Organizational IPO readiness with Dr. Tom Vo, Chairman and CEO of Nutex Health

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, where we explore topics being discussed in the C-suite and executive boardrooms worldwide. Today, we're joined by Dr. Tom Vo, Nutex Health CEO and chairman of the board. He has been instrumental in the startup and management of over 30 specialty hospitals and emergency centers throughout the U.S. Today, Dr. Tom will be sitting down with my Protiviti colleague, managing director Justin Krystopher. Justin, I'll turn it over to you to begin.

Justin Krystopher: Great. Thank you, Joe. Tom, thank you so much for being with us today. Really looking forward to the conversation.

Tom Vo: Justin and Joe, thank you very much. Thank you to the Protiviti team for including me.

Krystopher: When I think about some of the things we've talked about in the past and some of the insights you've shared with me about your own journey, your new Texas journey of going public, I can't help to think about, what is your current view of the current state of the capital markets? What trends are you seeing that are out there and signals to investors that are kind of fueling the current influx of IPOs and other public offerings. Then, thinking back to 2023, 2024, what were the things that really influenced your decision to go out, to go public?

Vo: Yes. Thank you, Justin. To answer your question, what is the current IPO market like… I would say that the market is open for business. I would say that the market is hungry for great companies that have good cash flow, that have a great story to tell. But it is measured. It is measured for sure. The market is not like it was back in maybe 2021, before we became public, anymore. It's not just going to reward any company that is out there. The company that wants to do IPO now has to have a great story, has to have cash flow. If they don't have cash flow, they have to have a way to prove to the market that they will get cash flow. So, definitely, the market is open for business for the right company. I mean just this quarter alone, first quarter, I think there were something like over 20 IPOs. So, for sure, the public equity market is alive and robust right now as we speak.

Krystopher: Yes. We're definitely seeing that bent up demand, I think, from really having those slow years in 2023 and 2024 where there was virtually no activity. I think there's a lot of market volatility out there right now. There's a lot going on in the world. A lot of conflicts that just create uncertainty but that investor sentiment that we're definitely seeing is out there — investors are looking for those companies with strong fundamentals and the really great growth story and the growth potential. We're seeing those actually be very successful at the moment. Definitely agree with you. Tom, when you think back to 2023 and 2024 when new techs went out, what were some of the things that influenced your decision?

Vo: Yes. So, we were a private company for a good 12 years before we became public. So, our company started around 2011-ish but we didn't go public until around 2022. In 2022, one of the biggest — well, there's several factors — but I would say one of the biggest factor was growth. We wanted to tap into the public market in order to grow. Being public is a great way to do that, as you know. The other factor was, including myself, I have probably another over 200 private physicians who were investors in the company. So, my goal at that time was to sort of like reward the investors by making their investment a little bit more liquid so that they could sort of like cash out if they wanted to — but that's more of a secondary goal. Then, the third goal was to use the stock as a currency because as you know, the stock is a very strong currency, especially if you use it the correct way, say, with M&A or to reward our executive team or even to align ourselves with our day-to-day employees. It's a very strong tool because — I mean, as you know, most people, when they go to work, they work for cash, they work for a paycheck. Now, if they have equity, then they're going to work for equity in addition to working for cash. So, it's a very strong motivator. People have a lot more to gain than just the paycheck because the harder you work, the higher your equity hopefully will be. So, it's one of these things where when the ocean rises, all the boats rise. So, that was one of the main goals that I wanted to bring as we become public.

Krystopher: To really incentivize employees, the doctors that have been — to bring them up, bring them along with you.

Vo: That's right.

Krystopher: When you think about the right vehicle, the right path, I know there's a couple options out there, IPO, traditional IPO. Then, there's the SPAC, the SPAC merger route. There's direct listing or really private capital raise. I think, for folks that don't know your story, if you can just enlighten us a little bit on which path you chose. I think you highlighted it a little bit in your last response but what were those key factors that really took you down that path? What were the things that you thought were critical in making that decision?

Vo: Yes. I mean this is one of those HO question of, “Okay. Which is the best way to become public?” There's about three or four different ways to do it. Really, a lot of it is dependent on the company and what their culture is like, what their ultimate end goal is. Do they want capital? Do they want liquidity? Do they want to be more visible to the public? The way we did it was that we went out and looked for a shell company, a company that is considered public but may not be big enough or may not be profitable, that is traded on the pink sheet market as an example, that is not on one of the traditional market like NASDAQ or New York Stock Exchange, and then see if those are compatible, and then just work a deal with them, negotiate. So, that's exactly what we did. 

Now, when we became public, the good news with us is that we did not need cash. We were very profitable at that time. We were valued about $1.8 billion at that time. So, we were a bit of a unicorn at that time. So, the company that we found was a company that was also in healthcare. They were valued at, I don't know, a couple hundred million. So, when we merged with them, I think we got diluted by about 7%. But the downside was, number one, we had zero visibility. We went from a private company one day to a public company the next day. We didn't go on any roadshow. We really didn't even use a banker to consummate the deal. Then, on top of that, nobody knows who you are. There is absolutely no investor research, IR or anything along that line. So, we had to start from ground zero. The day that we became public and get our name out, find analysts, talk with investors, talk with bankers, and so on and so forth. So, there is some downside to that but if you just want to become public just to be public and able to access the public capital, that will be an easy, or easier, way to do it so that you can do it faster.

Krystopher: Yes. So, it's a trade off of…

Vo: It’s a trade-off, a lot of trade-offs.

Krystopher: You can go out very quickly in that respect, but you don't have the visibility to those investors. You have to do a lot of work afterwards in public to really build up that reputation with the investment community and go out and really fundraise that way.

Krystopher: Correct. That's right. That's exactly right.

Krystopher: When you think about organizational readiness, from your experience, and maybe looking at using a bit of hindsight here, what governance and cultural shifts do you think were essential within your organization prior to going public? What was effective for really implementing these types of changes?

Vo: Yes. I mean going public is probably, if not the most important, one of the most important fundamental changes for the entire company. So, you have to basically prepare yourself mentally and organizationally to do that. It involves everybody from the top all the way down. So, as an example, when you're a private company, you may have a few investors, right? In our case, we probably had about maybe two or three physician investors that were all private. When you become public, now you have investors all over the world, right? So, these are other people's money that you have to take care of, and maintain, and be a steward of their investment. It's a huge responsibility. You have to make sure that you deliver, right? So, going public is one thing, like we talked about the three or four ways, but maintaining being public is a completely different animal altogether. In fact, in some ways, that is the harder task of being a public company is staying public, because once you do that, you need as much help as you can. 

Like for example, Justin, I know that you've been involved with a lot of public companies. You've seen a lot of potentials on downside and risk with being public. So, as a public company, you just have to basically be ready for anything. 

In the four years that we've been public, we've probably faced a lot of obstacles that I don't know if any other companies have faced. I'm sure a lot of companies have, but my point is that just in the four years, we probably faced activists; we faced restatements; we faced market downturns. We faced regulatory changes. So, my point is that — and I'm sure we're not alone — so, the point is that once you become public, you have to organize your organization to be prepared for basically anything. You have to be able to pivot. You have to be able to adapt to new market conditions, geopolitical — I mean, even like right now as an example. It's a perfect timing, a perfect example. So, the point is that you just have to be very adaptable, lead with conviction, put your head down, and don't worry about what the stock price does. Just continue to deliver and continue to execute.

Krystopher: Tom, those are some great points. I mean when I think about the work we do here, Protiviti, from an organizational readiness standpoint, we spend a lot of time with the executive teams not only helping them go public but really assessing where their organization is from a maturity perspective and spending a lot of time benchmarking them in many ways, events. What are their public peers? What are those public reporting cycles that go along with living as a public company and then surviving as a public company. Then, what are those governance elements that have to be built in and added? SOX being one of the big ones right out of the gate, especially not going traditional IPO route, you're going with another company that's already public. Your timeline for SOX compliance becomes — is essentially their timeline, right? You're marrying into that timeline by doing it that way. So, it does create a lot of challenges and a lot of compression with getting a whole lot of stuff done in a very short period of time. Then, also, at the same time, really scaling up your infrastructure to be able to maintain that going forward. 

In my own experience, I guess a lot of times, we'll get a company to the goal line, and they'll go IPO, and they'll be listed. We tend to stay on for a couple of quarters, if not almost the full year afterwards in some capacity, transitioning things off to new headcounter as they're developing and building that infrastructure, really passing stuff off, providing elements of training in that way. So, it's definitely common what you're going through. I think a lot of companies do experience that. I think maybe a little bit of bad luck that you're getting it all in the first four years, but definitely seems like par for the course.

Vo: Yes. I agree. No matter how much you prepare to be public, you can never be prepared for anything. No matter how much you prepare, change will come. So, if you don't adapt change, you're going to be changed, regardless if you're ready or not.

Krystopher: That's great advice, I think, to give out to any of the founders, any executive teams that are thinking about this is, yes, you got to be agile. You got to be ready for that change because you might not know what it is, but you do know there will be some element of change that's going to come out of this type of endeavor. 

Tom, just double clicking back on a point you'd made earlier and think about traditional IPO versus SPAC versus reverse merger or direct listing, one of the areas where I think you're at somewhat of a disadvantage is in investor communication strategies, where going the road you went down, you didn't have the roadshow. You didn't have that relationship getting established up front with analysts and with investors. Can you maybe go into a little bit on what strategies you use to really get in touch with that investor community and build your brand with those investors? What could you recommend for a company that's contemplating this or a newly public company that's similar pattern, SPAC or reverse merger? What could they do? What are those best practices they could follow?

Vo: Yes. With our company, to your point, we were pretty much invisible in the beginning. We didn't have any analyst coverage. It took us a long time to get even one. We didn't have a road show, to your point. So, every time we went out to talk with investor bankers, we had to explain the story. In fact, that's still happening now. One more unique aspect for our company is that we are a very unique company. There's no other company like us. So, people are confused about who we are. They don't understand who we are and what we do, in some ways. So, we have to probably work five times harder in order to explain a story. 

Having said that, I mean there's a few things that I would advise the executive to consider as you go out and market each company. Number one is execution is the key, right? Even if they don't know who you are, as long as you keep executing — and it may take 10 quarters to get the name out. It may take 12 quarters. This is not an overnight thing. Even if you're the most charismatic, well-spoken CEO out there, people are still going to wait until they see you execute. So, number one is you have to execute. You have to focus on the core business first. Then, you can go out and tell your story. If your core business, if the execution is not up to par, no matter how great you are, how eloquent you are, how charismatic you are, the market's not going to invest. So, that's the first thing. Execute. Focus on the core business. 

Number two is, keep things simple. When you go out and explain to investors, keep it simple, keep it succinct, keep it short so that people understand your goals and objectives. 

Then, number three, you just have to basically put your head down and continue to focus on the core business in spite of any potential bad news or negativity that are out there, right? So, when you become public, you're essentially a target. So, there will be days when you have some negative press, negative sort of forces that work against your company, and you have to basically react to it. So, the way that you react to it is also very relevant and very important. So, it's not just telling the story, but it's also explaining, not compromising the core business but you have to be able to explain when something potentially negative had happened to the company. You have to basically tell the investor, tell the analyst exactly what happened. Then, tell the analyst or the investor how you are going to go around and fix it, and get the ship back on the right track.

Krystopher: Do that in a very, very tight turnaround time. So, something happens, you have to disclose it. You have to also come up with that solution very quickly, at least a plan for what that solution will be.

Vo: That's right. People always want a plan, right? They don't want to hear your explanations, right? You don't have to sugarcoat it. You just basically tell them the truth, tell them your plans, and how you are going to turn things around.

Krystopher: Tom, when you think about the lessons learned along the way, the past couple of years, reflecting on that journey for going public, what advice could you give to really aspiring public companies, aspiring founders that are out there that might be listening, that are — the market's hot again. The market's heating up. We see a lot of activity, particularly with SPACs at the moment. What should they be considering before making a decision like this? What advice or lesson could you maybe share and enlighten some of these founders with?

