Posts Tagged ‘compliance’

First Things First: 3 Questions Every New CIO Needs To Be Asking

Wednesday, February 2nd, 2011
CIOs Need To Have A Plan In Order To Get Started On The Right Foot

Whether you have just been promoted to CIO at your current firm or are joining a new company as its CIO, you face the same problem: what do you need to do first? Make the wrong decision and your time as CIO may be very short. Make the right decision and everything that follows will be that much easier. Let’s take a closer look at the 3 questions you need to be asking right off the bat…

What’s Going On Here?

On the very first day that you become CIO, you need to start asking questions. The right questions. One of the most important is: at this company, what is IT’s reason for being?

There are three basic categories of existence that an IT department can find itself in at any given point in time. There is no one “right” answer; any one of these can describe the IT department that you now find yourself in charge of.

IT departments can be in sustaining mode, turnaround mode, or realignment mode. If the IT department’s focus is simply on sustaining things the way they currently are, then your job is clearly defined: keep costs low and make sure that there are no hiccups.

IT departments find themselves in turnaround mode either because things aren’t going well (problems meeting customer expectations) or because large portions of the IT infrastructure have reached end of life and need to be replaced. If this is the situation you find yourself in, then you are going to have to step in and take charge. This is not the time to seek group buy-in for your ideas; instead, you need to tell everyone what they need to do, and do it quickly.

Finally, an IT department in realignment mode faces the challenge of changing how it does business today (which is working well) in order to support major new company initiatives. The department may have more time to adjust to this type of change, but its long-term impact is going to be dramatic.

What Is IT’s Role In The Company?

Just what IT does in the company today is another question you are going to have to ask. It boils down to finding out whether IT is a “utility” that exists simply to support the rest of the company by keeping things up and running, or whether it has a higher purpose.

An IT department with a higher purpose can take on several different roles, depending on how important IT is viewed as being within the company. It may be viewed as a “supplier”, meaning that IT develops the applications that the rest of the company uses. Or it may go one step further and become a “partner”, where IT is responsible for creating the strategic innovations that let the company move forward faster than its competition.

Just How Risky Is This IT Thing?

Although it is not talked about as much as the sexier corporate strategy piece, the role that IT plays in managing the company’s risk and compliance needs to be well understood by the new CIO. These risks are spread throughout the company and include such diverse areas as operations, information security, and the regulations that govern the industry your company participates in.

As a CIO, one of the first things you are going to want to do is make sure that you have an up-to-date risk assessment of the various challenges the company is facing: which systems and data matter most, what could go wrong with them, and which controls are actually in place. The last thing you want as you come on board is a risk-related event that you inherit and get blamed for because nobody had written the exposure down.

What Does All Of This Mean For You?

Becoming a CIO is a fantastic and challenging assignment. There is so much that you can accomplish; however, first you need to get a feel for the IT department as it currently stands by asking the right questions.

There are 3 questions that every new CIO needs to ask: what mode the IT department is currently in (sustaining, turnaround, or realignment), what role IT plays at this company (utility, supplier, or partner), and what IT currently does about managing risk and compliance.

CIOs who know how to ask the right questions will be well positioned to succeed. Take the time to get the answers you need and you will then be able to focus on the reason you were given the CIO job: making the company even more successful by using IT to move faster and do more…

- Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that a CIO should work to change the role that an IT department plays in the company or is this the job of the CEO?


What We’ll Be Talking About Next Time

When you become CIO you are going to discover one of the realities of IT life: you are not in complete control of the IT department. Rather, you are in charge of determining how to spend the money that the company allocates to IT. It turns out that how, and how much, money gets allocated is controlled by none other than the CFO. Are you ready for a corporate battle?

Poisonous Snakes, Sharp Knives, And Angry Natives: How Much Risk Can You Handle?

Monday, October 19th, 2009
CIOs Know That Security Threats Can Strike At Any Time

Ok CIO wannabe, we’re right in the middle of a global financial crisis and your IT budget has been slashed so badly it looks like Freddy Krueger came back and had his way with it. What are you going to do about your spending on security programs: cut ‘em, hold the line, or spend more? Whoops – that was a trick question: any of those answers can get you in trouble.

What The Other Guys Are Doing

Before making any big spending decision, any self-respecting CIO will do what all leaders do: try to find out what the other guys are doing in the hope of simply copying them. Well, in this case you’ll be getting mixed signals.

A survey done by Information Week magazine revealed that 19% of CIOs are cutting their security spending. On top of that, only 27% of the surveyed CIOs are planning to increase their security budgets – which leaves the remaining 54%, roughly half, doing the same old thing.

It’s starting to look as though the last remaining sacred cow of IT budgets, spending on securing the enterprise’s IT assets, has finally fallen under the budget-trimming axe. This is an excellent opportunity to learn how to be a better CIO: cut too little and the company goes under, cut too much and the company may get sued when your defenses are breached.

What’s Worse: Poisonous Snakes or Sharp Knives?

Here’s another part of your CIO quiz: when your security budget comes under fire and you know that you’re not going to be able to save the whole platoon, who do you pick to live and who do you let die? Tough call, eh? That Information Week CIO survey revealed that most CIOs have decided that any security program that deals with compliance in some way, shape, or form needs to be saved.

