Chief information officers have some things down pat. For a start, they’re good at working with a business to find out how information technology can automate processes to improve productivity and efficiencies.
But if those information processes are so important, why are CIOs often removed from enterprise risk management and, in particular, from ensuring that the board and senior leadership team understand the risks of something, either internal or external, interfering with those productivity and efficiency gains? After all, the board and senior executives have a due care and due diligence responsibility to protect vital company information. But do they really understand the information, the systems that move that information, and how critical they are to business continuity?
Put simply, IT security is really just a subset of information security. Practically any technology solution can keep information flowing through a network, but the confidentiality and integrity of that information hinge on something less tangible: enterprise-wide security awareness and a policy framework to support it.
“Too often IT and information security do not upwardly communicate to the CIO to the point where the CIO fully understands all the risks facing the business,” says director and principal of Black Swan Consulting and national director of the Australian Information Security Association, Keith Price.
“There is an over-reliance on whiz-kids as a technical panacea. You need smart propeller heads but a propeller head isn’t going to understand the business, and if in turn a CIO doesn’t fully understand the business they’re not going to be very effective in marketing how IT adds value to that business.”
Price has 25 years’ experience in IT and specialises in information security strategy, governance and assurance. Before starting Black Swan he was principal consultant with Telstra’s consulting team and previously information security manager at Westpac. He says that if CIOs are to effectively demonstrate the value of ICT to the business as a whole, they first need to understand the information of value that could be at risk.
“One of the areas CIOs have failed in is conveying the criticality of certain information and information systems to the business — and that’s business operations, meeting and satisfying the needs of customers, and the reputational damage that could result from confidential or private information being hacked or released,” Price says. “As ‘chief information officer’ they need to be able to identify — right off the bat — the most mission-critical information in the organisation.”
They must also communicate that information effectively to the company’s leadership team.
“CIOs have traditionally struggled with the fact that we have not been well understood by our executives, and as a consequence we wondered why our value wasn’t recognised,” says CSC CIO, Ben Patey.
“Ultimately, that has been because we haven’t marketed ourselves. They didn’t value us because they didn’t know what we did. And that’s not their fault — it’s our fault.
“We need to constantly remind people of what we do. Ultimately, that is the purpose of marketing. As a CIO you have to recognise that your customer is the internal business. You are in a crowded marketplace, with your customer probably also trying to work out what HR and finance are doing. Once that is understood you can build a marketing approach around raising the value and visibility of IT. It is imperative to articulate clearly and in simple language the value you bring and how it can improve the bottom line. We can very quickly regress into technical speak that will alienate these people. They are not usually technically oriented. They want to get to the point quickly and we need to be able to talk at that level.”
Patey, a member of the CIO Executive Council, emphasises the importance of measuring customer satisfaction. He uses the customer loyalty metric Net Promoter and has dedicated a team member to customer collaboration.
“We have an engagement matrix where we plan who I am going to engage with in the business, how regularly and what we are going to talk about,” he says.
“We also create case studies so we can demonstrate on a regular basis referenced solutions as to what IT has been able to achieve.”
Patey breaks down his customer base into two areas: the executive and people who support the company’s external customers, and everybody in the organisation who logs onto a desktop or laptop. “I need to provide those two groups with support and solutions to show the value of IT,” he says.