"I've been in places where risk compliance does fall on IT's shoulders," says Michael Statmore, CIO at Post University in Waterbury, Conn., which has 800 on-campus and 16,000 online students. "We have a culture that does understand that we share the risk. It's grown over time, and it's been a concerted effort on my team's part to stress that and really appeal to their common sense."
Statmore uses that shared responsibility to enforce decisions when necessary. "If someone wants to do something and we tell them it might be insecure, they may still want to do it," he says. "But if I ask them, 'Are you prepared to sign your name on the dotted line next to mine for the risk?' then 99 times out of 100, they say, 'No, I am not.'"
7. Go Beyond 'No'
It's easy for busy CIOs and executives under pressure to perform to stand firm in their opposing views over a disputed piece of technology. It's important to avoid giving in to this temptation, and the best approach is to find alternative solutions that solve the business problem without creating a security risk.
At Kendra Scott Jewelry, a jewelry maker with about 200 employees that operates stores in Scottsdale, Ariz., Newport Beach, Calif., and Baton Rouge, principal technology consultant Nathan Toups faced a dilemma when the finance department asked him to block Spotify because its bandwidth use was hampering transmission speeds. But the music service turned out to be highly valued by many Kendra Scott employees. So Toups came up with a solution: He installed a high-speed connection completely separate from the financial system and asked employees to use the new connection for such services as Spotify. The move solved several problems at once, since the company's Web and marketing teams had also been clamoring for additional bandwidth.
Taking a problem-solving approach keeps everyone engaged and talking. When faced with a request from a business team, your initial answer might be no, but you can follow that with "if that's what you want to do, what can we do to make that happen?" Statmore says. "And then we figure it out. It comes from their confidence that the conversation's not going to stop there."
Having that confidence in place is a key to success, says Bart Murphy, CIO at CareWorks, a workers' compensation plan management company in Dublin, Ohio. Murphy has insourced many of CareWorks' formerly outsourced functions and gained a lot of trust from his business colleagues in the process. "We've done a lot from a delivery perspective to get that seat at the table and not be missed on an email or meeting — or honestly, be purposely bypassed because getting IT involved is going to slow down the process," he says. "We move extremely fast. We're fairly responsive, and the business runs IT. If there's a need, the need has to be met."