Leadership is not something that just happens. Leadership must be measured, managed, and invested in. After all, how IT leaders are selected, trained, evaluated, and compensated materially impacts the future performance of the enterprise.

So, again, when was the last time you had a substantive conversation about leadership with your direct reports? How frequently do you critically examine whether your IT/digital organization is well led? What set of metrics does your organization employ to evaluate IT/digital leaders?

The IT industry is undergoing a crisis of confidence. This is due in no small part to the erroneous presumption that IT and digital organizations have their leadership game in order. Quality leadership is not something that can be taken for granted. It’s time to turn an analytical eye to the state of leadership in our industry — and here are five key questions IT leaders must ask themselves to truly know whether they are successfully leading IT.

Is your focus on point?

Daniel Barchi, Naval Academy grad and award-winning CIO at CommonSpirit Health, explained to me that there are three areas IT leaders can allocate their time: People, process, and technology. Barchi suggests the optimal allocation for IT leaders is 80% people, 15% process, and 5% technology. Unfortunately, many IT leaders — especially those of the order-taker type — invert that triumvirate, placing the lion’s share of their focus on technology.

Are you and your direct reports allocating enough time to leading people?

Are your people primed for success?

In Good to Great, Jim Collins suggests that decisions about people — who is on the bus — have to precede decisions about objectives — i.e., where the bus is going. Several CIOs have shared with me the anecdote regarding how Apple design icon Jonathan Ive typically responds to the question, “What’s the secret to your design success?” Ive reportedly responded, “We fire the A- people.” The point being that a group of passionate high performers is what is necessary to deliver the sought-for end state.

Talent is a differentiator. Are your IT leaders doing everything it takes to attract, nurture, grow, and retain the kind of talent necessary to succeed?

Are you helping your organization ‘see the future’?

Barbara Cooper was the beloved and now retired CIO at Toyota Motors North America. Having served as an IT leader in five industries, she is one of the top CIO “coaches” in North America. Barbara counseled me that it is not enough just to have a vision of the future. Our industry is too full of [sic] “transformational” CIOs being airlifted into enterprises only to slink away 18 to 24 months later having abjectly failed to create digital value.

Creating IT value requires a team effort. One has to get the organization to internalize and unite behind a collective vision of the future. Barbara jokingly quipped that “as a child of the ’60s” she learned that while you “can’t share the trip” — i.e., one person’s vision is not enough — you can get everyone moving in a common direction. To do this she set her direct reports down one day in the conference room:

“Ok, I want you to think out three years. ’Cuz five is a little much. I want you to pretend that you are driving into the parking lot. You are walking into your office. You are going to go through your day. You are going to have your first meeting of the day. You are talking to somebody in the door. You go and get your coffee. You have a series of hallway conversations. You are thinking about some of the things and the problems you have. I want you to play that out — almost like a storyboard in your head — what is going to be different three years from now?”

These individual visions were shared, consolidated, amplified, and linked to enterprise objectives.

Is that kind of collective vision-making part of your company culture?

Are you emphasizing the value of relationships?

Most of the voluminous academic literature on leadership focuses on the traits/idiosyncrasies of the individual leader and not on their relationships with key associates. As an IT leader, do you have a track record of helping or hindering colleagues in fulfilling their career objectives?

Vince Kellen, a digital force of nature and CIO at University of California San Diego, borrows insights from NHL scouts. He is looking for IT “skaters” who, when they step onto the ice, make the other four teammates better hockey players.

How leaders view themselves and others and how they are viewed by others is a critical causal driver of leadership success or failure. Tony Blair was able to reverse a multi-decade decline in Labour Party electoral success when he realized, “People judge us on their instincts about what they believe our instincts to be. And that man polishing his car was clear: His instincts were to get on in life, and he thought our instincts were to stop him.”

Leadership success requires connectedness to the community. How connected are your IT leaders throughout the ranks?

Are you effective at making a positive impact?

Franklin Pierce, America’s 14th president, is viewed by most historians as being one of the very worst presidents. Every action he took “made things worse,” as was discussed on “The First 15,” Episode 93 of the American POTUS podcast.

