Are your CIO and CISO locked up in the dungeon?

Author: Michiel Jonker


Times past

Traditionally, the role of the CIO (Chief Information Officer) was confined to presiding over the IT dungeon. 

As chief warder of the sacred cache, tasked with building the system and installing it, the role was, for all intents and purposes, clearly defined yet removed from the rest of the business: an insular function. 

In time, companies pared down their in-house development teams and started outsourcing many, if not most, tasks to independent contractors, service organisations and software providers.

Times present

The CIO is back in vogue, however, and has reclaimed a hallowed position. The difference is that the demands of business have shifted. 

Today, the CIO is engaged as an integral part of the strategic framework of the organisation, along with the most sought-after expert in the IT and digital industry – the CISO (Chief Information Security Officer). 

Prompted by a sharp spike in cybercrime and the acknowledgement that inadequate preventative policies leave organisations vulnerable to attack, the expertise of the CIO and the CISO, as individuals or as a pair, is relied upon to provide the organisation's best line of defence against cyber-attacks, cybercrime and cyber-terrorism. At the very least they are expected to manage the situation; ideally, to protect the company's assets by adopting solutions that identify, and thus combat, a growing problem.

The South African IT and digital landscape

Within the South African IT and digital landscape, the role of the CIO and CISO is largely undermined in relation to stakeholders, shareholders, and executive committees. 

Often the titles CIO and CISO are placed within a purely operational framework. The holders are referred to variously as IT managers, corporate security officers, security managers or information managers, and the function of the title appears vague at best. It seems irrational to reduce a fundamentally important role, if not the most important one, on which the entire business's future rests, to managerial level. The CIO and the CISO may or may not be afforded a seat on the Board.

Michiel Jonker, director at Futura International (and former partner at two multi-national audit firms), has strong opinions to impart in relation to the role of the CIO and the CISO. 

‘There’s a lack of empowerment,’ he says. ‘Accountants are seen as business people, so are marketers and departmental managers – IT (and even digital) is considered purely operational, not a strategic enabler, which is short-sighted, bordering on bizarre.’

‘Times have changed. Business strategy has expanded.’

It’s a topic on which he speaks passionately, and with some frustration, convinced that the lack of corporate cohesion is bound to have a profound impact on the health of South African organisations and the future on which they rely. 

‘The system is likely to cave in on itself without a concerted effort to put paid to paradigm thinking and its effect on the high incidence of project collapse. Failed projects are commonplace. Not to mention cyber incidents.’

Before launching into a lengthy explanation of the situation the IT and digital industry faces, he explained how and why the new brand of IT executive has developed into something much more than a mere cog in the wheel. 

A new dispensation


The new brand of CIO

Michiel Jonker, like many prominent leaders, campaigns for IT and digital leaders to challenge the Executive. 

He shares an opinion with the now-retired CIO of Union Pacific, Lynden Tennison. After a forty-year tenure among industry giants, Tennison said in an interview with the Wall Street Journal that he feels attitudes have reversed – the enterprise mindset has shifted back from outsourcing to developing strategic in-house functions.

CEOs are famously wary of technology, and have tended to back away from a problem rather than collaborate with IT and digital experts to identify problems and find solutions. 

The steering of the IT and digital landscape has traditionally been left in the hands of the ‘technical team’. 

Perhaps a lack of personal knowledge has contributed to the situation as we find it. Today, many younger company leaders are far more tech-savvy than their counterparts of yesteryear. In spite of this, the rift endures, whatever the reasons behind it. 

With the imminent threat of cyber criminals seeking to infiltrate and seize or destroy an organisation’s assets, a desperate scramble has evolved. The need to consolidate and restructure is more important now than ever.

Jonker is emphatic: ‘The days of IT handing over a fully functional system to the various departments that run the company on a daily basis, are over. Disappearing to the basement bowels should be a thing of the past, along with flawed business thinking.’

The new brand of CIO operates through a strategic business lens and from a cost-sensitive platform. This includes having a say in how R&D funds are distributed, how intellectual property is guarded, and how new and existing business flows are navigated in a constantly changing environment.

Business decisions are no longer the sole domain of the CFO and the CEO. A purposeful, business-centred proof of concept, which allocates funds with the organisation’s most valuable assets as the foremost consideration in the decision-making process, should reflect a keener understanding of the business as an organic entity.

‘Why,’ says Jonker, ‘would you leave the crown jewels to the mercy of marauders? However, the plan to guard your assets has to be ever evolving, and capable of adapting to a change in tactics.’

While the new brand of CIO has become a team player, one whose input is valued and heeded, the position of CISO is considered the highest tier of IT professional.

The role of the CISO

According to the 2019/2020 Official Annual Cybersecurity Jobs Report, sponsored by the Herjavec Group, job openings in the cybersecurity space have risen by 350% between 2013 and 2021.

A few years back, Cybercrime Magazine predicted that 3.5 million cybersecurity jobs would be unfilled by 2021, the year in which we now find ourselves. They were spot on: there is a huge gap to be filled.

An article in the same magazine cited a statistic that 58% of established CISOs have expressed concern at the lack of expertise among newer candidates applying for the job. 

Apparently, fewer than one in four are qualified. Robert Herjavec is quoted as saying that all IT and digital professionals need to be versed in cybersecurity and able to protect company assets. 

The minimum requirement commonly stipulated for the position of CISO is that the candidate hold a Master’s degree in IT together with an MBA, in order to meet the demands of the job. 

Taking into account the time needed to achieve these qualifications, and the versatility the role demands, it’s hardly surprising that many aspiring IT and digital experts burn out at some point along the way. 

The plot thickens


The role of the CIO and the CISO within the PoPIA framework

PoPIA (the Protection of Personal Information Act) was brought into operation in 2020, seven years after it was signed into law in 2013. While this article does not seek to discuss the framework as a whole, there appears to be some confusion regarding the role of the Information Officer (sometimes called the Data Privacy Officer), a new addition to the business world.

Official guidelines are clear: it is not recommended that the position be delegated to the domain of the CIO or the CISO.

In fact, the head of the organisation, typically the CEO, is by default the Information Officer. He or she may authorise another person to act in the role and appoint one or more deputies, but accountability for the safeguarding of personal information ultimately still rests with the CEO.

The requirements stipulated for the Information Officer and any deputies give the individual or individuals an important position in relation to data collection and processing. However, the terminology used to describe who should be appointed lacks any definite expectation.

The Information Officer should have a ‘good understanding’ of IT; ‘basic’ legal training is advantageous; a ‘broad understanding’ of company operations, a ‘strong interest’ in data privacy, and ‘spare time’ to offer. 

The dilemma becomes evident: which restrictions are imposed on data collection and processing, and how much responsibility has been shifted to whom? By its own admission, the role of the Information Officer still requires some clarity.

Are we shifting even further from the goal to secure processes?

The ever-increasing demands on the CIO and CISO, spanning both technological and business functions, require a broader skill set and bring an ever-expanding set of duties. 

Is it wise to assume that data processes will be further secured, and that cohesive business practice is within grasp?

Is it possible to safeguard what cannot be protected without a genuine commitment to a new way of thinking about management?

For now, the impending crisis centers on the safety of data as a whole, and the measures required to protect it. 

Time will tell.