The CFO–CISO Partnership for Risk Mitigation: Balancing AI and Security


In this episode of CFO Weekly, Tony Jarjoura, Chief Financial Officer at Gigamon, joins Megan Weis to explore the critical partnership between the CFO and CISO, how that collaboration is essential for risk mitigation, and how they are balancing innovation with security in the age of AI. Tony brings extensive experience from his career at Ernst & Young and his progression through multiple leadership roles at Gigamon, where he witnessed firsthand the critical intersection of financial operations and cybersecurity.

With his deep background in revenue operations, controllership, and financial reporting, Tony shares how finance and security leaders can work together to evaluate AI investments, implement enterprise-wide solutions, and build frameworks that drive innovation while maintaining robust controls. Currently serving as CFO at Gigamon, Tony oversees the strategic alignment between finance and IT security to ensure both operational efficiency and risk mitigation.


Megan - 0:53: Today, my guest is Tony Jarjoura. Tony is a technology industry executive with proven success in building and growing high-functioning, world-class teams. He's built his career on being a solution-oriented, trusted advisor to high-growth technology companies. Tony started his career at E and Y, where he helped his clients successfully complete public offerings, domestic and foreign, acquisitions, private placements, and accounting policy implementation and adoptions. Tony is very proud to have worked with clients from their early rounds of funding through to the point of international expansion and multibillion-dollar revenue performance. His experience provides his clients and colleagues with a unique perspective on their business, accounting, and growth issues. Post E and Y, Tony managed the finance and controllership function for a multibillion-dollar technology company with global operations. His experience includes leading the finance and accounting functions through M and A, divestitures, complex revenue transactions, revenue forecasting, debt, equity, tax, and financial reporting. Tony has also overseen the revenue operations function, including the transition to a subscription model, contract terms and conditions, and deals desk diligence. Today, Tony is Chief Financial Officer at Gigamon. Tony's been with Gigamon since 2020, where he's worked his way up through the following positions: Director of Revenue from September 2020 to May 2021, Senior Director Controller from May 2021 to June 2023, Vice President Revenue Operations from June 2023 to May 2024, and Vice President Finance and Corporate Controllership from June 2024 through January 2025. Gigamon offers a deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools.
This powerful combination helps enable IT organizations to assure security and compliance governance, speed root cause analysis of performance bottlenecks, and lower operational overhead associated with managing hybrid and multi-cloud IT infrastructure. The result is that modern enterprises realize the full transformational promise of the cloud. Gigamon serves more than 4,000 customers worldwide, including over 80% of Fortune 100 enterprises, nine of the 10 largest mobile network providers, and hundreds of government and educational organizations worldwide. Tony, it's great to have you here with us today. So as the lines between finance, technology, and security continue to blur, the partnership between CFOs and CISOs has never been more important. Companies are realizing that financial resilience and cybersecurity resilience go hand in hand, especially in an era where AI is reshaping both opportunity and risk. So to kick things off, was there a particular moment or project throughout your career that made you see the real value of the CFO-CISO collaboration?

Tony - 3:53: Yes, absolutely. There's a particular project I could think of where we were working on an IPO for a really hot technology company, and we were going through the internal control over financial reporting framework, really prepping for SOX, and the roles of the CISO and the CFO are very much aligned, especially with respect to risk and risk mitigation. And I recall from that project that the key focus was: what are we doing from an IT perspective to mitigate risk and to address what could go wrong that would then parlay itself into the financial statements? And that project was a very close collaboration between both organizations, with the North Star being risk mitigation. I'd always talk about or hear about Wall Street Journal headline risk. Something small can go wrong, and it could have a massive, disastrous impact from a business perspective, and the alignment of those two offices is super critical. And I recall going into the bowels of the IT systems that are being used to generate the information that's being recorded and ensuring that there are in fact detect controls, prevent controls, and enough there to mitigate things from going wrong that ultimately the CFO and those charged with governance are responsible for when it came to reporting the numbers and preparing for this IPO, and also in preparation for the company becoming a publicly listed company that has to continually address controls, test controls, and ensure that they are operating effectively and mitigating risk. And in that exercise, it was very clear that there is so much cross collaboration needed between the CFO org and the CISO org.
If the CISO org does not have adequate controls in place to mitigate things from going wrong, then the information that the CFO is relying upon, whether it's forecasting or financial statements or footnote disclosures, you can't rely on those if the basis of that information isn't being sourced correctly, being calculated correctly, and being addressed from an IT perspective for risk mitigation.

Megan - 6:19: And before we jump into the meat of the conversation, let's just take a step back. And can you walk us through your career and how it is you got to where you are today? And also tell us a little bit about where you are today, Gigamon.