Vo: Yes. I think in order to answer your question, maybe what I should do is explain to the executives what we went through since we've been public. So, we were a private company for a good, I would say, 12 years. Every single one of those years, we were a very profitable company — like 30%, 40% margins. The one year that we became public, there was a regulatory issue where our revenue dropped by about 35%— the year that we became public. So, the only thing that the public investors saw was a drop in 35% revenue, and that drop went straight to the bottom line. So, now, a 90% drop in profitability, right? So, that resulted in banks reaching out to us, calling out the loans. That resulted in our stock. Our stock just dropped by about 80%. That resulted in not one, but two reverse splits. Then, on top of that, we had to change auditor. So, we had some other disagreement and that we had to restate last year, 2025. Then, the good news though was that we rebounded. We turned things around. It took us about two years to turn things around but even when we turned things around, people still didn't believe it because our revenue essentially doubled overnight because of all the changes that we made. So, even though we turned things around, the public still didn't believe it. The public still thought it was sort of like a one-time thing, right? So, they didn't give us the benefit of the doubt.

Krystopher: Right. It's almost amplified by being a public company, right? If you're private, it happens and you explain it, you can talk to the board. As a public entity, now all of a sudden there's lawsuits, right? There's people that are going after you. There's people that are — things that are happening that are adding additional stress into something that just wasn’t there as a as a private company. So, it's really just having that thick skin and that resilience on top of being very agile, surrounding yourself with really the right people and the right advisors, the right experts, building that right team internally. I think these are all very critical aspects.

Vo: Yes. Absolutely. I mean, as a public company CEO or executive, or directors and officers, I mean people are going to talk about you, unfortunately. People are going to say negative things, right? I mean we've had a few of those in the past couple of years with activist reports and things like that. A lot of it may or may not be untrue or a lot of it may be in a different context, right? So, you just have to put your head down and continue through it. The hardest part of that, though, is that not only are you a public company, or the public sees those, but internally, your internal employees see that. So, you just have to make sure that you lead with conviction. You need to make sure that you have to basically get the right people underneath you that understand that no matter what happens, no matter what anybody says, that the team is still functional and the team is still growing, right? So, this is where I think leading with a very, I would say, definite mission and value statement and vision is very crucial because the entire team has to adhere to that mission and understand that no matter what obstacles anybody throws at us, we can still perform. Basically, ignore any negativity, ignore anything that comes away and just perform day-to-day, and continue to do the best for whatever service that you're doing. In our case, it's seeing patients, right? No matter what happens, no matter what anybody says, continue to take care of that patient in front of you. If you put your head down and do that, then most of the time you'll be fine.

Krystopher: That's really wonderful advice to hear and just really great lesson in keeping that tone at the top there, even through the adversity. Tom, that was my last question. I can't thank you enough for taking the time out of your day to do this. Really appreciate it. Really loved the candid conversation. Thank you once again.

Vo: Yes. Thank you, Justin. Really great to be here and great talking with you.

Krystopher: Absolutely. Joe, back over to you to wrap it up.

Joe Kornik: Thanks, Justin. Thanks, Tom. Thank you for watching. I'm Joe Kornik, we’ll see you next time.

Scaling sustainability on business with former ISA head and Honeywell exec Prabhu SoundarrajanScaling sustainability on business with former ISA head and Honeywell exec Prabhu Soundarrajan

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we welcome Prabhu Soundarrajan, President of the International Society of Automation and Head of Corporate Development and Strategy at Service by Medallion. Prabhu will be sitting down with my Protiviti colleague, Chris Patterson, an associate director in the business performance improvement practice. The two of them got together in our San Ramon office earlier this month. Chris, I’ll turn it over to you to begin.

Chris Patterson: Thanks, Joe. Prabhu, welcome. Thanks for being here.

Prabhu Soundarrajan: Glad to be here. Thanks for having me.

Patterson: Absolutely. Absolutely. It has been a long time coming, and for the sake of this conversation, did you drive here in an EV or a regular car?

Soundarrajan: I did drive here in my EV.

Patterson: Okay. Perfect.

Soundarrajan: I’ve owned one for the last eight years. 

Patterson: Okay.

Soundarrajan: Try to do my part in the environment. 

Patterson: That’s amazing. I have spent a lot of time working on environmental initiatives myself, and I did drive here in a 2009 Honda Civic. I believe that there’s life cycle emissions that I’m avoiding, but transition to EV at some point. It’s awesome.

Soundarrajan: That’s great.

Patterson: Yes. Well, again, thanks for being here. You have an extensive amount of experience in this space. Gosh, you are a board member, an investor. You’re a corporate strategist. You lead different initiatives globally. The list really goes on. Could you talk a little bit about that experience and what brought you here today?

Soundarrajan: Absolutely. First of all, I’ll start by saying, I think we all want to leave this world a better place to live for our children, on our next generation. Start with that purpose of doing good for the world in general, so we can have a long-lasting life for multiple generations. I think everybody wants that, but also, we want to do well, right? The whole idea of doing good and doing well at the same time is very possible by really focusing on a strategic framework around linking business sustainability and environmental sustainability, and driving key strategies that can advance not only business profitability, but also environmental stewardship. In my background, I spent a lot of time in big Fortune 100 companies driving different initiatives, as you mentioned, both in the strategic, environmental health and safety, waste management. Now, I have a corporate lens in driving those initiatives in maybe middle-market companies as an investor and also as an operator. Bringing those, I’d like to share practical examples of how we can drive business profitability whilst driving environmental sustainability.

Patterson: Absolutely. The key thing that you mentioned there for me is business profitability. Whether you’re a public corporation with many shareholders, or whether you’re a private organization, driving the financials forward is something of big interest, and the sole interest for some folks, and a large interest for others. Could we talk a little bit about risk, though? Prabhu, you’ve seen this play out in the boardroom, right? You’ve seen risk and how it is assessed at a board level. Can you just talk a little bit about how the board is really thinking about risk?

Soundarrajan: Enterprise risk is what I would start with. As board directors, right, we have to help our teams understand the inherent risks in any business. For example, given my experience in public companies and now sitting in private boards, and also in industry boards, right, there’s an envelope of risk every company operates with. It’s called an enterprise or business risk. As board directors, we consistently drive mitigating and minimizing that risk by providing tools and strategies to management teams and then the broader employee base. Environmental risk is a key part of that overall envelope of business risk. You could say if you’re in manufacturing, or if you’re in financial services, you have two different types of key risks. Manufacturing, you’re thinking about environmental health and safety, your facility risk, and your human capital risk, because without that, you can’t operate the business. You have a risk, I would say, from AI and what is AI doing towards your human capital and also your overall operations. That’s a risk. If you’re looking at an enterprise software company, you’re operating in different bounds around cybersecurity risks, right? Board directors have to be consistently guiding and channeling these management CEOs towards mitigating that risk.

When you put the right mitigation strategy and sustainable mitigation strategy, you can drive a lot of business value and differentiate from your peers. Some of the companies have really done it well. They’ve planned it well ahead of time. I’ll give you an example. When I was in Honeywell, we had a lot of plants, right? In plants, we have to go into those plants in our automation business, so about a billion-dollar business. In Honeywell, they have to go into those plants and actually turn knobs and fix things. They have to be physically present on site. March 2020, I just came up with an example of remote monitoring. We put a whole technology envelope. I got the inspiration from a blog article that Satya Nadella wrote, who’s CEO of Microsoft, around remote work. We just said, “We have to be the first in the industry to adopt that remote work because it’s happening in the consumer industry.” We applied it to industrial plants. That was in February 2020. You know what happened in March 2020. That became the norm because then people could fully operate our plants without having to go into the plant because of COVID, and that really drove a huge differentiation for Honeywell throughout the COVID and coming out of COVID. That business resilience and reducing that risk profile of human capital being in the plant through remote work, through technology, differentiated us and added multiple basis points to the business.

Patterson: It’s incredible that you were able to have that foresight, right? I think that type of foresight is important at a risk planning level. You’re saying, “If something like this happens, if workers aren’t able to work in the factory, how do we go ahead and set up solutions, so that we can continue driving manufacturing forward? Down the chain, we can continue driving revenue forward, and we can continue supporting the employees that are working there with jobs,” right? It’s an upstream, and it’s a downstream solution. If you’re not conducting proper risk management and risk planning, then you will see that tie to the dollars, and you will not be doing your fiduciary duty effectively to your shareholders.

Soundarrajan: Absolutely. Very good point, and you have to predict it. You can’t wait for it to happen. I have an example of a portfolio company that took,in an annual planning, in terms of overall risk assessment of the business, we, from a board perspective, encourage them to look at cyber threats. The management listened to us from a board perspective. They listened to us, and they took a cyber insurance policy. Lo and behold, six months later, they got hit with a hack, and this was a small business. Honeywell has a big balance sheet. Companies that are public, like Honeywell, have big balance sheets. Now, if you have private companies, a cyber-attack can wipe out entire years of profits. Part of the resiliency of any business depends on how well you manage your expected and, more importantly, unexpected risks. Boards need to have a huge voice on that because, as a board director, you’re not involved in everyday operations, but you’re able to take a different perspective and guide the organizations. I would argue that no matter which area you’re in, environmental sustainability is a key part of risk management. For example, in Honeywell, every plant or every chemical plant, or every manufacturing plant could have safety issues. We have to drive procedures and policies to keep the safety incidents to a minimum, whilst planning for if there’s an improbable event or unexpected event of a fire, for example—because you are operating in fairly hazardous environments—that you have to plan and have procedures and policy in place and the insurance behind it to make sure you’re protected, and the business resilience is never compromised. That turns into shareholder value.

Big consumer goods company, it really drove—I’ll give you the example of Walmart—they really thought about it from an environmental perspective because they have big warehouses, big supply chains, huge operations. If you don’t assess the environmental risk and energy efficiency as part of your business practice, it’s hard to manage those cost overruns. They planned ahead of time, and some of these companies, small or big, can see up to 200, 300 basis point improvements both in EBITDA, which is margin business profitability, and also, from an investor perspective, in internal rate of returns, if you have a wholesome approach on enterprise risk management, including environmental risk assessment and sustainability.

Patterson: Absolutely. You talked a lot about automation, and you’re a board member of the International Society of Automation. From your perspective as a board chairman and maybe side by side as an investor, which are two hats that I know that you wear all the time, can you talk a little bit about how important automation is going forward?

Soundarrajan: Chris, we’re in the age of AI, right? We’ve been in the age of automation for the last 15, 20 years, right, and specifically the International Society of Automation focused on industrial automation. It’s one of the big risks in industrial automation or industrial manufacturing companies, cybersecurity. It’s important to link these known technologies, known best practices, such as automation and cybersecurity, to new initiatives, like sustainability. When I was President of the International Society of Automation, we really pushed for a sustainable automation framework, right? Because we saw a lot of companies trying to meet sustainability goals, ESG goals, if you want to call it, or green goals, but it was very hard for them to get there, be it a carbon neutral, or be it—there are different frameworks, like carbon neutrality and net zero. You remember those days, right?

Patterson: Yes, of course.

Soundarrajan: Science-based emission targets. The idea of using known technologies and known procedures, like automation, which we’ve been around for more than a decade, tying them into to help reach sustainability or climate goals was what was very productive by having our experts—we have 40,000 members in the organization—drawing from expertise and applying it to new areas is something that was very, very successful. Now, fast forward here in 2026, AI, artificial intelligence, and different learning technologies, including large learning language models. When most people talk about AI, primarily, they’re talking about ChatGPT. I love ChatGPT and OpenAI, but there’s a whole lot of discussion to be had around the power of AI. Not to be carried away with the trend, but actually, how do you apply it to solve real-world problems? The intersection of automation, cybersecurity, artificial intelligence can all make the world a better place.