In the end, CIOs are finally starting to realize that an effective corporate IT security policy comes down to just two things:

  • Managing Risk
  • Protecting Data

Don’t Forget About The Angry Natives – How CIOs Prioritize

If the job were easy, then anyone could be a CIO. The CIOs who get it, those who understand what effective IT security is really trying to do, know that the first thing they have to do is determine the company’s overall appetite for risk. If the company has an appetite for a lot of risk, then the CIO can trim the IT security budget to the bone; just make sure that appetite has been stated explicitly and signed off by the business, so that the decision is the company’s and not yours alone. Otherwise, cut with care!

Successful CIOs realize that the right way to set up an IT security program is to start by accepting that you can’t protect everything to the same level, so you need to identify which IT assets are the most valuable to the company. Once you know this, you need to take the next step and estimate the likelihood that those assets might be lost, stolen, or rendered unavailable.

Only after you have both of these pieces of information, value and likelihood, can a CIO have the IT team start to create security programs and put systems of controls in place to protect what needs to be protected. Although compliance programs are on everyone’s minds in these tough economic times, CIOs need to keep in mind that such programs are not always in line with security best practices: being compliant is not the same as being secure, and a control that satisfies an auditor may do little to stop an actual attacker.

Final Thoughts

If you want to have any hope of ever being a successful CIO, you’ve got to learn to make the tough calls when it comes to funding corporate IT security programs. Although putting measures in place to make sure that the company remains compliant with regulations is good, it’s not nearly enough.

Taking the time to properly value your corporate IT assets and to identify what kinds of risks that data faces is the critical first step that too many CIOs skip over. Take the time to do this correctly and you’ll be well positioned to deal with poisonous snakes, sharp knives, and angry natives. Now if we could just find some way to deal with those pesky rampaging elephants…

Question For You: What do you think should be a CIO’s #1 security concern: remaining in compliance or dealing with the security threats that come from outside?


What We’ll Be Talking About Next Time

Ok all you CIO wannabes, guess what one of your first problems is going to be once you assume control of the IT department? No, not that innovation thing. Nor will it be finding new ways to cut costs. Somewhat amazingly, considering that we are living in the enlightened 21st Century, you will need to find more women

Protecting Company Data Is How CIOs Can Make Friends With CFOs

Wednesday, July 1st, 2009

Securing A Company's Data Provides CIOs With An Opportunity To Work With The CFO

Data Security. There, I said it. It sort of lies there like a big lump of coal while everyone in the company stands around looking at it, wondering whose responsibility it is to do something about it. Nobody, CIOs included, really wants to touch it, for one very simple reason: it’s a losing proposition.

How To Make Friends With Your CFO

Data security, despite being big, heavy, and ugly, always seems to end up in the CIO’s lap. Since you really can’t do anything to prevent this, it sure looks like a great opportunity to turn a liability into an asset. Ericka Chickowski over at Baseline magazine has taken a look at this issue and come up with some interesting ways to help CIOs work more closely with CFOs. It all starts with compliance. Now, compliance is just about as exciting as security; however, firms are willing to spend big bucks on making sure that they are compliant because they know there are potentially large financial penalties if they aren’t. The clever CIO sits down with his / her CFO and explains that the company’s data security program can be thought of as an extension of its compliance program. What this means is that you don’t really need a separate program, and your costs should be much lower. What CFO wouldn’t be interested in hearing that?

Get Your Priorities In Order

One of the things that the CIO can learn from the compliance side of the house is that a critical first step is to prioritize the company data that you are going to be protecting. All data is not created equal! What’s interesting here is that the importance of any single piece of information is based on two things: its value to the company and its role in keeping the company compliant. If your firm were a hospital, then clearly an electronic patient record would fall into the “top priority” bucket.

Act On Your Priorities – Not Necessarily Your Compliance

The level of protection that the IT department needs to surround a given piece of information with will depend on the result of this prioritization. I hope you realize that this is just a fancy way of saying that there is some company data that you DON’T have to protect (or at least not very much). Just about now you’d expect me to say that you should always go all out to protect ALL of the company data that is involved in a compliance program. But I’m not going to do that. Chickowski points out that not all regulations are created equal. In fact, some have fairly weak “teeth”. These are all things that the CIO and the CFO need to understand as they create a data protection plan / compliance program for the company. Spend those limited budget bucks to make sure that the important data is secure, and then do what you can for the rest.

Final Thoughts

Within the company, the CFO ALWAYS wields more power than the CIO – money talks. Folding a company’s data security program into its compliance program is a great way for a CIO to work closely with the CFO, save the firm money (always a good thing), and ensure that the company is both compliant and that its data is secure. In addition to giving the CIO a reason to talk to the CFO that doesn’t involve begging for more money, an agreement about securing the company’s data frees the CIO to apply IT to enabling the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your company have separate compliance and data security programs? Does your CIO talk with the CFO about how best to secure the firm’s data? Do you prioritize your data, or is it all treated as being of the same level of importance? Leave me a comment and let me know what you are thinking.

What We’ll Be Talking About Next Time

The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task, a CIO needs to take steps to ensure that nothing happens that would prevent this. That side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that nothing bad happens to a firm’s IT systems?