The Dollar Dialogues

What a fictitious CIO would say to his hypothetical financial counterpart.

On IT Security

CIO Harold Peeples: Remember the CRM system we implemented, Ben?

CFO Ben Courtanes: How could I forget? The personal data of 2000 customers was posted on the Internet.

CIO: Exactly. And I took the hit for it. But I still don't think I deserved it.

CFO: Didn't deserve it, Harold? How was a huge hole in our CRM not your fault?

CIO: The hole was there because I was told to go live by the beginning of the holiday season. Well, suppose I had come to you in August and said, sorry, Ben, but we have to do some more security work. That's going to add four months and $4 million to the schedule. And even then I can't guarantee it'll be completely secure.

CFO: What would I say? I'd say, why wasn't this in the original plan? I'd say, here we go again! Just like the steel in the buildings.

CIO: Then I'd say, it wasn't in the plan because our CEO had already made up his mind what the deadline had to be. You know what happened, Ben. He had lunch with a consultant who had just helped Rival Pty Ltd do a huge CRM implementation, so he decided we had to have that system and we had to have it yesterday.

CFO: Look on the bright side, Harold. At least he doesn't think IT's a commodity.

CIO: No, he thinks it's a light switch. All we have to do is turn it on. And if I suggest that getting a CRM system up and running might be a little more difficult than the consultants and the white papers make it sound, I'm the bad guy. I'm preventing us from staying competitive.

CFO: But this is security. This is our brand, our reputation. You have to be the leader. You have to be the guy who tells us that the project's not ready, even if it means we miss the holiday season. Saying someone made you do it just doesn't cut it, Harold. Where does this buck stop?

CIO: You can only rain on a parade so many times before your bosses get tired of having you around, Ben.

CFO: So your job security comes before the good of the company? You can't believe that.

CIO: No, of course not. But I could name a half-dozen CIOs who did lie down on the tracks. And you know what? They're looking for work right now. It's hard to tell everybody we need extra time, and it's hard to tell you we need extra money. This isn't just my problem, Ben; this is the state of IT security. It's not too good. So I end up looking ineffective, even if putting the brakes on a project is the smartest thing I could do.

CFO: What you just described to me is an unquantified risk profile. Put some numbers behind it and I'll buy everything you're saying.

CIO: It's not that easy, Ben. We're talking about massively complex programs operating in massively complex computing environments. I'm not convinced risk analysis applies.

CFO: See, this is my biggest problem with IT. It's all black magic. When the going gets tough, IT says it's too special to have the rules of business apply. IT is not special. Nothing could be more appropriate to risk management than software security. Even if the curve shows huge, unacceptable risks in getting a project done before the holidays, that's information I could have used. It's information I would have loved to have had before 2000 credit card numbers were exposed.

CIO: Come on, you don't really believe a few charts and graphs would have stopped us from trying to finish the project by the holidays? The big guy would have said get it running and secure it as we go.

CFO: Maybe. Maybe probably. But at least we'd know the relationship between the dollars we spend on security and what we might get from them. That's what risk analysis does. That way we work out cost-benefit and decide - based on the data - how much time and how much money is absolutely necessary to spend.

CIO: What I'm hearing, Ben, is that you're asking me to become a junior CFO for IT. If I'm hiring a bunch of risk managers, spending all my time and budget trying to get these numbers to justify my existence, how am I supposed to focus on the projects that'll help LargeCo make money? No offence, but I don't want your job.

CFO: None taken. I'm not asking you to become a CFO, and I'm not trying to take away your decision-making authority. Risk management isn't designed to make decisions for you, Harold; it's designed to inform the decisions that we're counting on you to make.

CIO: Are you willing to approve extra funds to allow me to hire some risk analysts?

CFO: If that's the only way to do it, absolutely.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
