Cha-Ching: How Compliance Can Generate Revenue
CIOs have a unique vantage point over their organization. From where they sit, they see efficiencies, pain points, and potential weaknesses across all departments. This level of visibility is invaluable in today’s intricate, technology-driven, and information-rich business landscape.
Traditionally, the CIO role was to focus strictly on aligning technologies with an organization’s business objectives. However, as technologies became more sophisticated and the business landscape more complex, so too did the CIO’s role. Today, the best CIOs are innovators. They no longer simply fit technologies into a predefined mold; they orchestrate solutions in a way that changes how their organization plays the game. Even so, the value in what they do isn’t always obvious, especially as it relates to compliance.
Compliance efforts are commonly viewed as expenses or “risk securities.” It is true that compliance requires a budget to mitigate information security breaches, and a breach can damage your company’s reputation, incite legal exposure, and cost your company in fines and penalties — none of which add to the health of your bottom line. But compliance efforts actually provide more value than just security alone — they generate revenue and boost efficiency. Let’s take a look at two of the key responsibilities a CIO performs as part of an information risk assessment.
1. Data Mapping
Data mapping helps CIOs keep track of sensitive information. A data map provides a comprehensive inventory of an organization’s entire IT system, acts as a repository for data and information linked to business units, data stewards, and custodians, and illustrates the flow of information as it travels through the network. If your organization ever goes into litigation, its data map may be a pivotal (and cost-saving) piece of information.
2. Information Governance (IG) Structure
Information governance structures are the processes, procedures, and policies that control how information is used at an enterprise level. It’s a complex, hybrid discipline that involves records management, information security, risk management, legal and e-discovery issues, information technology, big data analytics, privacy, etc. The list goes on. What a well-constructed information governance structure will do is illustrate that IT is properly aligned with business goals and creating value for the organization at large.
Collectively, data mapping and information governance structures provide a high-level understanding of what data exists, where it lives in the network, how it’s used, and what safeguards are currently in place to protect it. Armed with this knowledge, companies can make educated decisions about security measures and reduce their risk of falling victim to an information breach (whether by a hacker, a competitor, or a state-sponsored cybercriminal).
But look beyond the traditional purpose of these activities and you’ll notice they do more than protect organizations from breaches and preserve reputation (which in turn attracts business). Information governance structures are usually designed to include members from many departments, including IT, executive leadership, marketing, and HR. They encourage departments to share information with one another that they might not typically share, and in doing so they bolster collaboration, which ultimately leads to higher productivity.
The visibility that data mapping and information governance structures provide also makes it easier for organizations to identify opportunities. Decision makers can no longer go on a whim and shoot from the hip. Every decision they make on behalf of the company must be well reasoned, and this degree of consideration requires accurate data. The compliance efforts put in place by CIOs provide the insight necessary to drive better, more cost-effective decisions about security measures and technologies. Considering that the average IT department in 2013 spent about 5.2 percent of revenue, and another 5 percent of revenue is expected to be spent on IT security this year — information that helps drive these decisions is very valuable.
About RYAN BUCKNER
Ryan Buckner is a Principal and Chief Knowledge Officer at Schellman. Ryan currently serves on Schellman’s attestation leadership team and leads the firm-wide research and development for attestation methodology. Ryan is a CIPP, CISSP, CISA, ISO 27001 Lead auditor, and maintains multiple CPA licenses, among other certifications. Ryan is also an AICPA-approved and nationally listed Peer Review Specialist for SOC examinations. Having directly performed and completed over 1,000 service audits, Ryan is one of the most experienced service auditors in the world.