Patterson: Absolutely. I think there’s so many companies right now that are really jumping on the buzzword of AI, and you highlighted something really important. That AI has been around for some time, or automation itself has been around for some time. Generative AI has really taken a jump over the past five years, give or take. Everyone’s asking, “How do we implement AI? How can we implement AI?” It’s almost the wrong question at times. It’s, “How does AI enable us to achieve our goals more efficiently?”

Soundarrajan: Often the question I get, “Is AI going to take my job away?” right? Let me just step back for a second. We’re in an evolving phase of artificial intelligence, right? We have generative AI, which is primarily driven through learnings and large language models. That phase was very popular the last two or three years. We’ve entered into a new phase called agentic AI, which is super chargers of learning. If you listen to leaders in the space, like Sam Altman from OpenAI or Jensen Huang from NVIDIA, they talk about how we are entering into a new era called physical AI. It’s taking back to what I was saying in my role on automation. We’ve had the opportunity to learn from different technology trends, but to your point, the rubber meets the road is when you apply a technology to solve a business problem. Back to our core thesis here and discussion here around how do you link business profitability to sustainability and through technology, I would add, is something that companies and directors actually need to think about along with their management teams on a regular basis because the space is evolving. You’re getting more tools, and you’re learning more techniques to make yourself efficient, your enterprise efficient, and your investor return efficient.

Patterson: Absolutely.

Soundarrajan: I gave a keynote in 2024 at an ARC conference in Barcelona, and the topic really was, “Are AI and robots coming for my jobs?” You see a lot of press as recent as this week. There’s a lot of jobs that are eliminated because of AI, but let’s really unpack that for a second, right? I think what we should really be thinking about on an individual level is, “How can I make myself more efficient using the tools or set of tools and technologies that may include AI, GPT, Claude, whatever your favorite engine is? How do you take that to the enterprise, right, and how do you take that all the way to the market, the street, and all the way to—driven from the boardroom?” People have to be consistently using technology to better themselves, and then really think about AI reskilling, upskilling, and I would add new skilling jobs, right? Nobody wants to sit and do the same job for eight hours. There are certain jobs that still have a lot of repeated tasks. I was in public services, and we have a lot of material recycling facilities. You still have somebody sitting in a sort line and taking out plastic bottles and plastic film and to separate the material components. Can a robot do it autonomously? Maybe. It’s evolving. I’ll give you another example. Medallion is one of the companies I work with. They are in the janitorial space. They are cleaning buildings, and every building needs to be clean. It’s an essential service and a task. Now, can you just replace them completely with robots overnight? No, it’s a lot of learning involved. Adding the technology or the AI skills to augment human efficiency will translate into balance sheet margin improvements and investor returns.

Patterson: How do you make sure that you’re focusing on the right things as a corporation? 

Soundarrajan: Yes, it’s a great question. I think it all starts with strategic priorities and delivering business value. Starts with strategy. Don’t have a sustainability strategy. Integrate your sustainability strategy as part of your business strategy, so your environmental reporting becomes part of your core business processes versus a group sitting completely disassociated with the strategy, right? So, integrated. Start day one with the right day one procedure, so that you’re enhancing business value every day, every hour, every quarter, every year. It’s about priorities, right? You can’t do everything. You have to look at it from a short, mid, long-term initiative, right? Do meaningful, high-impact things. Use the Pareto rule. Do 80% of the work, deliberate with the results of 20% of the work. This is where I think I want to come back to this point on how automation and AI could be really helpful getting there, right? I would go on the web—and I actually published this in a position paper—I would say automation and AI to drive business value consistently depends on people. They’re not mutually exclusive, right? We have tools and technologies. Tying it back to how businesses should prioritize in the short term is you may want to use technology to guide you to 80% of the answer, and then you can say, “Okay, I now have a short-term strategy that is really aligned with my business strategy. In the midterm, I’m going to go double click and go deep into executing those with a number of human elements, right, in my operations or in my business enterprise.” Then long-term, you evaluate that. The midterm strategy is three to six months or a year. In a five-year plan, evaluate how you’re balancing between tools and technologies, like automation, AI, reporting frameworks, software, and the human element, and you start making correlations on what is the best use of the human capital alongside with technology. Net, you’re making one plus one equals four.

Where I’ve seen a lot of early failures is experimentation that’s not done with clear strategic framework. “Oh, I’m going to go be net zero.” Well, if you’re making gasoline, you’re never going to be net zero, right? If you’re making computer chips and your supply chain is using water power, you’re never going to be net zero. Having that right strategy, “Okay, I’m going to take a reasonable carbon disclosure-type reporting,” really, it doesn’t stress the business. At the same time, it increases business value. It’s not about only risk mitigation and risk management through automation and AI. It’s also doubling down on driving business value for long-term shareholder value, and that translates back to employee value, and that translates back to environmental value. You have to have a holistic short, mid, long-term approach and use tools and technologies to get there faster and do it repeatedly, sustainably, so you can drive business profitability, while doing well and doing good.

Patterson: Thank you so much for joining, Prabhu. If we could wrap everything up into three really big takeaways?

Soundarrajan: Yes. Take environmental ambitions into dollars. It’s all about the money. Not always all about the money, but the thinking needs to be integrated with—if you’re taking a new initiative, be it technology, be it environmental, different types of sustainability—integrate into your business operations from day one. That’s your first point is being additive. Then turn the risks to opportunities and resilience. Every risk envelope can present a huge growth opportunity, and we talked about several examples here. Do it sustainably, right? Don’t get excited about one or two technology trends. Take a step back. Have that short, mid, long-term approach. How you’re going to drive personal value, how you leave the world a better place for your kids, while driving business resilience, profitability, and long-term investor returns. For all my board members and colleagues, try and encourage your management teams to think beyond the everyday chatter, right? Think about not only using risk envelopes as a problem to solve for efficiency, but also use it for an opportunity because it’s all about sustainable growth and link it with environmental sustainability. That’s all I have to have.

Patterson: Awesome. Prabhu, thank you so much for joining today. I really appreciate all of your insights. You bring such a diverse perspective from not only serving as a chairman and a board member on the C-suite to an investor, to actually driving these things forward in companies and seeing real dollar amount results. I really appreciate your overall perspectives. Just thank you so much, and I’m looking forward to the journey ahead. 

Soundarrajan: It was my absolute pleasure. Thanks for having me and happy to contribute. Thanks so much, Chris.

Patterson: Absolutely, Prabhu. All right. Back to you, Joe.

Joe Kornik: Thanks, Chris, and thanks, Prabhu. Thank you for listening to the VISION by Protiviti podcast. Please rate and subscribe wherever you listen to podcasts and be sure to visit vision.protiviti.com to view all of our latest content. Until next time, I’m Joe Kornik. 

The crime of our time: Ex FBI agent turned NEFCC CEO takes on elder fraud

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re joined by Brady Finta, Founder and CEO of National Elder Fraud, a not-for-profit with the mission to reduce elder fraud in America, which the FTC estimates could be more than $60 or even $70 billion a year. Brady has spent nearly a quarter century in the FBI as a special agent and the last seven years as a supervisory special agent before launching NEFCC earlier this year. He will sit down today with my Protiviti colleague, Constantine Boyadjiev, Managing Director and Leader of Protiviti’s Global Regulatory and Compliance Analytics Data Science Practice. Constantine, I’ll turn it over to you to begin. 

Constantine Boyadjiev: Great. Thank you, Joe, and equally, many thanks for joining us today, Brady. 

Brady Finta: Thank you. I’m glad to be here. 

Boyadjiev: Awesome. Great. Let’s jump straight to it, then. Brady, you certainly have had a very interesting background, nearly a quarter of a century in the FBI as a special agent, the last seven years of which as a supervisory special agent, so you come as a very seasoned professional with deep operational experience. I’m sure in your line of work, you have witnessed firsthand both how perpetrators actually operate, as well as, of course, the very deep ramifications and socioeconomic impact of their crimes, which certainly is not victimless. In fact, when we think about who it’s against, these perpetrators exploit a highly vulnerable class in our society, the elderly. Can you tell us why you launched the National Elder Fraud Coordination Center earlier this year and what specifically is the organization’s mission? 

Finta: Thanks for asking. The mission’s pretty simple, help reduce elder fraud in America. That’s what we really want to get down to. Why did I launch NEFCC? We call it NEFCC. It’s those victims. Let’s face it, these are our parents and our grandparents. Sometimes losing generational wealth, it’s absolutely destroying lives and it’s at such a scale that I just kind of feel like we have to do more. I think that was my general thought process when I left the bureau and put together NEFCC. 

Boyadjiev: I could personally empathize. Having elderly parents myself and seeing actually attempts at even some scams and schemes, which certainly are getting more progressive and creative. The Federal Trade Commission estimates that the overall cost of fraud to elderly and the older consumers in general is about $70 billion annually. That’s a staggering number. With the first wave of Boomers turning about 80 or so this year, I suspect this problem is only going to get worse over the next decade plus. 

Finta: I think the first thing we need to do as a society is agree on this scope. I am here to tell you, the reason the FTC had to estimate the $70 billion is because dramatic underreporting. If you’re walking down the street and somebody walks up to you and holds a gun to your head and steals your wallet, you’re reporting that. Right? But if somebody steals $100,000.00 out of your bank account based on a scam where they’ve misled you or coerced you, or whatever the case may be, my experience is around 80% to 85% of people never report that. I do think that number of $70 billion is accurate. Honestly, if you speak of that relatively in context, it’s greater than the GNP of 100 countries in the world. It’s a massive number. That volume and the way it touches all Americans, like you just said, you know your parents have touched this kind of scam world. I don’t know anybody that hasn’t. Name another crime in America that’s like that. I don’t know of one. Also, name another crime in America that goes up by 25% to 30% a year. I don’t know of another one of those either. 

So, when we talk about the problem, I think we need to really put it into perspective and call it the crime of our time. I think that’s where we are. When you talk about the types of scams and frauds, unfortunately, it’s kind of limitless. Some of the really common ones out there that are working all day every day right now, tech support scams, romance scams, investment scams particularly on the crypto side of things, government impersonation scams, pretty common, and the good old grandparent scam. I’ve done a few cases on those. All of these enhanced via sophisticated techniques and experience. They work really well. And I think that’s one of the things that we do have to keep talking about also is the fact that underreporting is so pervasive out there. Why is that? There’s shame, right? There’s fear that people are going to take my financial freedoms away from me. There’s a lot of reasons why people underreport. I think we need to keep reminding people, it’s not your fault. This is not your fault. These guys are good. They’re very good.

Boyadjiev: Yes, no, absolutely. The absolute numbers and the trends to which you point to are pretty alarming. Again, just emphasizing this is transborder as well and transnational. It’s not kind of a US phenomenon. Unfortunately, it’s trending upwards. I know you coming from a law enforcement background, you’ve been advocating about collaboration and cooperation between law enforcement and the private sector as one of the key principles of success in tackling such kind of multi-dimensional threats. What are some of the challenges that you see to that collaboration? Potentially, there’s a lot of vast data that needs to be collected, processed, analyzed, and then how could we overcome some of these challenges? 

Finta: It’s not easy. I think one of the reasons that this crime is so successful is not only do they have a good model. The process of either investigating or deterring or aggregating data on this is remarkably difficult for the reasons you said. So many sectors are involved and so many jurisdictions, at least from a law enforcement perspective. One of the first cases we did in San Diego when we started the San Diego FBI Elder Justice Task Force was a grandparent scam where three of the victims were in San Diego County. I think during the course of that case, the agents probably identified 350—that’s was probably a small amount of victims relative to that fraud—but all of them were in every other state in America. The bad guys were picking up money all over the country. Money was being laundered all over the world. The jurisdictional issues and putting all that together, even just from the law enforcement perspective, which is relatively small, were really difficult to overcome. It gets even more difficult when you talk about where the data is held to successfully pursue these criminal organizations. Your telcos, your tech companies, your banks, your wealth management companies, your retailers, your nonprofits—it’s everywhere. Even within those sectors, it’s one of the great things about this is so many companies in America are actually working on this problem, but it’s so siloed. Even within a particular sector, are the partners in that sector sharing enough data to put that picture together? Because everybody has their tiny little piece of that puzzle but we really can’t see the whole puzzle most of the time when it comes to the criminal organization, the victims, the money laundering, and the fraud cycle. 

