The C-suite is welcoming more and more CIOs and CISOs, but the leadership structure at many organizations ranks IT and information security leaders below other executives, weakening their ability to effectively drive change, wrote Mansur Hasib, former CIO, public speaker, author on cybersecurity culture and compliance and cybersecurity faculty for University of Maryland Baltimore County and Carnegie Mellon University in Pittsburgh, in an Information Week report.
Mr. Hasib conducted a national survey of healthcare organizations and found nearly half of CIOs reported to CFOs and other executives, but not the CEO. He finds this problematic for several reasons. First, if the CIO is reporting to other C-suite members, the CIO's rank is lessened and is unable to participate in organizational strategy meetings, which Mr. Hasib wrote is troublesome because of the integral importance health IT strategy plays in the industry today. "IT is the lifeblood of most organizations today," Mr. Hasib wrote.
Because of this leadership structure, CIOs and CISOs don't have a final say on IT or informatics decisions, yet they are often blamed for any IT or informatics failings, according to Mr. Hasib. He wrote, "the CIO becomes an ideal whipping post for any failures, but other executives are well-protected, even though they make the final decisions."
Additionally, if CFOs and other executives are in charge of IT and cybersecurity, CIOs' pay is lower and healthcare organizations will find it increasingly difficult to recruit and retain top talent, he wrote.
Mr. Hasib also wrote CIOs' strategies are undergoing an evolution. Instead of approaching cybersecurity as its own entity as some healthcare organizations do, cybersecurity should be embedded within the larger IT strategy, according to Mr. Hasib.
"Some CEOs and boards are engaging their IT and cybersecurity staff to 'make sure this does not happen to us' — without really understanding what cybersecurity or cybersecurity leadership is," Mr. Hasib wrote. This approach separates cybersecurity from the overall IT strategy and isolates it as a standalone priority. Mr. Hasib suggested this approach, pursuing compliance instead of developing an overall culture of cybersecurity, is akin to planting annual flowers.
"They look great for a short while, then they die and get more expensive each year" he wrote. "We should invest in a cybersecurity culture and gain the benefit of perennial flowers. They improve in quality, abundance and size each year, and you can even divide them and spread them around your garden. It is time for cybersecurity leadership."
More Articles on CIOs:
From Advancement Opportunities to Coffee Bars: 3 CIOs Share Their Best Tips for Attracting, Retaining Top Talent
Dr. Raymond Gensinger Appointed CIO of Hospital Sisters Health System
Survey: CIOs Getting More Respect in the C-suite