Tony - 6:33: Absolutely. My career started at Ernst and Young in the San Francisco offices, serving Bay Area technology companies, high-growth tech companies going through the IPO process. And that's where I spent a number of years. The beauty of that role is it gives you a very interesting vantage point to be able to see an idea in board minutes turn into research and development, turn into a product launch, and the entire gamut from A to Z. That lens or vantage point from a quote unquote auditor perspective is a really interesting one because you can see all the nuts and bolts, how everything transpires and leads itself into the financial statements. I saw what worked well and I saw what didn't work well. And I made the transition to the other side, so to speak, and joined Gigamon to lead the revenue efforts. We had initiated our transition from perpetual to subscription. There are a lot of accounting nuances there, and I led the charge on revenue, revenue operations, got to interact with a number of our customers and negotiate contracts and work through solving problems and navigating good outcomes for ourselves and for our customers as needed. And that role transitioned to taking on more within the accounting and finance organization and ultimately rising up to the CFO role that I'm in now, where I oversee anything and everything accounting and finance related. And I still enjoy the rev ops side of the business, and the role now is far more intricate than it has been in the past. The amount of cross-functional collaboration, the amount of thinking ahead and what's around the corner, especially with respect to AI, which we'll talk about in a little bit, keeps me excited and engaged.

Megan - 8:22: And as you mentioned, you started your career at Ernst and Young, which gave you a unique vantage point across both security and finance and accounting. So how did those early experiences shape your perspective on partnering with finance and security teams to evaluate complex technology investments?

Tony - 8:43: It allowed me to see the fundamental building blocks at every stage of a process. It allowed me to lift under the hood and see the nuances and the details of how a control matrix is set up, of how a process is supposed to function. And that allowed me to then come back over the top and say, there's a weakness here. This is not best practices. There's a shortcoming. How do we go back and gain the trust of the business process owners and the IT owners to improve upon a process in order to fortify it, shore it up, and make sure that it really is mitigating risk for the business?

Megan - 9:23: And when it comes to decision making frameworks, many companies struggle to balance innovation and protection. So in your current role at Gigamon, what frameworks have you found to be most effective for aligning CFO and CISO priorities when assessing things like AI investments?

Tony - 9:43: It really starts with understanding what the business is doing, where the business hopes to be, and aligning on commonality of goals. And that starts with the CISO and myself understanding where we're headed, working with the business process owners and the functional leadership to understand what's important for them, what causes them friction, what causes them to stay up at night, what problems they are trying to solve, and then working together to understand what's needed to help facilitate those friction points, understanding what levels of funding are needed, and then ultimately coming to the table with the decision makers to decide what is our best ROI. If we have a dollar to spend, where are we going to get the best return on investment for that dollar? And working with my colleague across the table to go through all the different software stack items that are in play and what they hope to have in play, and understanding which ones are going to give us the best ROI so we can go ahead and make those investments. Now that you've figured out where you're going to move forward, you take each of those new software applications and understand how it fits within the stack, what risk exposure exists, what information is being used, how those software systems are going to talk to each other, and build an ecosystem around that to ensure that we're mitigating risk. We're understanding where information is coming from and flowing to, and that it's accurately porting out the intended information that then is being used to make business decisions, whether they're financial or otherwise, and how the company operates and grows and expands.

Megan - 11:26: And I'm just curious, but to what extent do risks keep you up at night? I mean, it seems like they're becoming so sophisticated. I just wonder if there'll be a day where you just cannot tell the difference between a scam and a legitimate request.

Tony - 11:43: Absolutely, Megan. That scares the crap out of me, for lack of better words. It's very frightening, the level of advancement that AI allows a nefarious actor to gain access to. And we've seen cases where a quick podcast of audio or a quick short video can then be run through an AI tool on a homegrown system like a simple GPU, maybe a few thousand dollars, nothing fancy, nothing crazy expensive, just a home system that can then take that video and audio file and turn it into what would otherwise appear to be a fully legitimate video of you saying or doing anything. That's really frightening. We see lots of phishing attacks. We see emails of "this needs to get paid immediately in order to secure a discount" or "it's overdue, can you please approve it?" And you go through all the things that you learned from a training perspective. Right? Look at the link in the email. Look at the email address. Look at the domain of the website. Look at how the email is structured. Look for typos. Look for oddities. But at the end of the day, the astronomical level of AI's advancement makes it that much easier for bad actors to target folks. And so internally, we have set up a tremendous framework of controls to mitigate things from going wrong. If something doesn't feel right, pick up the phone and call. If something doesn't pass the sniff test, it doesn't matter what level or sense of urgency there exists, pick up the phone and talk to the person. Walk across the hall and talk to them face to face if you can. What scares me is, in a world where there are a lot of key players that are remote and maybe not necessarily always in the office together, having that ability to hide behind a screen and hide behind text and try to pull off bad behavior. That really is worrisome to me. And looking ahead in the future, technology is only getting more and more complicated and advanced.
And I just always go back to: trust your gut, take your trainings, and at the slightest thing that feels off, pick up the phone and talk, or set up code words between you and your team members. Do anything and everything you can to assess, reassess, and challenge what's being asked of you when it just doesn't pass the sniff test and doesn't feel right.

