Managing Precious Time


I started working on my doctorate at Concordia University January this year.  I realized that full-time finance work heading up worldwide accounting at a $6 billion global high tech company, along with my adjunct teaching (also at Concordia), was probably going to kill me at a relatively young age.

So a month ago I left my corporate job to focus on my doctorate and teaching.  My expectation was that my productivity, at least for the remaining two commitments, should go through the roof.  I was wrong.  I had morphed my corporate job into a place where I could do everything.  I could come in early, stay late, or even come in on the weekends, logging on to my PC and answering company email, doing work, while also juggling the rest of my life.  That office had become my center.

Now, at home, no longer do I use a PC, I have a MacBook Air.  No longer do I have the company’s scheduling software to enable me to multi-task.  One month later and I’m still transitioning to this new way of life.  My calendar is now fully migrated to CalendarMob (Google Calendar), most of my contacts have my personal email address, and I am steadily becoming more proficient on the MacBook!

Yet when my boxer Patton wants to go outside or remodelers are banging away on my new hardwood floors, I still feel unnaturally ill at ease.  Should I get an outside office?  Maybe I should go back to work?

Cyber Challenges – Focus on What Matters Most to the United States

The Internet has enabled a great many benefits, connecting people around the globe, along with the information people share with each other. But just as Albert Einstein discovered the means for splitting the atom, and never intended that this technological breakthrough would be used to eviscerate thousands with an atomic bomb, so too has evil intent emerged as a result of the enabling of the World Wide Web and connectivity.

An ever-expanding array of Internet-based applications has virtually replaced Encyclopedia Britannica, search engines such as Google have placed at our fingertips answers to virtually any question we may have, from the trivial to the scholarly. Yet alongside these virtuous educational tools of the past decade or so we’ve also witnessed a dark side to the Internet. [1]

●     in 2010, out of the million most popular (most trafficked) websites in the world, 42,337 were sex-related sites.

●     from July 2009 to July 2010, about 13% of Web searches were for erotic content.

Besides the preponderance of pornography, other activities of ill intent have cropped up including identity theft, industrial espionage, credit card fraud, phishing, child exploitation – criminal use of the Internet has flourished. The Internet has also been used to great effect by criminals to trade their cyber wares. Investigators have uncovered sophisticated black market operations such as DarkMarket and ShadowCrew who use the Internet to trade cloned credit card data and bank account details, hire botnets (infected networks of computers) and deliver hacking tutorials.[2]

Malicious viruses have made headlines over the past several years, but the economic hardship suffered by American businesses has been almost insignificant, making these attacks more annoying than truly disruptive and costly.[3] A virus in 2000 infected 1,000 computers at Ford Motor Company. Ford received 140,000 contaminated e-mail messages in three hours before it shut down its network. Email service was disrupted for almost a week within the company. Yet, Ford reported, “the rogue program appears to have caused only limited permanent damage.” None of its 114 factories stopped, according to the automaker.[4]

Increasingly sophisticated virus attacks on one or more computers have caused many problems for individuals, companies and public institutions. Stuxnet, Flame, Duqu, Red October, and Iran’s ongoing attacks against the US banking system have brought the phenomenon into the nightly news, but the pattern of attacks includes numerous older and less discussed programs such as Titan Rain, Ghostnet, and the attacks on Estonia and Georgia.[5]

Arguably the most successful known campaign against American oil and gas firms is one dubbed “Night Dragon” by McAfee, the cyber security firm that first disclosed its existence. According to McAfee, Night Dragon was a “coordinated, covert, and targeted” campaign by China-based hackers to obtain confidential data from five major Western energy companies, beginning around 2008 and extending into early 2011. Night Dragon was able to steal gigabytes of highly sensitive material, including proprietary information about oil and gas-field operations, financial transactions, and bid- ding data. It is difficult to tell if and how any of this information was used. One U.S. oil executive interviewed said he believed that on at least one occasion a rival national oil company appeared to know his firm’s bidding plans in advance of a lease auction, which resulted in his losing the bid. Security experts believe Night Dragon is only one of several similar attacks, of which oil and gas companies are either unaware or afraid to disclose publicly for fear of displeasing investors.[6]

