During the last month's research I frequently ended up thinking about IT organizations - both the organization of IT itself and IT as part of the overall organizational structure, including the role of the CIO. From my perspective there is no doubt that fundamental changes are required.
Let's start with the IT organization. Early in 2008 we did a survey and report on the topic of "SOA Governance" together with Ernst & Young (the German subsidiary), which we first presented at EIC 2008 (by the way: EIC 2009 will again be in Munich, May 5th to 8th, 2009; hope to meet you there). The most important result was that the main problem of SOA Governance and, as part of it, SOA Security is the missing application security infrastructure, i.e. standardized approaches for securing applications. The reason for that is just as obvious: siloed IT organizations.
Typical IT organizations are divided into different departments like IT Security, IT Infrastructure, Development and so on. Sometimes there is a sort of CIO office which tries to set guidelines but frequently fails. The major problem: the people in these silos don't talk much with each other, and often they are even "fighting". The result: security coded into each application instead of provided by a shared infrastructure, missing end-to-end security, no reuse of proven methodologies (for example for change management), insecure applications which can't fulfill compliance requirements, and so on.
These problems are expensive. Even more expensive is the frequent re-invention of security in every self-developed application, and the problems with software from vendors or external developers which isn't easy to integrate into existing infrastructures. Many organizations have hundreds or even thousands of applications with their own "application directories". Integrating them, for example, into a central IAM infrastructure, a central GRC infrastructure or a central configuration management is sometimes costly and more often impossible due to technical constraints.
In other words: siloed IT organizations aren't acceptable from an economic perspective. The usual counter-argument is that the business departments are the ones who hold the budget for building or buying new applications - and therefore they decide. But that only works because the overall costs of the applications that can't be integrated aren't known.
These days, no organization can afford that type of IT anymore.
The answer to this is obvious: the silos have to be broken up. There have to be at least strong matrix organizations in which strategists and architects provide mandatory guidelines for IT methodologies, infrastructures, and architectures.
And if you ask yourself how to implement a GRC strategy that goes beyond "IAM-GRC" (i.e. the identity and access related parts of GRC) and has to include ITSM (for example business continuity) and other aspects, you end up in a situation where you have to open up these silos.
A model might be an IT organization which mainly provides strategies, methodologies and architectures and which acts as the controller for IT, whilst the different departments either act like an outsourcer with clearly defined SLAs or are - mainly for business applications and application development - assigned to the business departments themselves.
Any of these changes raises the question of the future role of the CIO. First of all, a CIO has to have significant control over sourcing decisions, so that applications which don't fulfill defined requirements (like externalizing the administration and authentication of identities) aren't bought. To implement GRC (I've written about the relationship of IT risks and operational risks before), the role of the CIO has to change as well.
There are two and a half options for that:
CIO = COO? CIO = CRO? CIO = CCO? [Chief Information Officer, Chief Operating Officer, Chief Risk Officer, Chief Compliance Officer]
Two and a half, because the roles of CRO and CCO are often understood as the same, even though, from my perspective, CCO is somewhat narrower than CRO.
The CIO as COO is one approach, giving him responsibility for all non-operational parts of the business, including overall corporate security and sourcing. That will help. The CIO as CRO/CCO is an option as well, because GRC is in fact the link between business and IT. And there might also be the approach of understanding the CCO/CRO roles as part of the COO role. In either case, the CIO will become a member of the board, alongside the CEO, the CFO and a few others. Either way, he will have much more business focus and will be CIO amongst other responsibilities, so his major title most likely won't be CIO anymore.
I'm convinced that organizations which restructure along these lines will be more efficient in what they are doing, and thus more successful (the economic aspect). These organizations are also much better suited to deal with GRC requirements and to manage and mitigate their risks - which makes them more likely to succeed as well.