Megan - 14:23: That's great advice, and thank you for sharing that. So back to the questions. Can you share a real-world example where collaboration between finance and security teams led to a meaningful outcome, let's say reducing risk while still maximizing ROI?

Tony - 14:40: Absolutely. One that comes to mind is with respect to AI tools. AI is hot, and it's moving quick. We found a lot of different organizations wanting to invest in AI tools. And the cost on some of these tools is to the point where it can go under the radar, but it's not terribly expensive to deploy. There are a lot of public AI systems as well, ChatGPT amongst many. So it's easy for someone to use their home computer and copy-paste something into ChatGPT. We have to block that. We have to prevent that from happening. And so working hand in hand with our CISO, we put measures in place to prevent access to any and all IT systems. We then consolidated the needs and the asks of the business, and we embarked to find an enterprise-wide corporate AI solution that would allow our operators, our business partners, to use and gain and take advantage of the AI tools that are out there in a centralized and controlled environment. Rather than having fifteen, twenty different tools across the board, it's all centralized into one enterprise-wide solution that has gone through a tried and true IT evaluation. We have substantial controls around where information can be accessed from, who can see what, what levels of permission exist. It went through a detailed bottom-up implementation of a corporate enterprise-wide AI solution in order to mitigate risk, in order to wipe out and eliminate the use of individual tools controlled by an individual user and bring it up to a corporate level that is facing the scrutiny of our top-notch IT security team. And that involved collaboration between my CISO and myself looking at budgets, looking at spend, looking at risk mitigation, and ultimately finding a tool and a solution that allows us to mitigate the risk of individual users deploying something on their own. It allowed us to pool all of our dollars together for one contract. Right? You have economies of scale there when you negotiate an enterprise-wide solution.
It allowed us to go back to our teams and give them a tool that helps them do their job better, that helps them do their job faster, that allows them to use AI in their day-to-day activity for better output, better productivity, and better growth. That individual example sticks out in my mind because, one, it's relevant with AI. The ROI on it was clear, the aggregation, and it was a positive outcome well received by the organization and put into place in a manner that helps us mitigate things from going wrong.

Megan - 17:32: And these days, innovation, AI, and AI adoption are all moving at the speed of light, but the need for robust security and compliance never goes away. So how do you personally balance those competing pressures of being able to drive innovation quickly while still maintaining strong controls?

Tony - 17:51: Absolutely. You want to move fast. And sometimes when you move fast, things break. And you always have to balance moving fast with training in a way to avoid and mitigate, but not in a way that slows down the business, suffocates the business, or restricts the business. And the way we do that is best served by being proactive, not reactive. It's best served by having policies and procedures in place for what we're deploying and making sure each player knows what their objectives are and what they need to deliver on any given project. And what that allows us to do is to create a process that we can rinse and repeat in deployment of any software, AI or otherwise, that follows through what you're expecting at every step of the way in order to ensure that when you've deployed that product, risk is mitigated and you're not taking forever to get it out to the teams. The go live or launch isn't dragged out by a tremendous amount of red tape. It is formulaic. It is a process that we put the evaluation through that we move quick on in order to not slow down the business, but also ensure that backbone is still there, it's still solid, and we're not cutting corners. Because those corners that you cut might seem like low exposure items at the time, but down the road, if not implemented correctly, could put you in an exposure situation that you can't recover from.

Megan - 19:22: And let's switch gears and talk about collaboration. So what cultural or organizational changes have you found necessary to build trust and alignment between finance and security teams?

