Should there be a financial penalty for ignoring IT?
When enterprise IT leaders get ignored, it’s a risk-free event for everyone else. Do line-of-business chiefs get punished if they ignore IT instructions and a predicted massive data leak happens? No.
Let’s reframe this. Assume a fire department inspector tells an apartment building owner to fix a list of 11 things or people will potentially die in a fire. The building owner ignores the order. Two months later, a fire breaks out and a half-dozen people die. That building owner will likely be obliterated in a civil courtroom and might even face criminal charges. That’s the only reason they make those repairs.
That scenario is what needs to happen when IT instructions are ignored.
The IT department — along, perhaps, with the CISO’s office — is alone among enterprise departments in terms of being ignored with no risk. If the head of manufacturing is told not to make a purchase by the CFO and the manufacturing head makes the purchase anyway, what do you think will happen?
Nobody ignores the CFO.
What if the corporate general counsel emails the head of marketing and declares that a proposed ad campaign is legally dangerous and should not be launched? If the marketing exec does so anyway — and the company ends up getting successfully sued — what do you think will happen to that headstrong marketing chief?
What if the head of investor relations tells the sales chief that a proposed flier will infuriate the US Securities and Exchange Commission and can’t be used?
And yet, if IT directors deliver an instruction that something is far too dangerous, few people worry about ignoring them.
How about something more interesting? What if the IT Director tells the CFO that certain systems need to be immediately upgraded or else sensitive healthcare data could leak and cause all manner of expensive headaches? If the CFO rejects the request — which the CFO is fully empowered to do — who gets the blame when something goes wrong?
Let’s get some skin in the game. But first, let’s be honest about what’s really going on. Most enterprise CEOs pay lip service to the need to protect data, deal with compliance, respect customer and employee privacy and lots of other niceties.
But whenever there is any decision that involves boosting revenue, market share or profits — and someone paints the IT position as undermining that money goal — the dollars argument will win every time.
Wall Street is not helping. A company with a data loss is met with a wagging finger and a not-so-stern voice saying “Now, now. You know that was a naughty way to handle customer data. Don’t do it again or I might have to send a sternly worded letter. Maybe.”
CEOs who want to actually have your people protect data should try this:
“To all employees, this company takes data protection very seriously. It has a material impact on our operations. The CIO and IT Director are in charge of those policies. If one of them comes to your business unit and gives you an instruction, take it as seriously as you would instructions from any other C-level, including myself. As of this date, know this: If you disregard or otherwise violate any IT instruction, you better pray that they are wrong. Because if they tell you that you are risking a major data disaster if you don’t do what they say — and you disregard that and what they predicted actually happens — it will be the heads of your group that will feel the financial pain. Bonuses, head count and everything else will be subject to financial penalties. Do what they say. That way, if something bad happens, you are off the hook. But if you disregard their messages, you now have skin in the game.”
That one memo — assuming it is serious and will be backed up by the threatened actions — will likely do more to truly protect your data than almost any other single act.
The second thing a CEO or top-level IT decision-maker should do is tell the world what you have done. Signal to investors, regulators, potential customers and your competitors that you are now taking data safety seriously.
In today’s environments, where privacy nightmares and data leaks are rampant and getting worse, you might be surprised to see revenue and market share gains. Treated properly, IT might not be the cost center you think it is.