Would you accept the CIO role at your company if the offer were made today? Perhaps it would be tempting, but you have no idea how to be a CIO. Amit Sinha, president of Zscaler, gave a valuable course on skills IT executives need to survive in his Zenith Live presentation, The Evolving CIO Mandate. During this discussion, Amit introduced a half-dozen current and former CIOs who shared how they are successfully adapting to their swiftly-changing roles.
Changing focus from costs to outcomes
Traditionally, a CIO's primary responsibility was cutting costs by creating or maintaining information systems that increased productivity. Today, cost-cutting is still a factor, but CIOs must also align with and support the direction in which leadership is taking the organization. Savings are good, but how a CIO is saving may be more important than how much they are saving.
CIOs must consider the way their results will appear when seen through the lens of their organization's cost base and fiscal timeframe. They must understand a company's financial drivers: is the business trying to maximize shareholder value or achieve a specific P&L for the fiscal quarter? Cost can be reduced in many ways; which ones deliver the results that matter most to the stakeholders?
Imagine a CIO who has three specific ways they can reduce IT expenditures or increase productivity. Perhaps exercising options A and B will save their organization the most money. Yet, options B and C save less money while greatly improving other outcomes. The optimal decision depends heavily upon which metrics the company is trying to achieve. Understanding this larger picture is key, and it requires a continuous effort. New ownership can completely change the direction of a company, and a CIO must be ready to adapt to new metrics and goals.
Managing security effectively
Another important CIO role is establishing security level agreements with other stakeholders in the company. This can be as easy as asking, "How much are you willing to pay to secure resource X?" There is no reason to guess at these answers. Consulting with stakeholders gives CIOs an accurate map of which assets are considered most valuable, and therefore demand the highest levels of security. With this information, CIOs can make security decisions tailored to the organization's needs and expectations.
Some organizations leave these decisions up to the security team, as if they would instinctively know how much to spend on protecting each resource. In fact, the security team does not know, nor do they control the resources typically selected for maximum protection. CIOs should only let direct stakeholders determine the correct allocation of security investments, and then proceed according to their guidance.
Framing security favorably
Increasing end-user awareness through cybersecurity training is essential. Training initiatives are also an opportunity for CIOs to present security practices as a benefit to business objectives, not a deterrent. Within an organization, security is often seen as the department of "no". The CIO needs to transform it into the department of "yes": yes, we will get it done; yes, it will be secure; yes, it will be easy for the end user. The key is to make security as frictionless as possible so it is not seen as a roadblock to productivity.
Of course, accomplishing these goals is easier said than done. CIOs must be prepared for unexpected events. Take the current economic downturn, for example. When money gets tight, cybersecurity spending may be deemed discretionary and subjected to cuts. This is due to many organizations equating cybersecurity with insurance. One common line of reasoning CIOs encounter is “we keep paying for cybersecurity, and nothing has ever happened. Let’s cut most of these costs”.
Viewing cybersecurity as insurance, however, ignores significant differences between the two. Yes, both are precautionary investments intended to protect the organization in the event of a disaster. Yet cyberattacks are vastly different from earthquakes, fires, general liability, workers' compensation, etc. For example, 67% of businesses that suffer a cyberattack will endure a repeat attack within 12 months. Once attackers find a way into your infrastructure, they are likely to return again and again. Cybersecurity is not a hedge against unforeseen calamity. It is a proactive defense erected against known and actively hostile actors.
Ensuring good times don’t lead to bad times
Problems also arise for CIOs during good economic times, when companies enthusiastically embrace cloud-first strategies, modernization, and workplace transformation. Sometimes an organization gets swept up in the euphoria of change. They charge boldly forward into new systems and technologies without giving a single thought to security. In these cases, CIOs must get their teams involved in workplace transformations early.
In fact, doing security correctly from day one can lead to compounding benefits. Consider the case of cyber insurance costs. Many organizations look at the price of cyber insurance and balk when they see the deductible. A $5-10 million deductible on a policy can convince businesses to simply risk cyberattacks, reasoning that a breach would cost as much. Yet these premiums may come down when organizations demonstrate they have robust security practices in place. Organizations that implement strong security policies from the start can find additional cyber protection more affordable.
CIO like a champion
Being a CIO is not easy, and many of the skills must be learned through experience. However, conferences like Zenith Live 2022 give attendees an incredible opportunity to learn valuable lessons from experienced CIOs and other executives. Understanding how these professionals successfully navigate challenges while executing on their responsibilities can better prepare IT professionals for the trials of tomorrow. If the role of CIO is something you are interested in pursuing, check out the CIO Evolution podcast.