I think the problem—we talked about how big it was—I think it’s too big for any one sector. It’s too big for the government. It’s amazing and hard to say that because I think the United States of America can do almost anything it puts its mind to, but it’s too big for the government. It’s too big for the private sector. It’s too big for any nonprofits. I don’t think it’s the key, I think it’s the only successful way that we’re going to wrap our hands around this problem is with true collaboration. 

Boyadjiev: I could see NEFCC’s role, vision and mission to maybe in some ways be acting even as a central magnetic force, a lot of stakeholders here, and protagonist in making this successful journey and overcoming some of these challenges, so terrific to hear that. On the topic maybe of data, a good transition into another area I wanted us to double click on, is the AI topic, artificial intelligence. It’s almost in everything we do and discuss today. Can you talk to us a little bit about the challenges that AI presents, especially sub-components of AI. There’s so much done these days with agentic AI and generative AI and large language models, and a lot of these emerging technologies that are on the forefront, which are used for often unintended purposes. They form part of the arrows and the quiver of malicious actors as well. We see very sophisticated phishing, vishing, smishing, deep fakes that look pretty real to the naked eye. Various other schemes from ransomware, malware, identity assurance and fraud, account takeover, just to name a few. Is there a world where we not only keep up, but hopefully stay ahead of the bad actors through AI? 

Finta: I’m generally a positive person, so I would say yes. We got our work cut out for us, though. Here’s the thing, I do feel positive about the state of affairs in essentially America’s private sector and the US government—all the federal law enforcement agencies and people. The good thing is nobody wants fraud. Our companies don’t want fraud, our financial institutions, our government. I think we can agree on that and essentially create almost like a joint venture environment where we agree we all have the same basic mission—protect our clients, protect our people, protect our families, and fight fraud.

With respect to AI, clearly, our adversaries do not have a board of governance that requires ethical use of AI. They use it however it suits them and they can troubleshoot it as much, “Hey, let’s try this on 100,000 people, let’s see what works. Let’s turn around the part that works, improve it, and try it on another 100,000 people.” In order to keep up, we’re going to need the hustle and we’re going to need to combine thoughts on this. I think this is one of those circumstances where the whole will be much, much greater than the sum of its parts. The thing is, and the beautiful thing is, all these companies in America, they all have anti-fraud efforts, vulnerable persons programs, people looking out for their clients, their affiliates. Nobody knows their data like them. So, when they have folks picking apart that data and coming up with the best pieces that can add to a puzzle, as long as we can stack those pieces up, lay them out, and put them together, I think we have a good chance of being successful. 

Boyadjiev: Maybe in just closing, can you just share your thoughts about why you think it’s so critical we get this right? It’s a tough nut to crack, clearly. 

Finta: No doubt. 

Boyadjiev: But why it’s so critical? 

Finta: It’s funny—well, maybe not funny. When I sat my mom down when I was still in the FBI and talked to her about, “Hey, Ma, these are some of the most recent frauds. These are some of the ways that they drag you in. These are some of the techniques they use. Whatever you do, don’t do this, don’t do that.” One of the things I told her is that if you don’t recognize the phone number, don’t answer the phone. If you didn’t specifically inquire for something on the computer, don’t click on a pop-up. Don’t ever download anything. Rightfully so, she kind of pushed back a little bit like, “What? It’s not kind of the world I want to live in.” Don’t ever trust anyone? Has it really gotten that bad? To tell you the truth, a lot of people are endorsing the zero trust model, and I think it has gotten that bad. I think customer trust for our companies and our institutions is incredibly important. Whatever we can do to build that corporate trust, we should. One of the things that I think increases trust among our population is to say, “Hey, you guys are working together. You’re working together with the government and you’re working together with these non-profits because you guys, you have agreement that this is something that affects us all and we all want to stop it.” I think increasing corporate trust is really important. I think also agreeing that this is a national security issue. When there’s $70 billion, now we’re just talking about elders, among fraud losses in total, we’re talking probably about $160 billion. 

When you’re talking $160 billion leaving the country and going to organized crime groups overseas, what are they doing with that money? They’re reinvesting it in affecting more Americans. A lot of those folks are in adversarial countries to the United States. So, I think elevating this to a national security issue for all of us is probably a good idea, and I would like to say really briefly, we talk about this collaboration a lot. I go to a lot of conferences where everybody talks about how we can work together. But I think instead of doing that on an ad hoc basis and every once in a while specific to an event or a crisis, we need something that’s always there, that’s structural. That becomes part of our culture that we share. That’s why we built NEFCC. So when tech companies and financial institutions and telcos and retailers sit in the same room and say, “Hey, I know something about those bad guys, what do you think about this?” That type of collaboration, that’s the future. That’s the future. 

The corporate participation is obviously the key to this and when we first started NEFCC, it was fantastic to find what we call founding members who finally just said, “Enough is enough. We want to participate. We want to launch this thing.” They invested in getting us started. Our partners from the beginning have been AARP, Amazon, Google, and Walmart. Not only got this ball rolling in terms of the process in our first few cases, but even since then, I think seeing the real value here, we’ve had some other companies come on very recently to include Microsoft, Meta, Capital One Bank, TIAA, and Chainalysis, all full NEFCC members putting their corporate might together in the fight against elder fraud. 

Boyadjiev: What can people do? What’s the best way to engage? 

Finta: I appreciate that, Constantine. We need more members. NEFCC needs kind of a corporate herd immunity on this problem, so please take a look at our website. It’s called fightelderfraud.org. There’s a little Get in Touch button on there and come join the fight. 

Boyadjiev: Thank you, once again, for the conversation today. Joe, I’ll turn it back over to you. 

Kornik: Thanks, Constantine. Thanks, Brady. And thank you for watching the VISION by Protiviti interview. On behalf of Constantine and Brady, I’m Joe Kornik. We’ll see you next time.

The days of prevention are over: Boards should refocus on recovery and resilience, says Halcyon CISO

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, I'm joined by Tony Spinelli who spent his entire 30-plus-year career devoted to pioneering and advancing technology, digital transformation, and cybersecurity capabilities across the globe. Currently, he is Vice President and Field CISO at cybersecurity and technology firm Halcyon, as well as a current board member for Blue Cross Blue Shield Association and PPAC Private Bank, where he additionally serves on the Risk Committee and the Compensation Committee. Previously, Tony has been a CISO for Capital One, Tyco International, Equifax, and First Data. Tony, thank you so much for joining me today.

Tony Spinelli: Joe, it's great to be here with you. I'm excited to talk about all the things we've got lined up for Cybersecurity Awareness Month.

Joe Kornik: Right. We are recording this in Cybersecurity Awareness Month but obviously it's something that we focus on year-round and Tony, I know you certainly are. You serve on multiple boards and have been a CISO several times over. So, I know you've seen plenty of change, but it feels to me like the pace of that change has certainly accelerated. Tony, I'd be curious to hear your thoughts about whether or not you think CISOs have done a good job keeping boards informed about the rapidly evolving threat landscape and have boards been responsive enough to those new risk factors that have emerged recently?

Tony Spinelli: Yes, Joe, I think we're probably still in the early innings of informing boards and keeping boards informed. Having been a board member, I guess, over eight years now for multiple organizations and a CISO for more than 25 years at four organizations, I think we still have ways to go on keeping boards properly informed and boards really thinking strategically about cybersecurity. I think too many times what we get as board members, as we're informed about, whether it's a monthly or quarterly meeting, is what we're doing well in cyber. I think we've really got to flip the model: have a heavy dose of what's not going well and what we're concerned about. Because as board members, that's where we can really provide not only oversight but some help, right? Do you need funding? Is it a personnel issue? Do we need to think differently about the strategy that we're applying for cybersecurity? So, seeing hundreds and hundreds of decks at this point where you get information about cyber, I think you're getting 95% to 99% of what's going well and about 1% to 2% of what we're really bad at. I think that's where we as board members have to help leadership say, “Look, we know you're working hard. We know you're trying to do all the right things for cyber. Please never shy away from telling us what we're not good at and what we need more help with.” 

That's why I think we're a little bit in the early innings around that. I think some of it comes down to, in many cases, knowledge gaps. I think in some cases we're thinking about cybersecurity in terms of strategy, that everything needs to be secure. I can tell you, the definition of security in a secure system really doesn't exist. The way you need to think about cybersecurity, especially as a board member and certainly as a leader in cybersecurity that's on the strategic side, is to start thinking much more deeply about defensible systems. When you think about secure versus defensible—and we like to say, “Look, everything's secure and it's going to be great. We're very hopeful that it stays that way.”—that's just very unrealistic. If you can think about your cybersecurity systems in terms of them being defensible, I think you really have a shot, right? Because you're thinking much more about resilience. You're thinking much more about recovery. 

When you think about security, it's an old focus of cyber before 2010 where we used to think “Look, we're just going to prevent everything.” As we've seen, Joe, we have to be right millions of times a day to stay secure where the bad guys have to be right just once. So, I think as a board member to start thinking and critiquing and reviewing cybersecurity around the line of thinking about defensible, which means “What happens when the bad thing happens? What happens when a bad actor gets into our environment?” Because it will happen. The days of prevention are over as we've seen with the many headlines that are playing us today, especially from ransomware and the likes. It's really, really important that board members start wearing that defensible hat rather than secure and prevention because, really, as we're seeing today the best companies in cyber are the ones that can respond quickly, react quickly, and make sure that their systems are very, very resilient.

Joe Kornik: Right. Tony as both a CISO and board member where do you see the biggest knowledge gaps between CISOs and board members and how do we close them at this point?

Tony Spinelli: I think one of the big knowledge gaps is, we're seeing a tremendous amount of supply chain disruption, that's been plaguing us for probably more than four or five years now and has seemed to be hitting a crescendo in terms of those supply chain disruptions around ransomware. What's really intriguing about how this is coming about is we're seeing a lot of global manufacturers, fintechs, healthcare having their supply chains disrupted, if not their business operations disrupted. From a mismatch with regard to the cyber strategy and what they actually need to have in place, I think many times when we're informed about our cyber program a lot of it focuses on technology. And what bad actors are doing today is they're really exploiting the human threat vector to then move to the technical threat vector. What I mean by that is one of the biggest knowledge gaps is that these bad actors are really focused on human threat right now. That's very hard to get at because when you think of human threats, they're doing things like social engineering, phishing emails. But beyond that, some of the more nefarious knowledge gaps and challenges have been around impersonation of the help desk, where they're impersonating your help desk, calling your employees and getting information about their credentials, their passwords. If they can't get that, they're cracking those passwords. There's about a 46% efficacy rating right now that bad actors have for cracking passwords, 46% is incredibly high. Then we hear a lot in board meetings around “Well, we're going to start focus on zero trust” or “We're going to implement zero trust,” which a lot of times means how are we thinking about MFA and two-factor authentication and those things that go along with zero trust. Well, bad actors are exploiting individuals there with MFA fatigue, where they get the credential, they use the MFA and repeatedly send those messages to your phone. Eventually what an employee does to get it to go away, is they'll just click on it, right? Then you're in. Then therein is when the technical lateral movement and the ability to really start creating havoc in your environment. In many cases, what the bad actors will do is they'll turn off your endpoint protection, they'll turn off your technical controls and really provide them with a platform to either data exfil or provide a method where they can extort funds from you through ransomware and encrypting your information. That's what the number one threat vector is today, is exposing user IDs, passwords, you're really thinking about bad actors using valid credentials. That's what I think so challenging for board members and cyber practitioners today is that 98% of these attacks are being completed with valid credentials, right? Think about that. Is there a cybersecurity tool today on a piece of technology that stops valid credentials from working? No. That's really what we're up against, right?

