Peter Cochrane: Security needs a seat on the board
On the continuing communication gulf between IT and management, and its root causes
Imagine attending a main board meeting of a major company, only to discover the CFO had no basic understanding of finance or economics. It would be untenable and alarming! And yet, it is not unheard of for a CTO to be lacking in any deep technology appreciation. In extreme cases, they may only have an MBA and scant knowledge or technical education with no hands-on practical experience - i.e. they never designed or built anything!
Paradoxically, we might argue that major technology judgement errors pose a far greater risk to a company than any financial error. Almost weekly, we hear of major companies suffering cyberattacks and failures that put customers at risk, shake market confidence and damage reputations.
In the extreme, companies can fold, or become so disadvantaged they cannot recover their former position in the market. And yet, it is not uncommon to see the CTO, and certainly the Chief Security Officer (CSO), relegated to guest appearances at board meetings to give briefings and present cases for modernisation investments and increased cybersecurity spend.
Alarmingly, board members are unlikely to understand anything of technology, and indeed, cyberthreats and cybersecurity will appear as a mystery. Coincidentally, the CTO/CSO may suffer a fundamental inability to descend to the necessary simplicity of "board speak".
And so, this perverted communication channel will see very little understanding conveyed.
The inherent risk to the company is further amplified by a refusal to provide the necessary funding and resources. Given the scale and growing capabilities of cyberattackers, and the publicity they attract, it seems incredible that the CTO/CSO seldom enjoy a seat on the main board.
Arrogance and ignorance
How did we get here? It appears we can thank a worrying mix of arrogance and ignorance, supported by a detachment of academic achievement from practical experience, leading to bold assumptions that an MBA confers a capability to manage any form of business, irrespective of background and inherent knowledge.
Having presented guest lectures at business schools worldwide, and attended countless business conferences, I have witnessed numerous briefings by technologists and engineers, observed audience reaction and level of interest, and I can't believe that so many company boards appear devoid of any relevant IT/product education and support.
Conversely, engineers are often subject to business lectures during their graduate and postgraduate years. In my case, fundamental economic theory and practice was a part of the engineering curriculum.
What never seems to be addressed are the basic communication skills required. But a day at any conference provides outstanding examples of how not to present a briefing at any level: diagrams that are far too complex, acres of incomprehensible text in an unreadable font size, and perverse colour combinations (white-on-yellow, blue-on-purple, etc.). A perfect way to switch an audience off whilst giving them eye strain and a headache!
Even 50 years ago, poor company communication was cited as a major impediment to economic performance. I would posit that since then presentation skills have deteriorated as people have lost the ability to tell a story and descended into a "Death by PowerPoint" mode! And all accelerated by schools and colleges that no longer teach report writing and presentation skills.
Communication at every organisational level must be clear, concise and readily digestible. At the core of this challenge is the technology that makes it all fundamentally complex. But we have never enjoyed such great technology to help us, and it is time for people to become more professional and grasp a wider understanding of the company metabolism.
After all, the net is awash with tutorials, presentations, explanations and examples, and more recently AI. It isn't rocket science, it really isn't!
Peter Cochrane OBE, DSc, University of Hertfordshire