Safeguarding the Data

By CIOinsight  |  Posted 08-13-2002

Roundtable: Defining the Ethical CIO

 

The Ethical CIO

Recent ethical lapses by trusted leaders in public and private life have dominated the headlines this summer. Rising distrust in the integrity of business, political and religious institutions has contributed to a collapse in consumer confidence and public trust. The technology world has not been immune. New surveys by Gartner show billions were wasted on technology projects that didn't work, failed quality tests or simply weren't needed in the first place. Nike's CEO, Phil Knight, grumbling about a major tech meltdown that caused his company millions in lost profits last year, was quoted as saying, "This is all we got for our $400 million?"

To get a better idea of what the current debate over business world accountability means for CIOs, CIO Insight Executive Editor Marcia Stepanek recently convened a roundtable of seven experts—corporate IT executives who grapple with financial pressures, corporate CFOs who impose them, and IT leadership and ethics experts who see inherent conflicts in the CIO's role between doing the right thing and the push for corporate profits—to discuss the tough choices they face in their daily business lives. Corporate culture is key, they agree, but there was disagreement over how much CIOs should—or can—do to help their firms operate ethically, especially in an economic downturn and in an increasingly global marketplace. What follows is an edited transcript of their remarks.

CIO Insight: What's gone wrong with business today?

Stuart Robbins Stuart Robbins Executive director of the CIO Collective, a nonprofit association of CIOs and a managing partner of KMERA Corp.

ROBBINS: Corporations are created to make money. But if that is the No. 1 objective, and all other objectives are secondary to the goal of profit, then you have an implicit and explicit statement that everything else will be subjugated to that higher goal. Later, it's easy to criticize. But we all wanted those higher share prices. I don't think that should be the number-one goal, but that often sets everything else downstream.

Usha Sekar Usha Sekar CEO of CRIA Technologies Inc., a maker of outsourcing management software, former CIO of Fujitsu PC and former IT Director of Compaq Computer Corp.

SEKAR: Speaking as a CEO of a company, making money is the goal, but it is not making money without any constraints. The issue is, do you know those constraints, and do you live within those, or do you choose to flout them? I think the expectation is for the shareholders, the number-one focus for most companies, and that you do not cheat your shareholders. I think that is a kind of high-level expectation. Shareholder value has to be within certain guidelines and parameters, and it is important that those parameters are known. And if you choose to deviate, that must be communicated.

ROBBINS: There are rules. Revenue recognition issues have been around for many years and have been the subject of a great deal of inquiry long before WorldCom and Enron. But it's a constant battle for balance, and IT is very much in the center of things because company technologists need to automate whatever the process is.

John Burke John Burke CFO of New World Business Ventures Group, consultants and advisors for small and medium businesses.

BURKE: There are also a lot of time pressures. If you're financially desperate to make a sale, then people become blinded. Say it's a potential quality issue. You need to be loud and clear. The other issue that's out there is a balance issue; being 90 percent of the way there, is it okay to ship? Maybe being 90 percent of the way there isn't okay. You start to have quality problems with the auto industry, for example. Maybe it saves them a couple of dollars per car. Well, if they've got 15 or 20 deaths over a 10-year life cycle, I'm not sure they've made the right decision there. On the other hand, sometimes getting the products out is the right thing to do.

You always try to do full disclosure for whomever is making the decisions. If you're at a decision point, you need to tell them you have these concerns about a product or a transaction, and it needs to go all the way to the top. That's why the keeper of the ethics in an organization can't just be one person. All of the executives and managers in a company have to have an ethical point of view and be in sync with it.

Safeguarding the Data

Safeguarding the Data

Let's talk about information technology. Do you believe CIOs have a particular obligation in this regard?

SEKAR: I think the issue that CIOs and people in technology face today is how to determine their roles as guardians and keepers of data. What data gets recorded? A lot of the time, actions get recorded, but the policy that drives those actions are hidden from any of the views of most of the people who are in charge of simply looking at the data or guaranteeing it.

Bart Bolton Bart Bolton Former CIO at Digital Equipment Corp., and an IT leadership facilitator for the Society for Information Management and various IT organizations.

BOLTON: Technology gives you a new capability to do something illegal. Go back and look at who's been making the initial profits on the Internet. It has been the pornographers, right? And you better believe that criminal organizations are some of the first users and adopters of this technology. They certainly were with the telegraph. It was about getting the results of the horse race to the guy before the bets were closed. Now, what is wireless going to do to us? What is a GPS system going to do?

