Home > Risk > When a technologist is a business leader

When a technologist is a business leader

September 28, 2020 Leave a comment Go to comments

I have had the privilege of working with and for a number of superb technologists, many of whom were Chief Information Officers (CIO) or equivalent.

I am going to pick just one: Ron Reed.

I first met Ron when I was a vice president, internal audit, for a large financial services company. He was the senior vice president for IT (i.e., CIO) for the insurance subsidiary.

Although it was polite and professional, our first contact (a data center audit of that organization) had friction. He didn’t believe the facts behind our finding; but, we worked together to understand and then appreciate the reality and he then moved quickly to implement appropriate corrective actions.

A year or so later, he moved to the primary business unit as senior vice president responsible for all IT functions apart from application development and maintenance, where I got to work with him closely. (I ended up working for him.)

Now Ron’s background is deep in technology. He probably knew more about the operating system and related products than our systems programmers. But he was able to rise to leadership within the company because he also made sure he had a deep understanding of the business.

Ron spent time with the business leaders, getting to know them, the operation, and how it was run.

By understanding the business and knowing what it needed to be successful, he ensured the leaders of the business had the right IT services and functionalities.

He didn’t try to sell them what they didn’t need.

A friend of mine told me that I should buy a Tesla. (He owns one and loves it.) He gave me several reasons, including:

  • It’s fast – he can beat any car from a standing start at a traffic light
  • It’s fast – he can safely pass other cars
  • It’s economical because you don’t have the expense of gasoline
  • It’s green
  • It’s fun
  • You can afford it, Norman

I continue to drive my Acura TSX.

I don’t need a Tesla and cannot justify buying one when I don’t drive a lot now that I am (mostly) retired.

Having set the table, let’s place a dish on it.

The Harvard Business Review is an excellent source of challenging and insightful thought leadership. In November, they published Companies need to rethink what Cybersecurity leadership is.

The author (a senior manager with Boston Consulting Group) is clearly a smart guy. As far as I can tell, he has lived within the technology field and has not led an IT or business operation (other than consulting).

The article gets a number of things right, such as:

  • Yet for all the investments they’ve made to secure their systems and protect customers, companies are still struggling to make cybersecurity a vibrant, proactive part of strategy, operations, and culture.
  • Cyber leaders have the monstrous and all-important goal of securing a business, but when companies make big, strategic decisions — about business models, digital strategy, product mix, M&A — cybersecurity is an afterthought.
  • Business leaders must thoroughly analyze their “why” for cybersecurity and be very clear regarding their choice.
  • …your best cyber leader might be a proven non-cyber executive who knows the business, has key relationships throughout the company, and has a general appreciation for technology.

But, I have a serious problem with his solution.

  • Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats, and influence fellow senior leaders. In short, they must be able to lead.
  • Giving the cyber leader and program proper authority is … vital; they must have political sway and a top-level mandate to orchestrate change across the business.
  • …business leaders need to incentivize the right stakeholders to work closely with the function.

The solution reminds me of the Tesla salesperson.

A better approach is for the CISO (or the CIO, to whom I believe the technologist CISO should report) to have a deep understanding of the business and help them with the information security they need. Give them what is justified on business terms, not what is fast, green, and sexy.

Help them understand, from their business point of view, how much security they need, why, and what it is worth spending on it.

Forcing people to buy stuff they don’t need, or costs more than it is worth, will not get you accepted by them as a business partner.

Boards and executives have some tough choices to make, including how much money and resource to allocate to cyber.

Is $100 million too much? How about $75 million, $50 million, $20 million, or even just $5 million?

Does it make sense to invest $50 million when there is only a 5% (hypothetically) chance of a breach that causes losses of that amount or more?

It’s a business decision that business leaders should make, not the CISO. (Even better, it’s a decision made together – recognizing that the business leader has the casting vote.)

If the CISO, perhaps in partnership with the CIO, can work with the business leaders to give them the security they need (an Acura instead of a Tesla), they will be given a place at the executive table.

People only get invited to participate in strategy and other discussions when they make a positive contribution to the decision-making process. That requires understanding what they really need, not trying to sell them what they don’t believe they need and are unwilling to invest in.

Companies are not giving the CISOs the support and resources they want because the leaders are not convinced it’s a good way to spend their limited resources.

Talk to them about the business, not about breaches and vulnerabilities.

Sometimes, leading requires understanding and listening more than anything else – but that is not what the author suggests.

For him, leading starts with authority and incentives for others to listen.

I welcome your thoughts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: