Watch on YouTube
Check out the show description
Check out the show description
Michala Liavaag is in conversation with Jackie Freeman, a former Chief Financial Officer and currently a consultant and trustee of Age UK, Shape Arts and The Roundhouse Trust.
She candidly shares her journey to becoming a cyber savvy executive and the lessons she learned on the way.
Check the Trustee’s week events: https://trusteesweek.org/events/
⭐Found this useful? Please rate and review, as it helps reaching more people
👍You can also subscribe and share on social media
💬 Contribute to future episodes with your cyber security concerns and questions
🤝Connect with Michala and Cybility Savvy:
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
Read the episode transcript
Read the episode transcript
Michala: Welcome to Cybility Savvy the show that demystifies cyber security for not-for-profit boards and leaders
Our guest today is Jackie Freeman.
Jackie is a chartered accountant bringing over 30 years commercial and third sector experience having worked in the retail hospitality and not-for-profit sectors she was formerly the finance director of pizza express and her last senior appointment was executive director of corporate services for the charity Marie Curie. Jackie is also a trustee of Age UK, Shape Arts, and the Roundhouse trust, and shares their strategic finance, finance and HR and business audit and risk committees respectively. Jackie now combines her governance roles with interim and consultancy projects, in both the commercial and not-for-profit sectors.
Hi Jackie thank you so much for joining us today.
Jackie: Morning Michala delighted to be here.
Michala: Excellent, so we've got a lot lined up for our guest today because you've had these different roles as chief financial officer and trustee.
Michala: so, let's have a chat first of all for those who don't know you, do you want to say a little bit more about yourself.
Jackie: Thank you yes so I’ll try not to ramble on too much so yeah I'm a chartered accountant. It's always seems like a bit of a surprise when Michala says over 30 years’ experience but unfortunately that's true. So what what's there to know best about me? I qualified in public practice but wanted to get out into business as soon as I could because I really enjoy being in business really helping businesses grow and move forward and dealing with things as they crop up and I've done a variety of roles from quite operational roles to quite strategic roles and now I'm mostly using that experience as a trustee which is really interesting to be on the board of some really interesting charities and helping them with their growth plans.
Michala: Excellent so did you actually always want to be a CFO or was it something else and then it was the interesting business that triggered?
Jackie: No when I was at school I was really interested in the sciences, so I had this ambition that I might be a doctor, but then I realized that doctors had to see poorly people and probably thought no I'm not quite sure that's really for me so, I've done all these science A levels and thought well I don't really know what to do next so I carried on with science at university and really enjoyed it at university. But then didn't have a clue what to do, so I thought the best thing to do was to get a good general business education and trained as an accountant, and once I started my training I really enjoyed it. And you know one thing led to the other really.
Michala: Oh brilliant, it's really funny how like our paths start out one way and then you end up somewhere some but completely different yeah, but we absolutely love what we do that's brilliant.
Michala: So, in terms of you've done obviously the operational finance and strategic finance side of things they're very involved in risk as well, what would you say is one of the biggest lessons you've learned from being a CFO on the strategic side?
Jackie: I think it's having a really clear vision of where you're aiming for and keeping that in your head as you plan your strategy, but also being able to balance you know where your vision is and how you're going to achieve it. Then you know, you have to balance your financial situation, the operations, who the people are in your business, to help you have good objectives, but you really need good objectives to help you achieve your strategy and your vision.
Michala: Excellent so it's a really core role when it comes to a strategy, which won't be any surprise to our guests. So, you talked about balancing risks against various things there, and obviously I'm most passionate about cyber security, so in terms of balancing risk about cyber security how have you found that?
Jackie: I think it's something you have as you go into roles like a CFO or a trustee or board role, you have to always bear in mind that there are risks associated you know facing your business. And so, everything you do really if you think about the risks and its sort of almost you're doing a risk assessment but for you know key tasks and objectives, you have to run your business and you have to achieve what you want to do but you do it in such a way that you manage the risks. And you're not trying always as you know people listening will know you're not trying to eliminate risks, but you are trying to manage risk in a way that you feel then comfortable. So, you know either you can insure against some risks, you can mitigate some risks, and you can remove some others. But you do have to run your business, so you have to be able to run your business and bearing mind those risks.