ROBBINS: Technology systems, I believe, are mirrors of the organizations and the people who built these systems. Often, we may point to the mirror and say the mirror is the problem. But in the end, we're the ones who need to address the issue because it's essentially a people problem and not a systems problem.

Well, let's say if a CIO, the keeper and distributor of a company's data, notices quite by accident that the data itself is corrupt, or has reason to suspect fraud on the part of the CFO. Does the CIO have an obligation to speak out, or should there be companywide policies drawn up to spell things out?

ROBBINS: One of the big conundrums is the quarterly reporting of financial data. All of us in IT know that a good project takes far longer than three months to roll out. They're often nine-month cycles, they're often 18-month cycles. In fact, product development can take 36 months. How do you gauge accurately the health of a corporation when, in fact, you've got these 90-day cycles and at least for the last month in that cycle, there's a lot of reporting and summarization, and two weeks after the quarter you've got a lot to do? So you lose about half of the quarter just gathering this metric, which I believe is a false metric. But that metric, false or otherwise, has just driven a great deal of policy and adjustment in IT. It causes IT people to focus on a metric that doesn't reflect the health of the corporation and triggers a lot of problems.

Mike McCracken Mike Mccracken President of Tatum CFO Partners LLP, a national partnership of career CFOs that provides CFO services to companies.

McCRACKEN: I think some of this comes down, perhaps, to a redefinition of the CIO's role, a redefinition of who you report to. Where the CIO reports does have a bearing on the ethical aspects of business and who is accountable. If the CIO is, in fact, only expected to be the keeper of the data and is not responsible all the way through the financial reporting aspect of it, then there's a different level of built-in responsibility that's left up to the CFO. Is the CIO reporting through the CFO? Should he or she be? Should you have a check and balance?

A discussion of ethics could become a discussion of internal controls, as they have a very strong bearing on what the financial results will actually be. Is the correct data being accumulated? Who's making the final call as to how it all gets reported and what information is shared?

ROBBINS: Mike, are you saying that if the CIO is reporting to the CFO, there's less of a check and balance than if the IT organization were an independent function?

McCRACKEN: Absolutely.

Malka Treuhaft CIO of the Centre Group, the insurance-based finance arm of the Worldwide Zurich Financial Services Group.

TREUHAFT: I disagree. I really do not think the question of ethics in an organization should have anything to do with whom you report to. I think that at the end of the day it's about every individual and how honest they are about what they do and what they're asked to do. I mean, I don't care if I report to the chairman, the CFO or the COO, I think that if somebody asks me a question and says, "What are your thoughts on this, what are the final results on that, what are the finances on this," I should be able to come forth with the same result regardless of who that individual is. On the other hand, if there's a discomfort in doing that, then there's an integral problem in the organization because then people don't feel comfortable being honest, and I think that's the true crux of the whole issue.

Where Does the CIO

Fit?">

Where Does the CIO Fit?

Then what, exactly, is the CIO's responsibility within the context of the organization?

BOLTON: I think the CIO has a responsibility to speak up, because he or she represents the use of technology. That's an overall role that they carry, a responsibility. They have got to look and say, "Well, if we adapt this new technology, what openings or opportunities to do wrong things might it have?" That's assuming that the corporation understands what its values and ethics really are.

I mean, when you see it's wrong, you've got to speak up. But that can only happen in a company where it's okay to do that. There are an awful lot of companies where you just tell the emperor his clothes look pretty good. Is that unethical? We see that all the time. That's not just the CIO, by the way. There's a lot of that in the large organization.

Helen Nissenbaum Helen Nissenbaum Ethics professor at New York University and cofounder of the Ethics and Information Technology Journal.

NISSENBAUM: You might, as CIO, sort of throw up your hands and say, "It's not my fault, I'm a hired gun. I'm only doing what I was told to do." But the CIO must also understand how certain technological choices can embed different kinds of value structures. A CIO with integrity should be able to stand up to the CFO and all the other top brass in a company and argue for certain technological choices as opposed to others.

Would it be ethical, then, to stand up to a vendor who is selling bad or buggy software?

ROBBINS: It is unethical to misrepresent your product.

BOLTON: Absolutely.

ROBBINS: And that's the distinction. If the product that is going out, a 1.0 product or a bug-fixed shipment, and you explain very clearly to the customer what they are getting, this is at the heart of revenue recognition, and the customer accepts what they are taking from you, then that's a fair exchange.

I found it fascinating that across industries in the late days before the Y2K rollover, everyone was so forthcoming with customers and partners and suppliers regarding every aspect of flaws because there was no litigation risk and because, in fact, we were being encouraged toward full disclosure. Now, though, we're back to thinking that bugs are only bugs if a customer finds one. During Y2K, we had a real opportunity to become more forthcoming as technologists and as an industry to what technology can and cannot do, but we didn't take that opportunity to continue that frank exchange, and I find that disappointing.

