August 24, 2016

Don’t think the CIO is your usual scapegoat

Markus Melin

Head of Tieto Security Services, Tieto

One out of three CIOs feel that cybercrime is the biggest threat facing their organisation. No wonder: every third CIO also admitted that their organisation had been targeted by a major cyber-attack during the last year.

This is the reality revealed by KPMG in its report on the role of the Chief Information Officer in modern organisations.

It's not a secret that the importance of cyber security is – still – increasing. This has organisational implications: thanks to the digitalisation of all industries, a CIO’s role is getting more strategic.

One out of three CIOs report directly to the CEO, and that share keeps on rising. This clearly indicates that the CIO role has been uplifted from “that IT guy” to a business decision-maker. In line with the trend, many CIOs have had additions and extensions made to their titles, or roles added to their teams: head of business transformation, head of process change, head of service delivery, etc.

Thus, the CIO is now the guy who applies technology to the increasingly digital business. An up-to-date organisation understands that IT is not just a cost of running the business but probably the most important asset alongside people and their expertise.

Unfortunately, there is a severe recruiting problem. One of the most common reasons why capable people hesitate to take the position of CIO is the fear factor: they fear that the job includes the role of a scapegoat. That is, when things go wrong, they are the ones to blame, no matter how much of it is their fault.

Here is what to do if you are a CIO or considering taking that position in the near future:

  • Be aware. Periodical security audits are simply not enough because threats and attacks evolve all the time. You need a real-time, bird's-eye view of all your business assets.
  • Educate other executives. In a previous post, we showed a huge disconnect between how security executives know security is run and how other executives and board members think it is handled. A smart CIO educates other management about cyber security, makes them understand that it’s a complex beast that can’t be tamed by any single technology or person, and involves the other executives in the decision-making process.
  • Utilise the best technologies and services, be they in-house or external. Build up and maintain an ecosystem of the best possible security technologies, components, people and services. Make sure that all "security silo" products also integrate well together to provide a high-level view. With a managed security services model, it’s possible and even quite easy.
  • Play war games. Simulate cyber-attacks and other security issues and see how you and your organisation respond and follow agreed processes and policies - practice makes perfect.

It’s impossible to prevent attacks with a 100 % assurance but it’s perfectly possible to minimise the harm to your organisation – and save the CIO from finger-pointing.