Michala: yeah no thank you for that, that's a really key point about being able to run the business because certainly some of old school security practitioners you know that story about everyone was saying no first, when actually it should be okay yes but how do we do that and working very closely obviously with data protection practitioners as well.
Jackie: I think it's how do you do it safely, yeah, should be the question you ask yourself and safely can be for all sorts of things can't it? You know everybody knows you do a health and safety risk assessment when you're doing something that might have a harmful effect on your people, so I think it should become second nature to do a cyber security risk assessment when you want to start something new in your business.
Michala: yeah, that's definitely a dream of mine about that becoming second nature for everybody.
Michala: In your most recent CFO role at Marie Curie you actually took on the additional responsibility of being a senior information risk owner, which for those who aren't familiar with the term it means that you had delegated authority from the executive team to accept information risk on behalf of the organization. And how did you find sort of getting into that role when you first took it on?
Jackie: In a way I guess it's actually it's slightly what should the right would be, intimidating because it is quite a big role it's a big responsibility to take on. You know you are effectively that face of information risk for the organization in particular in its contractual obligations to the NHS and not really to the NHS, to its patients to the patients we deal with, to the staff to everybody involved, and in charities particularly donors too. So, it's you know it is quite a big responsibility and I think it was probably bigger than I expected so as a CFO taking on that role you really need to have experts helping and advising you. But you also need the board behind you too, so that balance of knowing that you're supported by the board and having experts to help you in coming to any conclusions or decisions that you need to make is absolutely vital.
Michala: Yeah and that's difficult one isn't it for the not-for-profit sector in terms of having those experts in house, because obviously well first of all there's a bit of a shortage of those with experience, and then the salaries at the moment are very high for people to secure, so that's not an easy task.
Michala: What's your view about buying in resource?
Jackie: yeah I think that has to be an option for charities and any organization that don't have the breadth, and scope, and size, to be able to have that resource in-house. You know I think the most important thing is knowing what you don't know, and making sure you get that expert opinion in a way you get that. If you've got the scale and scope and finances to afford it in-house that's absolutely great, but if not, there's you know some good experts to buy in to.
Michala: so, you also just mentioned about when you started it's a bit intimidating and you found it larger than you expected. What would you say was the sort of biggest surprise for you in that experience?
Jackie: Well, the breadth of the role, and the requirements of the role. So, the first thing I do I'm a sort of learn by you know going on a course and reading and stuff. So I went on a course, and I had a checklist of all the things that you know you have to make sure you're doing and reporting on, and I'm just like wow that's huge, but I try to keep focusing on what the really important things are which is managing information risk in the business, but you know it is quite, there's quite a lot to do to make sure you're doing it well.
Michala: Yeah absolutely and then how did you find that sort of balance between the data protection privacy side of things, versus the security side of things?
Jackie: What I found is that the data protection privacy and information risk is so broad it impacts so many different things that are happening in the organization, many of which the people actually involved in the projects or initiatives don't even really realize that there's going to be an impact. So, getting people to think about it as a matter of course as we said earlier is quite difficult because it is so broad and it covers such a wide range of activities in the organization.
Michala: Yeah so you would be a supporter then of sort of security awareness initiatives and privacy awareness initiatives then?
Jackie: Yeah it is you just need to make it second nature for people that they automatically think about doing things in a safe way. So, nobody sets out… I don't think… well clearly there are some people who set out to do damage to an organization, but the vast majority of people who are working in an organization because let's face it: our staff are our biggest strength. you know all the businesses I've worked in it is about a people business and that is what I love. but they can be our biggest weakness as well. So got to try and think that they also they think about these things just as they say. So, you know as it's sort of taken a while to everyone to say you know turn your computer off at the end of the day, lock your screen when you go away from your desk. you just got to try and keep plugging away they're just those small things and then gradually building on it I think so that the things become matter of course and they just happen all the time. but you know things do go wrong and then you've got to get it so that people feel that they recognize when things have gone wrong, and they do report it so that you can catch anything before anything seriously bad happens.
