What are the top 3 challenges for CIOs?
The role of the CIO is to lead your team to stay ahead of the game. The problem is: the game changes all the time. The rules change, the goal posts are placed in new positions and you weren’t even aware of it.
The biggest danger for CIOs is to assume you are on top of your game. Hubris is the Achilles heel of many organisations, especially when all your KPIs and reports are based on lag-indicators forcing you to look backwards at the company’s performance in the past.
The truth of the matter is that you don’t know what you don’t know. And what you don’t know can and will (most likely) hurt you and your organisation.
You need smart people in your team who are on the lookout for what is important now and in the future. People who analyse the current situation to be able to project a risk profile moving forward.
However, it may help to know what your team should be looking for. It is important to stay aware of what is being used successfully by peers in the business to be able to make informed and educated decisions for your own company. What are the main topics that your peers globally worry about, work on and create strong analytical data around?
We conducted research amongst C-Level executives and senior professionals in the USA, Canada, UK and Australia to find out what topics are top of mind in 2019: what are the topics they research, invest in and need to know more about?
It’s no surprise that security, risk management and cyber security are in the top 3, in addition to subjects relating to regulation and compliance. Data management and data analysis also featured in the top listing but just fell outside of the top 3.
For CIOs it seems to be most important to understand what the most commonly used applications, methodologies and quality standards are. Finding trends in your industry may help you be more effective and efficient in the way you run your department or company. You don’t want to run the risk of overlooking something and getting caught out on a regulatory or compliance issue, just because you didn’t stay in touch with the latest trends. (After all, “I didn’t know” is not a valid excuse.)
1. Security & Risk Management
- ISSEP
- GIAC Certified Forensic Analyst
- Technical Surveillance Counter Measures
- NIST Cyber Security Framework
- Cyber Threat Hunting
Businesses are investing in formal security management training for their staff to improve the skill levels of IT professionals. This is an ongoing commitment to the understanding of IT security and the growing impact of cyber security on normal business practices.
We were surprised, however, by the interest in Technical Surveillance Countermeasures (e.g. bug sweeping). With the intensifying financial pressures in the industry and the opportunity for corporate espionage, it becomes more important to ensure that trade secrets don’t get into the wrong hands.
Questions that you may want to ask your team:
- Are there any data/devices that are not backed up?
- Who is responsible in your organization to assist in preparing for and responding to a data breach?
- Are you effectively using existing data to drive your security decisions?
- How much data should you keep and for how long?
2. (Cloud Based) Business Applications
- Finance
- NetSuite
- Quickbooks
- Marketing
- Salesforce Pardot
- SharePoint
- Mulesoft
Over the past few years many business applications have moved to a cloud-based delivery model. This industry has matured in such a way that finance applications like NetSuite now support many medium to large size businesses through their cloud-based applications, whereas QuickBooks Online is used mostly by small to medium sized businesses. With the addition of QuickBooks Enterprise, more medium sized businesses appear to choose to stay with QuickBooks rather than switching to NetSuite or other ERP applications.
MuleSoft (a Salesforce subsidiary) has been around since 2006, but the need for enterprise API connectors and analysis capability is growing with the adoption of more cloud-based enterprise applications.
Questions to ask relating to these business applications are:
- Is a market surveillance visit or other special audit required to show evidence of effective implementation?
- How does the effort compare to on-premise ERP implementations?
- Does a corrective action plan include the implementation of sufficient and effective controls in order to eliminate the cause of similar potential nonconformities?
- Are there related tools that can be easily implemented to gather data?
- How do you get your data out when the contract is done?
3. Regulation, Governance & Compliance
- SOC 2
- COSO
- CGEIT (Governance of Enterprise IT)
A quick Google search tells us that “The SOC 2 report focuses on a business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1/SSAE 18 which is focused on the financial reporting controls.”
It makes sense that it is mentioned in this list alongside COSO, which focuses mainly on internal controls. As a CIO you need to be able to sustain the internal controls around security, availability, integrity, confidentiality and privacy of a system and the data that is contained within this system. Out of these, confidentiality and privacy are becoming more important to safeguard with the increase of phishing scams and ransomware attempts. It seems that each week there is a news article about a large organisation being breached and private client data being leaked, with various levels of negative impact.
Questions to ask in relation to governance and compliance often revolve around audits and data privacy. For example:
- Do your audit reports contain sufficient detail to facilitate and support the certification decision?
- Is the scope of the audit adequate?
- Is the mandate given to the audit team clearly defined and made known to your clients?
- Do you monitor how suppliers protect sensitive information?
- Do you use contractual agreements to protect confidential information?
- Are information systems subject to periodic penetration tests?
- Do you perform more rigorous background checks on people who will be handling sensitive information?
When you understand the questions to ask, you can uncover the unknown and potentially dangerous issues and challenges that would otherwise remain hidden.
When you don’t ask the questions, people will assume everybody understands the importance and that we’re all on the same page. It’s only when we consciously make an effort to ask the questions that the discrepancies become apparent and areas for improvement surface.
Article by Ivanka Menken, CEO The Art of Service