There’s a school of thought — one I’ve long dismissed — that you can only consider yourself an executive once you’ve got people working for you who are smarter than you are.
In a real team, each member has their own strengths and weaknesses, which ideally balance themselves out.
Although clearly even the best employees need some kind of leadership, what’s the point in having CEOs if they don’t contribute something important to the operation themselves? The nature of that contribution will vary by each organization, but there’s one thing the boss shouldn’t need to do, and that’s look after the organization’s IT security. Ernst & Young, which released the results of a survey on the matter recently, would probably disagree with me.
According to the Canadian figures from the firm’s annual international report, only 33 per cent of firms here say security is perceived as a CEO-level priority. Ernst & Young recommends the creation of a security-conscious culture (please, no yawning) that has to come from the top.
In the absence of a major security problem, most chief executives are interested in only one thing: improving the company’s performance. What energizes them is the possibility of growing, expanding or better serving their clients, increasing their profits and pleasing shareholders. IT security is like dental hygiene: unless you’re facing a root canal, you don’t get excited about flossing.
As more corporate data moves into electronic form, we have to become clearer about the exact nature of the CEO’s role with regard to security, and how it differs from that of a CIO. The Ernst & Young study, for example, notes that less than a quarter of Canadian organizations check up on their outsourcers to see if they meet security requirements. Given the range of outsourcing going on in large enterprises and the complexity of the relationship, there’s no way CEOs or even some of the senior VPs can micromanage at that level. This is the CIO’s job, or in some cases the chief security officer’s. That’s why they were hired in the first place. When Ernst & Young concludes that companies place too much “trust” in outsourcing partners, it is mistaking trust for complacency and negligence. The more important trust relationship is between the CEO and his staff, including those who manage outsourcing relationships.
If the CEO’s role is one of delegation, though, the study manages to identify one danger zone. Only 35 per cent of those who responded (presumably CIOs and IT managers) provide quarterly updates on IT security to CEOs or their boards. In some cases I suspect that’s because unless the organization has suffered a hit, there’s not much to say.
CIOs could spice up these updates by discussing not merely the breaches (or lack thereof), but potential threats that the organization could face in the form of new worms or changes to Microsoft’s Service Pack 2. Many CEOs are probably not very good at setting the tone on IT security because they don’t know what kind of questions to ask.
CEOs should obviously surround themselves with IT staff who know more about security than they do, but they should still know enough to tell when the issues are not being addressed properly.