Without question, every business depends on the successful operation of its IT systems and infrastructure. As networks and systems have become embedded in business processes, the role of the CIO has changed substantially: it began as protecting the IT investment and ensuring the company could fully harness new and available technologies, and it has grown well beyond that.
The CIO's responsibility extended as the organisation's dependence on IT systems grew. The infrastructure itself became an issue once users had to share networks, systems, storage devices and, most importantly, business information. The emphasis therefore shifted to ensuring that the systems served the business whenever it was operating. In today's global economy that means systems must be fully operational 24 hours a day, so a secure and trusted infrastructure, supporting multiple sites and meeting the technical requirements of policies such as disaster recovery, has become a prerequisite. In the process, the IT department has acquired clear lines of responsibility towards the business units for which the IT services are provided.
Impact of regulations and compliance
The volume of business information held within the computer infrastructure has exploded over the last few years and is still forecast to grow at 60+ percent per annum. Boards of Directors are coming under greater scrutiny over how they manage their businesses, how they protect the interests of investors and shareholders and how they set their operational policies. Governance, in its many facets, is a key concern, whether it relates to the activities of the Board or to how the line managers and employees of an organisation function.
To this end, industry regulators and government bodies are establishing laws and regulations that recognise that computer-held information must be diligently managed. Examples include the Companies Bill, the Freedom of Information Act and the Data Protection Act. In addition, to demonstrate that data is securely stored and managed in digital form, there are standards and codes of practice such as:
- MoReq, the Model Requirements for the Management of Electronic Records, a European Commission specification
- ISO 15489, developed to standardise international best practice in records management, and
- BIP 0008 (formerly PD 0008), a code of practice for the legal admissibility and evidential weight of information stored electronically.
Controlling access to systems and information is a related issue. Access control, together with a record of who accessed or changed what and when, must be an integral element of the system infrastructure if the information it holds is to stand up to legal scrutiny.
Manager of the information assets
The outcome of this is that the CIO's role is extending to managing the information assets of the organisation. The policies and practices deployed must therefore be defined at the infrastructure level, not only for individual applications or processes. They include setting the data retention policies: how long information is kept, how it is secured and how quickly it can be retrieved.
Recent Macarthur Stroud International research tells us that the CIO and his or her staff are always involved with the business units in setting data retention policies. To be compliant, these processes must be documented and clearly understood by the business. This is reflected in quotes such as:
“If we are not compliant, it is damaging with regard to image, prestige and credibility of the company.”
“We are in the process of redefining our storage data requirements with regard to technical and legal aspects.”
Just as the CIO's role evolved to ensure that the system infrastructure is secure, trusted and available as required, the remit will evolve again to encompass all aspects of information governance, ensuring that all the information relating to the business is secure, protected, trusted and available as required.