Does CIO Stand for 'Compliance Information Officer'?

By David Haskin


Like most technology executives, Zeke Zoccoli acknowledges his job is much different now than it was in the good old days of, say, the late '90s.

"In the 90s, I mostly worried about putting in large strategic systems," said Zoccoli, CIO of LifeCare Management Services, which operates a chain of acute care hospitals. "We were the change agent for the company, so there was a tremendous amount of innovation and fewer controls."

Now, however, CIOs like Zoccoli are spending an ever-increasing amount of time dealing with regulations such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB), which all have provisions dealing with the privacy, security, integrity and accountability of financial, health and other business records and information.

"More and more these days I'm called in almost as a consultant about whether our electronic information is SOX- or HIPAA-compliant," Zoccoli said. "Not a day goes by when that doesn't happen, so I feel a lot more like a compliance guy and less like an innovator."

And this, most CIOs agree, isn't likely to change, given the current political and world situation.

"That's the climate we're in right now," said Mike McClaskey, CIO of Perot Systems. "Complaining would be like standing on a ship in the ocean and complaining about the waves that are coming in. The reality, though, is that this isn't just a one-year phenomenon."

Different Skills

All this emphasis on regulatory compliance has also had the unintended consequence of changing the types of people becoming CIOs.

"You don't see very many people who ran data centers becoming CIOs any more," McClaskey said. "You also have to have run a business unit. The idea that we are all dyed-in-the-wool 'techies' isn't the case any more."

More specifically, a strong financial background is required because so many of the regulations, most notably SOX, require a solid knowledge of financial records.

"I'm an MBA and a CPA, so I know the issues cold, stuff like all the internal audit controls," said Jim Harding, CIO of Henry Schein, a distributor of health care services. "But if you don't have that foundation, Sarbanes-Oxley could be a scary thing."

Keeping Up

Because of the change in the CIO's job, additional training, both formal and informal, is increasingly necessary. Zoccoli, for example, takes three approaches to keeping up with the regulations.

"Software vendors love to sell to CIOs, so I called the major vendors and said I had this (compliance) issue," he said. "That led to full-day meetings where their pitch was that they could cover the whole thing. But it's also a free training course and, by the end of the day, you know all the major issues the software vendors are solving."

Second, Zoccoli said he attended a number of conferences about the various regulations. "Just listening to the experts speak was an education."

Finally, he scans the Internet for as much information as he can find.

"One challenge has been to bring middle level IT managers and directors up to speed," said Harding. "Their background is 100% technical. They're smart people, but we've had to put them through training and education about, say, what a key control is, how you test a key control and how it fits with business process flows."

The Benefits

While the emphasis on compliance has meant less time spent deploying whiz-bang technical projects, the focus on regulatory compliance has many benefits.

"For us, this became an opportunity to work much more closely with the CFO and his staff and become part of their team," said Perot Systems' McClaskey. "The result has been a better trust relationship because we're helping them through a difficult period and they see first-hand the value our team can bring. So, perhaps, the next time we want to take a big project forward, they'll understand that we understand the business and we're not just techies looking for a new toy."

In addition, much of the security, reporting and accountability provisions of the federal regulations are simply good business practices that may not have gotten done without the regulations.

"Without Sarbanes-Oxley, if I told the executive committee that we needed to do that stuff, I wouldn't have gotten the time of day," Harding said. "It's a feeling of comfort to have these systems so well documented."