Michala: For you, if you think back to before you were cyber savvy and that transition: what was one core moment if you could pinpoint it as to which kind of made that light bulb go off for you?
Jackie: I think it's just seeing some of the things that happened. it was a really sort of sad case way, so this is sort of a good example but I think it was just as I was being appointed. You know somebody had been working on a train. Well, we all work on trains don't we? But somebody had been sitting behind and had been able to read what she was doing and she was doing something quite sensitive. And had written in and complained. Now you know that in a way that's probably quite good because we knew and there was some you know really interesting circumstances as there always are for these things, about you know why she's been working in this way on the train. So, there's never a black and white answer and that was sort of the thing that made me think: no there isn't a black and white answer but how do we try and make these things safer so that when one thing leads to another as it inevitably does you're trying to not put any of the information at risk?
Michala: In the time that you were responsible for this would you say it's fair to say that you actually dealt more with sort of human beings and accidental things rather than you know those cyber criminals attacking the organizations?
Jackie: Yes, I think for me that's where the I think some of the decision making comes now you know if you get a big there's a big cyber attack somebody's attacking the NHS you know I think it was when I first joined Marie Curie there was it was just as the WannaCry one so you know that, you've got to deal with it you know you might not know exactly what you have to do, but you know how you're going to have to do it you finally you get the patch you hopefully move it forward and you hope you haven't been attacked, but if you have this is what you do. And I think that's where the experts the you know the information security experts, the IT experts, the technical people can roll into action, because there's quite a set prescribed things you want to do and move towards doing. Where people have made a mistake it's much more nuanced so you need to understand what were the circumstances to led to that mistake and has that mistake caused the organization any harm and what can we learn from it to try and avoid that mistake happening again?
Michala: yeah it's definitely more nuanced, I agree with you actually.
Michala: And just thinking about that and that lessons learned side of things what would you say is your biggest lesson learned from acting both as a CFO and CIRO?
Jackie: I suppose one of my sort of just more general ones is that you know when I was when I was younger I think I probably had a natural inclination to procrastinate a little bit and think you know I’ll get more information I’ll get more information and you know being a numerical person I’ll gather more data and then eventually the answer will become clear and I think as you as you get more senior you realize that you can't always make decisions on perfect data. So I think I learned that sometimes you just you have to make a decision on the best information you have and that not making a decision can be much more weakening than actually making a decision and moving forward. It might not be the perfect decision but you have to you have to make decisions and move forward. Somebody told me once write down what you think you're going to decide and put it in an envelope and then when you get to the time when you really have to make the decision make your decision and open that envelope again and see if you would have made the same decision back at the you know two or three weeks before or whatever it was and more often than not more often than not you probably would have done. So that was that was really big learning to me. Sort of more on the CIRO side, I think it is that people are only human and people will make mistakes and do silly things and you've just got to accept that but try and do whatever you can to protect the organization bearing that in mind.
Michala: Excellent some great learning there and I love the idea about the envelope I have to try that one myself. So thank you very much for all that insight into your journey to being cyber savvy on the CFO and CIRO side.
Michala: So, some of our audience are trustees and as an experienced trustee yourself I’d like to hear your view on the challenge that cyber security presents to trustees and how you've managed this across the different organizations you've been a trustee for.
