Why is the CIO the "fall guy" when a company suffers a data security leak, business systems go down, critical applications crash, a project fails, or a technology vendor delivers a surprise $10M price increase?
There are five key reasons the CIO ends up as the scapegoat:
1. Ineffective Leadership & Business Culture
Generally, the causes lie with the board, C-level executives, senior executives and presidents themselves. Because the risks enumerated above can be thought of as business risks, they are generally managed through the CIO's risk management business plan, and the CIO is the most visible person managing them. However, the failure is really one of the whole leadership team:
- Board Responsibility: Board members are still not setting top-level policies or reviewing security budgets to help protect against breaches and mitigate financial losses. Boards and senior executives still don't understand that security and IT risks are part of enterprise risk management.
- Statistical Data: In a cross-industry survey, 58% of respondents said their board did not review the company's insurance coverage for security-related risks; only about one-third of company boards are focusing on activities that would help protect against reputational or financial losses; organizations report that they do not have full-time senior-level personnel in place to properly manage security risks; and fewer than two-thirds of companies have a security management practice that is consistent with internationally accepted best practices and standards.
- Business Culture: A lot also depends on the organizational culture: finger-pointing or supportive? Problem solving or political play? The "spirit" at the top directly shapes the business culture as a whole. If the reflex is to find the guilty party, then the CIO is (more or less) the obvious one to fall. If the organization instead has a "what did we learn from it" and "how do we solve the problem" attitude, then there is a chance that risk management of IT-related themes can be shared with the board and the other CxO executives. Organizations may need to cultivate a culture that shares the credit when things go well, co-owns the responsibility when things turn bad, and focuses on digging out the root cause and solving the problem radically.
A culture of trust and transparency is needed, and business/IT governance needs to be converged and further enforced. This is not only the senior leadership team's responsibility, but also one of the top agenda items for the corporate board.
2. Looking at the Symptom, Not the Root Cause
Sometimes what look like "plumbing" issues are actually caused by construction problems.
That said, when an accident happens, the organization needs to trace it top-down, looking not only at the symptom but also at the underlying root cause:
- Do the board and senior leadership team put business continuity and governance at the top of their priorities, and support IT well with resources and investment?
- Do IT and the business work seamlessly to build effective processes that prevent risk?
- Do employees "abuse" the trust of management by not following the guidelines and corporate policy?
- Is the accident an isolated one that cannot be blamed on any single party, or does each party need to share the responsibility?
- Are the business's governance, risk management, compliance and security functions interactive enough to produce a more systematic and structural solution for the business as a whole?
Statistics: As you may know, 20 percent of IT problems are caused by technology, 40 percent by people and 40 percent by processes. The CIO is responsible for managing IT processes and IT staff and can hardly affect the technology itself. This means the CIO is not the "fall guy" if the root cause of a critical application crash is a software bug acknowledged by the manufacturer, but he or she may need to take a fair share of the responsibility if the root cause is a flawed change management process or a low-skilled developer.
Additionally, because of the revolving door, with people coming and going more frequently, the accountability for bad decisions has often left the building. Consequently, the person now in control of IT becomes the scapegoat.
How to fix it: Organizations should have an enterprise-wide active risk management and/or business continuity plan. When things go well, all cross-functional teams share the credit; when something bad happens, each party also shares its piece of the responsibility. The senior leadership team needs to take the initiative to build a more solid GRC framework and discipline. The CIO has the responsibility to review and mitigate the technology risk to the firm, which is done through vendor contracts, business resumption planning, and communication of policies and procedures to the firm.
3. Poor / Insufficient Investment in Managing Risks
The business usually decides how much resource is allocated to address the risks, and if the resources are simply inadequate, then there is a dual accountability to be addressed.
Statistics: On average, CISOs are allocated a consistent 2 percent of their organizations' IT budgets for security spending. If IT budgets are dropping, then we can conclude that the associated security budgets may be dropping as well, in real dollars. The gap between what is affordable and what is actually needed could be one of the root causes of systems going down or of other unhappy surprises. It may also reflect the ineffectiveness of today's annual IT budget scenario: budget is distributed not by real need but by a static formula.
A tradeoff (cost saving / higher risk) can be taken, but it then needs to be managed jointly when challenges arise. The blame game starts quickly if the executives are a team only on paper while hidden aspirations and power games are at play.
Solution: The CIO has justified the need for increased resources to address vulnerabilities, but the resources are simply not available. So it becomes a managed risk, owned by and with the business. As long as there is awareness and acceptance of the plan for addressing those risks (or for not addressing them), there should be no "blame game".
4. Ineffective Decision Making Scenario
If an IT project or IT initiative fails, the business never seems to be held accountable for its role in contributing to the failure, even though it may have been the catalyst or cause of the failure through poor pre-implementation business planning, flimsy C-level IT investment decision making, or abdicating its responsibilities to IT. More specifically:
- First, business executives often lack visibility of the critical business architecture information and business intelligence on which vital project planning decisions should be based.
- Second, the strategic decisions to invest in IT systems are always made at the top level of an organization, but without CIO participation. For example, due to CEO or CFO alliances with certain vendors or systems implementers, or a preference for the cheapest solution, the CEO or CFO often chooses based on their own selection criteria.
- Who Makes Decisions: The CIO needs to co-make investment decisions, or at least point out to the decision makers, in a documented way, that if they don't spend the money to follow good security practice, there will be specific bad consequences.
- How to Make Key Decisions: What is the formal IT investment decision-making process flow and document management, and how can an effective framework be built to enforce a more fact-based decision-making scenario?
- How to Get Further Advice: Besides the leadership team, does the business have specialized talent such as an EA (enterprise architect) or analyst to act as a business quality professional and verify business/IT investments? Does a business process management office help oversee the decision-making process and make suggestions on optimizing business capabilities?
- Monitor: Communicate the risks to the rest of the executive staff, lock down what you can, monitor what you can't lock down, and collaborate with Legal to make sure policy covers the things you can neither lock down nor monitor, so that you have legal recourse if all else fails.
5. Innovation Experiments Take Risks
- In this scenario, the company has a proper risk management process in place, and potential risks have been weighed in terms of cost vs. the potential risk of loss of revenue, reputation and customers.
- Risk vs. Innovation: If a CIO strictly follows corporate rules for data security, best practices for IT operations, etc., she or he becomes the "no no" leader for new ideas. In essence, the CIO is expected to become the Chief Innovation Officer. With a desire to eliminate all risk, you also kill all the opportunities. A balance is needed between:
  - risk appetite / innovation (early adoption of new technology)
  - cost containment (requiring solid, state-of-the-art operations)
  - optimizing customer satisfaction
Moreover, when the risks were fully explored, understood, and then taken around the 'C' table, the 'blame' rests with the management team, even though the choice may still have been a reasonable one. So WHY take out the CIO? Convenience, and because it is easily explained outside the executive chambers. As the saying goes, "A good scapegoat is nearly as welcome as a solution to the problem."
The ENTIRE NOTION of "taking the fall" is wrong-headed.
Learning Lessons for the CIO: Today's CIO has to be an excellent salesman, a visionary, and a fantastic motivator/manager who collaborates with the "C" level to get the resources required to do this work and to inform them of the risk, and who is politically adept at managing the crises that will occur on their watch. At the same time, the CIO has to keep pace with the rapidly changing landscape of IT developments.