Have your actions made things better or worse?


The last thing any CIO wants is to experience catastrophic operational issues during a peak season, but that’s exactly what executives at Southwest Airlines faced last week. While weather may have been the root cause, the 16,000 flights canceled between Dec. 19-28 far exceeded any other airline’s operational impacts.

Experts point to Southwest’s point-to-point operating model as problematic in recovering from major weather issues compared to the hub-and-spoke model used by many major airlines. But Southwest’s technology was also cited by experts and the company’s leadership as contributing to the calamity. “IT and infrastructure from the 1990s,” said Casey A. Murray, president of the Southwest Airlines Pilots Association, and “Southwest has always been a laggard when it comes to technology,” according to Helane Becker, an aviation analyst with Cowen.

Even before the blizzard hit, Southwest Airlines CEO Bob Jordan acknowledged on Nov. 30, “We’re behind. As we’ve grown, we’ve outrun our tools. If you’re in an airport, there’s a lot of paper, just turning an aircraft.”

Surely many more details about this failure will surface over the next several months. CIOs know that tech issues get the trigger finger of blame when businesses experience operational disasters, but we also know there are culture and process issues that can be primary and often untold contributors — both well within the CIO’s purview.

So, I’ll use this opportunity to point out what questions CIOs should be asking about their enterprises based on what we can already discern from last week’s Southwest Airlines IT disaster.  

1. Are you investing enough in digital transformation?

Southwest Airlines recently announced a quarterly dividend that will pay out to shareholders starting Jan. 31 what amounts to $428 million a year. They also received $7 billion in pandemic aid and performed $5.6 billion in stock buybacks between 2017 and 2019.

And how much are they investing in their digital transformation? In 2017, Fast Company wrote that Southwest Airlines’ digital transformation “takes off” with an $800 million technology overhaul, but only $300 million was dedicated to new technology for operations.

The investment seems minuscule given that Southwest Airlines was a $33-$38 billion market capitalization airline in 2017. Its market cap has dropped significantly since then, but considering what’s being spent on buybacks and dividends, shouldn’t they have invested more to accelerate their transformation?

And that’s my question for CIOs: Are you investing enough in digital transformation? Do you have strong relationships with the other top executives and the board to raise the bar if your enterprise lags behind competitors or if legacy systems and technical debt pose a significant operational risk?

While CIOs must recession-proof their digital transformation priorities, underinvesting and slowing down can negatively affect customers, employees, and financial results. And if that doesn’t sway the executive committee, perhaps Southwest’s near 16% drop in stock price over December and the fear of having to respond to a federal investigation will get their attention.

2. What tools and protocols aid communications during a crisis?

According to CEO Jordan, Southwest does not have a quick, automated way to contact crew members who get reassigned. “Someone needs to call them or chase them down in the airport and tell them,” he said.

I’m having a hard time believing that Southwest, let alone any major enterprise, doesn’t have technologies and automated procedures to reach employees to inform them of operational changes. And during a crisis, organizations should have procedures outlined by human resources and supported by multiple technologies to reach employees, ensure their safety, and provide protocols to support operations.

Another key question is whether call centers are staffed and have scalable technologies to support a massive influx of calls and communications that often happen during a crisis. 

While we should all sympathize with customers impacted by a crisis, organization leaders must also consider employees and their well-being. Murray reported that pilots and crew waited hours to speak to staff about reassignments, and hundreds of pilots and crew members slept in airports next to passengers.

3. How quickly can you realign operations during a crisis?

Looking beyond operations, do leaders and managers have collaboration tools, real-time reporting dashboards, and forecasting machine learning models to aid in decision-making? How often do teams schedule tabletop exercises to play out what-if scenarios? Has IT invested or piloted a digital twin to help model operational changes and support decision-making during a crisis?

Southwest, like other airlines, relies on scheduling software to route pilots, crew, planes, and other equipment. But when things go wrong at a significant scale, relying on manual operations is highly problematic. “It requires a lot more human intervention and human eyesight or brainpower and can only handle so much,” said Brian Brown, president of Transport Workers Union Local 550, representing Southwest dispatchers and meteorologists.