Jackie: Okay thank you so yes so as a trustee we're involved with the governance of the organization the charities that we're on the board for. And one of those key responsibilities is of course determining risk and helping to manage risk and ensure the organization is managing risk appropriately. And if any organization hasn't got cyber security on its risk register and quite high up on its risk register I think that it needs to have a think about it. So it's you know certainly an area on the risk register that everywhere that I’m a trustee is involved in. And so as a trustee you're of course not running, you delegate the day-to-day running of the organization to the management team. But trustees are involved in the governance so on a cyber security side it's really making sure that the organization is dealing with the risk of cyber security properly. One of the things you can do is getting a report about what's happening, getting an understanding of is the organization following the procedures and controls that it has in place to mitigate the risk? So as everybody you know if we've got a mandatory training module as everybody in the organization needs to do it done it and is it up to date? just some you know some good KPIS about the procedures and the policies and making sure that the governance is right. Then ? So that you can then take learnings from it and make sure and see how we could learn from it move forward and reduce the risk to the organization going forward. So being a trustee is an oversight role. and it's just making sure but working with the senior management team I’m not we're not marking their homework, but it's just making sure that the controls the processes and what's happening is being done effectively to manage the risk to the organization.
Michala: At the start of that you mentioned that the cyber security is high up on the risk registers for all the charities that you're involved with. Is that a direct result of what you sort of learned as a CIRO would you say or was it always kind of something you were aware of before?
Jackie: I think it's you know of something I’ve been aware of as being a risk to the organization. I probably know quite how big a risk it is to the organization having been having held the CIRO role. So you probably can have a more informed discussion about the risk now that I’ve done the CIRO role.
Michala: okay and would you say you've actually seen that change over the years because I know you've done being a trustee for a long time?
Jackie: I think I probably would I’m encouraging people to raise up the risk register more over time, and I think partly because the risks have actually increased in the external world over time as well.
Michala: yeah no absolutely.
Michala: And the period that we've just had in terms of the pandemic and the huge challenges for charities around the fundraising and the remote working which is obviously introduced to additional risk, how have you kind of dealt with that from a trustee perspective?
Jackie: So it's been so more generally the charities I’ve worked with had to change the way they work quite considerably quite fundamentally. So as a trustee this is where you really come and help and support and I’d say guide and I don't understand that in a patronizing way but it's give your support to the senior management team who are trying to manage that business day-to-day and it's been affecting the charities I work with in in different ways, but that remote working that's that sudden move to you know everybody not being in the office but being able to access all the systems at home, it has definitely impacted all. And some of the questions that trustees can ask is how are you managing that securely? How are you changing your processes? And coming from the CFO side how are you managing your financial processes because I think sometimes financial processes and information security can be quite tightly linked in this particular context so just asking them questions helping them to you know think about the think about what they need to be doing, because you know certainly you know the first 12 months a lot of people were thinking about just survival but you know making sure that just in the back of their mind we were thinking and doing things in a good a way as possible to keep the risks down.
Michala: You mentioned the close links between finance and cyber security so I’m guessing you're thinking about fraud on that front. I know that there's a new standard that's come in that IASME me are responsible for accrediting and it'll be interesting to see if more organizations sort of go down that route. Would you say that as a trustee that's something you would be pushing and supporting?
Jackie: I think it depends on the size of the organization. So, two of my charities are quite small, one's quite big so you know the big one I think should definitely be always looking to follow the best practice well everybody should be following best practice but whether you know actually following you know an accredited standard I think is you need to do what's proportionate. But where there's you know good ideas, good suggestions for procedures things that would improve financial controls. Then you know I would always be encouraging organizations to do things that can improve their financial controls if they can manage it you know proportionate to the size of their business and the operation of the business.
Michala: yeah and that's a really important point isn't it about being proportionate to the business and I think in cyber security when you know as professionals we tend to focus on the detail it's for your operational as you're strategic you do sort of open up and think about balancing that risk, but proportionality is quite challenging I think because everyone's got a different view of how risky something is don't they? You mentioned that you've obviously taken a bit more of a proactive approach in encouraging cyber security thought on the trustee boards. What's your view on having a dedicated trustee with a set role for information insurance and cyber security?
Jackie: I think it's probably again I’m going to be a bit sound like a parrot because I’d be a bit repetitive. I think it depends on the organization, the size of the organization, the scope of the work it does. I can see some you know definite advantages to that, but I get not all boards have got somebody with the right skill set on their on their boards so it's whether you wanted to bring someone on and that that can be quite a big decision I think for trustee boards. Boards should definitely recognize that it is part of their governance role so how they do they need to think about how they manage that governance role and if it's having a specific and nominated trustee that that's fine or need to deal with it in some other way, but you can't ignore that responsibility.
