Data Security. There, I said it. It sort of lies there like a big lump of coal, and everyone in the company stands around looking at it, wondering whose responsibility it is to do something about it. Nobody, including CIOs, really wants to touch it, for one very simple reason: it's a losing proposition.
How To Make Friends With Your CFO
Data security, despite being big, heavy, and ugly, always seems to end up in the CIO's lap. Since you really can't do anything to prevent this, it sure looks like a great opportunity to try to turn a liability into an asset. Ericka Chickowski over at Baseline magazine has taken a look at this issue and come up with some interesting ways to help CIOs work more closely with CFOs. It all starts with compliance. Now, compliance is just about as exciting as security; however, firms are willing to spend the big bucks on making sure that they are compliant because they know that there are potentially some big financial penalties if they aren't. It is the clever CIO who sits down with his or her CFO and explains that the company's data security program can be thought of as an extension of its compliance program. What this means is that you don't really need a separate program, and your costs should be much lower. What CFO wouldn't be interested in hearing that?
Get Your Priorities In Order
One of the things that the CIO can learn from the compliance side of the house is that a critical first step is to prioritize the company data that you are going to be protecting. All data is not created equal! What's interesting here is that the importance of any single piece of information is based on two things: its value to the company and its role in keeping the company compliant. If your firm were a hospital, then clearly an electronic patient record would fall into the "top priority" bucket.
Act On Your Priorities – Not Necessarily Your Compliance
The level of protection that the IT department needs to surround a given piece of information with will depend on the result of this prioritization. I hope that you realize that this is just a fancy way of saying that there is some company data that you DON'T have to protect (or at least not very much). Just about now you'd expect me to say that you should always go all out to protect ALL of your company data that is involved in a compliance program. But I'm not going to do that. Chickowski points out that not all regulations are created equal. In fact, some have fairly weak "teeth". These are all things that the CIO and the CFO need to understand as they create a data protection plan / compliance program for the company. Spend those limited budget bucks to make sure that the important data is secure, and then do what you can for the rest.
Final Thoughts
Within the company, the CFO ALWAYS wields more power than the CIO; money talks. Folding a company's data security program into its compliance program is a great way for a CIO to work closely with the CFO and end up saving the firm money (always a good thing) while ensuring both that it is compliant and that its data is secure. In addition to giving a CIO a reason to talk to the CFO that doesn't involve begging for more money, an agreement about securing the company's data can free CIOs to apply IT to enable the rest of the company to grow quicker, move faster, and do more.
Questions For You
Does your company have separate compliance and data security programs? Does your CIO talk with the CFO about how best to secure the firm’s data? Do you prioritize your data or is it all treated as being at the same level of importance? Leave me a comment and let me know what you are thinking. Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
What We’ll Be Talking About Next Time
The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task, a CIO needs to take steps to ensure that nothing happens that would get in the way of this. This side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that nothing bad happens to a firm's IT systems?