4. Is your organization learning from past failures?

This isn’t the first time Southwest Airlines canceled flights and blamed weather issues as one of the causes. They canceled over 1,800 flights over a weekend in 2021 that Southwest’s pilots’ union attributed to management’s “poor planning.”

All too often, you see organizations recover from a crisis, fix a few low-hanging issues, and go back to business as usual. The question for CIOs is whether they can use a crisis to demonstrate a strong enough business case around more holistic improvements.  

5. Does your organization have the culture to support software development?

Developing and maintaining proprietary software and customizations entails an ongoing commitment to talent development, product management disciplines, and DevOps practices. It requires prudent decision-making on what capabilities to invest in and when platforms have reached their end-of-life and require app modernizations.

SkySolver, the software Southwest uses for crew assignment, is off-the-shelf software developed decades ago that the airline customized. The software is at the root of Southwest’s delays in restoring operations, and I suspect the company’s IT leaders will now have the support to replace it.

Of course, no one wants to wait for a disaster to drive legacy modernizations, especially around complex operational systems. Too much urgency and stress can drive teams to select suboptimal partners, make costly architectural mistakes, or underinvest in scalability, quality, or security.

So the key question for CIOs is how they use this crisis to educate boards and executive committees on the fundamentals of agile software development and cloud operations. Many executives still believe that software development is a one-time investment, that maintenance budgets are discretionary, and that just moving to the cloud will solve IT infrastructure bottlenecks.  

CIOs know never to waste a good crisis to drive mindset changes. Using today’s headlines to ask the tough questions can be a catalyst for gaining new supporters and investment in digital transformation.


Cybersecurity breaches can result in millions of dollars in losses for global enterprises and they can even represent an existential threat for smaller companies. For boards of directors not to get seriously involved in protecting the information assets of their organizations is not just risky — it’s negligent.

Boards need to be on top of the latest threats and vulnerabilities their companies might be facing, and they need to ensure that cybersecurity programs are getting the funding, resources and support they need.

Lack of cybersecurity oversight

In recent years boards have become much more engaged in security-related issues, thanks in large part to high-profile data breaches and other incidents that brought home the real dangers of having insufficient security. But much work remains to be done. The fact is, at many organizations board oversight of cybersecurity is unacceptable.

Research has shown that many boards are not prepared to deal with a cyberattack, with no plans or strategies in place for cybersecurity response. Few have a board-level cybersecurity committee in place.

More CIOs are joining boards

On a positive note, more technology leaders including CIOs are being named to boards, and that might soon extend to security executives as well. Earlier this year the Securities and Exchange Commission (SEC) proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.

This includes requirements for public companies to report any board member’s cybersecurity expertise, reflecting a growing understanding that the disclosure of cybersecurity expertise on boards is important when potential investors consider investment opportunities and shareholders elect directors. This could lead to more CISOs and other security leaders being named to boards.

Greater involvement of IT and security executives on boards is a favorable development in terms of better protecting information resources. But in general, boards need to become savvier when it comes to cybersecurity and be prepared to take the proper actions.

Asking the right questions

The best way to gain knowledge about security is to ask the right questions. One of the most important is: which IT assets is the organization securing? Answering this requires the ability to monitor the organization’s endpoints at any time, identify which systems are connecting to the corporate network, determine which software is running on devices, and so on.

Deploying reliable asset discovery and inventory systems is a key part of gaining a high level of visibility to ensure the assets are secure.

Another important question to ask is how is the organization protecting its most vital resources? This might include financial data, customer records, source code for key products, encryption keys and other security tools, and other assets.

Not all data is equal from a security, privacy and regulatory perspective, and board members need to fully understand the controls in place to secure access to this and other highly sensitive data. Part of the process for safeguarding the most vital resources within the organization is managing access to these assets, so boards should be up to speed on what kinds of access controls are in place.

Board members also need to ask which entities pose the greatest security risks to the business at any point in time. The challenge here is that the threat vectors are constantly changing. But that doesn’t mean boards should settle for a generic response.