Tony - 19:35: Breaking down the hierarchy. I have an open-door policy. Anyone at any time can walk into my office regardless of what level they are within the organization. My partner across the table, my CISO, has done the same. I can go straight down to any person in his team and ask a question, and vice versa. And I think that helps us get to answers quickly, get to solutions quickly, and elevate risk when needed. I can have something bubbled up to me instantly versus having to go through some sort of hierarchical chain. We also have very frequent meetings between myself and the CISO and then across the organization between IT and the finance and accounting team. They're always going through iterations. How do we make things better and more efficient? So from a cultural standpoint, it's just breaking down barriers to having conversations and having open-door policies and having the ability to walk across the hallway to the IT folks and say, hey, this is coming up, or this is a problem, or this isn't working well. And then vice versa, having the IT team feel empowered to say, what are you evaluating? What's on the horizon? What upgrades are coming up in XYZ IT systems? And that level of openness and collaboration makes it a lot easier to identify problems, find solutions, and think ahead as to what's coming around the corner for teams to plan, so that you're in a proactive mindset versus a reactive mindset. Whether it's software that's being sunset or something that needs to be upgraded, having the open lines of communication across the teams is important in being able to move fast, get to decisions quickly, and avoid breaking things to the extent possible.

Megan - 21:19: And before we talk about AI investments, I'm just curious to know how do you estimate the risk of something bad happening, like a data leak or whatever the case may be? How do you estimate what the risk of that would be for a company? Is there any way to do it?

Tony - 21:41: That's a tricky one, Megan. I don't think there is one formulaic approach to assessing it. The mind frame that we go through is: what's the likelihood and what's the potential magnitude? In this day and age, with any little breach of, say, personally identifiable information, PII, or any breach of data, one could argue that the dollar value of whatever was breached is nominal or you can provide some sort of recovery on it. What's damaging is brand and reputation. Maybe you can't put a price on that. So even if something is measured as the magnitude wouldn't be terribly large and you can easily address it by doing X, Y, and Z, the damage to the brand or reputation is priceless and sometimes irreversible. And so when we think of risk, it's not a binary concept of, hey, could this be a big risk, or this is risky, what are we going to do to mitigate it? Even if that risk exposure is relatively small or benign, the perception can yield significant brand damage and reputational risk. So what we always go through in making that assessment is: what information is involved, what systems are being used, who has access to those systems, what information is moving from point A to point B, and who are the users? That always helps us in understanding what we are looking at and what level of exposure could exist. And at the end of the day, you always say to yourself, hey, if this was in the public domain, is this going to have that Wall Street Journal headline risk? And if the answer is yes, that's risk. Can you better mitigate for it?

Megan - 23:25: Thank you. That was a great answer. So when you're making AI investment decisions, how do you ensure that those choices not only fuel growth but also enhance your company's resilience against emerging cyber threats?

Tony - 23:39: Absolutely. So I think we're still in the very early stages of enterprise-wide AI adoption and rollout. We're going to see a lot of change in the next twelve to eighteen months as not only the technology advances, but the use applications advance as well. For us, we're not in a position yet to say full bore AI everywhere. It is taking an enterprise-wide stance on a corporate solution and then assessing each bolt-on. What efficiencies do we gain out of it? What risk can this mitigate by having a system, especially with agentic AI, go in and compare A to B and make a decision about C and D based on A and B? And we're still in those early phases of assessing. I think we're going to see a lot of use cases emerge, and I think we'll start seeing which systems out there are truly capable of being enterprise ready. In a small startup environment, your risk profile is different. You can afford to move fast and break things, and you can afford to disrupt. In a world of enterprise, you don't want to break things. You don't want to disrupt things. They could go sideways pretty quickly. And so the important aspect of that is assessing what the benefits of this AI tool are, what we can do to mitigate risk or things from going wrong in this tool, and addressing it from there. A few years ago with zero trust, every door was locked. And now with AI, it's almost like every single door is open. Get APIs and share information across all facets of the business so that the AI tool can better empower giving an end user an answer or a solution, or fix something. And I don't think the answer is all doors are closed, and I don't think the answer is all doors are open. I think the answer is going through a process of evaluation of what the tool is doing, where the information is coming from, who's accessing it, and what it can and can't do, and making decisive action to say, if we set this up and the system has access to these things, what are we doing to block those?
And then once we have this tool deployed, what are the outputs? What are the efficiencies? What are we gaining from deploying this tool? And we go through that assessment day in and day out.

Megan - 25:56: And even when both have the best intentions, there can be gaps in perspective, obviously, between a CFO and a CISO. So from your experience, what are the most common misalignments, and how can leaders proactively bridge them?

Tony - 26:11: There's oftentimes misalignment on dollar spent. What's in your plan for next year? There's often misalignment in thinking that we need to have all these 10 different solutions deployed, but not being able to zoom out for a wider aperture to understand that the investment for these systems isn't going to create a better ROI than using that dollar spent for something outside of the IT organization. And then you have the element of, hey, there's something that's on the horizon that we perceive to create risk, and we need to put dollars towards mitigating for that today that aren't necessarily in the plan. And so there's this constant balance of how you're spending your money, where you're spending the money, and assessing ROI against that.

