I’m in Amsterdam this week for the RSA Europe conference. Tuesday morning, I went down for breakfast and picked up a USA Today in the restaurant, and saw an article from Michael Wolff on “How CEOs are nearly illiterate about technology.”
Needless to say, it got my attention. For the most part, I agree with the article and I want to build on it with some ideas that could help make things better.
Sometimes, Business Leaders Don’t “Get It”
The article (which has a slightly different title in the online version) picks on President Obama for not sounding comfortable (or accurate) when speaking about the issues with Healthcare.gov during the launch of the Affordable Care Act’s online exchange site.
I won’t rehash it all here – you can read it for yourself – but I would like to call out some things from the article:
“He said the product — these health exchanges that few could get access to — was good; it was the process that was problematic. He seemed genuinely to have no idea that for most Americans steeped in digital behavior, the product is the process. (His distinction is like an airline saying planes are remarkable feats of engineering, so pay no attention to the fact that you might be delayed for hours on the tarmac.)”
OK, the President missed the importance of the process for end users, but how many times do executives throughout the corporate world miss something that we, as IT professionals, think is as obvious as the nose on our faces?
Understanding is a Two-Way Street
I think there are two important aspects here: the messenger and the receiver, and both bear a responsibility.
- We need to ensure we describe the importance and impact of the key relationships between our IT services, the business, and our customers, and do so in a way that enables business executives to understand them well enough to feel comfortable. Getting the message to sink in is not always easy, but complaining about it after the fact without doing something about it won’t help.
- We need to test for comprehension to make sure we’re coming across the way we think we are. I don’t mean a pedantic sort of quizzing, but getting the executives to engage in a conversation about the topic in a safe environment (with us) can help. We don’t want to find out they didn’t understand what we mean after they’ve already tried to deliver the message to another, perhaps hostile, audience.
As non-IT executives:
- Don’t make it seem as though you understand if you don’t get it yet. The concepts are important for you to understand and you shouldn’t feel shy about pushing your techies to explain (and re-explain) things in terms you can follow. Often, this means comparing it to something in the physical world, since the concepts are similar in the logical world even if the terms are different. If you understand supply chains, ask them to explain things in terms of how supply chains work. If you understand financial controls and business risk, ask them to help relate the concepts in terms of controls, risks, and mitigation strategies. A diagram may help, as well.
- If you have to explain the concepts to someone else, such as your board or your audit committee, enlist your IT executive to help you practice the terminology and explanations until you feel like you have it down.
Create understanding to drive investment and value
My CEO often paraphrases Warren Buffett by saying, “A business person invests in that which a business person understands.”
Investing in our IT initiatives (security or otherwise) is no exception – and both the IT executives and the business executives have a lot to lose if they don’t create a common understanding of what’s important for the organization’s success and the critical role IT plays in that success.