What Boards and CEOs Should Be Asking CIOs

Boards and CEOs are more tech-savvy than they once were, but they still don't always know the best questions to ask CIOs. With the push for digital transformation they need to be armed with the right questions at the right time.

Lisa Morgan, Freelance Writer

September 10, 2018

Board members, CEOs, and other members of the C-suite should have a solid relationship with the CIO. In fact, the CIO should be their strategic partner.

There was a time when CIOs fought to have a place at the executive-level business table. They wanted to help boards and members of the C-suite plan and implement strategic business change, but they weren't considered business-savvy.

As organizations evolved from technology users to technology-driven businesses, the relationship between the business and IT changed. Now that digital transformation has become a mandate, those relationships are evolving even further. In the process, boards and CEOs have become more technology-savvy while CIOs have become more business-savvy. Still, directors and CEOs don't always know what questions they should be asking CIOs.

Following are a few timely ideas for questions from the C-suite to the CIO:

#1: How are you protecting the most critical aspects of our business? Boards, CEOs and even CIOs tend not to know the actual number of security vulnerabilities lurking in the systems and software the company uses. In the bigger picture, internal and external threats need to be considered, including social engineering and phishing. Most companies lack complete visibility into all of their vulnerabilities, so they can't address them. Even if they could identify all the vulnerabilities, it would be impossible to address them all, so the vulnerabilities need to be prioritized.

Boards and CEOs need to work with CIOs to identify those priorities. What would have the most severe impact on our ability to conduct business? What would tank our stock price? What could lead to jail time or get the CEO fired? Assuming those questions have been answered and agreed to, then it's a fair question to ask the CIO how the associated vulnerabilities are being addressed, including in AI and intelligently automated systems.


#2: What is our digital strategy in the context of IT? "Business as usual" and technology have evolved considerably over time. As a result, established companies tend to have a mix of traditional IT assets and newer digital assets that were born in different eras by people with different mindsets. The bifurcation is causing angst because traditional IT and digital IT move at different speeds.

"Enterprise CIOs either have this chief digital officer mantra or the maintain-the-enterprise mantra," said Woody Driggs, America's Advisory Digital Transformation wavespace Leader at global professional services firm EY. "They have enterprise capabilities like ERP, mobile platforms, and data platforms, yet the idea of innovating and delivering new, digital services and having the IT capability to deliver on those digital services is left to someone else."

Boards and CEOs should understand how the CIO plans to handle "dual-speed" IT. Some CIOs have become chief digital officers. Others have a digital counterpart. It is wise to understand the benefits and detriments of organizing one way versus other possibilities.

For example, one of EY's agriculture customers recently established a separate entity that is more innovative, iterative and nimble than its parent company. To effect that, the CEO decided to depart from the parent company's traditional IT function in favor of a new digital function. The head of technology serves as CIO and chief digital officer.

#3: How will your relationship with the business evolve to support rapid, continuous innovation? The competitive landscape has changed dramatically. Not so long ago, first movers could gain a competitive advantage that lasted 18 months or two years. Now, some breakthroughs are commoditized in six months.


"You need to understand how IT's role is changing to support this rapid innovation, this need for continuous change, this need for continuous updating of the customer experience from the outside in," said EY's Driggs. "[That compares to] waiting for the business to make decisions, being a good partner with the business, telling the business what's possible and trying to implement that."

Bear in mind that the CEO, not the CIO, is ultimately responsible for ensuring continuous innovation at speed. Having the right technology stack in place helps, but technology only facilitates culture; it doesn't define it.

"You need to have a culture of yes versus no," said Driggs. "You also have to look at risk and funding new services and products in a different way."

#4: How are you working with people from across the business to develop and maintain strong information security practices? Cybersecurity is a company-wide challenge. Since technology procurement no longer flows only through IT, CIOs find themselves unaware of IT assets such as databases and the SaaS services various departments are using.

"CIOs need visibility into the organization’s risk exposure level," said Steph Charbonneau, CIO at heating, ventilation and air conditioning (HVAC) solution provider TITUS. "They need to know where the hot spots are, and how they will be addressed."

Managed service provider Triton Computer Corp. CEO Trave Harmon said his company confronts boards and businesses that aren't asking the right questions.


"An organization’s first and last line of defense against data loss and breaches is its people," said Harmon. "Data and information security is everyone’s responsibility, and responsibility starts from the top. Board, CEOs, and senior leaders need to set the example and help develop and maintain high standards for information security, one that empowers people to stop, think and consider the business value of the information they create and handle on a regular basis."

#5: What protocols are in place should there be a data breach? There are two types of data-related dangers: breaches and vulnerabilities. In the case of a breach, time to identify and time to remediate are critical.

"Business leaders and CIOs should understand the different types of data that exist and where the data is located," said TITUS' Charbonneau. "[CIOs should] bring business unit leaders together to work through a risk assessment that specifically talks about data ownership."

To understand what the vulnerabilities are, organizations need to have better insight into their IT assets, data assets and whether employees are adhering to security policies.

#6: How separate is the data layer from the applications? Historically, applications have been tightly coupled with data. Organizations can drive more value faster by decoupling the application and data layers.

"Enterprises doing that become nimbler and get more insight," said EY's Driggs. "Your CRM, ERP and procurement systems used to provide insights before. Now you have social media information, feedback, and natural language processing that's going to be able to parse all your telephone calls and the interactions you're having with people."

There are also outside data sources that provide insights about weather, traffic, and where customers go that create opportunities for new products and services. The application and data layers need to be decoupled to take advantage of internal and external data simultaneously.

#7: Which types of data would you place in third-party cloud infrastructures and how would you ensure that data is not compromised? People have differing views about on-premises security versus cloud security. If your CIO is telling you anything needed for mobile access should be stored in the cloud for security reasons, it's a bad answer, according to Gene Lloyd, director at Lloyd Research Institute.


"A better answer would be to maintain the most sensitive company and client data on the internal network accessible only through a VPN, while storing less-sensitive data in the cloud, all of which should be stored in an encrypted state," said Lloyd.

#8: Given that traditional security methods have failed to protect major organizations from having large amounts of personal data stolen, how do you intend to protect this organization’s data? Since the defense-in-depth (multiple layers of defense) method failed high-profile victims, Lloyd considers that response substandard.

"A better answer would be to discuss creative ways to limit hacker access using internal enclaves, encryption, whitelisting or mass blocking of specific nations, hosting web and email on external platforms, limiting VPN access, and not allowing BYOD programs, as some examples," he said.

Hackers will get in at some point; the question becomes one of limiting what they can get access to.


About the Author(s)

Lisa Morgan is a freelance writer who covers business and IT strategy and emerging technology for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include big data, mobility, enterprise software, the cloud, software development, and emerging cultural issues affecting the C-suite.
