Thursday, July 26, 2012

Five Reasons CIO Falls into Scapegoat

Today's CIO has to be an excellent salesman, a visionary, a fantastic motivator/manager to collaborate with “C” level to get the resources required to do their work systematically. 

Enterprise CIOs, like shepherds, take care of their business’s technology/information assets, however, many pitfalls ahead may make a dedicated, responsible CIO a falling scapegoat. There are many WHYs need be asked, many Hows need to be experimented, in order for an enterprise to focus more on problem-solving than finger-pointing; to make a fair judgment in leadership and talent management and to optimize business governance & discipline. 

Why is the CIO the "fall guy" when a company has data security leaks, business systems go down, critical applications crash, project failure or a technology vendor provides a surprise $10M price increase. 

There are five key reasons CIO falls into a scapegoat:

 1.    Ineffective Leadership & Business Culture

Generally, the causes lie in the camp of the board, C-Level, senior executives and presidents themselves. As risks enumerated above can be thought of as business risks, they are generally managed through a CIO's risk management business plan. CIO is the most visible person managing such risks. However, it should be the whole leadership failure:  

  • Board Responsibility: Board Members are still not setting top-level policies and reviews of security budgets to help protect against breaches and mitigate financial losses. Boards and senior executives still don’t understand that security and IT risks are part of enterprise risk management
  • Statistical Data: from cross-industry survey, 58% of the respondents said their board did not review the company’s insurance coverage for security-related risks; Only about one-third of company boards are focusing on activities that would help protect against reputable or financial losses; Organizations show that they do not have full-time senior level personnel in place to properly manage security risks. Less than two-thirds of the companies have a security management practice that is consistent with internationally accepted best practices and standards.
  • Business Culture: A lot also depends on the organizational culture: finger pointing or supportive? Problem-solving or political play? The "spirit" of top may directly impact business culture as a whole.  Finding the guilty guy, then the CIO is (more or less) the right one to fall. If the organization has more like ‘what did we learn from it' “how to solve the problem’ attitude,  then there is a chance that risk management of IT-related themes can be shared with the board and other CxO executive. organizations may need to cultivate the culture to share the credit when thing's fine, and co-take responsibility when things turn bad and focus on digging root cause & solving the problem radically. 
The culture of trust and transparency are needed, and business/IT governance need be converged and further enforced, it's not only senior leadership team's responsibility but also one of the top agendas for a corporate board.

2.    Look at Symptom, Not Root Cause

Sometimes seems the "plumbing" issues may be caused by construction problems., etc
That said, when the accident happened, the organization may need to trace from the top-down level, not only just symptom but also underlying root cause:
  • Does the board and senior leadership team put business continuity & governance at top priority, well support IT via resources & investment;
  • Does IT & business work seamlessly to build up an effective process to prevent the risk?
  • Do employees not "abuse" the trust from management, not follow through the guideline & corporate policy? 
  • Is accident very isolated one, couldn't particularly blame any single party or each party need to share the responsibility?
  • Does business's governance, risk management, compliance, and security function be interactive enough to bring up a more systematic and structural solution for business as a whole? 
Statistics: As you may know 20 percent of IT problems are caused by technologies, 40 percent are caused by people and 40 percent of them are caused by processes. CIO is responsible for the management of IT processes and IT staff and almost can't affect technologies. It means that CIO is not "fall guy' if the root cause of critical applications crash is software bug recognized by the manufacturer. And he/she may need to take a fair share of responsibility if the root reason of critical applications crash is wrong to change management process or low-skilled developer engineer. Additionally, because of the revolving doors with people coming and going more frequently, the accountability for bad decisions has often left the building. Consequently, the person now in control of IT becomes the scapegoat.

How to fix it: Organizations would have enterprise-wide active risk management and/or business continuity plan. When the thing's OK, all cross-functional teams can share the credit, when bad thing's happened, each party may also share their piece of responsibility. The senior leadership team needs to take initiative to build up a more solid GRC framework and discipline. The CIO has the responsibility to review and mitigate the technology risk to the firm. This is done in the form of Vendor contracts, Business Resumption planning, communication of policy and procedures to the firm.