Joe Kornik: You've given us a lot to think about in terms of risk factors. When we talk about risk factors, I think we probably have to start with AI, which obviously many companies are beginning to leverage in their core business functions. What do you see as AI's impact?

Tony Spinelli: I think AI is going to be a big challenge, and for board members is really critical to, I think, think along really four dimensions when we think about this as it pertains to cybersecurity. I think one of the most important things you could do is make sure that the leadership of the firm has a really great understanding of AI policy and practice. The way you can do that is by using the NIST AI risk management framework. It's a holistic framework that'll help you be really thoughtful about what the right policies, practices and procedures are and give you a box to make sure that you're really, really well controlled. 

Number two, I think—and this is probably the biggest one that I would focus on, and I personally have focused on with the boards that I've been on—and that's around a data governance program. I think as all companies today have a factor—with being a technology company—that you've had massive data sprawl wherever you've been. While you want to be well controlled and well managed, AI really requires a different level of data governance. You have to have really strong data modeling. You have to have really strong understanding of the uses of that data. I would really make sure that as a board member you ask to be walked through what the data governance program is, not just for AI, but what the data governance program is for the firm as a whole. 

I then think number three, as you go to the next step, as you're thinking about AI and the use cases come up, is you should have a really strong methodology for thinking about use cases and how those use cases are formed. When you get to that point, where you're thinking about specific use cases, as a board leader you want to ask about the risk assessment process, right? Is how do you have a risk assessment process built around AI use cases? Because that's going to be absolutely critical. So, if you're using large data models, you're using a lot of customer information, a lot of proprietary information, a ton of PII information, and you're going to do some very articulate and challenging things with AI with that data, it's paramount that each one of these use cases has its own risk assessment. As a board member you can go back and say, “Well, look. I looked at the use case and the risk assessment with it.” It doesn't have to be a 75-page document. It could be a two- or three-page deck that just says, “For each one of these main use cases we've done a risk assessment and here's what it looks like.” 

I think fourth, you can never take your eye off the ball of third parties. right? You don't have full control of your third parties but in many cases your third parties are either providing you data or you're providing data to them that's going to be part of that AI model in some way. So, it's going to be really, really important that you think about the risks of third parties. That's, Joe, what I would say are the four key aspects for board members to think about.

Joe Kornik: Tony, I'm curious how worried you are about the lack of AI knowledge and capabilities from both the C-suite perspective and the board perspective. Is there enough AI capability out there right now to meet the demands that the future will bring?

Tony Spinelli: No, there's really not. Joe, I think that's the one thing that's different about cyber and maybe even sometimes this risk management view of technology that boards and practitioners really need to think about is that you're going to really need more cyber talent as AI becomes a larger part of your organization, especially if you’re a cyber organization in IT and perhaps you're using less developers or less other types of technology associates. You really want to invest more in your cyber program to make sure around, like we talked about data governance, and having that talent to really understand how AI can be used to protect your enterprise and then guard against AI from an offensive perspective. I think you're going to need more talent in cyber that's much more focused on recovery and response and reaction.

Joe Kornik: Tony, you touched on something there that I think is really important and that's geopolitical developments this year have raised awareness regarding resiliency challenges and keeping core functions up and running in the wake of an attack. We've seen quite a few attacks recently specifically around supply chains. How can business leaders prepare for that? How can they be sure that they can stay resilient amid all the uncertainty right now?

Tony Spinelli: I think you need to really have a test-and-learn mentality and test the resilience and the recovery capability doing both tabletop exercises and tabletop exercises plus, where you're really testing from an attack and penetration perspective your ability to recover from a significant ransomware event or an attack on your supply chain. I think it's absolutely paramount. As you think about the global developments and the global nature of this, you've got massive, organized crime groups, and I do mean massive, thousand people plus in some cases, Scattered Spider, Akira, Medusa, Chilin. All of these are focused on business disruption and supply chains. The reason is pretty obvious. There's billions of dollars that they're extracting from those areas. And you can look at it today. There's a large global manufacturer of trucks and cars that's had challenges for weeks now due to an attack, $60 million a day, a thousand cars a week not being produced. If you think about that from a ransomware perspective and if it's a Scattered Spider or a Chilin or one of those larger organized crime groups, you know if you can disrupt a global manufacturer of that size and scale, you're not only affecting them but the pressure campaign you can bring to bear to get billions of dollars is massive because manufacturers of that size have supply chains of 30,000 companies. They are supporting each one of them to create a car or a truck for example, right? So, if you've got 30,000 vendors that are all supplying something to that large manufacturing company, it could be any manufacturer of that size and scale, the pressure campaign that one of these organized crime groups can bring to bear is just daunting to think about, right? Because if those 30,000 vendors cannot pay their employees, cannot produce capability, you're talking about affecting the economy of small countries as this happens.

Joe Kornik: Thanks Tony. I really enjoyed our conversation.

Tony Spinelli: Oh, thanks Joe.

Joe Kornik: And thank you for watching the VISION by Protiviti interview. I'm Joe Kornik. We'll see you next time.

Morgan Stanley's Rachel Wilson talks cyber strategies in new AI-enabled threat landscape

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re joined by Rachel Wilson, head of cybersecurity for Wealth Management at Morgan Stanley, where she’s responsible for securing all sensitive client data from theft, loss or compromise, as well as for the resilience and continuity of core business processes in times of turbulence. Prior to her nearly nine years at Morgan Stanley, Rachel spent 15 years at the NSA, where she held several executive-level leadership positions. Rachel will sit down today with my Protiviti colleague, Managing Director Sameer Ansari, Global Security and Privacy Lead. Sameer, I’ll turn it over to you to begin.

Sameer Ansari: Thanks, Joe. Rachel, thank you so much for joining us today.

Rachel Wilson: Sameer, I’m so happy to be here. Thank you so much for having me.

Ansari: Rachel, you’ve been in your current role for over eight years now and have spent 15 years at the NSA, so you clearly have a lot of experience and have seen a lot of things. We’d be interested in your perspective in terms of how you see the focus on cybersecurity and resiliency. How has it evolved over the past several years? Not only in your current position and the private sector, but overall, what have you seen companies do to strengthen and really look at the response and recovery capabilities?

Wilson: Sameer, I would bin the evolution over the last five years in the following three ways. One, certainly in the cybersecurity space, banks, financial services firms, and large companies have always been focused on the threat posed by nation-states. So, five years ago, I was very focused on North Korea, Iran, and what we were seeing from Russia. All of that is still going on, but the change in focus around cybersecurity has been all about the increase in what we would call cyber criminal syndicate activity.

If five years ago the vast majority of malicious traffic on the internet was nation-states, now 70% of the malicious traffic we see is actually financially motivated and criminal in nature. So, that has required us to change our tactics, our focus, really to be working on extending that perimeter of protection, which for folks like us would typically have been on our firms, our employees, our network systems and applications. Now we’re focused on extending that perimeter of protection to our clients, our customers, really thinking about that broader ecosystem.

When you think about resilience, I’m so glad we’re talking about this today because resilience, the level of emphasis there from our board of directors, our shareholders, our stakeholders, and from our regulators, has increased dramatically. So, this view that a cyber incident that causes a business disruption, that creates a business continuity issue, the view now is that that is not an if, rather that is a when, which is why your point around response and recovery is so crucial. Firms need to invest in all of that preventative technology in detection, but the focus around response and recovery, I’ve never seen it quite as amplified as it is now.

Ansari: That’s a great perspective. Piggybacking on that, obviously, given some of the recent geopolitical events, and obviously, you’ve mentioned the shift from the nation-state aspect to more of those that are there for financial gain. It has obviously increased awareness amongst business leaders and boards in terms of understanding cybersecurity and the resiliency challenges. How can business leaders better understand and fulfill their roles in addressing these challenges, especially when it comes to a crisis and they’re in the middle of a situation or a cybersecurity event?

Wilson: Well, Sameer, that’s exactly it. The last thing we want is leadership and boards trying to figure out their cyber response playbook in the throes of their bad cyber day. So, we see a lot of emphasis now on tabletop exercises, on actually training like you’re going to fight and doing that all the way up to your board and C-suite level. So, increasingly, this idea that while cybersecurity as a tactical exercise is the domain of technologists like us and is the focus of our chief information security officers, it’s this broader recognition, exactly to your point, that business leaders need to be deeply engaged here.

The questions that I ask the companies that I support are, “Does your CFO understand their role in a cyber attack? Has your general counsel thought about whether you are a company, an entity, or an institution that would pay a ransom if you found yourselves in the midst of a ransomware attack?” Those big existential questions are not questions for your technology teams. They are questions that we really want to see having been practiced, having been rehearsed, so that again, when that if, not if, but rather when a cyber attack occurs, leadership understands those roles and you’re not having to learn in public in the midst of those exercises.

Ansari: Yes, that makes a lot of sense. Also, shifting a little bit or maybe an adjacent topic there is, obviously, I think, while executives understand their role in terms of protecting their enterprise, obviously, the continued reliance upon third parties and their overall supply chain of their organizations. I would love to hear—because the conversations we’ve been having with our clients are really around how they are handling third-party risk management—I’d be curious to see what you’re seeing there, as companies, I think, sometimes think of it more as a check-the-box activity. How can organizations really think about this as managing their risk?

Wilson: Well, Sameer, it’s crucial, and I sadly agree with you that all too often, historically, companies have viewed their third-party risk program as a box-checking exercise, right? We’re going to go through the motions. We’re going to do that due diligence, but are we really thinking about material risk reduction? Of course, we’ve got to think about this along two vectors, right? There is the fact that many, many companies, mine included, entrust our vendors, our third parties, with huge volumes of customer, client, and frankly, employee data.

When you think about the degree to which customers and clients that all of us have, very appropriately, and for all the right reasons, outsourced many of our critical functions to third parties, if that outsourcing comes with a whole bunch of employee or customer data, are we really confident that those third parties are meeting our cybersecurity data protection, even fraud prevention standards, Sameer? So, I would argue that companies need to go well beyond that box-checking exercise.

Then, when you add the resilience components, think about those vendors, those third parties in your environment that we would consider air-and-water services, that your business cannot function without. Have we really thought about the opportunities for resilience enhancements there? Do we have true disaster recovery planning? Do we have contingency and exit plans for those vendors that maybe provide that crucial service and for which there really is no alternative?

Again, I think about those air-and-water vendors in that way, but the point you made in your question that I think is particularly crucial is the question around streamlining. The answer to improved vendor due diligence is not an infinite process. If your vendor onboarding process now consists of a thousand questions and takes a year for you to execute in the modern era, companies are not going to be successful if those are the timelines they’re looking at for onboarding a new critical vendor.

That’s the challenge, right? That’s the juxtaposition, Sameer, of how do we recognize that our vendors present potentially tremendous risk, but at the same time, streamline those risk management processes, those onboarding processes, so that our businesses can truly be agile and dynamic. I will tell you, personally, I don’t see many companies that have cracked the code on this, and it’s a question that I think we are all adding and asking of our advisors, our supporters, our consultants. We’re not there, and I don’t think I’ve seen any case where someone is really getting that balance right today.

Ansari: Yes, it really is a balancing act in terms of managing the risk and being thorough, and also balancing, obviously, the impact of third parties. I don’t think I’d be able to get through this entire conversation without turning to the next topic of the day, which is clearly around AI. So, we would love to hear your perspective on AI’s impact on security. What are some of the biggest opportunities and threats posed by AI in the cybersecurity domain, and how do you balance innovation with risk?

Wilson: Sameer, I feel like balance is our big theme today, and you’re totally right that that’s the example and really the exemplary post that we have to talk about here. What we talk to our board of directors about is this idea that the proliferation of artificial intelligence, and I would argue, combined with the democratization of very advanced nation-state-level cyber capabilities, has essentially lowered the barrier to entry to being a reasonably sophisticated cyber actor.

