Extended Accountability of the CIO

Author: Luigi Sbriz, CISM, CRISC, CDPSE, ISO/IEC 27001:2022 LA, ITIL V4, NIST CSF, UNI 11697:2017 DPO
Date Published: 1 September 2023

The role of the chief information officer (CIO) is no longer that of a simple IT manager. The CIO is now responsible for the sustainable management of all enterprise-related information and must, therefore, provide the means to process information, guarantee the continuity of related services, ensure the protection of information, comply with applicable laws and regulations, and supervise all these activities to ensure that they align with enterprise objectives. In effect, the role of the CIO has evolved. The CIO is now the main person accountable for the fair treatment of all business-related information, rather than merely the person responsible for containing the costs of technology.

If the CIO’s role is limited to compliance with technology objectives and cost containment, not all current business expectations will be appropriately or sufficiently addressed. Governance, risk and compliance (GRC) practices require the CIO to have the skills to link information processing technology with the value of that information for the enterprise. A governance role that is active and integrated into internal processes allows the creation of value for the enterprise by effectively and efficiently linking organizational needs to operational aspects of the business. A CIO focused only on economic savings or technology objectives does not have the skills needed to correctly interpret the evolution of business needs.

In corporate governance, the classic organizational structure considers the CIO to be a C-level position oriented toward the governance of information technologies, with the ability to analyze costs and benefits and the authority to dispose of operational resources. However, the CIO also has the privilege of interacting directly with other senior managers and taking an active part in the broader process of governing organizational risk. This is an undoubted advantage because it allows the CIO to govern information and technology (I&T) with a perfect understanding of the value and role of information while acting in full compliance with the objectives of the enterprise.

To add new and recognized value to this role, CIOs must evolve from being simply observers of business strategy to being aware of the consequences of their decisions on organizational performance as a whole. They must balance technological knowledge of operational processes with organizational skills that allow them to understand and preserve the value of the enterprise’s assets. They must be able to guarantee the ability to preserve the value of information by ensuring its appropriate treatment, guarantee the availability of information in accordance with business needs and guarantee the continuous protection of information.

Guaranteeing the Appropriate Treatment of Information

The CIO must be able to meet business expectations in terms of providing adequate technological infrastructure, applications and services as well as proposing and providing suitable solutions to support the enterprise’s objectives. The IT function must be based on a holistic vision of business processes, which includes designing, releasing and governing operational processes; allocating the necessary resources at acceptable costs; and monitoring operations. Using business objectives as a guide, it is first necessary to understand the enterprise’s information processing needs, that is, the critical requirements, and then to develop the proper implementation, delivery and control of the requested services.

For CIOs to propose and ensure the delivery of technological solutions that align with business objectives, they must have adequate knowledge of planning and control methodologies, available technologies, the management of operational processes, and the services offered by the market. This knowledge need not be at the expert level, but it must be sufficient to allow CIOs to consider and consciously decide on appropriate solutions. They must be able to grasp the elements that create value for the enterprise and recognize those that lead to unacceptable risk scenarios. CIOs should be supported by technology officers in planning and operational matters.

Guaranteeing the Availability of Information

Information must be available based on the service requirements defined by the enterprise, such as when and for how long information is needed, in compliance with a preestablished quality level ascertained by continuous monitoring. Business needs must not be a mere imposition on IT services; they should result from a combination of business processes, internal controls and technological services.

A risk analysis evaluates decisions, and it requires the participation of the CIO as an enabler of actions that create value, such as holistically assessing the critical need for technological change and engaging the appropriate resources.

An interesting aspect of information availability is the outsourcing of processes. Outsourcing the management of IT services is sometimes justified as a simple means of saving money; however, this paradigm needs to be reversed. The consequences of violating the confidentiality, integrity or availability of data must be evaluated by a risk analysis before making any decision about outsourcing. In this, the CIO should be supported by specific IT managers dedicated to business process needs and other operational specialists.


Guaranteeing the Continuous Protection of Information

Access to information must be controlled in a manner consistent with the corresponding data security classification. Information protection is largely a function of the IT department, even though it may not own the data. In such cases, depending on their organizational position, CIOs should possess the necessary knowledge related to the information’s value and should take action to evaluate the effectiveness of the security strategy, verify the operational plans and promote improvement.

This perspective of the CIO’s role, which encompasses some of the typical attributes of the chief information security officer (CISO), is justified by the CIO’s position in the organization. The CIO is responsible for achieving I&T process objectives, has the authority to allocate the necessary resources, and is a member of top management. This position, centralizing all decision-making and verification flows, offers the best overall business vision and ensures the person has the opportunity to understand and respond to problems. In contrast, the CISO is vertically focused on security issues and does not have the same big-picture perspective as the CIO. The CIO must continuously balance I&T objectives with organizational, operational and control issues, which allows the CIO to face risk scenarios with a greater critical sense. The CIO should be supported by the CISO in operational matters.

Aligning With Business Goals

The activities constituting the I&T process should be evaluated on a regular basis to ensure that they align with business objectives. To verify the results of I&T process management from a global business perspective, the mastery of GRC-related skills is required. The issues CIOs must deal with are distinct from each other but necessary for the governance of I&T. Information represents the value to be protected, while technology is the means of doing so.

Risk
To manage information-related risk, it is essential to have the active participation of those with global accountability for infrastructures, systems, services and information technologies, not just security. The CIO’s role should allow for an understanding of the value of the information processed, the critical nature of the technologies that manage it, and the consequences of the decisions made. In this way, the management of the I&T process will be guided by a systematic approach based on risk awareness.

Technology
CIOs do not carry out any operational tasks related to I&T processes but function only at a management and control level. Even so, they must maintain and update their technological skills so that they can evaluate and explain, in an understandable way, the relative advantages and disadvantages to top management and thus direct the decision-making process. Specialist knowledge can be entrusted to the operational roles in the enterprise.

Continuity
Processes that are critical to the business must meet the operational parameters set by the enterprise. Consequently, continuity plans, the business impact analysis (BIA) and incident management procedures must be verified in terms of the concreteness of the scenarios, consistency in control design, and the adequacy of allocated resources. The CIO should assume a supervisory role to improve the continuity process and make it more resilient, that is, to ensure that all actions are planned and carried out with respect to business objectives and without distorting the budget.


Security
Protecting the use of and access to classified information is not the direct responsibility of the CIO. However, based on knowledge of such information’s critical nature, the CIO can act as a supervisor and provide the appropriate level of attention needed to correct existing measures and to find the resources required to do so. The CIO can also act as an enabler of the segregation of duties (SoD) and user revalidation processes.

Privacy
Any processing of personal data carried out by the enterprise falls largely in the realm of information security, even if these responsibilities are assigned to others. Although this topic is not directly pertinent to CIOs, they should have broad knowledge of critical processes and legal compliance requirements and, therefore, have great potential to act as data protection officers or similar figures if the law allows. In this sense, because CIOs are not data owners but have a complete view of the data treatment process, they can effectively support the data controller in protection and awareness actions and implement the necessary controls so that the process complies with legal requirements.

Compliance
Verifying compliance with internal and external rules is generally the responsibility of the internal audit function. Though not directly involved in the verification process, CIOs retain accountability to see that all IT actions are implemented in accordance with operational plans, and that controls are regularly carried out. CIOs should participate in the drafting of both the risk treatment plan and the audit remediation plan. Although these two plans have different origins, both are aimed at improving business processes, including in the IT area.

Evaluating the CIO’s Performance

The CIO’s performance should be evaluated based on four main objectives:

  1. Security—This assessment considers the number and severity of incidents resulting in compromised information and the results of audits and all reports relating to security.
  2. Continuity—This metric considers the number of incidents, near-miss incidents and anomalies found. Severity is used as a weight for a normalized mean.
  3. Quality—This is the ability to meet predetermined demand in compliance with the level of service requested, including release and remediation timelines. This value is the average percentage of the level of satisfaction achieved, the number of anomalies found, the delays accumulated and the additional budget used, compared with the respective target values.
  4. Efficiency—This is the ability to provide requested services with only budgeted resources, possibly limiting the economic component to minimum values. This evaluation considers the value of the resources allocated in the budget and the actual commitment in the final balance.

Evaluating the results of planned activities and projects requires a metric that compares the maturity achieved for each of the four objectives. For example, figure 1 depicts the level of maturity achieved on a scale of 0 to 1 for each objective. This clearly highlights cases where objectives were not achieved.

Figure 1
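As an added illustration (not part of the article), the following Python computes a 0-to-1 maturity score for each of the four objectives from constructed reporting-period data and lists the objectives that fall below an agreed threshold, which is what figure 1 highlights visually. The severity weights, tolerance values and aggregation formulas are assumptions chosen to match the descriptions above, not the author's metric.

```python
# Added example: severity weights, tolerances and formulas are assumptions, not the article's.

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}  # assumed weights

def clamp01(x):
    return max(0.0, min(1.0, x))

def weighted_incident_index(events, tolerance):
    """Severity-weighted normalized mean: sum of weights over the period divided
    by the tolerated weighted load (assumed), capped at 1; 0 means no events."""
    return clamp01(sum(SEVERITY_WEIGHT[e["severity"]] for e in events) / tolerance)

def security_maturity(incidents, open_findings, total_findings, tolerance=10):
    """Half from compromised-information incidents, half from audit results."""
    incident_part = 1 - weighted_incident_index(incidents, tolerance)
    audit_part = 1 - open_findings / total_findings if total_findings else 1.0
    return (incident_part + audit_part) / 2

def continuity_maturity(events, tolerance=10):
    """Incidents, near misses and anomalies, weighted by severity."""
    return 1 - weighted_incident_index(events, tolerance)

def attainment(actual, target, lower_is_better):
    """Achieved value relative to its target, capped at 1."""
    if lower_is_better:
        return 1.0 if actual <= target else clamp01(target / actual)  # target 0 -> 0
    return clamp01(actual / target)

def quality_maturity(indicators):
    """Mean attainment over (actual, target, lower_is_better) indicators."""
    return sum(attainment(*i) for i in indicators) / len(indicators)

def efficiency_maturity(budgeted, spent):
    """1 when delivered within budget, otherwise the budget-to-spend ratio."""
    return 1.0 if spent <= budgeted else clamp01(budgeted / spent)

def unmet_objectives(profile, threshold):
    """Objectives whose maturity falls below the agreed threshold (figure 1's gaps)."""
    return [name for name, score in profile.items() if score < threshold]

# Constructed reporting period: satisfaction 85% vs 90% target, 12 anomalies vs 10,
# 5 days of delay vs 5 allowed, 3% extra budget vs 0, spend 1100 vs 1000 budgeted.
PROFILE = {
    "security": security_maturity([{"severity": "medium"}, {"severity": "high"}], 2, 8),
    "continuity": continuity_maturity([{"severity": "low"}]),
    "quality": quality_maturity([(85, 90, False), (12, 10, True), (5, 5, True), (3, 0, True)]),
    "efficiency": efficiency_maturity(1000, 1100),
}
```

With these inputs, security scores 0.575 and quality 0.694, so `unmet_objectives(PROFILE, 0.8)` reports those two objectives as not achieved.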

Evaluating CIOs in this way guarantees a balance between technology knowledge and governance aptitude and between providing strategic direction and verifying regulatory compliance. CIOs produce little value if they focus only on technical issues or cost reduction. A holistic vision of the business is the basis for understanding all the significant aspects of organizational objectives and making informed decisions about potential consequences.


Conclusion

To make I&T management more effective, the role of the CIO must be broadened, which means acquiring greater skills and responsibilities in the GRC area and paying the right amount of attention to control from a business perspective rather than basing it purely on technological performance. The CIO must be a C-level position, that is, at the level of management that sets overall objectives and possesses the authority to allocate the necessary resources for the sole purpose of achieving those objectives.

The role of the CIO is to provide implementation guidelines and evaluate the achievement of results to ensure that information is processed according to real business needs, that information is available in the manner and at the time required, and that information is protected from unauthorized use or access. For this to occur, the CIO must have the skills necessary to understand business requests and associate them with available technologies, to organize activities with the right roles and responsibilities, to supervise the execution of controls, and to evaluate the current state of the I&T process.

The CIO’s role has become less technical and financial and more GRC-focused. This requires horizontal competence in organizational processes, including risk analysis, compliance assessment and communication skills. At the same time, the role of the CISO is partially redefined to avoid overlap: it becomes more technically and methodologically specialized in security, with the CISO reporting directly to the CIO.

LUIGI SBRIZ | CISM, CRISC, CDPSE, ISO/IEC 27001:2013 LA, ITIL V4, NIST CSF, UNI 11697:2017 DPO

Sbriz is a lead auditor and senior consultant on risk management, cybersecurity and privacy issues. He has been the risk monitoring manager at a multinational automotive company for more than seven years. Previously, he headed information and communications technology operations and resources in the Asia and Pacific Countries (APAC) region (China, Japan and Malaysia) and was the worldwide information security officer. He developed an original methodology for internal risk monitoring, merging an operational risk analysis with a consequent risk assessment driven by the maturity level of controls. He also designed a cybermonitoring tool based on open-source intelligence (OSINT) and an integrated system involving risk monitoring, maturity model and internal audit. In addition, Sbriz was a consultant for business intelligence systems for several years. He can be contacted at http://www.linkedin.com/in/luigisbriz or http://sbriz.tel.