Information Week

When Marc Hoit came to North Carolina State University (NCSU) in 2008 to take on the role of vice chancellor for information technology and chief information officer, the school and its IT operation looked much different. Hoit had left his role as Interim CIO at the University of Florida, where he was also a professional in structural engineering. At the time, NC State had an IT staff of about 210 and an annual budget of $34 million. Fast forward to 2025, and Hoit now oversees a bigger department with a budget of $72 million. NCSU has a total of 39,603 students. Aside from taking care of the university’s massive IT needs, Hoit’s department must also lend a hand to research initiatives and academic computing needs. Before Hoit’s arrival, those functions were handled by separate departments. The administration decided to merge the functions under one CIO. “They wanted a lot of the IT to be centralized,” Hoit says in a live interview with InformationWeek. “We had a lot of pieces and had to decide how much we could centralize … It balanced out nicely.” That unified approach would prove to be beneficial, especially as technology was advancing at an unprecedented pace. While many find the pace of innovation dizzying, Hoit has a different viewpoint. Related:John Deere’s CISO Is Always Thinking About Cyber Talent Marc Hoit, North Carolina State University “Really, the pace of the fundamentals has not rapidly changed,” he says. “Networking is networking. You have to ask: Do I need fiber instead of copper? Do I need bigger servers? Do I need to change routing protocols? Those are the operational pieces that make it work. You have to change, but the high-level strategy stays the same. We need to register students … we need to make that easier. We need to give them classes. We need to give them grades … those needs are consistent.” The Trump Effect The Trump Administration’s rapid cost-cutting measures hit research universities especially hard. Just this week, the attorneys general of 16 states filed a lawsuit to block the administration from making massive federal funding cuts for research. And earlier this month, 13 US universities sued to block Trump’s cuts to research funding by the National Science Foundation. Cuts from the National Institutes of Health (NIH) and the US Department of Energy also sought to cap funds for research. Hoit says people may want to see less government spending but may not realize that the university already picks up a substantial share of the costs for those research projects. “We’ll have to adjust and figure out what to do, and that may mean that grants that paid for some expensive equipment … the university will have to pick up those on its own. And that might be difficult to accomplish.” Related:How Constructive Criticism Can Improve IT Team Performance Hoit says NCSU is in a somewhat better position because its research funding is more spread out than some public institutions. “If you were a big NIH grant recipient with a medical school and a lot of money company from grants, you probably got hit harder. In our case, we have a very interesting portfolio with a broader mix of funding. And we have a lot of industry funding and partnerships.” The Trump administration’s aggressive tariff policies have also impacted universities, who must attempt to budget for hardware needs without knowing the ultimate impact of the trade war. On Wednesday, the US Court of International Trade halted the administration’s sweeping tariffs on goods imported from foreign nations. But legal experts warn that the block may be temporary as the administration expects to appeal and use other potential workarounds. Hoit says the university learned lessons from the first Trump administration. “The writing was kind of on the wall then,” he says. “But a lot of the vendors are trying their best to manufacture in the US or to manufacture in lower tariff countries and to move out of the problematic ones.” Related:The Death of the CIO? Why Some Companies Are Eliminating the Role He said the COVID 19 pandemic was also a learning opportunity for dealing with massive supply chain disruptions. “[The pandemic] taught us that the supply chain that we relied on to be super-fast, integrated and efficient … you can’t really rely on that.” Shrinking Talent Pool and AI Solution According to the National Center for Education Statistics (NCES), colleges and universities saw a 15% drop in enrollment between 2010 and 2021. NCSU has largely bucked that trend because of explosive growth in the Research Triangle Park area of the state. But the drop in higher education ambition has created another problem for IT leaders in general: A shrinking talent pool. That’s true at the university level as well. AI could help bridge the talent gap but could cause interest to dwindle in certain tech careers. “I keep telling my civil engineering peers that the world is changing,” Hoit says. “If you can write a code that gives you the formulas and process steps in order to build a bridge, why do I need an engineer? Why don’t I just feed that to AI and let it build it. When I started teaching, I would tell people, go be a civil engineer … you’ll have a career for life. In the last three years, I’ve started thinking, ‘Hmm … How many civil engineers are we really going to need?” source