On September 11, 2001, hijackers took control of several commercial airplanes, crashing them into the Twin Towers of the World Trade Center (WTC) in New York City, the Pentagon in Washington, DC, and a field in Somerset County, west of Pittsburgh, Pennsylvania. Almost 6,000 people in total were killed. Besides the human toll, the cost of rebuilding was estimated at over $100 billion (CNN Television News Report, October 5, 2001). Since this time the United States has reacted by defensively spending billions and billions more trying to ensure such a terrorist attack on our soil cannot be repeated.[7]

Is it possible that terrorists could develop a Cyber Terror program to attack our power grid, harm our drinking water, cripple our communication capability or neutralize our military? Of all the dark and sinister ways the bad guys have been using and abusing the Internet, combined with future potential doomsday scenarios, how do we determine those that matter the most in order to focus our resources and reduce the affect of real and present cyber dangers? Let’s start by debunking some of the unlikely candidates and myths that matter much less.

Within the United States there are tens of thousands of separate water systems, many operating with their own network infrastructure and software. To impact national water utilities would require a serial attack on each system, not easily undertaken. Physical assaults typically associated with extreme weather, have disabled some water utilities, but only for a matter of days and only to a very limited extent. System problems have not affected water availability to any significant extent.

Some have argued cyber-terrorists could attack and shut down our power grid. In fact the 3,000 or so utilities, public, private and co-operative are highly integrated and connected. But the various electrical power providers use mostly different software and MIS technologies to operate their controls for power generation and transmission. An attacker would have to settle for a few vulnerabilities identified in a minority of the thousands of providers and even then there is no evidence that disruption would be prolonged to any great extent.

Could a hacker get control of one of our commercial or military aircraft? Even though there is a lot of technology and hardware including microprocessors and communication equipment aboard today’s aircraft, the plane is still subject to the pilot’s control of it, so even this fear is unfounded. (One exception is recently Iran did manage to lock into the right frequency in order to land an unmanned US drone in their country).

Another thesis of fear promulgated is how China (for example) could disrupt our banking system (Iran seems lately to be working on this very thing, although thus far without too much damage to banks’ data and data security) and bring about economic collapse in the United States. Possible, but unlikely, and here is why: China holds US$1.3 in United States Treasury Bonds. If the yield on these bonds was impacted by adverse economic conditions in the United States, China’s own sovereign wealth would be severely and negatively impacted. Most large economies around the world are hurt economically whenever the US economy suffers.

Of all of the possible challenges we face with Cyber Crimes, most can be managed, and the costs of the negative impacts are far outweighed by the many benefits our interconnected information superhighway provide to people around the world. But there remains one rather significant issue that we must address with a variety of ways and means, utilizing every possible tool at our disposal. This is the problem of Cyber Espionage. The legacy of the United States is its inventiveness, its innovation, and technological breakthroughs — the “knowledge” that has been created — especially in the past 50-100 years. All of this is protected by a variety of legal sanctions whether trademarks, patents, copyrights, with a huge accretive economic impact in the form of royalties and licensing fees.

If a rogue country is sanctioning cyber espionage in order to glean technology, learn trade secrets, understand and reverse engineer drugs, electronics, or radar-evading aircraft, that country gets an unfair leapfrog jump without having had to pay for it.[8] We measure the costs of Cyber Espionage in terms of direct costs (lost sales and market share), indirect costs (increased competition and related disadvantages caused by competitors learning trade secrets) plus defensive costs (increasing the robustness of the firm’s firewalls and security to prevent a future breach).

It has been estimated that Cyber Espionage costs the United States at least $100 billion per year. But that is only the direct and measurable costs.[9] The indirect and defensive costs are certainly much larger. Companies invest heavily in Internet safeguards such as firewalls and other security systems to prevent an unwanted breach of their company network. Yet, smart hackers continue to upgrade their capability and find ways to circumvent increasingly robust computer systems. This in turn leads to more company investment to continuously improve upon and strengthen and protect the company data.

