Editor's note: The following is a guest article from Eric Johnson, CIO of Talend.
In the past, IT was seen as a cost center, but today IT isn't just a place to spend money — CIOs are in the driver's seat, proactively helping other business units and figuring out how to generate revenue.
But with the shift comes an increased amount of stress to balance new responsibilities. One of the biggest challenges? New expectations to represent the face of risk and compliance: two high-stakes duties that can make a company profit — or lose hundreds of millions of dollars.
So what are CIOs to do in today's new world order? How can we mitigate the stress and manage new responsibilities well? Here are three tips to help balance new expectations that come with the role, with practical ways to reduce sleepless nights:
1. Avoid a fear-based approach to compliance
It's not uncommon for CIOs and CSOs to leverage scare tactics as a way to drive more governance and funding. This is the wrong approach; the effort should instead go into developing transparency and education rather than fear.
With a transparent approach, CIOs aim to provide a clear outline of business tradeoffs that align to different levels of compliance and security.
What are the costs of providing different levels of compliance, and what are the risks? How do certain security strategies incur costs, and what would the corresponding effect on brand reputation be if we do or don't undertake certain initiatives? What will a new or revised approach cost, and what results can be expected?
This is the type of transparency CIOs should be providing other executives to ensure a business makes the right, strategic decisions. The goal isn't to simply get your way based on fear tactics, but to turn compliance into a conversation and align on the right short- and long-term strategies.
Other executives need to be in the position to provide the right input on strategy, especially as an approach to governance and compliance may change as businesses shift growth strategies.
2. Communicate clear alignment within the executive team around levels of risk tolerance within the organization
Too often, risk tolerance is assumed rather than clearly articulated or documented.
Risk tolerance can vary wildly between organizations — it can change by size, industry and stage of growth of a company — and even then the definition and approach can change over time as a company enters different phases of growth or as market conditions change.
The big question you should be asking is: How do we best balance growth vs. governance? Companies in a hyper-growth stage tend to have a lower tolerance for governance, while companies growing less aggressively tend to be more governance oriented.
Regardless of growth stage, you still need some level of governance — and you may need to sacrifice some growth to ensure your governance program can withstand unexpected audits/regulators.
It's important to calibrate risk tolerance on an ongoing basis, to ensure the business is operating with an optimal approach. If you assume too high a risk tolerance, you may leave the company susceptible to a security or compliance issue. But if you assume too low a risk tolerance, you may overinvest in security and risk and potentially slow down company growth because you're overbuilding the program.
Governance and growth are a delicate balance to maintain, and the balance has ramifications for the company that can't be decided upon in a vacuum. Make sure to understand the tradeoffs, communicate options to the broader executive team, and come to a collective agreement on the level of risk you want to be at and what it takes to get there.
3. Stay up-to-date on evolving compliance and global risk policies
The world is constantly changing, and new regulations and policies are constantly emerging as we become more privacy- and consumer-centered.
As a CIO, you need to stay up to speed and keep tabs on evolving compliance and global risk policies. If you aren't regularly educating yourself and your teams on what's new, you risk falling behind and putting your company in a sub-optimal position to capitalize on market trends.
With that in mind, here are a few final tips to keep yourself — and your teams — well educated:
Partner with the legal team early in the process: It's crucial to have a good partnership with the legal team and regularly seek their help and the help of external auditors. They often work with different companies on regulation and compliance, so they're a good go-to source.
Consider different perspectives: CIOs have to understand compliance and risk from legal, audit, systems and data, and process perspectives to ensure everything runs smoothly. You'll need to tailor your approach for, say, internal executive teams and business stakeholders — who won't care about legalese but will want to know how it will change their job — and understand how different dimensions impact internal jobs.
Invest in your employees: Perhaps the most critical piece of compliance is to keep your employees well-educated about what they should and shouldn't do. You can't underestimate the importance of your people. You can have all the processes in place you need, but if you have just one person who didn't know what they were supposed to do with sensitive data, you can open up a world of trouble for you and your organization.
There is no such thing as a perfect security program, so you need to have a strong education program because you can't do it by yourself. Everyone in the company needs to be a compliance and risk expert in their own area.
Burden or opportunity? It's all in your outlook
Being a CIO is a challenge in today's business climate, especially with the number of expectations and burdens we must shoulder. While new changes in regulations like GDPR can seem like a hassle that slows you down and adds to your to-do list, it's helpful to recognize that these changes push you to do a lot of good hygiene.
With them come new opportunities to improve processes and efficiency, and they can become a positive multiplier that improves legacy systems and technologies.
While there may be a lot of stress at times, there's an opportunity to leave a lasting legacy within the business and lead the way to brighter days through successful business initiatives.