When you hire or promote, do you think that person needs actual front line experience in the area they may now be assuming a leadership role in? I ask that question in the wake of the departure (firing/resignation?) of Target Corporation's Chief Information Officer, Beth Jacob. Despite having no previous IT experience, Jacob was named the top IT person at the $72 billion company in 2008, and was in charge when they fell victim to a massive data breach compromising millions of customer credit and debit card accounts.
Getting rid of the CIO doesn't get rid of the problem though. The company recently reported its fourth-quarter profit fell 46% after a significant revenue decline following the hacker attack.
Target believes the hackers came in via a vendor, possibly an HVAC contracting company that does work for them. One cyber security expert said simply that Target chose to allow a third party access to its network, but failed to properly secure that access, and that it wasn't anything particularly sophisticated or fancy.
Could a more tech-savvy CIO have spotted Target's vulnerability?
Is this the type of vulnerability a more tech-savvy CIO would have easily detected? Consider that Jacob joined Target’s department store division (Dayton’s) as an assistant buyer, and returned to Target in 2002 as director of guest contact centers. In 2006, she was promoted to vice president, guest operations. She was promoted to the CIO position in 2008.
One of the things Target is deciding to do differently this time around is look outside the company for a chief information security officer and a chief compliance officer. Before the overhaul, information security functions were split among a variety of executives, too many some say, and the new chief information security officer will centralize those responsibilities, according to the company.
Do bigger - and bolder - steps need to be taken though, and not just by Target, but by every company operating in this fast-evolving digital environment?
"The digital era calls for a major paradigm shift among business owners in terms of how they secure, harmonize, and leverage vital proprietary information."
Gopal Khanna, Principal at The Khanna Group, Senior Fellow at the Technological Leadership Institute at the University of Minnesota, and the first CIO for the state of Minnesota, says the digital era calls for a major paradigm shift among business owners in terms of how they secure, harmonize, and leverage vital proprietary information residing on their respective IT platforms.
"Securing commercial assets is not a new business undertaking," said Khanna, a long-time professional acquaintance and personal friend. "However, with the commercialization and unlimited access of the open Internet, the invisible cyber space facilitated the spread of information and transactions within organizations, and externally without any of the previous boundaries. The new 'Digital Global Public Square' as I call it is vast and open, and presents new opportunities, as well as new challenges. This lawless frontier has rendered all organizations susceptible to crippling consequences."
Crippling consequences indeed, such as 40 million payment card accounts hacked, and millions more having their addresses, phone numbers and other information compromised.
So as cyber crime becomes more commonplace, do we need uncommon IT talent sitting in the CIO chair?
Chris Curran wrote a post in the CIO Dashboard asking that question; if a CIO can be successful without IT experience (that's his table below).
"On the list of desired attributes in a CIO is a hands-on technology background, and experience in running successful IT infrastructure operations."
Among his list of desired attributes in a CIO is hands-on technology background, and experience in running successful IT infrastructure operations, both of which the recently deposed Target CIO lacked.
What though of the football coach who never played the game, or the sales manager who never pounded the pavement or worked the phones? We all know instances where they found success without front line experience.
Can't it be the same with IT? Or is it different? Do you need strategic leadership skills, PLUS the ability to "speak IT" with your team, and translate that across other teams in commonly used technical terms they can understand? Do you need to be both?
Are there too many blind spots for the non-IT CIO in terms of hardware infrastructure and operations, systems management, development and governance?
Dr. John Sviokla is a principal and US Advisory Innovation Leader with PwC and is also a former professor at Harvard Business School in marketing, MIS, and decision sciences. He made this comment on Curran's blog post:
"What makes this complicated is the fact that IT is the only department that is both staff and line. Finance is staff only. Sales is line only. But, the leader of IT is both a staff person (support) and often a line person (e.g. runs the bit factory). It is because of this unique role that he or she needs dual experience. It is not important to have a CFO with line experience, but it is essential for a CIO."
Interesting to think about anyway. Here are Curran's elements that each type of person would bring to a CIO position:
|Function||CIO with Business Experience Only||CIO with IT Experience|
|Strategic Use of IT||Business context, market needs, customers, partners||What’s possible with technology|
|Business Alignment||Business measurements, objectives, motivations||How to link business needs with technology|
|Planning||Business cycles, prioritization of business capabilities, budgeting||Dependency management, resources, knowledge of what is realistic, systems architecture|
|Execution||End user perspective, business trade-offs, training needs||Program and project management, cost-schedule-scope tradeoffs,|
|Operations & Management||End user perspective||Vendor management, technology components, IT team building|