Knowledge management focuses on capturing and sharing knowledge. Because of this, KM researchers tend to focus on issues related to knowledge capture, storage, and sharing. However, because knowledge is valuable, it is a target needing to be protected. KM researchers and practitioners need to think security and explore how important security skills are to KM practitioners and researchers. Increasingly new KM job postings are showing up and MIS departments are investing in and making knowledge security a corporate priority.[10]

The indirect costs are far greater however. Within the United States companies spend a total of almost half a trillion dollars each year on research and development. This is the investment that leads to new breakthrough technologies, novel, less expensive, and qualitatively superior products, and drugs and medical equipment to treat or even cure various diseases. If a rogue country such as China can glean this technology for themselves and for free, they have an immediate an unfair advantage, gaining knowhow they spent almost nothing to acquire, utilizing this free knowhow as a platform to move their own technology further along.[11]

Recently President Obama has spoken out to directly implicate China conducting Cyber Espionage, going so far as to name the location in Shanghai allegedly housing the prolific hackers: the computer security firm Mandiant, that identified P.L.A. Unit 61398 near Shanghai has been named as the likely source of many of the biggest thefts of data from American companies and some government institutions. [12]

China’s extensive cyber research activities and allegations over cyber espionage have put the United States on high alert.

XI’AN, CHINA—The leaflet posted in the school of information engineering here at Xi’an Jiaotong University was brief but enticing, offering computer-savvy graduates a hefty stipend and the chance to serve their motherland. “I was curious,” says Liu, who asked that only his surname be used in this article. It was the spring of 2007, and Liu, then 24 years old, was wrapping up a master’s degree in computer algorithms. Encouraged by his supervisor, Liu called the number on the leaflet; that summer, he joined an elite corps of the People’s Liberation Army (PLA) that writes code designed to cripple command-and-control systems of enemy naval vessels.

PLA writings call the electromagnetic spectrum “the fifth domain of battle space,” putting cyberspace on an equal footing with ground, air, sea, and space. Cyber conflicts “threaten national security and the very existence of the state,” two scholars with the Academy of Military Sciences wrote in China Youth Daily in 2011. State media regularly tout PLA activities in cyber defense, a catchall term encompassing everything from surveillance and espionage to weapons such as electromagnetic pulse generators that disable computer networks and malware designed to take down power grids or contaminate water supplies. Augmenting PLA efforts is a legion of civilian researchers and hackers whose efforts ostensibly are directed at repelling electronic intruders. In 2011, more than 8.5 million computers in China “were attacked by rogue programs every day,” a 48% increase over the previous year, says Li Yuxiao, a cyber law expert at Beijing University of Posts and Telecommunications.[13]

“Only three months ago, we would have violated U.S. secrecy laws by sharing what we write here—even though, as a former director of national intelligence, secretary of homeland security, and deputy secretary of defense, we have long known it to be true,” write Mike McConnell, Michael Chertoff and William Lynn.[14] “The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.”

“Evidence of China’s economically devastating theft of proprietary technologies and other intellectual property from U.S. companies is growing. Only in October 2011 were details declassified in a report to Congress by the Office of the National Counterintelligence Executive. Each of us has been speaking publicly for years about the ability of cyber terrorists to cripple our critical infrastructure, including financial networks and the power grid. Now this report finally reveals what we couldn’t say before: The threat of economic cyber espionage looms even more ominously.”

What will be needed to combat this seemingly intractable problem? A multi-pronged solution has recently been proposed, providing complete coverage of how to ensure the protection of company proprietary information and assets, including how to develop an effective corporate counterespionage program. Written by a former veteran of the Office of Naval Intelligence, the program provides guidelines to determine the current threat level to an organization’s proprietary assets as well as the physical security countermeasures, policy, and procedures that must be in place to establish an effective counterespionage program. This comprehensive approach is what is called for, a systems approach, multi-faceted to address protecting sensitive data and trade secrets in a corporate security setting, organizations that have proprietary information and assets to protect, businesses that have operations or partner with companies overseas such as China, organizations that work with the federal government on classified projects, security and counterespionage professionals, and university degree programs in Homeland Security and intelligence. [15]

We need to move beyond simply calculating explicit direct costs of Cyber Crime, as mentioned earlier, approximately $100 billion in the US annually and $400 billion worldwide.[16] This is only a relatively small part of the cost involved. A broader more complex solution must be aggressively undertaken to protect our national interests and the knowledge and knowhow our country’s organizations have spent so much time and capital developing. The sense of urgency cannot be overstated and besides the prophylactic systems-approach aimed at reducing the problem, a head-on confrontation demanding rogue states halt their state-sanctioned hacking immediately, must be met with very serious consequences if compliance is not forthcoming.





