#276 Why Information Security Is Now a CFO Responsibility, Howard Francioni, Lead Auditor, Akton Boundrie Group

In episode 276 of the GrowCFO Show, host Kevin Appleby is joined by Howard Francioni, Lead Auditor at Akton Boundrie Group, to explore why information security has become a core responsibility for today’s CFO. The conversation frames cyber risk not just as an IT problem but as a strategic, financial, and reputational threat that CFOs must own. Using high‑profile breaches such as the one at Jaguar Land Rover, Kevin and Howard illustrate how attacks can halt production, disrupt supply chains, destroy value, and inflict long‑term brand damage, issues that sit squarely in the CFO’s remit of safeguarding enterprise value.
From there, the discussion moves into practical guidance for finance leaders who may not have a CISO or large security team. Howard explains how CFOs can embed information security into risk registers, adopt a “defense in depth” mindset across customers and suppliers, and drive culture change around password hygiene, endpoint security, backups, and data leakage prevention. The episode concludes with forward‑looking insights on AI, data governance, and why standards such as ISO 27001 and ISO 42001 offer powerful frameworks—even for smaller, growing finance organizations—to systematically reduce cyber and data risks.
Key topics covered:
- Why information security has shifted from a pure IT concern to a strategic CFO responsibility, given its impact on operations, finances, and reputation.
- Real‑world breach examples (e.g., Jaguar Land Rover, Marks & Spencer, Co‑op) showing how attacks on suppliers can cascade through the entire value chain.
- Practical foundations of defense in depth: robust password hygiene, secure endpoint configuration, dual user/admin accounts, disk encryption, patching, VPN use, and regular device hygiene.
- The critical difference between data leakage and data loss, and how everyday behaviors, such as conversations on trains or visible screens, can quietly leak sensitive information.
- How immutable offline backups and structured risk registers enable organizations to survive ransomware incidents without paying attackers.
- Emerging risks from AI and agents: systems built without security by design, hallucinations, IP ownership issues, and the need for AI‑specific governance frameworks like ISO 42001.
About Howard Francioni
Howard Francioni is an Information Security specialist with nearly two decades of experience in the card-payments industry—one of the most heavily targeted sectors for cyber-attacks—working across ATMs, POS, online payments, and MOTO environments. He led projects including pioneering contactless EMV acceptance in mass transit for Transport for London and building secure X.509 infrastructures for payment terminals, while also heading a PCI DSS function supporting around 140,000 merchants with data-driven compliance and breach investigations. Today, he helps organizations develop ISO/IEC 27001-aligned information security frameworks and serves as an independent auditor for UKAS-accredited certification bodies, combining consultancy and auditing to strengthen organizational security practices.
Timestamps:
- 00:00:38 – Howard explains how breaches cause production outages, operational disruption, and severe reputational harm—core concerns for any CFO.
- 00:02:21 – Discussion of how threat actors target less secure suppliers to reach larger organizations, and why CFOs must think in terms of ecosystem‑wide defense in depth.
- 00:05:00 – Howard outlines the three recurring problem areas he sees: poor password hygiene, insecure endpoints, and lack of a healthy “suspicious mindset” among staff.
- 00:10:19 – Concrete measures for devices, including PIN/biometric login, dual standard/admin accounts, disk encryption, patching, reboots, local backups, and use of VPNs on public networks.
- 00:18:23 – Stories about overheard conversations, visible screens, and password Post‑its illustrate how data can be leaked without being “lost,” and why leakage is often more insidious.
- 00:21:26 – Howard stresses that once files are encrypted, recovery is only possible if immutable, offline backups and clear mitigation actions were in place beforehand.
- 00:28:27 – Comparison between how the internet was built without security in mind and how AI is repeating the pattern, plus why AI‑specific standards are now essential.
- 00:35:52 – Kevin summarizes what CFOs should do next: understand potential large‑scale and insider risks, quantify reputational impact, and implement practical controls ahead of any incident.
Find out more about GrowCFO
If you enjoyed this podcast, you can subscribe to the GrowCFO Show with your favorite podcast app. The GrowCFO show is listed in the Apple podcast directory, Spotify and many others. Why not subscribe there today? That way, you never miss an episode.
GrowCFO is a great place to extend your professional network. Join GrowCFO as a free member today and participate in our regular networking events and webinars. Premium members can also access our extensive training center and CFO Digital Toolkit. You can enroll in our flagship Future CFO or Finance Leader programs here.
You can find out more and join today at growcfo.net