3. Poor/insufficient investments for managing risks 

The business usually makes the decision on how much resources are allocated to address the risks, and if the resources are simply inadequate, then there's dual accountability to be addressed. 

Statistics: On average, CISOs are allocated a consistent 2 percent of their organizations’ IT budgets for security spending. If IT budgets are dropping, then we can conclude that associated security budgets may be dropping as well, in real dollars. The gap between afford-ability and actual needed could be one of the root causes to keep system down or lead other unhappy surprises, it may also reflect the ineffectiveness of today's annual IT budget scenario, it's not distributed by real need, but by static formula

Tradeoff (Cost saving / higher risk) can be taken and then need to be managed jointly in case of challenges. The blame game quickly starts if the execs are a team only on paper but there are hidden aspirations/power games.

Solution: The CIO has justified the need for increased resources to address vulnerabilities, but the resources are simply not available. So it becomes a managed risk, by and with the business. As long as there are awareness and acceptance of the plan for addressing those risks (or not), then there should be no "blame game"

4. Ineffective Decision-Making Scenario

If an IT project or IT initiative fails, business seems never to be held accountable for their role in contributing to the failure. Even though they may have been the catalyst or cause for failure due to poor pre-implementation business planning, flimsy C-level IT investment decision making or abdicating their responsibilities to IT. More specifically:

  • First, because often the business executives lack visibility of critical business architecture information and business intelligence upon which to base vital project planning decisions.
  • And secondly, the strategic decisions to invest in IT systems are always made at the top level of an organization, but without CIO participation. For example, due to CEO or CFO alliances with certain Vendors or systems implementers, or based upon the cheapest solution, often the CEO or CFO may choose based upon their own selection criteria.

  • Who makes Decisions: The CIO needs to co-make investment decision or at least point out in a documented way to the decision makers that if they don't spend the money to follow good security practice, there will be specific bad consequences.
  • How to Make Key Decisions?  What's the formal IT investment decision making process flow/document management, how to build an effective framework to enforce more fact-based decision management scenario? 
  • How to get further Advice: Besides leadership team, does business have a specialized talent such as EA or analyst to act as business Quality professional to verify business/IT investment. Does business process management office help oversee the decision-making process, and make a suggestion on optimizing business capabilities. 
  • Monitor: Communicate the risks to the rest of the Executive staff, and lock down what you can, monitor what you can't lock down, and also collaborate with Legal to  make sure policy covers the things you can't lock down or monitor so you'll have legal recourse if all else fails

5. Innovation Experiment Takes Risks 

  • Taking this scenario: The company has a proper risk management process in place and potential risks have been weighted on the cost vs. potential risk /loss of revenue, reputation, customers.
  • Risk vs. Innovation: If a CIO is strictly following corporate rules for data security, best practices for IT operations, etc, she or he becomes “no no” leader for new ideas, In essence, CIO is expected to become Chief Innovation Officer. With a desire to eliminate all risk you also kill all the opportunities. A balance is needed between
    - risk appetite/innovation (early adopting of new technology)
    - cost containment (requiring a solid state-of-the-art operation)
    - optimizing customer satisfaction   
Moreover, when the risks were fully explored, understood, and then taken around the 'C' table. The 'blame' rests with the management team, although it still might have been a reasonable choice. So WHY take out the CIO? Convenience and easily explained outside of the executive chambers. And as the saying goes, “A good scapegoat is nearly as welcome as a solution to the problem.." 

The ENTIRE NOTION of “taking the fall” is wrong-headed. 

Learning Lessons for CIO:  Today's CIO has to be an excellent salesman, a visionary, a fantastic motivator/manager to collaborate with “C” level to get the resources required to do this work and inform them of the risk and to be politically adept in managing crisis which will occur during their watch also At the same time the CIO has to keep track with the rapidly changing landscape of IT developments.


I'd like to use your quote, "20 percent of IT problems are caused by technologies, 40 percent are caused by people and 40 percent of them are caused by processes.".

Can you provide me the source for that?

Thank you.

Thanks for comment, I did read it via one of industry studies, but forget the exact source. thanks.

Post a Comment