The DNA of a High-Performing CIO

DNA is inherited from our parents, and impaired genes may limit our potential regardless of effort. In much the same way, a Chief Information Officer’s (CIO) performance is influenced by organizational factors beyond their control.

Reporting structures, governance practices, and leadership ethics act as the corporate DNA of an organization. When these elements are healthy and aligned, CIOs can thrive. When they are flawed, even the most capable CIO may struggle to succeed.

There is much discussion about a CIO’s qualifications, experience, and track record, but far less about the conditions that shape job performance. Is it really a mystery why a hand-picked CIO, selected through an extensive search, still fails to meet expectations?

Dismissing a CIO for reasons ranging from insufficient business and strategic insight to perceived technical or operational shortcomings may not be justified until there has been a close examination of the reporting hierarchy, corporate governance, and professional ethics—the organizational DNA that shapes CIO performance.

Misaligned Reporting
A CIO is doomed to fail when reporting into a siloed function with no mandate over business units. It is like a race car with no fuel in the tank.

Resistance to change is pervasive in many workplaces. Common causes include labor constraints, a lack of urgency, fear of failure, and, more often than not, the risk of opening a can of worms. Business units acknowledge that untangling and migrating a heavily customized Enterprise Resource Planning system to a new software suite can be as delicate as a heart transplant. Such initiatives may uncover years-old payment errors, misinterpreted HR policies, orphaned privileged accounts, and other irregular practices, potentially exposing the leadership responsible. Consequently, maintaining the status quo is often preferred, creating the impression that the CIO is making little progress.

Corporate politics frequently come into play. Mandatory business justifications for technology projects are portrayed as bureaucratic hurdles. Clunky interfaces, disconnected workflows, excessive approvals, and inconsistent reports are often disguised as technology problems. Important digital initiatives such as shared IT services, enterprise architecture, and the rationalization of shadow IT may be diluted or blocked by business units seeking to protect their own interests. Some business leaders choose to procrastinate, make excuses, and preserve the status quo, leaving legacy problems and technical debt in anticipation of leadership changes.

CIOs cannot operate solely by consensus because every stakeholder has blind spots. Decisions reached through consensus are not always in the best interests of the enterprise, particularly in non-profit organizations. A CIO without executive authority over business change is effectively constrained. Without a mandate to drive process improvements, establish digital priorities, and enforce accountability, the foundations of business efficiency and growth are severely weakened.

Disengaged Governance
A CIO is reduced to a support role when IT is treated merely as a utility, where system uptime becomes the dominant key performance indicator. When coupled with the absence of a CIO’s voice in the boardroom, their strategic relevance is further diminished.

Operating largely in a defensive posture, CIOs are summoned to the Board whenever necessary to account for cyber breaches, project failures, and service disruptions. Over time, the discussion becomes dominated by bad news, creating bias and prompting questions about whether the right person is leading the technology function.

An increasing number of progressive organizations are establishing dedicated Board Technology Committees (BTCs). These committees function much like Audit Committees by providing independent oversight of governance, compliance, and technology risk matters.

A BTC provides the CIO with a politically safe forum to present emerging strategies, policies, and technology initiatives for candid discussion. It is not intended to bypass the CEO or CFO. Rather, it serves as an executive platform connecting independent directors and the CIO, helping to identify issues that warrant the full Board’s attention.

Unethical Leadership
Whether we succeed professionally often depends on our managers or reporting officers (ROs). Beyond conducting performance appraisals, exemplary ROs empower, support, and mentor their teams.

For CIOs, however, these qualities are less critical. As experienced senior executives, CIOs operate independently with minimal supervision or coaching. They are results-oriented and guided by Board-endorsed strategies. They engage their ROs at the appropriate moments to ensure alignment without burdening them with operational details.

“The biggest risk is not taking any risk,” as Mark Zuckerberg famously said. Technology, by its very nature, involves risk. Failing to embrace it may ultimately become the greatest threat to an organization’s survival. Significant risks include technology investments that generate poor returns, failures of mission-critical systems, and the accumulation of technical debt. CIOs should therefore be evaluated on the opportunities they identify, the risks they mitigate, and the digital advancements they deliver.

An RO who is evasive, ambiguous, and unwilling to address sensitive issues can be highly disruptive to a CIO, who depends on clarity and certainty to perform effectively. Misunderstandings can easily arise when critical decisions are communicated verbally rather than documented through email or meeting minutes.

Performance DNA
High-performing CIOs are forged through years of experience and practice. Nevertheless, some may succeed in one organization and struggle in another due to differences in culture and operating models.

An enabling environment is created through a clear business mandate, an engaged Board Technology Committee, and an authentic, risk-savvy RO. Together, these elements form the corporate DNA that enables sustainable CIO performance across industries.


Copyedit: ChatGPT

Becoming an Effective Board on Cybersecurity

A board directorship is a prestigious appointment, signaling public recognition of an individual’s industry expertise, business acumen, and leadership qualities. According to PwC’s 2024 Annual Corporate Director Survey, 13% of board directors reported that their boards had added someone with cybersecurity expertise in the past year. If that rate held across a typical five-year term, most corporations would end up with dedicated board oversight of cyber matters. However, what does it take to be effective?

Among the many cybersecurity challenges, some argue that the board should focus on governance and strategy rather than technology and operations, even though these are integral to cyber safety. Certainly, a sensible approach is that the board neither interferes with daily operations nor loses touch with on-the-ground realities. However, an overly narrow focus on governance and strategy can backfire, overlooking volatile business and operational changes that leave the organization more vulnerable.

In the aftermath of a security breach, every cybersecurity chief is prepared to address the board’s anticipated inquiries: How did it happen? Who is affected? What are the damages? While the report may highlight technical missteps and lessons learned, it often sidelines underlying office politics and unclear risk ownership. To uncover these issues, the board must cut through technical jargon and probe deeper.

Given its fiduciary role, the board is best positioned to confront the most insidious aspects of cybersecurity, such as near misses, risk ownership, peer comparisons, and even the probability of being hacked—critical issues that rarely make it onto the agenda.

Focus on Near Misses
Today, many boards mandate incident updates within 48 to 72 hours, and some apply the same window to significant cyberattacks on critical services and infrastructure. Analyzing these cases helps identify weaknesses, refine security controls, and prevent future incidents.

Learning from actual incidents, however, is costly and painful, often reflecting poorly on performance. Instead, the board can learn from near misses—situations where threats were detected and mitigated before causing harm. Near misses are positive indicators, encouraging staff to strive for improvement rather than fear repercussions. When risk owners feel less defensive and more receptive to issues raised, the organization benefits. After all, understanding near misses confirms that safeguards are working as intended—or that luck played a role, prompting further scrutiny.

Identify the Risk Owners
Who owns cybersecurity risk? This is a compelling question for the board, yet it has no straightforward answer. While many assume the cybersecurity chief is the risk owner, this perspective is incomplete and can obscure deeper accountability issues within an organization’s hierarchy.

Cybersecurity is a long-tail risk, with repercussions that can span years. Consider a massive personal data breach: the organization could face prolonged lawsuits, hefty regulatory penalties, job losses, and the need for fresh capital to overhaul its defense strategies. Restoring reputation and customer trust could take years. Clearly, no single individual can bear full ownership of these risks.

According to ChatGPT, a risk owner in cybersecurity is responsible for managing and mitigating risks associated with a specific asset, process, data set, or business function—a definition I fully support. For example, corporate infrastructure is a tangible asset, payroll is a financial process, staff training is an HR function, and regulatory compliance falls under legal purview. These risks span multiple business leaders across technology, finance, human resources, and legal and compliance—each of whom is responsible for ensuring compliance and security within their domain.

By setting the tone from the top and clearly assigning ownership, the board can break down silos and prevent disputes over responsibilities in data protection, security controls, and cybersecurity exigencies.

Ask for Peer Comparisons
We are accustomed to grading systems in school, where a pass mark is 50 out of 100. It is appealing to think that cyber risk could be similarly quantified, scored, and benchmarked against peers. Doing so would help align board assessments, track progress, optimize security spending, and negotiate appropriate cyber insurance coverage.

There are tools and services that assess cybersecurity posture by simulating an external threat actor scanning for vulnerabilities. Such ratings only reflect what is visible from the outside, such as exposed services, certificate hygiene, and leaked credentials, and say little about internal controls. Moreover, since organizations vary in industry, size, technology, risk treatment, and appetite, a self-determined passing mark should be treated with caution. Nonetheless, benchmarking against peers in the same industry provides valuable insights.

Know Your Hacking Probability
When the board is satisfied with regular cybersecurity updates, existing mitigations, and business-as-usual operations, one critical question remains: What is the probability of being hacked in the next 12 months? Since perfect security is unattainable, a data-driven approach offers insight into the likelihood of a breach, potential attack vectors, and staff preparedness.

Simply put, the probability of a successful cyber breach is a function of attack vectors and defensive controls. For example, to model a takeover of an administrator account with privileged access, one must first consider prevalent attack vectors such as social engineering, malware infections, and password spraying, together with how often each is attempted and how likely it is to succeed unopposed. Then, mitigating measures such as endpoint protection, multi-factor authentication, and privileged account management must be factored in, each reducing the chance that an attempt succeeds. Running the model over many simulated iterations yields the probability of the event occurring within a given timeframe, and shows which control buys the largest reduction. Nowadays, AI models can further refine such risk assessments in complex environments with interdependent variables, though their output is only as good as the attempt and efficacy figures fed into them.
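The following Monte Carlo model is an added example written for this page, not code from the original article or from any named vendor. It assumes three attack vectors against a privileged administrator account and a small set of controls; every attempt rate and control efficacy below is a constructed figure for illustration, not measured data. The closed-form calculation and the simulation should agree, which is a useful sanity check before anyone trusts the number in a board paper.

```python
"""Estimate P(privileged account takeover within N months) from attack vectors
and defensive controls, both analytically and by Monte Carlo simulation.

Model (an assumption of this example, not the article's): each month, each
vector is attempted with some probability; an attempt succeeds unless at least
one deployed control that applies to it stops it. Controls fail independently.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackVector:
    name: str
    monthly_attempt_prob: float   # P(the vector is attempted in a given month)
    base_success_prob: float      # P(success | attempt) with no controls in place
    stopped_by: tuple             # names of controls that can block this vector


@dataclass(frozen=True)
class Control:
    name: str
    efficacy: float               # P(this control stops an attempt it applies to)


def per_attempt_success(vector, controls):
    """P(success | attempt) after every deployed, applicable control has had a
    chance to stop the attempt. Controls not in `controls` are not deployed."""
    p = vector.base_success_prob
    for name in vector.stopped_by:
        if name in controls:
            p *= 1.0 - controls[name].efficacy
    return p


def analytic_probability(vectors, controls, months=12):
    """Closed-form P(at least one takeover within `months`):
    1 - prod_over_vectors(1 - attempt_rate * success_rate) ** months."""
    p_safe_month = 1.0
    for v in vectors:
        p_safe_month *= 1.0 - v.monthly_attempt_prob * per_attempt_success(v, controls)
    return 1.0 - p_safe_month ** months


def simulate(vectors, controls, months=12, trials=20_000, seed=7):
    """Monte Carlo estimate of the same quantity: replay `trials` independent
    histories and count those that contain at least one successful takeover."""
    rng = random.Random(seed)
    compromised = 0
    for _ in range(trials):
        for _month in range(months):
            if any(rng.random() < v.monthly_attempt_prob
                   and rng.random() < per_attempt_success(v, controls)
                   for v in vectors):
                compromised += 1
                break   # first takeover ends this history
    return compromised / trials


# Constructed example figures (assumptions for illustration, not measured data).
VECTORS = (
    AttackVector("phishing", 0.60, 0.30, ("awareness_training", "mfa")),
    AttackVector("malware", 0.40, 0.20, ("edr",)),
    AttackVector("password_spraying", 0.80, 0.05, ("pam", "mfa")),
)
BASELINE_CONTROLS = {c.name: c for c in (
    Control("awareness_training", 0.40),
    Control("edr", 0.70),
    Control("pam", 0.50),
)}
# Same environment after enforcing MFA on the admin account.
HARDENED_CONTROLS = dict(BASELINE_CONTROLS, mfa=Control("mfa", 0.90))


def compare(months=12):
    """Analytic takeover probability before and after adding MFA."""
    return {
        "baseline": analytic_probability(VECTORS, BASELINE_CONTROLS, months),
        "with_mfa": analytic_probability(VECTORS, HARDENED_CONTROLS, months),
    }


if __name__ == "__main__":
    for label, controls in (("baseline", BASELINE_CONTROLS), ("with_mfa", HARDENED_CONTROLS)):
        print(f"{label:9s} analytic={analytic_probability(VECTORS, controls):.3f} "
              f"simulated={simulate(VECTORS, controls):.3f}")
```

With these constructed figures the baseline comes out near 0.85 over twelve months and drops to roughly 0.36 once MFA is enforced, which is the kind of before-and-after comparison a board can act on. The model deliberately treats controls as independent and attempts as memoryless; real attackers adapt, so the analyst should state those assumptions alongside the number.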

Conclusion
An effective board is not confined to governance and strategy. It plays a crucial role in fostering a collaborative environment where the cybersecurity chief and risk owners work together cohesively. It must be willing to challenge the status quo and trigger critical thinking. It drives a cultural shift, emphasizing that the best time to strengthen cybersecurity is during periods of stability, rather than waiting for a crisis. We must remain vigilant, ensuring cybersecurity always remains a priority.

Just Too Many Digital Chiefs

Like a medical specialist providing in-depth and expert care in a specific area, the tech industry has seen a similar shake-up in recent times, resulting in a plethora of high-sounding titles such as Chief Analytics Officer (CAO), Chief Artificial Intelligence Officer (CAIO), Chief Data Officer (CDO), Chief Digital Transformation Officer (CDTO), Chief Information Officer (CIO), Chief Information Security Officer (CISO), Chief Knowledge Officer (CKO), Chief Machine Learning Officer (CMLO), and Chief Technology Officer (CTO). This trend is ongoing, as evidenced by the myriad of executive programs offered by Ivy League colleges and training schools for those keen to qualify.

The rapid pace of technological advancement has caught many enterprises off guard. The surge of chief titles like CAIO and CMLO appears to be a knee-jerk reaction to the phenomenal growth of generative AI. In the past few years, many CISO appointments were fast-tracked to comply with regulatory mandates in some parts of the world, which require a dedicated chief for cybersecurity amid escalating cyber breaches and privacy invasions. On the other hand, the once in-demand CKO hiring of the late 1990s is fast fading, likely ousted by the CDO and CAO as focus shifted to big data and analytics. Lastly, the de facto tech chief, the CIO, has seen much of its technology portfolio taken over by the CTO, leaving the CIO to focus on information and business needs.

Obviously, we do not need a management professor to tell us that too many chiefs without a chief of the chiefs would be a grave mistake in corporate governance. For instance, should the CISO be accountable for the security of an AI system? Intuitively, yes, provided the CISO has veto power over the AI because accountability requires control. From frivolous data to business insights and invaluable knowledge, should the CKO be rejuvenated and made responsible for all these seemingly discrete domains, thus offloading responsibilities from and right-sizing the CIO and CDO? Ironically, does the CDTO really fit the bill of a digital chief with goals to transform business? Realistically, must all the chiefs bear the same titles and compensations if their job sizes differ?

Nobody would argue if the Chief Executive Officer (CEO) were to be the overall digital chief, given how tech has been transforming industries and businesses. Sitting one level closer to the head of the organization allows for more direct communication, peer-level brainstorming, and faster decision-making. However, this is impractical given the CEO’s day-to-day management chores. For non-tech, non-profit, and end-user enterprises, IT is mostly a tool rather than a strategy, and an expense rather than an investment, and it hardly creeps into the KPIs (Key Performance Indicators) of the CEO. Also, it takes more than a tech-savvy CEO to oversee the work among the digital chiefs, dealing with operational issues and personnel conflicts.

It is an opportune time to rationalize the chiefs’ departments if you have close to ten digital chiefs, especially when some have no direct reports. The CIO debuted around 1980 and the CTO around 1990, by which point the first batch of CIOs had already been functioning well for a decade before relinquishing their tech function to the CTO. The CIO nomenclature has suffered from a birth defect with a missing specific, Technology, despite it being a substantial part of the role. Given the continuous advancement and escalating reliance on technology, it makes perfect sense for a new chief function, the Chief Information Technology Officer (CITO), to take on both portfolios. In fact, the CITO role has emerged in recent years as a response to the increasing importance of technology in organizations, likely evolving from the CIO and CTO roles.

There are CISOs reporting to an independent entity, such as the Board, CEO, or a corporate chief on risk management, citing autonomy without being undermined by the CIO or any other chief. Unlike audits, the CISO is not an inspect-and-control function; it is the inherent cybersecurity knowledge and skills that are most valued. The CISO should be an integral part of the CIO department, incorporating security design and operating requirements into any tech development. The CISO should also be the party to endorse tech implementation and operational changes. Checks and balances can be achieved through independent audits, external consultancy, and certifications like ISO 27001 Information Security Management System.

Data does not lie, but it stops short of saying anything if it is not clean. Like clean water to humans, pristine data is the lifeline of AI, and of the CAIO, CDO, CAO, and CMLO alike, even though each puts a different spin on it. The CDO should define the relevant policies for data ownership, cleansing, protection, sharing, and retention, and govern and coordinate efforts among the business units to ensure compliance and resolve disputes. Separately, the CAO focuses on data analytics, using tools like Excel, Python, SQL, and SPSS to justify business actions and decisions and subsequently measure performance. Raw data is akin to unrefined ore: abundant and potentially valuable, but in its unprocessed state lacking clarity and insight. Combining the CDO and CAO functions into a Chief Data and Analytics Officer (CDAO) provides oversight and management controls for transforming raw data into valuable insights.

The CMLO, equipped with strong mathematics, statistics, and coding knowledge, builds algorithmic models for applications such as generative AI, behavior analysis, and pattern recognition. The CAIO, with a similar background, spearheads AI direction, strategies, ethical use, and staff training across the entire enterprise. It is an ecosystem where the chiefs interact and work to embed AI seamlessly in all business functions.

In the context of the CDTO, the latest kid on the block, Tech and Digital are not interchangeable. As the name implies, digital transformation aims to modernize the business by leveraging progressive tech advancements. Transformation is disruptive, often requiring mindset changes, new learning, and critical thinking to debureaucratize the organization. Besides possessing necessary business acumen, having a clear mandate and authority to make decisions is crucial for effectively addressing and overcoming objections. The emergence of the CDTO is timely, fueled by attainable technologies such as Cloud, RPA (Robotic Process Automation), next-generation ERP (Enterprise Resource Planning), and the prevalence of BPO (Business Process Outsourcing) that enable businesses to own their transformation.

Except for the CDTO, all tech chiefs have either a share of operational duties or a high stake in them. In a unified approach, tech-related activities such as strategic planning, manpower forecasting, and budgeting should be integrated and coordinated across the enterprise, rather than being siloed among separate digital chiefs. This collaborative approach ensures alignment, efficiency, and effective resource allocation, enabling the organization to achieve its goals and business priorities cohesively and strategically. As the saying goes, “A house divided against itself cannot stand.” By working together, we can build a strong and resilient organization that thrives in today’s fast-paced and competitive landscape.

Merging the CIO and CTO functions into CITO and combining the CDO and CAO into CDAO are pivotal steps prior to integrating the CAIO, CMLO, and CISO functions into the same CITO office. Partnership hinges on individuals, but an integrated system, once built, will be long-lasting regardless of personnel changes and how technology evolves. Transformation is not a transient function, and the CDTO, primarily a business function, should stay abreast of technological changes and continue to lead the effort.

With the optimized hierarchy, the CITO, combining the functions of CIO, CTO, CAIO, CMLO, and CISO, will report to the CEO or their deputy, as will the CDTO and the CDAO, which combines the functions of CDO and CAO. Knowledge will increasingly be generated on the fly, with proper safeguards, as generative AI becomes more intelligent and widespread, diminishing the CKO’s role further.

Organizational changes are risky. Dealing with potentially inflated titles, re-designation, and job resizing may unsettle many incumbents. It reminds one of those heated debates between centralizing and decentralizing tech functions in a large enterprise. Ultimately, organizations persevering through these changes will benefit from agility to cost savings, clarity of ownership, accountability, less politicking, a healthier workplace, and, finally, emerging as leaders in their industry.



*Copyedited by ChatGPT, https://chat.openai.com/chat