Assessing threats from the inside out

A good assessment of the threat landscape includes looking not just at external sources of attacks but within the organization itself. Many security incidents originate via employee negligence and other insider threats. So, a proper follow-up question would be to ask what kind of training programs and policies the company has in place to ensure that employees are practicing good security hygiene and know how to identify possible attacks such as phishing.

Part of analyzing the threat vector also includes inquiring about what the company looks like to attackers and how they might carry out attacks. This can help in determining whether the organization is adequately protected against a variety of known tactics and techniques employed by bad actors.

In addition, board members should ask IT and security executives about the level of confidence they have in the organization’s risk-mitigation strategy and its ability to quickly respond to an attack. This is a good way to determine whether the security program thinks it has adequate resources and support to meet cybersecurity needs, and what needs to be done to enhance security via specific investments.

It’s most effective when the executives come prepared with specific data about security shortfalls, such as the number of critical vulnerabilities the company has faced, how long it takes on average to remediate them, the number and extent of outages due to security issues, security skills gaps, etc.

In the event of an emergency

Finally, board members should ask what the board’s role should be in the event of a security incident. This includes the board’s role in determining whether to pay a ransom following a ransomware attack, how board members will communicate with each other if corporate networks are down, or how they will handle public relations after a breach, for example.

It has never been more important for boards to take a proactive, vigilant approach to cybersecurity at their organizations. Cyberattacks such as ransomware and distributed denial of service are not to be taken lightly in today’s digital business environment where an outage of even a few hours can be extremely costly.

Boards that are well informed about the latest security threats, vulnerabilities, solutions and strategies will be best equipped to help their organizations protect their valuable data resources as well as the devices, systems and networks that keep business processes running every day.


With the threat landscape evolving to be more dangerous and sophisticated, board members may wonder where their own organizations stand when it comes to cybersecurity readiness against threats such as ransomware and data breaches. After all, board members have a duty to ensure their organization protects itself against cyberattacks and accidental data leaks. 

Here’s a list of questions CIOs should be prepared to answer to ensure the organization is making the right strategic investments in cybersecurity.

Questions for CIOs about cybersecurity readiness

1. Have we prioritized our objectives and our risks?

Risks are uncertainties about outcomes. Risks matter most when they pertain to the outcomes an organization prioritizes. Is there a risk management practice in place that identifies its highest-level objectives? For most organizations, those objectives will include:

Business continuity
Data confidentiality, integrity, and availability (data “CIA”)
Regulatory comp

2. Have we identified the IT resources and processes that support our objectives?

Besides identifying key objectives, an organization needs to identify the IT resources and processes that support those objectives. For example, if business continuity depends on an eCommerce website, which IT assets, processes and teams does that website depend on? What are its most valuable assets? Do they include intellectual property, financial data, physical infrastructure, or something else? Where are those assets stored, and who has access to them?

3. Have we identified the risks associated with each of those IT resources and processes? 

Board members and the executive team need to understand what makes the IT resources, processes and teams supporting each key objective vulnerable to attack. Unpatched software? Unreliable hardware? Lack of training? Have governments or industry groups adopted new regulations that will require redesigning and redeploying software and hardware?

4. Have we assessed the likelihood of these risks? 

If the organization estimates the odds of a data breach to be just 1%, that’s too low to be realistic. If the odds are 80%, then it isn’t making the right investments in cybersecurity. What is our confidence level in our cybersecurity posture, and how does that compare to those of our peers? Has the organization assessed the combined likelihood and severity of each risk, so that risks can be compared and prioritized?

5. Have we developed a software Bill of Materials (SBOM) for all our key applications and software services?

An SBOM is a catalog of all the software components and their versions that goes into an application or software service. By compiling SBOMs, organizations make it much easier to identify applications and services that are at risk when new vulnerabilities are announced, such as the Log4j vulnerability that was announced in December 2021. Has the organization begun the practice of automatically compiling SBOMs for key applications and services? What’s the plan for doing so? How far along is the process now? How is this work being automated so it’s always up to date?

6. Do we have a real-time inventory of all our IT assets, including laptops, desktops, servers, and IoT devices?

You can’t secure something if you don’t know you have it. An organization needs a comprehensive inventory of all its IT assets as part of its cybersecurity program, and needs to recognize that this inventory changes continually. How are we compiling this inventory? How regularly is it updated? How are we determining that it really is complete and accurate?

