Is the CIO Just an IT Manager?

Author: Luigi Sbriz, CISM, CRISC, CDPSE, ISO/IEC 27001:2022 LA, ITIL V4, NIST CSF, UNI 11697:2017 DPO
Date Published: 7 November 2023

In an organization, the chief information officer (CIO) is often identified in different ways. From the perspective of general staff, the CIO is seen as the main IT manager. For top management, the CIO is a technical figure who must align technology costs with the economic forecasts of the business. For IT department staff, the CIO is responsible for evaluating their professional performance. None of these perspectives is wrong. However, the CIO should aspire to a different and more valuable role for the organization and for themselves.

The methods of processing information in an organization have changed over time, and they continue to adapt based on technological evolution, with the consequent need to adopt new organizational models. Likewise, the roles of organizational positions must adapt to these changes. Previously, having technically well-trained personnel represented the best choice for organizing the IT department; today, new skills are equally required, such as knowing how to work in a group, work in cross-functional teams, communicate effectively, assume one's responsibilities, and understand organizational policies and the consequences of noncompliance. In this context, the role of the CIO also needs to be reviewed.

Technological evolution and new market services require the CIO to choose the right balance between IT activities carried out internally and those outsourced, and to identify which controls to apply to effectively protect the organization. For the organization, it means adapting operating processes to seize the best opportunities, activating training plans, and, above all, knowing how to face the risk emerging from technological change. The CIO must have the ability to evaluate scenarios from different perspectives and make decisions to maximize business value while containing risk. Therefore, the CIO needs to have skills that go beyond pure technological knowledge. Technological knowledge is necessary to understand the context of issues, but it must be complemented by a thorough understanding of the business objectives, strong communication skills and knowledge of risk management techniques, security techniques and the laws and regulations applicable to the organization.

Of course, CIOs do not act alone. They provide executive guidelines to the IT process, supervise its implementation and participate in strategic business decisions. In practice, the CIO governs the means for processing information, with full awareness of the value for the business of the information processed. CIOs may have to acquire new skills, but doing so will lead to a CIO who provides greater value to the organization. Technological evolution must be followed by the evolution of the role of the CIO.

Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “Extended Accountability of the CIO,” ISACA Journal, volume 5, 2023.
