Post 11 – The CIO Pleads His Case




The CIO requested a meeting with the CEO in the afternoon. The CEO’s assistant snuck a meeting in towards the end of the day.


The CIO came in, sat down, and showed the CEO a list of potential fixes and projects for the security breach. Many of these had been found after being ignored. He leaned forward and said,


“I know it is a tough time to spend, but with a few added applications, an update to the internal network, and an additional talented person we can upgrade our security dramatically. Then, we’ll need more people resources to perform more surveillance, monitoring, and protection tasks.”


The CEO sighed deeply.

“So you’re asking for more money at a time when we are hemorrhaging cash. So, no. There is no way we’re going to sink lots of cash into this. You just took out the Director of Security and reassigned two leads.”


The CIO saw where this was going.

“We are executing on our plans. What I’ve just described delivers fixes and keeps this from happening again. Even if we change priorities, this requires future increases in spend just to go back to what we are already committed to delivering.”


Without committing, the CEO went on to say,

“The general counsel tells me our security record keeping does not meet regulatory scrutiny. That discussion is going to cost us a lot of money by itself. You said you need more money for the future. Can you explain how we’re not meeting guidelines?”


“Oh. You mean the recommendations that aren’t regulations, just vague ‘guidelines’ that don’t translate to any specific level of actions?”


“It may not seem fair, but it’s your responsibility for the hospital.”


The CIO fidgeted and looked down at his hands.

“I’m going to bring in an ace security architect, someone with both technical and regulatory reporting experience. More tools would be good too. The plan is to repair our deficiencies and to move up to the next level of cybersecurity protection.”


The CEO gave the CIO a steady gaze.

“You need to bring recommendations and alternatives for spending, priorities, and impacts on existing commitments from IT. Get with the CFO and bring back more than just a plan to spend a lot of cash. We need to execute a workable plan ASAP. I think that getting a new talented person inside will be a part of any plan.”


“A lot of good things will happen if you can get that person inside by executing the search quickly. I need to see progress within the next two weeks. The hospital’s credibility needs progress in that time window. The credibility of IT will be severely damaged if a clear path going forward doesn’t get buy-in from other departments. The plan alternatives are mandatory but focus on the search. Let’s get together for a one-on-one every week so I know what’s going on before the next Board meeting.”


The CIO could see where this was going. “Not much money” meant not getting deliverables done credibly. “No credibility” meant no job. No breach plan fixes meant getting stuck with the blame.


The search would be tough under any circumstances, but the message from the CEO suggested it was also going to have a lot of constraints on it.


Next up – Starting a tough search

© 2021 EkaLore, LLC All Rights Reserved