7. Have you identified likely adversaries and their goals?

Doing this helps an organization focus its investments on cybersecurity. Are there specific parties such as cybercriminal gangs, nation-states or activists who are likely to attack us? If so, what are their goals? Are they hoping to steal information, inflict a ransomware attack and demand funds, cause mayhem, or somehow damage the organization’s brand? How is this knowledge shaping our cybersecurity strategy?

8. How are we prioritizing our spending on risk?

Trying to eliminate all risks would be cost-prohibitive. How are we prioritizing our investments? Who is involved in making decisions about spending? How often are those decisions reviewed and, if necessary, adjusted?

9. What plans do we have in place to mitigate risks if attacks or other undesirable outcomes occur?

Do we have teams ready to respond to our most serious risks? Are communication channels in place? Do team members have the tools they need to act quickly and effectively? Have teams practiced responses to attacks to ensure that people, processes and tools are ready for action?


Board directors like Jean Holley can be a CIO’s best friend or worst nightmare. A former CIO herself, Holley always reaches out to the CIO before board meetings to offer her advice on how to handle inevitable questions. “It’s amazing how many times they don’t take me up on it,” Holley says.

These CIOs, especially those new to the role, often come off as overly techie, out of touch with the business, or worse, out of their depth in the position, she says. On three different boards, directors have asked Holley if the company chose the right CIO, and three times her answer was no. Don’t be that CIO.

CIOs hold more influence than ever in the boardroom. The CEO and board may steer the ship, but they’re relying on the CIO’s radar to see what’s coming. Preparation is key and can make or break the relationship. Get ready for these questions and curveballs.

First, know your audience

Before meeting the board for the first time, it’s important to research the background of each board member and the other boards they’re on, says Gary Cantrell, former CIO and senior vice president of IT at manufacturing company Jabil, who spoke with his board quarterly.

“Most of the board members aren’t deeply versed in IT, but they know what’s important from reading the news or from what they’ve learned from other boards that they sit on,” Cantrell says. “If you follow those companies on your feed and read up on an incident before you get in front of the board, you can answer questions easy enough. If not, you have to dance as you go.”

1. ‘Are we vulnerable to current cyber threats?’

Cybersecurity remains a top board concern, especially given the war in Ukraine and ongoing global unrest. CIOs should always prepare for this loaded question without giving doomsday predictions or appearing overconfident.

“Prepare for cyber questions in the context of risk,” says Jay Ferro, chief information and technology officer at Clario. “Explain that the likelihood of a risk X happening is very low, but the impact could be high, so here’s what we’re doing to mitigate it,” Ferro says. “Have a conversation about where you aren’t as secure, too, but follow immediately with how you’re getting better, what your plan is, and how they can hold you accountable for getting better.”

Here, CIOs can help the board see improvement by reusing and updating performance graphs and charts that were presented at previous board meetings, so directors can see progress, he adds.

Vulnerability isn’t the only cyber-related question CIOs should be prepared to address. Ferro says he was put on the spot many times with the question, “Are we spending enough on cybersecurity?”

“You always want to spend more, but your CEO is in the room, and you have to be very careful about your answer,” Ferro says. “You don’t want to throw your CEO under the bus.”

On the flip side, the current economic climate has some boards asking, “Can you do this more cheaply?” says Alexander Lowry, host of the podcast “Boardroom Bound.” Typically the answer is no if the company wants to remain well-defended or needs to retain talent, he says. “Time, cost, and quality form the triangle of balance,” he adds, and CIOs must explain the importance of all three factors.

Directors who sit on several boards may also inquire about the security chain of command in the organization, Holley says. Because of this, CIOs are often asked, “Should the CISO report to the CIO or to someone else?”

“About 90% of CIOs will say yes, I want it,” Holley says. “But if you’re a technology-based company and you develop technology for a living or maybe in the security space, it should not be under the CIO.” The board prefers the checks and balances of two different leaders in this case, she says.

2. ‘Are we investing in the right technology that aligns with our strategy?’