[1] Ogas, O., & Gaddam, S. (2011). A Billion Wicked Thoughts: What the Internet Tells Us About Sexual Relationships. Penguin.

[2] Home Affairs Committee, & Great Britain. Parliament. House of Commons. (2013). E-Crime: Fifth Report of Session 2013-14 [electronic Resource]: Report, Together with Formal Minutes, Oral and Written Evidence.

[3] Axelrod, R., & Iliev, R. (2014). Timing of cyber conflict. Proceedings of the National Academy of Sciences, 111(4), 1298-1303.

[4] Lewis, J., & Baker, S. (2013). The Economic Impact of Cybercrime and Cyber Espionage.

[5] Sliva, A. (2013, August). A Policy Analysis Framework for Cybersecurity Operations. In Social Science, Computer Science, and Cybersecurity Workshop Summary Report (p. 26).

[6] Clayton, B., & Segal, A. (2013). Addressing Cyber Threats to Oil and Gas Suppliers.

[7] McGavran, W. (2009). Intended consequences: regulating cyber attacks. Tul. J. Tech. & Intell. Prop., 12, 259.

[8] Nakashima, E. (2013). US Target of Massive Cyber-Espionage Campaign. Washington Post.

[9] Benny, D. J. (2013). Industrial Espionage: Developing a Counterespionage Program.

[10] Jennex, M., & Durcikova, A. (2014, January). Integrating IS Security with Knowledge Management: Are We Doing Enough to Thwart the Persistent Threat?. In System Sciences (HICSS), 2014 47th Hawaii International Conference on (pp. 3452-3459). IEEE.

[11] Polatin-Reuben, D., Craig, R., Spyridopoulos, T., & Tryfonas, T. (2013, October). A System Dynamics Model of Cyber Conflict. In Systems, Man, and Cybernetics (SMC), 2013 IEEE International Conference on (pp. 303-308). IEEE.

[12] Sanger, D. E. (2013). U.S. Blames China’s Military Directly for Cyberattacks. The New York Times.

[13] Stone, R. (2013). A Call to Cyber Arms. Science, 339(6123), 1026-1027.

[14] McConnell, M., Chertoff, M., & Lynn, W. (2012). China’s Cyber Thievery Is National Policy—And Must Be Challenged. The Wall Street Journal.

[15] Benny, D. J. (2013). Industrial Espionage: Developing a Counterespionage Program.

[16] Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M. J., Levi, M., … & Savage, S. (2013). Measuring the cost of cybercrime. The Economics of Information Security and Privacy, 265-300.

Rodd Mann, Doctor of Education candidate (Ed.D.) at Concordia University 

Financial METRICS

Five Metrics Every Finance Dashboard Must Include

By Rodd Mann, Adjunct Professor and doctoral candidate, Concordia University, Irvine, CA

Image 29 May 2014

Businesses need to set strategic goals and objectives that form the basis for every aspect of performance that is measured within the organization—most critically, the key ratios and metrics controllers use in finance. A lot of businesses set so many metrics that the most important ones are lost in the mix, but in reality, only five metrics are critical for controllers to include in an effective dashboard for finance.

These metrics are as follows:

#1: Sales. When measuring sales, controllers should keep in mind that all measurements need to be looked at in qualified, not absolute, terms. For example, what is the cumulative annual growth rate (CAGR)? If the market on average is growing at a rate of 20 percent and a company’s sales are growing at only 10 percent, then that company is losing market share.

Controllers need to look at sales in terms of time, trend, and industry. It is impossible to determine a trend without looking at data over at least a three-year period of time. Also it is critical to look at sales data against what is happening in the industry as a whole in order to determine whether this key metric is strengthening or weakening.

