Security Strategy and the Changing CIO Role

The CIO, or chief information officer, has traditionally been responsible for ensuring that IT and computer systems support the strategic goals of the organization. However, various factors, including the consumerization of IT, a reduction in the number of homegrown IT systems, and increased use of third-party services, are taking technology spending decisions away from the CIO role.

The consumerization of IT refers to the fact that devices originally designed with consumer needs in mind are increasingly being used for work purposes, as their owners consider them to be superior to those issued by the organizations they work for—the so-called bring-your-own-device (BYOD) phenomenon. Those outside the IT department are able to purchase and use third-party applications and services provisioned from the cloud or as web-based services. According to a recent survey commissioned by VMware, reported by, 72 percent of respondents think that decentralized spending on IT is a good thing, enabling greater responsiveness to business challenges, enhancing the ability to harness innovation to make the business more competitive, and providing the ability to position the business for growth. According to Gartner, 90 percent of IT spending will originate outside of the IT department by 2020.

While many feel that the decentralization of IT is beneficial in many ways, not least in providing employees with greater freedom and flexibility to work in the way that best suits them, it is not without its risks. Users may balk at the idea of installing security controls on their devices that degrade performance, and they install apps on their devices for their own personal use, which is increasingly becoming an issue as such apps are often found to be riddled with malware. They also like the idea of using cloud-based services for online storage and collaboration, which increases the risk of unauthorized access to corporate data and could lead to a security breach.

As IT spending becomes increasingly decentralized and more power regarding purchasing decisions and technology usage is placed in the hands of users, the CIO role needs to change from one of delivering IT systems to keep the business running within budget to one that is more business oriented. Today’s CIOs need to facilitate the technology wishes of users while ensuring that IT is aligned with overall operational strategy and objectives and keeping security issues in check. They need to provide centralized oversight of technology spending to maximize returns on investments and to take more of an advisory role in terms of what services and devices to purchase and what controls to put in place so that users are not unduly inconvenienced but security goals are met. They need to devise and enforce policies and oversee where rules are being broken. Raising and maintaining awareness of operational objectives and security issues across the organization is essential.

Today’s CIOs need to ensure that not only do they have a seat in the boardroom, but also that they’re fully aligned with the strategic objectives of the business and overall operational risks. They must work more closely with the chief financial officer to maximize returns on IT investment and to control and have oversight of spending across the organization. They must also align themselves more closely with the chief marketing officer, as new customer-facing business models and sales channels are placing more technology purchasing decisions in the hands of the marketing department. They also need to work more closely with leaders of individual business units to ensure that they have the necessary oversight of what is being spent where on technology.

If the CIO role is given more centralized oversight, the organization can reap the benefits of decentralized IT spending while also feeling assured that security issues are adequately controlled. A CIO who is successful in this new mission can ensure that IT becomes a business enabler, aligned with the overall risk management objectives of the organization.
