Cloud for Finance: Security aspect
Security is the first question any lead of any company should consider when thinking about Cloud. The Finance lead is no exception. Let's take a look at three sides of security a CFO should think about.
Data loss. This "physical" aspect is not a traditional topic in security discussions, but it is very important for Finance because of a purely financial consequence: extra working time spent, which implies higher labor cost. An employee's PC might get stolen or broken - I've personally experienced HDD breakdown at least twice in my life, and I personally know 2 colleagues whose PCs were stolen or lost. One solution is to set up regular backups - then you limit the loss to the work done between backups. However, the issue might also be related to employees - think how many times you failed to get some file because one of your people was on vacation, on sick leave, on a business trip or had left the company. A better solution is to rebuild your processes in such a way that all important files are saved in a public Cloud with a reliable provider or in a private Cloud in your server room.
Work block. I might be heavily impacted by working in IT companies, but many times I've seen those crowds in the kitchen saying in chorus "Internet down, coffee time!". Almost regardless of the business you're working in, there's a global trend of "IT dependency", where operating is impossible without access to some IT solution. Regardless of the reason (malware, a server burnt down or seized, wires cut, etc.), for Finance any serious problem in IT immediately transforms into loss of working time and labor cost, plus loss of revenue (customers unable to purchase on the website, for instance) - not to mention the cost of repair, of course. Cloud here increases the dependency on the Internet (which is nowadays very high in most companies anyway), but decreases the dependency on the local server room and personnel. Naturally, that only works if your Cloud provider is reliable, with a strong SLA backed by reliable hardware and well-established processes.
Data leakage or unauthorized change. Financial consequences here could be much worse, depending on the substance of the data. For instance, it could be related to an upcoming deal, and if you lose the deal due to leakage, you simply write off all expenses related to preparation (time/labor cost, pilot project, inventory excess, etc.), not to mention the revenue loss. It could also be related to a new product or service your company is planning to bring to market - then you hand a great advantage to your competitors, and the profitability of your new product goes down dramatically. But the biggest impact happens when the data of your customers and partners is leaked, as then your loss is reputation, which transforms into dollars really quickly these days. For instance, after Yahoo! disclosed data breaches in 2016, Verizon Communications, which was planning to purchase the company's core Internet business, immediately renegotiated the price down by $350M. Data leakage can be intentional or unintentional. In my view, no technical solution can prevent the intentional ones - when there's a will, there's a way. Yet, Cloud helps here to some extent due to a more structured access control system: you can always check who had access to the file, who reviewed or downloaded it, etc. It's mainly about choosing who should have access to all data - your administrator, or the Cloud provider staff (naturally, your data should be encrypted, but trust is still the key). And the choice might be tough, as your administrator is someone you know personally, but the Cloud provider would normally have more structured controls and procedures, and a strong reputation. This control system is also really good against unintentional leakage: for instance, you can send your file by e-mail to the wrong recipient, but if you send a link instead, that recipient won't have access to the file.
Thus, security threats generally exist whether you keep your data on PCs, in your server room or in the Cloud. Which way is more secure is a case-by-case matter. If you ask your CIO, he would probably give you zillions of technical reasons (and you'll never understand any of them) why the way he does it now is the most secure. The Finance answer is simple: you get what you pay for. Meaning, normally the more money a company invests in security, the more secure it is. And from that standpoint any reliable Cloud provider should be more secure than a private server room, as by design its level of investment in security should be way higher than that of a non-IT company, while at the same time allowing massive economies of scale. Hence, for me the Cloud solution is more secure, but only as long as the Cloud provider is reliable and has a good reputation.