,” and why leakage is often more insidious.

00:21:26 – Howard stresses that once files are encrypted, recovery is only possible if immutable, offline backups and clear mitigation actions were in place beforehand.

00:28:27 – Comparison between how the internet was built without security in mind and how AI is repeating the pattern, plus why AI‑specific standards are now essential.

00:35:52 – Kevin summarizes what CFOs should do next: understand potential large‑scale and insider risks, quantify reputational impact, and implement practical controls ahead of any incident.

Find out more about GrowCFO

If you enjoyed this podcast, you can subscribe to the GrowCFO Show with your favorite podcast app. The GrowCFO show is listed in the Apple podcast directory, Spotify and many others. Why not subscribe there today? That way, you never miss an episode.

GrowCFO is a great place to extend your professional network. Join GrowCFO as a free member today and participate in our regular networking events and webinars. Premium members can also access our extensive training center and CFO Digital Toolkit. You can enroll in our flagship Future CFO or Finance Leader programs here.

You can find out more and join today at growcfo.net