The Spy Game

The Spy Game

In our August 2001 issue, we referred to a poll by TR Cutler Inc. that said 55 percent of manufacturing companies with fewer than 1,000 employees spied on rivals using technology, and of those, 75 percent reported industrial spying for competitive analysis, including using the Web and posing as a potential customer to glean pricing and other data. How far is too far?

ROBBINS: Whether you're snooping on your employees or whether you're snooping on your competitors, how far you will go is a conversation about the culture of that company. And if your company is sick, it's going to go too far.

NISSENBAUM: What's difficult about this privacy problem is that there isn't yet a lot of agreement about what is right and what is wrong. We grew up with a norm that came out of an environment where certain physical monitoring was possible, and now we have technology that enables us to do a lot more. And what many of us said is, "Well, where do we draw the line? Is this right or wrong?" What often happens is that people may abhor certain behaviors out in the world, but then they would say in a business, "Oh, well, yes, it's fine to monitor your employees because, after all, you own the business, you own the property, you own the computers," and so forth. But what if you put video surveillance cameras in the bathroom, is that all right? Suddenly, some people will step back and say, "Well, maybe not, maybe there is a limit." So part of what we have to do is figure out that yes, technology can enable us to do all these things, but what's right? And then we need to figure out how to get people to do the right thing.

BOLTON: One of the things I've witnessed over the last nine years of doing IT leadership training is that there are some people who, after they finish nine months in the program, turn around and leave their companies. It's because, for the first time, they understood what their own personal values are, and they realize they don't mesh with the company they work for. And so I'm taken by this subject of ethics. I think it comes down to two people working together, whether it's you or a vendor, say, over a question over lousy software. Are the two parties trustworthy?

You take the word trust and you have different levels of that. I may trust you with loaning you a buck, but I may not loan you my car, and I probably won't give you a blank check. And then you can get into questions such as, is it all right to take company property home? Well, if it's a paper clip or a piece of paper, it may be okay. Well, can I walk off with a PC? Maybe not. And there are questions of what I should do on the job. Should I try to tap into a rival's wireless network if I have the opportunity to do so? Ethics is a subject of gray areas, and of choices.

Is there an ethical standard here?

BOLTON: I don't think there is one. I think it is a variant of one's individual personal values, and those values are set in growing up and the environment we live in. If you look at the personal values in the U.S., they're all over the map, but if you take some kind of a generalization of what they might be in the U.S. and then go to some other countries, the values are quite different. Simple things like bribery are quite acceptable in certain countries, but not here.

TREUHAFT: The entire topic of ethics, to me, is very removed from whether you're a CIO or not. There have been noted examples of people in companies who are stealing each other's customers, pulling information from each other, so on and so forth, but it goes down to the basics. If that's something you feel comfortable as a person doing, then it doesn't matter how many rules and regulations and policies and enforcement and security items you put in place in the company—if a person feels comfortable doing that, they're going to do that.

I strongly believe that the conversation and topic of ethics goes beyond IT, and it is a core, intrinsic characteristic that people have or don't have. And I believe that there's a lot of education that has to be in this area overall. Just based on the fact that I speak my mind and don't, you know, get pushed around on things that I believe are right, I have seen things change.

NISSENBAUM: Perhaps there are good people out there and evil people who weren't trained properly and so on. But I still want to come back to the notion that we're very lucky when we deal with people who are going to be ethical because that's the way they've been raised. Still, though, there are two things to think about. One is there are hard ethical problems, and even if you have the best intentions in the world, you may wind up doing the wrong thing. And there we need training, we need discussions like this one to continue because I think with the privacy cases, it's a hard new problem that society is facing, and we don't actually know the answers yet.

There are very few ethical theories that demand that people sacrifice themselves, to perform what are known as acts of supererogation. You've got ethical duties, but few people expect you to lose your life in order to save someone else. Heroes do that, but it's not everyone's ethical duty to do that. So the culture of the organization makes a difference because if the culture is bad, then it requires the individual to be a hero simply to do the right thing. You can't expect everybody to be a whistle-blower. If you have culture in an organization that requires someone to be a whistle-blower just to do the right thing, then your organization is sick.

The problem, I think, is that we live in a business culture that says if you're ethical, you're a chump, that you have to go for your own self-interest at all costs. And if being ethical is in your own self-interest, yeah, sure, go for it. Do it as a sales pitch. It's a good marketing tool. But if it doesn't improve your lot as a business, then being ethical is stupid.

