By Dr. Mansur Hasib, CISSP, PMP, CPHIMS
I just heard another story today of a Chief Information Security Officer (CISO) who was fired for pointing out to his CEO that their business processes for handling protected health information were wrong. The organization was transporting protected health information via US Mail on CDs – with no encryption! He pointed out that the laws had changed and if their practices were discovered by regulators, they could face serious consequences. So the CISO got fired! This is not an isolated incident. CIOs and CISOs are being fired for exercising due diligence all over – even though they never had the empowerment to do the right thing. My question is, when will the real people responsible for the mess be fired? Why are we firing the very people who can and want to fix the problems?
It appears to me that top level executives are more interested in covering up the issues and blaming other people rather than accepting their accountability, admitting their culpability and then taking sincere steps to fix the issues. And the very people who are trying to do the right thing are being fired. This is simply crazy! We can never fix an issue unless we are willing to admit culpability. I am not calling for the firing of executives who admit errors and then take concrete steps to fix the issue. People do make mistakes and true leaders learn from mistakes, admit the errors, learn from them and then work hard to fix the problem. Executives who are more focused on blaming someone else will never be able to fix the issue. These executives do not belong in the roles we have entrusted them with.
I think that the era of finance-minded CEOs is over – we need a new era – an era of technology strategists who are ethical leaders, willing to do the right thing, and are willing to use the right technology and cybersecurity strategy to power their organizations forward. Moving a company forward today is not about finance – it is about technology and cybersecurity strategy because without technology no organization can thrive in the modern era. Technology can reduce costs, increase productivity and efficiency, increase collaboration and teamwork, and dramatically increase innovation. This is why I think strategic minded CIOs of the world need to seek CEO positions.
At the same time, strategic CISOs of the world should seek to become modern CIOs. CIOs who do not understand the importance of cybersecurity or do not have the skills to implement a cybersecurity strategy need to move aside. These CIOs who are mostly interested in perennial technology refresh cycles without a clear technology strategy which drives the mission of the organization have justifiably earned the title of “money pits”. CIOs who are simply interested in “keeping things running” are not real CIOs either. CIOs who report to Chief Financial Officers or other officers are not CIOs! So let’s stop calling them CIOs. They are tainting the CIO job title and profession. Real CIOs only report to CEOs and are fully empowered to implement the right technology and cybersecurity strategy for an organization.
I do admit my own temerity in being polite about this issue in the past. But when Canadian journalist Mark David and community manager Hibah Ahmed asked me recently what was the most dangerous cybersecurity threat organizations face today, I could think of only one answer – the organization chart. Ineffective CEOs have already breached the confidential information of about one-third of the US population – including mine. The problem is likely to be even bigger since many organizations are probably hiding the truth. So finally I decided to let loose in my recent article in Enterprise Tech – which appears to have resonated with a lot of people. At several recent conferences, I was hugged and congratulated by my peers who thanked me for having the courage to write the piece. They all pointed out that if they raised the issue too strongly in their own organizations – they would be fired!!
Some wondered if I was committing career suicide – they were afraid I might never again be hired as a CIO. I told them, after 12 years as a CIO – and with the scars of reporting to a CFO early in my career, I was more interested in being a CEO than a CIO again. I had already experienced the frustrations of not being able to implement the right strategy because the wrong people were in charge of the organization – and yet made twice the money I did. I had also decided long ago that I will never again work for a Chief Financial Officer or a CEO who does not believe that technology and cybersecurity strategy is the key driver of the modern organization. So the CEOs who will be offended by my remarks are not the right CEOs for their companies anyway – and we would never see eye to eye.
The right CEOs would not only embrace what I have to say, they will also do the right thing by implementing my ideas. They will not only protect the information their clients and customers have entrusted them with, they will also drive long-term profitability and innovation in their organizations by engaging all the workers in their organization through ethical leadership. They will not wait for the law or regulators to catch up with them to do the right thing. Leadership is a state of mind – not a position!
About the Author
Dr. Mansur Hasib is the only cybersecurity and health information technology professional in the world with 12 years' experience as Chief Information Officer, a Doctor of Science in Cybersecurity, and the prestigious CISSP, PMP, and CPHIMS certifications. A global thought leader, Dr. Hasib has led technology and cybersecurity strategy for almost 30 years in healthcare, education, biotechnology, and energy. He is a frequent speaker at local, national, and international conferences. He currently teaches and mentors the next generation of organizational executives at several US universities. Contact Dr. Hasib via his website: www.cybersecurityleadership.com or follow him on LinkedIn and Twitter @mhasib