Michala: So, in terms of that kind of upskilling and making sure that you know trustees understand the cybersecurity aspects would you say that you have had good resource support on that both from the organizations or those that specialize in supporting trustees?
Jackie: I should say I’ve only recently been appointed a trustee at age UK which is obviously a big national charity. So I’m really working my way through that and I think the audit they've got in a very strongly resourced audit and risk committee it is a regulated does regulated activity so they're very conscious of you know all of these obligations. So I haven't been as well did much there but the two smaller charities I think it's been it's been lighter touch and just being able to be sure that we've got the right processes and controls. It's not either they would have would say they've got a specific board expertise in this area, so it's just been you know working through things as and when we need to.
Michala: If you imagine say I was a new incoming trustee, what would be your one bit of advice for me?
Jackie: So, I think I would be looking at the risk register so even if you're not on an audit and risk committee the management or the ownership and governance of brisk is a whole board responsibility. So, make sure you're aware of the risks register and if you think that any of the risks that are highlighted are not in you know prioritized enough or do you think there's a risk that isn't on there then then you should shout. Any trustee has the has the right and responsibility to make sure that they're happy that risks are being managed appropriately in the organization.
Michala: That's great lovely thank you very much. I'm sure our audience will appreciate that advice as well any new and upcoming aspiring trustees thank you.
Michala: What are three books that you'd recommend to the audience and why?
Jackie: I really like reading business books and fiction books really so I've chosen three books. the first one I chose was I'm an actual introvert and so I chose Quiet by Susan Cain which is the power of an introvert in a world that can't stop talking. And it's really interesting to see that you know how the sort of extrovert nature has developed and how introverts can hold their own in this world that can't stop talking. So, if you're a more introvert by nature, I would definitely recommend that one. The second one is one I’ve had quite a long time and actually digging it out made me think I’m going to read it again which is called How remarkable women lead. So sorry to the other section of the population but actually it is it's got some really amazing stories of how women who've made it into leadership roles have done that. It's by two ladies from McKinsey and you can dip into it and you just read a few paragraphs oh yeah that's really interesting about how people have made it to their leadership roles and that it's quite inspirational, so that one’s good. The last one I chose was I chose is Radical candour by Kim Scott and it's just really interesting because what it what that sort of taught me is that that feedback and then you always say feedback really is a gift and you know I for one you know it was always a bit of sort of you know it's always quite difficult to give feedback and it really sort of made me maybe step back and think about how to do feedback appropriately in a leadership role. So they're three but if I can just choose a fictional book to finish off with I'd recommend anything by Kate Atkinson. I love her she's my favourite author.
Michala: that's brilliant thank you so much for that and I've read two of yours actually. That’s Susan Cain and Kim Scott and I agree that Susan Cain books are absolutely brilliant for us introverts so I highly recommend and I'll definitely have to pick up that second one.
Michala: What's one question that you wish I'd asked you, but I haven't and how would you have answered?
Jackie: I think it's quite a difficult it's been a really good conversation I suppose the only thing that I would say is: what's the importance of people? So we sort of said a little bit at the beginning that you know I’ve mostly worked in people facing organizations and people are our biggest strength and they can be our biggest weakness but there are some really key people that as a CIRO you relate to. So clearly if it's an organization as a CIRO it will have a cultic guardian and that's a really important relationship to build, but also the people who are the experts the information security experts and building that relationship and knowing you can trust their advice and their guidance to help you with the decisions you have to make is really important. And your board and your IT team, and your finance team, and your operational teams and your fundraisers, that relationship is thing is probably the most important thing of all.
Michala: Excellent thank you.
Michala: Well it's been an absolutely wonderful conversation with you thank you so much for joining us today and where can our listeners find you online?
Jackie: I'm on LinkedIn you can you find me there.
Michala: Excellent brilliant well thanks again Jackie really appreciate it.
Jackie: Thanks Michala thanks everyone bye-bye.