TREUHAFT: I agree. Those decisions have to be made at a business level across the company, like what kind of privacy issues you want to have and enforce within your company. It's not necessarily on the shoulders of the CIO to say one way or the other. It's the CIO's role to enforce that policy and to perhaps bring up the options of what they can put on the table and then to communicate that down throughout the hierarchy.

McCRACKEN: I echo what you're saying. None of us would say that we are not ethical people, however you define it. But I think that this whole notion gets into the expectation of the user who is actually going to rely on whatever information is sent out eventually by an organization. And is it ethically created and distributed, frankly, from the investor's standpoint?

I'm hearing some disagreements. Some of you think ethics is a purely personal matter; others say a company's leadership needs to create an ethical culture that would, in turn guide and inform one's ethical behavior on the job. Some say it's the CIO's job to speak up; others say it's the job of the top brass. Who's right?

BOLTON: I think ethics needs to be the responsibility of the CIO, as technology changes and can impact the way we do business or the way we make decisions or the way we deal with other people. I think it is the CIO's responsibility to educate others on the impact of a particular technology. If you go back and look at before we even had the Internet, if you go back and look at central processing versus distributed processing and what would it mean, why all of a sudden there were a lot of people into the business who weren't there before…

TREUHAFT: I agree with you 100 percent that the CIO and the people in IT have to participate. But I just keep hearing in this conversation that you have to make tough decisions and that you might find yourself in a situation where you might make the wrong ethical move even if you're a very straight person. And I have to tell you, we've all had to make very hard decisions in our careers and we've all been in situations where everything wasn't 100 percent black and white. But if you're naturally a person who's going to agree to do the right thing and be honest about it, then you tend to move in the right direction. That's what I have found.

BOLTON: Look at a company that operates under unethical standards, and I'd be willing to bet they've never had a discussion of what their values as an organization are. And I think that is the responsibility of the leadership of those organizations, including the CIO, considering that the CIO is one of the leaders—and not just because he or she is the CIO. Companies that are ethical, I would bet, have a firm understanding from the top through most of the organization of what the organizational values of that enterprise are. They are very explicit, they understand them, they spend a lot of time talking about them, they educate people, especially new employees, and it gets reinforced by all of the C's—CEOs, CFOs, CIOs, all of them.

SEKAR: I think that technology is not going to generate or drive ethical behavior, and that CIOs can only help a company monitor and review actions to see if they're ethical or not.

CIOs and Outsourcing

CIOs and Outsourcing

What about companies to which work is being outsourced? What's the role of the CIO within the context of the extended enterprise—and can contract language help?

SEKAR: Mostly, it's a data tracking challenge. You can't simply impose cultural and behavioral norms only through contracts, because they're driven at the highest level of the organization. The people who execute the contracts are, typically, people at the lowest levels. It becomes, therefore, incumbent on IT to make those who execute contracts aware, day-to- day, of any changes in contracts or customer demands and expectations. IT has a role in that it can help a company monitor and track behaviors of partners, vendors and outsourcers, so the company knows if rules are being followed. Information, delivered in real time, gives people a chance to take action if that is their choice.

But not everything is on an intuitive level. For example, we had this huge restructuring charge that we took, and then we did a whole bunch of projects under restructuring. But there were a lot of issues because people were charging things to restructuring that did not really belong to restructuring. IT projects, for example, that supported the restructuring were okay. IT projects that did not support restructuring should not have been included—but some were.

It became an issue of communicating clearly what is a restructuring charge and what should not be a restructuring charge, what capital can be brought under IT and what cannot. And once we were able to communicate that, it became a lot easier—but because communication was manual for quite a while—some accountability got lost. The issue with WorldCom was an issue, I believe, of capital and expense reporting. WorldCom made a policy change. Was that policy change communicated and was it approved?

BURKE: I agree that all the executives in a business have to be responsible for the ethics in the business, but the CIO has an additional responsibility because technology governs so much of how we do things and what we can actually do. He or she needs to be cognizant of what the organization's ethical goals are and how technology impacts that and can help to maintain those standards.

Resources

Resources

Society, Ethics and Technology
By Morton Winston and Ralph Edelbach
Wadsworth Publishing, 2000

The Principles of Information Ethics
By Richard W. Severson
M.E. Sharpe Inc., 1997

Computers, Ethics & Social Values
By Deborah G. Johnson and Helen Nissenbaum
Prentice Hall Inc., 1995

Ethical Decision Making and Information Technology
By Ernest A. Kallman and John P. Grillo
McGraw-Hill, 1996