As Glanbia Head of IT Audit he is part of a 10 strong audit team, with three people working exclusively on IT. “My role is to look after anything with electricity running through it,” he points out. “Technology runs everything from the cheese processing plants to the way our products are sold on the internet. We wouldn’t be able to take milk into a plant without technology.”
And it’s used for more than just automation. “It’s vitally important. People want traceability and we need systems for that. We couldn’t go back to doing it manually. IT is vital for quality, health, productivity and a lot more. For example, we use a lot of different channels to get our products to market. It’s not just websites. We have a lot of business to business sales. Without electronics we would probably have to employ 2,000 extra people just to process the orders.”
But IT is more than simply an enabler, it is a strategy driver as well. “When I started worked with EY many airlines, for example, were at the early stages of going onto the internet. They realised they wanted to sell direct to consumers and take back some margin for themselves. That’s just one example of how IT can drive strategy for businesses.”
It’s also a transformation driver. “You definitely see that in operations,” says Findlay. “More and more elements of the process are getting automated. In some plants the raw materials come in the front door, and no one touches any part of the process until the product comes out the other end. IT people now separate it out into operations technology and information technology. Operations technology reduces the cost base of the plants and can even result in changes to the size and design of the plant.”
The switch to JIT operating models has also been facilitated by IT advances. “I worked for Aryzta which is in the bakery business. Using technology, the company knows exactly what each retail customer wants and can take in the orders and deliver them on the same day. In the old days, that simply would not have been possible. The clothing industry used to take a year to get a product from initial design to getting it into the stores. Now the manufacturers are seeing something on Instagram and getting it into the shops within a week.”
But there are threats and risks as well. Noting the recent cloud outage which caused a number of major news and government websites to go offline, he says cloud technology doesn’t get the attention and coverage it deserves.
“Every now and then a major cloud provider has a failure that affects lots of companies, but we tend not to hear about it,” he says. “In the old days, if there was an IT failure only one company was affected. Now, if there is a failure it’s global and you have no agency over it. You’re not in control. Software companies are pushing everyone to move to the cloud and if there is a failure, it is going to affect a hell of a lot of people.”
That loss of control can affect companies without them realising it. “I know of a lot of companies who are doing their online sales through social media platforms. That’s effectively a public cloud service and the platform is tracking all the activity. That’s like giving away the keys to your kingdom. Companies wouldn’t have done that in the old days.”
On the other hand, there has to be an acceptable and manageable level of risk. “I live in a world of paranoia where we are always on the lookout for risks. But companies have to take risks and manage them as best they can. You can’t lock the whole thing down.”
Vigilance is key. “Organisations have all kinds of firewalls and security in place,” Findlay points out. “They are under attack all the time and the vast majority of them are stopped, but you have to remain vigilant. We know that organisations leave things open. Someone can leave an administrator password open somewhere and that can leave the organisation vulnerable to attacks. Lot of times when we hear about an advanced threat it is usually not the case. In a fast moving business it’s very hard to make sure the whole system is constantly updated and patched. It’s all part of risk management. There is only a finite number of IT people, and they can’t do everything. You have to identify the top priority, address that first and work your way from there.”
Education and training of staff is also vitally important. “It probably needs to be a fundamental part of the curriculum in schools,” he contends. “Schoolchildren are using technology in school all the time but there are no courses in good computer hygiene. We used to teach children how to sharpen their pencils and how to draw a straight line and so on. We need to go back to those basics with computer hygiene.”
And his advice to organisations wishing to strengthen their cyber defences? “The best advice is to prepare for the inevitable. It’s going to happen so you should get ready to respond. Have a response plan in place for when it does happen. Nobody wants to make decisions in an emergency. Also, make sure to have a backup in place to restore data as quickly as possible. The better you are prepared, the less the attack will spread, and the quicker you will get back in business.