Megan - 27:01: So finally, as we look towards the horizon, what trends in AI governance and investment should CFOs and CISOs be watching today to stay ahead of both risk and opportunities?

Tony - 27:15: There's a lot of excitement around AI, and folks want to move fast. I think it's critical that CISOs and CFOs understand the process involved in launching AI tools, understand how these LLMs are set up, understand where the information is coming from. There's the concept of garbage in, garbage out. The AI tools are only as good as the information going into them and as the LLMs are built. And so when I look ahead, it's critical to understand how we're implementing these systems, where the information is coming from, and ensuring it's clean data that's being fed into the tool, so that when the AI tool does its thing, the outcome is where you want it to be. It's an outcome that is productive, accretive, something that you can use and benefit from, versus deploying a bunch of stuff, not understanding how it works, not understanding where the data sources are from, and then yielding results and outcomes that don't really help you. There was an article not that long ago, and the premise of it was that the majority of folks deploying AI haven't been able to articulate a clear and defined benefit of the outcome of that. And so I think as we look ahead, with all the excitement, with all the investment in AI, making sure that we press pause and step back to understand what we are trying to gain from this tool, and if we do deploy it, how we are going about setting it up to make sure that we are getting that ROI at the end of the day.

Megan - 28:45: That's great advice. And Tony, thank you so much for being with us here today.

Tony - 28:49: Absolutely. Thank you for having me, Megan. Really appreciate it.

Megan - 28:52: Yeah. This has been a very thoughtful and interesting and very timely conversation. Thanks again for your time. And to all of our listeners, please tune in next week. And until then, take care.


What You'll Learn:

  • Why the CFO-CISO partnership is critical for modern enterprise resilience

  • How to balance rapid AI innovation with strong security controls

  • Strategies for evaluating and implementing enterprise-wide AI solutions

  • The role of cultural changes in building trust between finance and security teams

  • How to assess cyber risk and brand reputation exposure in investment decisions

  • Best practices for AI governance and data quality in LLM implementations

Key Takeaways:

Foundation of the CFO-CISO Partnership for Risk Mitigation

The partnership between CFOs and CISOs is essential for risk mitigation, particularly during critical business milestones like IPOs. Strong internal controls over IT systems directly impact the reliability of financial reporting and stakeholder trust.


"If the CISO org does not have adequate controls in place to mitigate things from going wrong, then the information that the CFO is relying upon, whether it's forecasting or financial statements or footnote disclosures, you can't rely on those." Jarjoura mentioned. - 00:03:53 - 00:06:19

Enterprise AI Implementation Strategy

Successful AI adoption requires consolidating individual tools into enterprise-wide solutions with proper controls. This approach provides economies of scale, reduces risk exposure, and ensures centralized oversight while enabling teams to leverage AI capabilities safely.


"Rather than having 15, 20 different tools across the board, it's all centralized into one enterprise-wide solution that has gone through a tried and true IT evaluation." Jarjoura revealed. - 00:14:40 - 00:17:32

How the CFO and CISO Can Break Down Organizational Silos for Risk Mitigation

Open communication and flat hierarchies between finance and IT security teams enable rapid problem identification and proactive risk management. Leaders should eliminate barriers to cross-functional collaboration to avoid reactive firefighting.


"Anyone at any time can walk into my office regardless of what level they are within the organization... that helps us get to answers quickly, get to solutions quickly, and elevate risk when needed." Jarjoura commented. - 00:19:35 - 00:21:19

Reputational Risk Assessment

Cyber risk assessment must go beyond dollar values to consider brand and reputation damage. Even small data breaches can cause irreversible reputational harm, making Wall Street Journal headline risk a critical evaluation framework.


"Even if something is measured as the magnitude wouldn't be terribly large and you can easily address it by doing x, y, and z, the damage to the brand or reputation is priceless and sometimes irreversible." Jarjoura remarked. - 00:21:41 - 00:23:25

AI Governance and Data Quality

The effectiveness of AI tools depends entirely on clean, quality data inputs and well-structured LLMs. Leaders must understand data sources, implementation processes, and expected outcomes before deployment to ensure measurable ROI.


"The AI tools are only as good as the information going into them, and as the LLMs are built... making sure that we press pause and step back to understand what we are trying to gain from this tool." Jarjoura explained. - 00:27:15 - 00:28:45

For more interviews from the CFO Weekly podcast, check us out on Apple Podcasts, Spotify, and our RSS or your favorite podcast player!