#2: Manufacturing costs. These can be expressed as a percentage of revenue, or subtracted from revenue to get the gross profit margin. Manufacturing costs include materials costs along with labor and overhead needed to build the product.

Material costs can comprise up to 90 percent of the total cost of a product. It is vital for controllers to get a handle on these supplier-related costs, as well as their internal labor and manufacturing overhead (utilities, equipment depreciation and supervisory salaries to name a few). It is also important to analyze each of these cost categories separately, looking carefully at variances between the standard or target costs compared to the actual manufacturing costs.

#3. Operating expenses. Controllers that are not manufacturing companies need to take a close look at their operating expenses. They can look at these as a percentage of revenue and also relative to their competitors’ expenditures. Operating expenses include human resources, finance, security, MIS, advertising and marketing, general administrative expenses, as well as salaries of executives.

#4: Profitability. Profitability can be measured in three different ways: as a percentage of revenue, as a percentage of total equity, or if you are a manufacturer, as profitability divided by assets in place. For example, if the company has made a huge investment in machinery and equipment, are those assets generating sufficient profitability?

When calculating profitability, the denominator could be revenue, equity, or assets; this all depends on your perspective. For instance, the COO or general manager would probably track profitability as a percentage of sales. If a manufacturing company has invested heavily in a semiconductor fabrication facility, perhaps upwards of $3 to $5 billion, that company would need to measure the profit-generating capability of those assets in place.

#5: Cash flow. A business can be very profitable and perhaps also growing quickly— yet, somewhat surprisingly, it can run out of cash. Sadly, this has happened to many profitable, fast-growing companies that didn’t see how much cash it takes to increase inventory and accounts receivables.

Why? Businesses can run negative cash flow if they are spending a lot on property and equipment, or have too much revenue tied up in their receivables and inventory, so these are areas that need to be tracked closely. Other areas affecting cash flow that need to be tracked would include total compensation and other people-related costs such as travel.

In addition to tracking these five dashboard items on a predetermined basis, typically monthly, controllers can take the following steps to contribute greater value to their organizations:

  • Help to make sure everyone within the organization is clear about, and on board with, the business’s strategic objectives by translating the goals of the management team into clear, concrete, metrics.(Also make sure the ERP is set up to support measurement and reporting those metrics.)
  • Communicate clearly up and down the management chain how everyone is doing against those performance metrics—for example, by sharing results when the monthly financial statements come out. Controllers can get creative with their dashboard—for example, using a red, green, and yellow light coding system to show areas where metrics are tracking well, where there is trouble, and where remedial action needs to be taken.
  • Focus on finding ways to make employees and suppliers happy (and customer satisfaction and loyalty will naturally follow). For example, work to ensure that employee benefit packages are fair and suppliers are paid in a consistently timely manner.
  • Help design incentive and compensation systems that are set up around performance metrics and goals. This will help ensure that people have the focus and motivation to engage in the right behaviors that will yield the right business results.

While it’s true that controllers have a fiduciary duty to follow U.S. GAAP and close the books in a timely fashion, the modern role of a controller is developing into a person who adds value to the business by helping to establish a sound dashboard and use that dashboard to demonstrate what is and is not working. Controllers need to become an integral part of the business, helping in decision-making about everything from whether to outsource and where to build a new plant to what investments to make. This means being able to pull together a lot of the data that is available now and then converting that data into knowledge and information that will help the business fulfill its current objectives as well as establish effective new goals for the future.

While it’s true that controllers have a fiduciary duty to follow U.S. GAAP and close the books in a timely fashion, the modern role of a controller is developing into a person who adds value to the business by helping to establish a sound dashboard and use that dashboard to demonstrate what is and is not working. Controllers need to become an integral part of the business, helping in decision-making about everything from whether to outsource and where to build a new plant to what investments to make. This means being able to pull together a lot of the data that is available now and then converting that data into knowledge and information that will help the business fulfill its current objectives as well as establish effective new goals for the future.

Editor’s Note: Rodd Mann has many years of experience as a controller, most recently at Kingston Technology. He will be speaking at the IOFM Controller’s Conference and Expo, September 14-16, 2014 in Chicago.