whyframeshot - stock.adobe.com
CIOs and other digital leaders are playing a broader role in helping their organizations deal with fast-moving and disruptive developments, from emerging technologies to damaging cyberattacks.
Indeed, digital resilience, organizational adaptability and business agility surfaced as key themes at this week's MIT Sloan CIO Symposium. Speakers at the annual event pointed to the changing nature of the CIO amid the chaos of change and the potential for that position having greater sway as a result.
"If you think about the board of directors in most large public companies, they are needing expertise that we have," said Shamim Mohammad, executive vice president and chief information and technical officer at used car retailer CarMax. "And because disruption for most companies is coming from technology, you need a technology-savvy leader -- a business leader -- who can sit at the board level and help influence the company."
Dealing with generative AI
The latest in the list of disruptive technologies has arrived in the form of generative AI. CIOs presenting at the Cambridge, Mass., conference are now grappling with that technology's implications.
Mohammad, who spoke during a panel discussion on the CIO's evolving role, said CarMax has been working with generative AI for about 18 months. In one use case, the company employed ChatGPT to organize customer reviews and feedback on the tens of thousands of cars it sells. Mohammad estimated it would have taken a content writer 10 or more years to create such a synthesis of reviews, which AI compiled in a matter of hours. Writers still play a role; they review the material ChatGPT gathers before it is published.
The ability to quickly harness a new technology stems from the company's culture, Mohammad said. CarMax's experimentation culture lets individual product teams operate like a startup within the larger corporate environment, he noted. That was the case with CarMax's car review use case, in which a product group, working with a cross-functional team, "tested and learned and figured out a way to make it work," he added.
Growing up versus giving up
At one point, the panelists were asked whether the protection-to-resilience shift amounted to giving up to threat actors. But participants suggested the more dangerous path is holding on to false hopes.
"I would say that we are growing up, not giving up," said Jeff Reichard, vice president of solution strategy in the office of the CTO at Veeam Software, a data protection company. "If you're in a regulated industry, you're accustomed to auditors looking at your environment a couple of times a year. Everyone in this room is getting audited every day by cybercriminals. Accepting that's the reality, and maturing and understanding it, is just the right place to be."
Mojgan Lefebvre, executive vice president and chief technology and operations officer at Travelers, said the insurance company looks to generative AI to make better use of its knowledge bases. Another use case: extract and process the documents, embedded in email messages, that agents need to provide customer quotes.
The CIOs work isn't strictly around exploring new use cases, however. With the ultimate effects of generative AI still to be seen, the role of the technology leader includes raising critical questions.
"We've got to think about how [this is] going to impact all of us," Lefebvre said.
Coding is one area of inquiry. "Are we all going to need as many engineers as we have when [we've] got these machines, whether it's Microsoft Copilot or Amazon's CodeWhisperer, generating code -- which is pretty darn good based on what our people are telling us?" she asked.
Subhadaa Reddimasi, chief architect of technology and chief operating officer at Wells Fargo, said job roles will change because of generative AI. Engineers will spend time making "Copilot the best copilot that it can be," she suggested. "So there's a shift in the jobs from that standpoint."
Responding to cyberattacks
A panel discussion on building cybersecurity around resilience cast a different light on organizational adaptability. Businesses increasingly recognize that cyberattacks will occur, which shifts the discussion from protection to rebounding after an event.
"When I think about resilience, it's about just maintaining some semblance of services post incident," said Bill Brown, CISO and CIO at Abacus Insights, a data analytics provider for healthcare payers. "It doesn't mean there won't be some interruptions. It just means that you can gain some confidence of your stakeholders that you're under control and going to get things back in operation."
The healthcare ecosystem seems to face more ransomware attacks than other sectors, he noted. To deal with that reality, Abacus Insights developed an incident response plan, which revolves around a regimen of prepare, practice and improve.
Shamim MohammadExecutive vice president, chief information and technical officer, CarMax
As for practice, the company conducts a role-playing exercise Brown referred to as situational analysis. In this approach, a design team crafts a security incident scenario and throws in "some zingers" so participants must respond to a wider range of problems that can occur during a security incident, he explained. A key player on the incident response team being called away for a family emergency might be one example.
Getting more employees involved in incident response is another element of adaptability and resilience. Abacus Security is currently creating a series of lunch-and-learn sessions to get employees thinking about issues such as what they would do if their endpoint devices become unavailable, Brown noted. They might consider making sure they have Slack, Zoom and Microsoft Teams on their phones, for instance.
The objective is "getting all of our employees involved to be part of that response team," Brown said.
The change in mindset -- having conversations on what to do in the event of an incident as opposed to focusing solely on prevention -- has emerged as one silver lining from security breach statistics, said John Allen, vice president of cyber risk and compliance at cybersecurity company Darktrace. That conversation should run both ways in an organization. While executives and board directors customarily question the CIO and CISO, the tech executives should query the executive leadership on their recovery priorities across business units and assets, he said.
"Put it back in their court a little bit," Allen advised.
Such discussions line up well with the CIO's expanding role within organizations. "As the CIO, you really have this unique ability to be at the intersection of anything and everything that's happening, whether it's operational or strategic," Lefebvre said. "If you take advantage of that, then the opportunity is to not only enable [but also] drive the strategy along with the rest of your peers in the enterprise."