Jacobs had been on the job about six years, putting her right at the average CIO tenure according to CIO magazine's 2014 State of the CIO survey. That's a fact worth noting because behind it lies a darker truth: Most CIOs assume they're always one big tech failure away from losing their jobs. "I don't know if she did a good job or not, but she got fired," Heiser says. "In practice, if something breaks, they'll go looking for a scapegoat." Because CIOs face that reality, he adds, it's easy to see why most of them are motivated to make "extremely conservative decisions."
"We have encrypted our systems and we audit stuff regularly," one CIO confides. "We've done our absolute best to make sure there is never a breach. Still, just like the Target CIO, if I stay here long enough, there will be a situation that I get blamed for."
2. Stop Asking the Wrong Questions
"I get a lot of questions from Gartner clients who want a definitive read as to whether some cloud system is 'secure' or not," Heiser says. "It's the wrong answer and the wrong question."
To begin with, there's no such thing as a perfectly secure system. "Inevitably, something will go wrong because you're a goalie and sometimes people will score," says Matt Powell, CIO at Kirshenbaum Bond Senecal + Partners, an advertising agency headquartered in New York. "What we do instead is talk about relative risk." Powell says he has read that the National Security Agency's standing posture is that all its systems have been compromised 100% of the time. If a government agency with legendary technical proficiency makes that assumption, he suggests, everyone else should too. Once you adopt that mindset, he says, "it's a matter of how much is at risk, and for how long."
Unfortunately, Heiser says, "there's no way to conceptualize risk." Even though many organizations, including Gartner, have tried to put a finger on risk profiles and scenarios, "there's no good way to quantify that," he says. "If you could tell the business there's a 5% chance in any year that your competitor could gain access to your data through this service and that was backed up by statistics, you could base a decision around that, but it's still going to be an emotional decision."
3. Start Weighing Risk vs. Reward
There's no reasonable way to make a good decision if all you're looking at are the bad things that can happen if a new system leads to a data breach or malfunction. A wise approach to IT management requires weighing that increased risk against the business benefits of adopting a new technology, as well as the business risk of not adopting it and losing an opportunity or a competitive edge.
Sign up for CIO Asia eNewsletters.