It’s not just about IT. Information security and cyber-security need to be viewed within a wider context.

There are so many unknowns when compared to ‘traditional’ physical threats. The fact a cyber-attacker can be inside your network for months before being discovered (and then usually by an external actor), says Chris Butler, Principal Consultant, Sungard AS.

Chris Butler, MA FCMI FInstLM CISM CBCI Principal Consultant, Sungard AS

Describe your current role

Principal Consultant for Resilience and Crisis Management at Sungard Availability Services

What are your day-to-day responsibilities?

Advising the boards and senior leadership teams within our clients on ways to develop their organisational resilience capabilities, with a particular focus on C-Suite crisis leadership skills, competencies, and experience.

What is your professional background?

Following 20 years as an Army officer, with numerous leadership positions with military aviation, I became a resilience and security consultant. I have worked within the UK high hazard energy sector, supporting leadership teams in the UK nuclear sector, from board level down to the operational front line in nuclear power plants. Since joining Sungard AS, I have worked principally, but by no means exclusively, with our clients in the financial services sector, developing additional cyber resilience services.

What are you speaking about at CIO 2019?

Crisis leadership – ensuring your organisation survives and thrives.

How do your particular areas of expertise manifest themselves in your current role?

I’m a Fellow of the Institute for Leadership, a Member of the Business Continuity Institute and a Certified Information Security Manager. I’m also a certified Executive Coach and Mentor with the ILM (the Institute of Leadership and Management which is the UK’s top leadership and management qualifications specialist). The combination of these skillsets and expertise, with my history as a military leader, provides me with the knowledge, experience, credibility, and confidence to advise boards and C-Suite executives at their level around the key psychological and behavioral drivers for crisis leadership.

How do you see your role developing in 5 years’ time?

I see boards and executives wanting a ‘trusted advisor’ – someone with the professional credibility and the independence to provide impartial advice and support to build organisational resilience over time. I wonder whether there is a role for Non-Execs who will have this level of expertise.

What advice would you give to someone adopting a CIO role for the first time?

It’s not just about IT. Information security and cybersecurity need to be viewed within a wider context. Become very comfortable with translating the often impenetrable IT issue into a language the board can grapple with, based on risks and impacts, and demonstrate alignment with other resilience practices such as risk management and business continuity.

What are the greatest challenges facing modern technology leaders?

There are so many unknowns when compared to ‘traditional’ physical threats. The fact a cyber-attacker can be inside your network for months before being discovered (and then usually by an external actor). The indicators and warnings can be conflicting and it’s difficult to know what to prioritise. Traditional DR tended to be retained at the IT level and not aligned with the operational level and BC – this still is not changing quickly enough. The resource challenge for stressed CIOs against all the other competing resources. The wide array of third parties in IT and working out where the vulnerabilities might lie – e.g. third-party code within an application or a widget on a website providing specific functionality. This could be the back door into your network. Or other third parties who have remote access to networks: how does their security match your own? Or working from home – ensuring workers’ home network security is sufficient, especially if you allow access to functionality from personal devices.

How do you think a CIO can best support company revenue growth?

Move beyond a focus on IT SLA and uptime to demonstrate how the IT layer within the organisation adds value, where it contributes positively to resilience, how it enables operations. In the specific area of cybersecurity, CIOs should focus on supporting and finding innovative and creative ways of developing their cybersecurity culture. Annual online training and a basic phishing campaign are not sufficient. Develop excellent relationships with suppliers, working to enhance support and mutually beneficial contractual arrangements.

Chris Butler is speaking at the CIO and IT Leaders Summit on Sept 25 in the Aviva Stadium.

See www.ciosummit.ie for details.