Sameer, we know from our history that five years ago, if you wanted to be a capable hacker, you needed an advanced degree in a technical field, you needed access to covert infrastructure, you needed a nation-state toolkit, and you needed training. There was a pretty significant learning curve to becoming a reasonable, scalable hacker. Today’s environment, we see the opposite, right? A little bit of ChatGPT, a little bit of Gemini, throw in some YouTube videos on how to use those capabilities, and these layman hackers are off to the races, quite capable in a matter of weeks.

Then, when you add AI to the overall cybersecurity landscape, what we’ve seen is that it has been a real catalyst and a real amplifier. So, now cyber attacks are at a scope, a scale, a velocity that I don’t think those of us who’ve been in this space for a long time could have imagined even three years ago. Now that’s what we’re seeing at scale. So, AI lowering that barrier to entry, increasing that scope, scale and velocity, these are attacks both on us as firms and on the customers and clients we support.

This, of course, gets to your balance. I’m increasingly of the view that the only way we defeat all of these AI-enabled threats is by leveraging more AI in our environment. So, one of the metrics that we’re increasingly holding ourselves accountable to is the idea of what percentage of the cyber attacks, attempted cyber attacks that we see at our perimeter, as loose a term as that might be, are we successfully detecting and preventing through solely automated means.

So, whether you want to call that AI or machine learning, whether you want to call that pure process automation, I’d argue that a strong cybersecurity program today is detecting and preventing 99.9% of their incoming cyber attacks all through automated means. Many vendors are getting better and better in this space, but you’re right that it’s a balance.

Then, when you add that third component, obviously, I have to give my employees AI tools in their toolkit. That’s the only way we’re going to continue to be competitive in this environment. Morgan Stanley has really leaned into artificial intelligence as an enabler for our workforce, but enabling those capabilities comes with risk in its own right, whether you’re thinking about data quality, privacy rights, all of these downstream impacts of leveraging AI in our environments. Folks like me in the governance and risk management space have got to look at all of those components to balance that innovation with risk mitigation.

Ansari: Yes, I think balance is going to be the continued theme through this discussion, because the next thing I wanted to discuss with you was really around, obviously, you mentioned AI three years ago wasn’t really as much of a topic. A lot of our attention from a cybersecurity profession perspective was around things like quantum computing, which I know Morgan Stanley is getting quite involved with as well. We’d love to get your perspective on that balance for CISOs and cybersecurity professionals in terms of balancing your basic blocking and tackling and focusing on that versus keeping your eyes forward-looking in terms of new technologies that are coming with things like quantum computing and obviously AI.

Wilson: Well, Sameer, that’s exactly it. I think your thematic here around balance is what I’m hearing from the entire ecosystem, the entire community right now. This is exactly it, right? We cannot lose sight of that basic hygiene, that blocking and tackling. I mean, even some of the vulnerabilities that we’ve seen disclosed in the last few weeks, all things that you and I have been talking about.

If we’re not responding appropriately to these critical vulnerabilities in our environment with that basic blocking and tackling, that patching cadence, that employee training, all of that table-stakes, brass-tacks stuff that we were raised on as cybersecurity professionals, I hear all too often cyber teams getting distracted by the sexy stuff. Of course, I love to geek out on the sexy stuff too, but if we’re not doing those basic things right, if we don’t have identity correctly managed, if we’re not thinking about those core table stakes controls in our environment, we’re going to miss the boat.

Now, all of that said, I think when you look at the environment around post-quantum readiness, we are absolutely in a call-to-action state. So, at Morgan Stanley, this is going to mean, for the next two years, really getting our arms around an inventory of all of our cryptographic algorithms. What I hear CISO saying is that the first step is really understanding the size and shape of your risk when it comes to post-quantum readiness, once we’ve got that inventory—and of course, Sameer, that’s at all levels, right? Our hardware, our networks, our applications, and even how we interact with customers and clients—getting our arms around that inventory so that we can really get to the hard work of upgrading those algorithms, that’s a long-term project. I know this really speaks to that balance, but I am really encouraging CISOs that we work with, don’t delay on at least getting your arms around the size and shape of your post-quantum problem, while, of course, to your point, not losing sight of that basic cyber hygiene.

Ansari: Yes. I think we’re also seeing increased conversations, obviously, with regulators as well, Rachel. So, I’d love to get your perspective on: regulators always focus on data and security, and the loss of data, but now they’re focusing a lot more on resiliency and the business continuity side of things. How do you think about business leaders’ ability to demonstrate their ability to really look at overall resilience in a way that is not just from a compliance perspective, but also adds value?

Wilson: Yes. Well, Sameer, to your point, I think this is an area where the Europeans are way ahead of us. Just a few weeks ago, we were at a regulatory conference in Europe, with regulators from all around the world, and they were asking exactly this question. So, you bring together all of these ideas, data security, cybersecurity, what does it mean to be preparing? We’re having to help our regulators understand how to regulate us when it comes to asking questions about the implications of quantum computing. Then the focus on resilience, and again, especially from the Europeans, is higher than we’ve ever seen it before.

The focus, and I think this is very appropriate, Sameer, is going beyond having a written business continuity plan and really getting to a place where you are testing those plans and assessing them for viability. That’s what I’m hearing from regulators. Don’t just give me a piece of paper that says what you would do in the event of a significant third-party outage, in the event of a significant business continuity issue, whether that’s geopolitical in nature, weather in nature, all kinds of manner of things. Show me that you’ve really exercised your game plan and that your teams understand how they would react to that, whether that’s transference, whether that’s fallbacks, or whether that’s manual processes. They want to see that you’ve actually walked the walk, not just written the white paper.

Ansari: Yes, makes a lot of sense. Last question for you, Rachel. This would be a good looking-ahead question. As we think about 2026, what do you see as the most critical areas for investment in cybersecurity? How do organizations start to prepare for that next wave of advances in technology, things that we’re not aware of today? Like three years ago, as you mentioned, we weren’t maybe even thinking about the impact of AI. So, how should business leaders and cybersecurity professionals be thinking about what the future holds?

Wilson: Well, so much of this for me, Sameer—and in this case, I’m putting on a little bit of my fraud prevention hat as well—I think it will be thinking about a world in which we all cannot be confident that the person we’re talking to on the phone, over Zoom, through a video conferencing platform is really the person we think we’re talking to. This undermines all kinds of things that I think are really existential to humanity, right?

If I can’t be confident that the customer I’m talking to, the client I’m talking to, the vendor, the third party, the interview candidate, that any of these people are really who they appear to be, that is going to be a fundamental change to how all of us do business, how we do business internally, how we do business with our vendors, and how we do business with our customers. So, I think we’re going to see a lot of investment around, really, identity-proofing all of our various channels. Whether that’s calls to the call center, whether that’s how we conduct interviews remotely over various platforms. All of that. When you look at the risks and threats in the environment, a lot of that is going to have to change.

Then you add to that these next-generation technology enhancements. So, quantum computing is an example, but many more things. When we think about wanting to leverage AI to improve the efficiency and effectiveness of our workforce, recognizing what risks and threats that potentially poses. This is certainly a time for investment. I would also say, Sameer, that this is also a crucial time for partnership. Even companies, large companies, Fortune 50, Fortune 100 companies, none of us can be doing this by ourselves. So, that reliance on third parties, I think, is only going to increase, both to support innovation and to have us responsive to all of these emerging threats.

Ansari: Rachel, this has been really a great conversation. Your perspective, obviously, from your experience at the NSA and clearly from the financial services experience, has really been beneficial. Thank you for your time today. I really enjoyed our discussion.

Wilson: Sameer, this was wonderful, and I look forward to more. Thank you so much for having me today. This was great.

Ansari: Thanks. Joe, I’ll turn it back to you.

Kornik: Thanks, Sameer, and thanks, Rachel. Thank you for watching the VISION by Protiviti interview. On behalf of Sameer and Rachel, I’m Joe Kornik. We’ll see you next time. 

ACT Group CFO: Finance partnering with sales and marketing creates strategic advantage

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C- suite and executive boardrooms worldwide. Today, we're exploring the future of customer experience, and I'm happy to be joined by Michael Vigario, Chief Financial Officer for North America at ACT Group in New York. He is also a board member of Green Project Technologies. Today, Mike will sit down with my Protiviti colleague, Heather Hall, Director, Digital Customer Experience and Digital Transformation Strategy, to discuss sales strategy and customer experience through the lens of the CFO. Heather, I’ll turn it over to you to begin. 

Heather Hall: Thanks, Joe, so Mike, thanks for being a willing victim in this. People are probably wondering what you and I are doing talking when you're a CFO, and we're talking about sales strategies. So, you and I have had a number of conversations over the years about the role of finance with sales, and the role that plays in acceleration. And as I thought about it, I wanted to pull the curtain back on the conversations that we’ve had out in the public. So, to set the stage, I want to talk a little bit about the role that you've played with your sales organization and how sales can collaborate with finance on go-to-market strategies. 

Mike Vigario: Yep, awesome. Thanks, Heather… and I’m a willing victim. So, all good there. Yeah, I think finance has become more and more working shoulder to shoulder with sales, which I think has been really my experience over the past eight years and even before that. It's a way for finance to show that their data-driven strategies and all the access to information that finance has can turn into actionable insights. So I think finance has, just in general, moved beyond just reporting the past and now helping to shape the future and the whole strategy of the organization. So bringing the data lens to some of those questions that you mentioned there, you know, which segments are the best potential, how pricing impacts margin and win rates… we want to win, but not at all costs, as there are bad deals, right? 

And so you may want to have a loss leader here and there, but overall, in general, that doesn't make sense. That's not sustainable business. And then how do you allocate territories for maximum impact? Does it make sense that a salesperson cover Florida and Minnesota? Probably not. Setting things up just in a smart way, so we can also be cost effective, and making sure the go-to-market strategy is built on opportunity, of course, but then sustainable business. And then, most importantly, I think we always need to remember to be able to change based on the data. So, as we take in more data, maybe it makes sense to make some changes, to make some updates. And so, I think that's important, to be able to be agile and change things when necessary. 

Hall: And it's interesting you bring that up because that's a substantial pivot from what historically has been maybe more of a lagging point of view. I think of sales historically being the one pushing and driving, whereas finance would be more “well, this is how you perform. This is the margin we’ve got,” right, as opposed to taking that proactive lens? So with that shift, how can you partner with sales to bring that level of discipline, you know, the introduction of data? And thinking about the classic things like pipeline health, the forecast accuracy. You know, you started to talk about deal prioritization, too. It's a very different role. How did you introduce that in the world?

Vigario: Yes. And kudos also to the sales team that I've been working at the table to take in some of this data and be open, which is really important. If the sales team is not open to it, then you can't really go very far. But the sales teams that I've been working with have been open to it, and so they're open to looking at pipeline data, and they understand the importance of forecasting with pipeline data, because, you know, we ultimately, we are basically PE-backed, and so having insight into our numbers and forecasts and being able to predict what's going to happen, not only talk about what did happen, is really important to us as a company and to our equity disciplines, as well. So, I think the whole organization really sees that this is important, but it all starts with data. 

So trying to get the sales team to actually put data in the easiest way possible—so removing friction through apps, through plugins, through all these different ways, so that our CRM system does actually contain the information that we need it to contain, and so it does actually have predictive ability from our conversion rates, our time to conversion, all these different types of things, and that helps us validate forecast accuracy, but also have a forecast, just in general, right? So, I think some of these things are really important. 

And then, to your point about deals, I mean, there are more and less profitable deals. And when we're looking at the customer cost of acquisition, I think that's an important metric for us to understand where we're getting profitable deals from. And maybe it's logo driven and not necessarily deal profitability driven, and so that logo can help us get more logos. And, you know, there's that whole thing, but I think for the most part, we want to prioritize having deals that do make us a healthy margin in order to be a sustainable business.