The board wants assurances that the CIO has command of tech investments tied to corporate strategy. “Demystify that connection,” Ferro says. “Show how those investments tie to the bigger picture and show immediate return as much as you can.”

Global CIO and CDO Anupam Khare tries to educate the board of manufacturer Oshkosh Corp. in his presentations. “My slide deck is largely in the context of the business so you can see the benefit first and the technology later. That creates curiosity about how this technology creates value,” Khare says. “When we say, ‘This project or technology has created this operating income impact on the business,’ that’s the hook. Then I explain the driver for that impact, and that leads to a better understanding of how the technology works.”

Board members may also come in with technology suggestions of their own that they hear about from competitors or from other boards they’re on. So CIOs should also be prepared to answer the question, “Should we be using the same technology as company X?”

Avoid the urge to break out technical jargon to explain the merits of new cloud platforms, customer-facing apps, or Slack as a communication tool, and “answer that question from a business context, not from a technology context,” Holley says. “[The answer] depends on how the business is doing and where you are competitively. Are you trying to be a leader or a fast follower” in the digital space?

It’s also wise to prepare a list of three areas that you would invest in if capital were available, Holley says. “That’s a key question to always have a good answer to in case the business is throwing off more cash or somebody isn’t spending as much capital,” she says. “For instance, if we throw $5 million now at this active project, we could pull in this ROI in six months. It may not be IT-related either. If we’re looking to pull in that acquisition in Q1 of next year, why don’t we pull it in Q4 this year because people have the bandwidth.”

Holley had a similar short list of projects to slow or stop if the business was contracting or the company had a rough quarter and needed to pull back. Top contenders were projects where the business is not engaging enough, or those where the business can’t bring the right head count to make them move faster, she says.

3. ‘How are you retaining and attracting tech talent?’

Board members read about a worldwide IT talent shortage and they’re asking CIOs what they’re doing to develop talent in-house, and how they’re retaining workers, Cantrell says. They’re also asking about attrition rates and how you’re attracting new talent. Are you only offering higher salaries or other perks?

4. ‘Should we be looking to automation to fill hiring gaps?’

Without enough qualified workers, some board members may also ask about automation or robotics as an alternative, Lowry says. “The question might be, ‘Since we can’t get enough human beings to do these things anyway, could we do it more efficiently with automation? Not just today, but for the medium or long term would it make the organization more resilient or help us operate more cheaply?’” CIOs should prepare a list of what parts of the business could be or should be automated, Lowry says.

5. ‘How are you cultivating the most diverse, equitable, and inclusive tech team?’

With the increasing emphasis on diversity, equity, and inclusion (DEI) as a key workplace objective and productivity driver, CIOs should also be prepared to describe their DEI initiatives, including how they are going about sourcing for this talent, such as partnerships with organizations that can help, Ferro says.

These types of corporate responsibility topics may also include sustainability questions, he adds. “What are you doing to run a more sustainable technology organization — whether that’s reducing your data center footprint or moving to the cloud,” he says.

6. ‘What should we be concerned about that’s not on our radar?’

The board is relying on your radar to help them shape business strategy. A crisp top-three list should start things off. “This is not an invitation to go apocalyptic or to overtalk or overexplain,” Holley says.

“I would always pre-think an answer internally and externally,” Holley says. “I start with something like, ‘Externally there’s an opportunity to grow revenue by x%.’ Or I would ask, ‘Do you know what our competitors are doing?’ And I would expand on that. Or I would start with, ‘The competitor we don’t even see today is probably doing this.’”

Instead of elaborating on each idea, she would follow up with, “Would you like to know more?” The board chair or a committee chair would usually say yes or want to follow up at a later time.

Dealing with the unexpected

If any question comes out of left field that you aren’t prepared to answer, never make up the answer, Ferro says. “Be prepared to say, ‘I would like to come back to you on that,’ or just say, ‘That’s a great question. Generally, it’s on our radar. Let’s do a separate call on that.’”

Preparation can pay off big time, Cantrell says. “It’s always the first impression. If you can get off on a good foot in the first three meetings, life gets a lot easier. If not, it gets to be a challenge.”
