One of the most important roles that IT has had over the years is enforcing certain controls.  This may be in the area of technology standards, budget, and most recently of increasing importance, security. There is no reason to believe that the need to control these areas is going to slacken in the coming years.  In most organizations it falls to the CIO and their staff to provide this control.  This is a serious responsibility and the consequences of getting wrong can be catastrophic.

But there are also consequences to getting it right!

Consider the image that being the “cop” creates.  No one likes the person who is watching them and looking over their shoulder.  No matter how well intentioned, the ‘cop’ role creates a distance between the enforcer and the rest of the organization.  This runs directly counter to another major goal of the CIO – that of being a collaborator with the rest of the organization.

How can you be the cop and the collaborator and be successful at both?

It is unlikely that any one individual can be the face of both roles.  So give each role a different leading figure.  This is where the Information Security Officer comes in.  (Often called the Chief Information Security Officer – CISO – but I question if the term “chief” is warranted here so I will stick to ISO.). The ISO should report to the CIO which means that the CIO retains executive responsibility for security.  But the ISO should be a well-known figure in the organization.  At the best, they will be consulted before any efforts are implemented to ensure that security is appropriately considered.  At worst, they have to investigate and find those guilty of security breaches.  Regardless, they must be able to take a hard line and refuse to allow security, and the organization’s integrity, to be compromised.  An effective ISO can do this without drawing the CIO into day-to-day situations.  This leaves the CIO free to be the collaborator even when the cop is ‘busting’ somebody.
The same can be done with the other areas of control.  For budget, it can be someone from Finance rather than IT who plays the cop.  For standards, a Lead Architect.  At no time does the CIO wash their hands of the responsibility.  But it takes a team to make it all work.