Hall: I find the role that you play at ACT really interesting because you're so integral into the entire selling process, from the point that you're concepting where to go next, as well as how people are getting onboarded through the commodities purchasing process, the whole thing; you're an integral part of the puzzle. How do you get there? And I'll strike it from two lenses: How did you, Mike, get there? How'd you build that trust in that relationship, but extending that to your peers… how should they think about becoming more integrated in with sales and with marketing too?

Vigario: Yeah, so I think it's not always easy to sell the sales people on the value finance is bringing because, I think traditionally, finance sends the invoices and collects the money. You go do your thing, and that's kind of it. But I think what we've tried to do is show that we can enable deals by, you know, if I look at the trading side of the business, enabling deals through cash usage, enabling deals through knowing what our stock levels are and exactly what type of stock we're holding so that we can go to the market and sell that, and maybe it's sell it for a particular period of time, or, you know, being able to optimize what inventory we do have.

And if I look at the SAS piece of ACT’s business, we also look at what our pricing should be. I look at competitor pricing and see when we should get discounts, when we shouldn't, and how we can continue that moving. And look at also our historical business. So historically, we've traded with 1,000 companies, and now this year, only 750 have come up so far. Why? Or the amounts we've traded with, or volumes, or the regions we've traded in, and try to get more out of those particular spots. And on the SAS side, what industries are we working with the most, and so what industries need help on this, on this carbon accounting journey that they're on? 

So we’re thinking about how we can do this with customer behavior and with the sales cycle in general, and looking at where we are now versus where we expected to be in our budget, and how can we bridge that gap? What assumptions were in the budget that were underlying, that were helping us get these numbers in the first place? And so where are we compared to that? And I think working with sales has been really powerful for me, also just in understanding how salespeople think and how I can show that I'm providing value and actually prove that point out, rather than just say “You have to listen to me,” because that doesn't really work very well. I may work once or twice, but that's about it. So, it's really partnering and showing the sales team that you do have valuable data for them. It takes a little bit of time, of course, but I think it becomes powerful in the future.

Hall: Flipping the question, and I think back to my time in industry. I wanted to stay out of finance’s office. That usually meant I was having to deal with the PO or something had gone sideways. Right? What can someone in sales or marketing do to improve their relationship with finance, collaborate, better establish those channels of communication?

Vigario: I think for us in finance, you know, we've talked a lot about data so far already, and  transparency and data is so important for finance. To pull a fast one over on finance is not really going to work, because ultimately, the buck stops here… literally. And so I think it's really important to just be transparent and collaborative, you know, sharing or even jointly constructing some pipeline data, or maybe it's the underlying CRM system has to be designed jointly. Or, you know, if we're talking about marketing campaigns and tagging customers and tagging leads, then jointly create things like that, and that helps everyone, right? Because, from finance, I can see more top of the funnel, and from marketing, we can then measure what actually works versus what doesn't work, and we can hopefully ratchet up what does work and increase our conversion rates. 

And so I think designing things like that together, focus on on what metrics, what KPIs, we actually want to monitor not only shows marketing what's successful, but shows sales what's successful, and ultimately, shows finance and our executive board what success really looks like. And the predictive ability of those KPIs—so not only your current customer base, but also what's in your pipeline and what your time to convert is, so that we can then look three, six, nine, months into the future and have some expectations of where we're going to land. 

Hall: How do you think about that balance of finance with go-to-market investment? So you guys are growing green project, and there's a lot of things going on there from a carbon accounting perspective. How do you balance that aspiration of, I think, that I can grab that next great piece with other priorities in the business, because there's a lot of other things that are going on. What's that model look like for you? 

Vigario: I think for us, it's all about ROI. So what we've done for the past 15 years, 16 years, was build the business on mostly riskless trading platform. And so that kicks off a good amount of cash. And so what can we do with that cash? How can we reinvest it into the business in order to grow the business and allow access to our core products to more and more and more customers in an efficient way? 

And so that was the Green Project play, which we worked on about two-and-a-half years ago. I was acquiring Green Project technologies in order to now go a little bit further up upstream and be able to meet our customers before they necessarily have a CSO or they necessarily have a built out sustainability function, and so helping them measure their carbon footprint, whether that be on Scope 1, Scope 2, or, which is a bit more difficult, Scope 3. And so that's really what we’re focused on, is how can we go further up the chain and be able to offer these same clients, which we already deal with, differentiated product, but also clients that we haven't even touched yet.

Hall: So let me hit you with a parting thought. Let's say that I plunked a CFO down in front of you, and I said, “Mike, I want you to look at this peer of yours and tell them what you think the most important evolution is  and how finance is going to support go-to-market strategy, with the intent of helping the CFO have the same type of impact on your on their business? What would you say?

Vigario: Yeah, I think the most important evolution has been that finance is becoming a strategic partner. And I think without that, I don't know that finance would be as exciting for me personally even. And so, it's really been an exciting evolution that I've gotten to see a good amount of, and just evolving to that strategic partner, the days of just backward-looking financials and the variance analysis and saying, “Oh, we predicted we were going to do 10, and we did six,” is hopefully kind of done. I think with AI, which we didn't really talk much about, but I think with AI, a lot of that is going to be done for you, and you're going to be looking deeper and deeper, more detailed into it and more into the future. Because ultimately, insights rule. It's no longer about just looking back and having clean financial statements, that's par for the course; it's now adding that second layer of value. 

So, I think finance now helps to underpin and drive growth initiatives, both with a view of profitability and sustainability from a business perspective. And so that's what I think has been the biggest evolution, at least for me, and has been the most exciting part, honestly. Looking at measurable KPIs, looking at predictable KPIs, we've just really moved on from looking in the past—although having clean financials and looking in the past and reporting what happened is still incredibly important—but moving to predicting the performance and really underpinning how we get there. And so, that's what I would say the biggest evolution has been. 

Hall: Awesome. Thank you for carving out the time. As always, it's great to catch up! Joe,I'm going to hand it back to you. 

Kornik: Thanks, Heather and thanks, Mike! And thank you for watching the VISION by Protviti Interview. On behalf of Heather and Mike. I'm Joe Kornik. We'll see you next time.

Security expert Tom Vartanian: Amid all the chaos, boards need to refocus on cyber and AI

Joe Kornik: Welcome to the VISION by Protiviti. Interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, where we focus on issues that will impact the C-suite and executive boardrooms worldwide. Today, I'm joined by Tom Vartanian, Executive Director of the Financial Technology and Cybersecurity Center. Tom's nearly 50-year career as an attorney, author, regulatory expert, CEO chairman and expert witness on financial regulation and technology makes him uniquely qualified to advise business leaders on economic uncertainty, geopolitical risk and ongoing cyber threats and AI, among the many challenges facing business leaders today. Tom, thanks so much for joining me. 

Tom Vartanian: Thanks, Joe. It's pleasure to be back.

Kornik: Thanks for coming back. Tom. So, where do we start? How about current events: economic uncertainty, tariffs, trade wars, so much facing business leaders and boards these days. What's your advice for managing through all the chaos? 

Vartanian: Yeah, that's a terrific question. I'll answer it, both as a lawyer who's advised boards and management on how to avoid liability, because that's obviously a baseline that everybody's concerned about, and then also as a business strategist, after 50 years of advising companies in doing what they're doing and staying out of trouble, but in also creating financial strategies that work. First thing, I think you have to try to figure out is what kind of economic environment we're in. I mean, there's a U-shaped one, there's a V-shaped one, or there's a straight-line economic distress period much as the depression represented. And so I think the first thing you have to ask yourself is, what's the nature of the chaos? And I think right now, I think you define the chaos as at least involving tariffs, changes in economic policy and changes in the federal bureaucracy, and those, I think, are roiling the markets in ways that we understand they did not anticipate—because if the markets did anticipate this, they wouldn't be moving the way they're moving. And so I think there's an enormous amount of uncertainty. 

I think one of the problems I see in running a business these days is the 180-degree swings we get when you go from Republican to Democrat and Democrat to Republican. That makes it almost impossible to run a business. You know, you can't tack left for four years and then tack right for four years. And that's a problem, I think, of the highest degree here. But it's not a pass for directors to say that policies are changing so quickly we don't know how to manage the company. It's not a pass for CEOs and executives to say, gee, it's hard to manage the company. That's just life. You got to be able to manage the company. So when I talk to management and boards of directors, what I've always emphasized is, to be able to sort of balance a number of things at the same time, or juggle more than three balls. And what that means is, you have to have a defensive strategy. The defensive strategy has to be, how do we make sure, if we get these unanticipated financial consequences, that we don't fail, that we don't have a tremendous downturn in our business, that we're not surprised by the fact that we have to move manufacturing from one country to another? You ought to have plans that at least defend against any of the possible, reasonable and worst-case scenarios happening. And if you haven't been doing that, it's a little late now, frankly. 

But what I always tell management and boards of directors is to have both a defensive and offensive strategy. The offensive strategy here is, obviously, in times like this, there's opportunities. There's always opportunities when the markets are forced downward so rapidly and in such a volatile fashion. There'll be opportunities and investments, in real estate, in mergers and acquisitions, and if you're if you're one of the companies that that's ready to take care of those, take advantage of those opportunities, you're going to be in as good a shape, I think, as you can possibly be. But again, there's a defensive strategy you have to articulate, and there's an offensive strategy.

Kornik: You know, companies, Tom, have relied on traditional risk management in times of distress. But this feels different. What messaging should the C-suite be communicating up to the board right now? 

Vartanian: Yeah, I don't know what traditional risk management is anymore. Things have changed so dramatically, and to the extent that you have not been able to anticipate what's going on, I think it really, really taxes your risk management. But it seems to me, what the C-suite wants to be communicating to the board is, we are on top of this, as much as we can possibly be, we are on top of this. We may have missed A, B and C, but with the rest, we're on top of it. And here's how we're on top of it, and here's what we're doing. And that means responding to the velocity of political swings, the velocity of economic swings, the velocity of technological swings, which I think we'll get to in a little bit, the velocity to globalism versus isolationism, and what that means in terms of what's happening throughout the world. But again, I think it's up to management to tell the board, communicate to the board, “We've identified the risks, we have accounted for those risks, or we are accounting for those risks in the following ways, and we've identified the opportunities, and here's where, how we're going to take advantage of those opportunities.” 

Kornik: How about the boards themselves? Where should the board be focused, and what steps should they be taking right now?

Vartanian: What I always tell boards of directors is, it's your job to ask the right questions. And in my mind, the right questions fall into three different categories these days. First, economic; second, cybersecurity; and thirdly, artificial intelligence. I think those are the three most pressing issues that boards of directors are going to have to confront. And the problem with some of this is, I think boards of directors are pretty familiar with the economy issues, the financial issues, these things. They know the glossary of terms, and they know accounting principles are important. I'm not so sure they're as up-to-date on cybersecurity and artificial intelligence. And I think those are the risks that can sneak up on companies and boards of directors, particularly given the fact now that the government seems to be pulling back in terms of what the Trump administration is doing on people, processes, overseeing cybersecurity and what's going on in the cyber world.

Kornik: Tom, you mentioned cyber and AI, so let's go there. That's where you spend the majority of your time these days. Amazing, right? How we've sort of stuck a pin in those two issues in 2025 with everything else going on, but they're still as important as ever, right? 

Vartanian: You know, after helping companies for 50 years, or at least now the last 30, get into get into cyberspace, do business online and offer new technological products—you know, I spent another three or four years researching my book, The Unhackable Internet—and putting together my experience with what I was researching and learning about, cybersecurity, artificial intelligence algorithms, large language models and the whole thing, I really began to scare myself in terms of what I saw in practice, which was a pretty understated approach to cybersecurity by most companies, and where that could lead in terms of cyber-attacks, intellectual theft and the like. And so I really believe that we are at a tipping point here in cyberspace. Because, look, if the Trump administration pulls back on some of those areas, I know what the watch words are, because the government has written about this for the last 20 years, and that is, let technology be technology, so we will be number one in the world. The problem with that is, there needs to be a balance. Because while there are enormous benefits to technology in everything from healthcare to traffic control, enormous benefits that will that will make the quality of life so much better for people, there are enormous detriments. 

I mean, if you just look at something like cryptocurrency, it is now financing the largest scale of crimes across the globe that we have ever seen, and the most heinous sorts of crimes, frankly. And so there's got to be a balance between the good and the bad. And I think that's the role the government has to play. The government can't really control cyberspace, because it doesn't belong to governments, right? If you look at 95% of cyberspace, it belongs to corporations and individuals. So those individuals have to be smart, those corporations have to be smart, and they can't sit there saying, gee, if the government lets this happen, it must be okay, because that's not the answer. If the government lets this happen, someone must be protecting me. They're not. If the government's letting this happen, this is safe. It's not safe. 

And so we started in 1969 with an internet that was handed off by ARPANET to four universities to help them trade information and research, and that is the internet that we've built everything on since 1969. It wasn't secure in 1969, and it isn't secure today. And what I typically say in the number of my speeches is, if we wanted to build a way for our adversaries to take maximum advantage of us, we would build the internet we have. You know, why are we swimming in the same cyber waters with Russia, North Korea, Iran, China? I mean, that just doesn't make any sense to me. And so that's a fundamental problem that's only getting larger, because experts will tell us that we're building invulnerabilities twice as fast as we're building the solutions. 

So where did all that lead? It leads with governments coming together to encourage businesses and individuals to look at cyberspace differently. There needs to be real authentication, there needs to be real forms of government, and there needs to be real enforcement. Until we get that, I think we're all in peril in terms of what we're doing online and who's looking at it and who's got access to it, and that's only getting worse now. Well, the benefits are getting better and the risks are getting worse because of artificial intelligence. 

That's another area where businesses, individuals and the government can't say, let's let it go on there by itself and do what it's going to do so we don't, we don't inhibit its growth. Because at some point AI, particularly when AI is coding AI—I mean, we're now talking about all the coding for AI, and everything software being done by AI. Look, at some point with the emergent capabilities and the generative capabilities that AI has, and to the extent it begins to think for itself, it's going to do what its programmers do in those situations. It's going to take care of itself, right? It's going to look at its own best interests. And we get to that point, and I think we've crossed the line we can't go back on.

So from the point of view of corporations looking at this, I would say you have to evaluate these two things from the risk point of view, not just the profit potential you get from these things, and understand that unless we put in some controls now at the corporate level and at the government level, we may lose control of artificial intelligence at some point. And that's not me saying that. That's the experts in the world.

Kornik: Well, thank you Tom. I appreciate the conversation, and thanks for the time today, as always, incredibly insightful. 

Vartanian: Thank you, Joe. 

Kornik: Thanks, Tom, and thank you for watching the VISION by Protiviti interview. On behalf of Tom Vartanian, I'm Joe Kornik. We'll see you next time you.

Microsoft GM of Global Advertising: AI-driven personalization will fundamentally reshape CX

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the customer experience and we’re thrilled to have Carol Phillips Hutchinson, general manager of global advertising at Microsoft, where she leads a creative team that develops and articulates the overall advertising strategy worldwide. Today, she’ll be speaking with my Protiviti colleague, Greg Hunter, director, digital media, media, experience, and creative. Greg, I’ll turn it over to you to begin.

Greg Hunter: Thanks so much, Joe. And Carol, thank you for joining us today for this discussion. 

Carol P. Hutchinson: Oh, I’m happy to be here. I appreciate you asking me for it. 

Hunter: Of course, it’s fun to be talking with you, you know, for as long as we’ve worked together and partnered together. So this is super fun for me as well. So we’re talking about customer experience and obviously, you know, you’ve been at Microsoft for over 30 years now, which is crazy to see how time flies, right? 

Hutchinson: Yes, that’s for sure. 

Hunter: I’m just curious, how have you seen over time customer expectations have changed, you know, when you consider the customer experience of your customers at Microsoft?

Hutchinson: Well, you know, if you look at kind of the evolution of our—even our products, marketing aside, you know, we used to ship our products in a box and you’d go to the store, you’d bring home a box, you’d upload, ton of floppiness. I’m really aging myself. Then you would have that kind of one-way experience with Microsoft providing you with whatever tools you’re using and you would have that experience within and you might wait a handful of months for an update or a patch or what have you. And we’ve gotten to the point that we have this kind of, we have this relationship back and forth with our customers. We’re not just presenting products and our marketing for them to consume, but we really are having much more of an interactive sort of relationship with them. From product perspective, this enables us to build stronger products to meet our customer needs. From a marketing perspective, it’s incredible. It gives us so much more fidelity in terms of what we know about our customers and what sort of relationship we can have with them when we think about how we want to connect with them from a brand perspective or a product perspective. 

Hunter: Interesting, do you think part of that, those expectations, how they’ve changed, also reflect your ability to do hyper-personalization for those experiences just with the real-time data and just how they’ve experienced the brand and all you know about them? 

Hutchinson: Yes, yes. I mean, we have this level of understanding of our customers that we’ve never had before. We really have an incredible level of depth of who they are. We’re not just reaching them on a very broad basis, but we know if they’re using our products in the office context, or if they’re using it in the personal context, or if they are a healthcare information worker. We have such an incredible understanding based on our ability to touch and understand where our customers are at that we can also have a much more relevant message to them from a marketing perspective. 

Hunter: It’s exciting to see that transformation happening at such a feverish pace and your ability to really develop those relationships, but it also creates this challenge with those changing expectations. So, as I think about the customer experience, it’s increasingly complicated because you’ve got your brands, platforms, channels, technologies, you name it, the proliferation right now of how AI is evolving almost daily in some ways. How do you approach that pace of change being so great with your ability to meet those customers’ needs and keeping up with the adoption of these technologies just to further that relationship? 

Hutchinson: Yes, I mean, I think we probably all feel like we are not doing enough and not keeping up enough. Although, when I kind of zoom out and I talk with colleagues across other industries and so forth, I’m like, oh gosh, we really, we are pretty front-footed on all this stuff. But we really look to lean into AI and other technologies to really help us move faster and scale. We have the ability to reach customers in so many different touch points and so many different life stages across so many different platforms, enables us to really get focused on where they’re at and meeting them where they’re at with messages that are relevant to them. But with that comes, as you talked about, an inherent complexity. You have all of these channels you’re leaning into. You have all of these different customers within the channels. You have different product sets within that you want to communicate with. So how do you really keep up with all of that? We’ve really needed—we’ve really leaned into not only kind of internal tools, but external tools and partners to really help us meet kind of the breadth and depth that is necessary in today’s media to be relevant and really connect with our customers. 

Hunter: That’s great. I think, thinking back about a recent conversation that we had, you had mentioned something about inspiring, or these customer use cases being inspired by users. Can you talk a little bit about what you mean by that and how that comes to life with creating a customer experience? 

Hutchinson: Yes, I mean, again, as you had noted at the beginning, I’ve been around for a while. So in the prehistoric days when I started doing this sort of work, we had good thoughts and we had good ideas for how customers would be using our products. And we do user studies and what have you. But we now are able to take a look at our user logs and really get a sense for how these products are being used and how, and it’s these sorts of actual use cases that people are using our products for that really inspire the work we do. We’re hitting these customers, they’re downloading the products and using again, and when we can continue to kind of educate and give them reasons to come back and utilize the product again and again, that’s a win across the board. That’s educating our customers on different things they could do with our products that they may not have known. Also it helps from a business perspective and a product perspective of getting richer usage. And so we find our ability to really connect marketing with product now has increased substantially and it’s kind of a virtual feedback loop to really help us develop better products for our customer needs.

Hunter: So we talked a little bit about personalization. AI clearly has come up in the conversation, but taking the two of those together, I’m curious, how is AI-driven personalization transforming that customer journey? 

Hutchinson: Yes, I think AI driven personalization is fundamentally reshaping the industry. I mean, it’s shifting it from a more generic and linear approach to a much more dynamic and predictive and tailored approach. So whether it’s surfacing the right product or guiding the workflow, it enables us to meet customers in relevant moments and enables us to really scale that engagement as well. But with this sort of power also comes responsibility. So we know that privacy has always been paramount to us, as has trustworthy computing. So that is something that is a part of our DNA. As data is the foundation of AI, our priority is to also ensure that our customer’s data is protected and compliant throughout all of our touch points. So that’s something that is top of mind. We have really, really smart guardrails throughout the process to ensure that we are using everything appropriately. Trust is paramount to what we do. It always has been. It’s not worth compromising that for how we bring customers. 

Hunter: It’s hard to build a relationship with a customer you don’t have trust to begin with. It’s pretty much impossible. So let’s switch gears for a second because I know this is near and dear to your heart in particular is about brand. How do you balance both brand marketing and advertising with product and thinking about the users and conversions? I guess, really focusing on that upper funnel of awareness to the lower funnel of conversion. How do you balance the two? 

Hutchinson: I mean, balancing brand and product isn’t just a marketing challenge. It’s a strategic imperative, right? So we don’t think of brand and performance efforts as separate. They’re really part of that connected user journey. So if we’re doing our product advertising right, we’re also lifting that brand. So that is something that we always keep in mind with the work that we’re creating. But to your point, there’s been, especially in the past couple of years, a definite favor to kind of that performance level and being able to see immediate ROI on everything that you’re bringing to market. We’re no different than I think most any other companies. We love to see that. We love to be able to see those immediate results. But I think the key is this marketing funnel all has to work together. So in order for that to work as efficiently as possible and that performance layer to work as efficiently as possible, it is much more effective when you do have all of the funnels working together, including the upper funnel to kind of build a broader, to speak to a broader set of customers and then ideally pull them through the funnel. But it’s always, it is balancing act.

Hunter: Absolutely. I would imagine too, that it requires advocates at the senior executive level that believe in brand to also fund these activities. 

Hutchinson: Yes, that’s right. That’s right. I mean, I think across any organization, having that leadership that does believe in marketing and does believe in the value of brand building is really paramount to the success of, I think, any marketing team to ensure that, not just the kind of short-term results are in mind, but as we look ahead and look to build for the future of the brand and our future customers that we look past that as well. So again, I think if you can get all of it working simultaneously together, that’s really the sweet spot. 

Hunter: Well, when you figure that out, will you let me know? 

Hutchinson: Yes, you bet, you bet.

Hunter: Working in concert together like that. 

Hutchinson: It will be my next business idea. 

Hunter: Right. [Laughter] So the last question for you before I let you go. So given all that we’ve discussed and you just mentioned, thinking about the future, what should business leaders, and as you think about your leadership team and stuff, what should we expect over the next two years? 

Hutchinson: As I look ahead, I think that personalization and customization of messages are going to be more and more rich and we are going to be able to touch customers in ways we have never done before. I think ensuring that you foundationally are set up well and as you know, the better organized you are and foundationally secure you are, you can use that foundation to really build your AI solutions and your marketing against, that is critical to have that sort of really relevant set of content and assets. It’s challenging to build and learn and build and learn from that. So I think thinking strategically about not just what you need to accomplish this quarter, but what you hope to accomplish five quarters down the road is really critical to that thinking to ensure that you’re prepared for tomorrow.

Hunter: Absolutely. Well, this has been a great discussion. I so appreciate your time.

Hutchinson: Likewise, Greg, as always. Appreciate it and you, and it’s been so incredible to partner with you over the years. So I look forward to more ahead.

Hunter: Thank you so much. 

Hutchinson: You bet. 

Hunter: With that, Joe, I’m going to turn it back to you to take over from here.

Joe Kornik: Thanks, Greg. And thanks, Carol. Thank you for watching the VISION by Protiviti interview. On behalf of Carol and Greg, I’m Joe Kornik, we’ll see you next time.