Change may be the only constant, but disruption is ruling this age. And it’s not just AI that’s breaking things. Economic uncertainty, political tension, market shifts, and fluctuating tariffs are wreaking havoc around the world. Jobs are lost in layoffs, business closures and bankruptcies, and AI realignments. So where does all that leave chief information officers? Are their jobs at risk too?  Certainly, the ground under the CIOs feet isn’t as solid as it used to be.  “With companies increasingly adopting a more integrated tech strategy across all departments, the traditional role of the CIO is getting reevaluated. Tech isn’t just managed by one department anymore — it’s everywhere,” says Hone John Tito, co-founder of Game Host Bros, a server hosting services company for gaming networks.  “It’s clear that businesses are prioritizing flexibility, where leadership is less about managing systems and more about driving innovation across all areas. This shift could be why some companies are eliminating the role entirely or considering it,” Tito adds.  To Be or Not To Be, That Is the Question for Every CIO  The CIO role has substantially changed over the decades in some ways. In others, not so much.  “In 2016, when I transitioned from the role of CDO to CTO of Staples, we brought a CIO into my team alongside the CDO and CISO. Even then, the CIO wasn’t positioned to lead digital experiences across the enterprise,” says Faisal Masud, president at WW Digital Services at HP.  Related:NCSU CIO Marc Hoit Talks Fed Funding Limbo, AI’s Role in Shrinking Talent Pool “The primary distinction lies in the core responsibilities: Today’s CIO focuses on aligning IT needs with business strategy and enhancing operational efficiency. In contrast, the CDO role emphasizes customer experience, technological innovation, and transformation,” Masud adds.  In the early days, CIOs were innovators and inventors with a sharp talent in mastering technologies. It wasn’t uncommon for a CIO to develop proprietary technology for the company as the need for such arose.   Later, and largely for economic reasons, technologies were bought commercially and were usable “out of the box.” Later still, they were purchased in the cloud as SaaS.   “The traditional CIO role, rooted in vendor management and centralized IT deployment, has been steadily shrinking since the rise of SaaS. Business units now often bypass IT to buy their own tools, reducing the CIO’s direct control,” says Rajan Goyal, CEO of DataPelago, a universal data processing engine. Formerly, Goyal was CTO at Fungible, a data center hardware and software developer, which has since sold to Microsoft.  Related:John Deere’s CISO Is Always Thinking About Cyber Talent Time continues to erode the CIO’s need to be hands-on, technically gifted and decidedly geeky.  Now, with their skills becoming increasingly redundant, the question becomes whether the role itself is antiquated.   “The elimination of the CIO position is a part of the technology evolution. Companies are recognizing that technology is no longer just a support function, but the backbone of business strategy, meaning that companies simply need someone with broader experience outside of the IT function,” says Joy Taylor, managing director of consulting at Alliant, a management consulting firm.  But Taylor doesn’t see the CIO role disappearing from company rosters entirely.  “I don’t see replacement happening, but rather a transformation of the CIO role. In many organizations, CIOs are taking on expanded responsibilities that reflect their growing strategic importance. Rather than being replaced, the role is being elevated and integrated more deeply into the business leadership team,” Taylor explains.  Others agree that the role is changing, and maybe the title, too, but the duties are expanding rather than evaporating. However, they don’t necessarily see that happening in the same way that Taylor does.  Related:How Constructive Criticism Can Improve IT Team Performance “If the CIO role goes away, it’s mostly going to be about labeling. A CIO’s work is only becoming more central to how most businesses operate, so if a CIO isn’t handling these tasks, someone else in your IT or data infrastructure will have to manage it,” says Jonathan Palley, CEO of QR Codes Unlimited, a QR code platform.  Whether you agree with Taylor’s take or Palley’s, or see room for both, the CIO role as it’s historically defined is decidedly dead.  “It’s part of a broader shift, not a passing trend. As tech becomes central to every function, some CEOs question the need for a standalone CIO. If the CIO isn’t driving commercial outcomes or transformation, the role risks being seen as redundant,” says Rebecca Fox, group CIO at cybersecurity consultancy, NCC Group.  “This isn’t about cutting IT — it’s about elevating tech leadership into something more strategic and business-critical,” Fox adds.  source

TRS-80, Commodore 64. Early PCs have laughable specifications by today’s standards, but they inspired a lot of creativity. Take Jacob Anderson, owner of Beyond Ordinary Software, for example. He started programming a Commodore 64 as a tween by building character management tools for his Dungeons and Dragons game. The Commodore 64 was an 8-bit machine with the Basic programming language built in.  “I was 11 years old and very isolated in a small town, so I didn’t really have any exposure to the outside world and everything that was happening with the whole personal computer revolution,” says Anderson. “My dad was the janitor at the middle school, so I helped him clean. One evening, he sat me down in a math classroom that had a Commodore 64-style environment, so I started playing Artillery Duel. I noticed a button on the keyboard called, ‘Run Stop,’ and if you hit that key, the program stops executing and becomes a terminal. I hit that key by accident and typed “list” and I saw all the source code. I instinctively understood everything.”  His uncle subsequently helped his family buy a Commodore 64 and peripherals for Anderson, including a dot matrix printer. He became obsessed, spending nearly all his time programming. However, in high school, his progress slowed as he discovered girls and did the things high school kids do. When he went to college on a US Navy ROTC program scholarship at Worcester Polytechnic Institute (WPI), he discovered the program actually ran at The College of the Holy Cross in the evenings, which conflicted with his computer science schedule. Anderson chose to give up his three-year Navy scholarship to pursue a dual major in nuclear engineering and computer science. Since he had to figure out a way to pay for school, he got into the Science and Engineering Research Semester (SERS) program at Los Alamos National Laboratory’s Applied Theoretical Physics Division, which develops novel applications of theoretical physics.   Related:Horizon3.ai Co-Founder Talks Transition From CTO to CEO At the time, Los Alamos was retiring its punch card mainframes and adopting modern software development practices. That was significant because at the time, the legacy software had been written in very old Monte Carlo N-Particle Transport Code (MCNP).   When Anderson arrived for the SERS program, his advisor was John Hendricks, a Ph.D. nuclear engineer from MIT. Hendricks had Anderson running MCNP test problems to validate the physics that the problems were testing.   “I took the SERS program to complete my major qualifying project (MQP) at WPI, which was required for graduation. However, I felt that running test problems was a waste of time, so I voiced my concerns to my WPI advisor, John Mayer, and later to John Hendricks, who didn’t appreciate my attitude,” says Anderson. “As a result, I planned to leave the SERS program and return to WPI to work on a different MQP.”  Related:Chicago’s CIO on Increasing Government Efficiency and Accessibility However, before Anderson could leave, Ken Van Riper, a Ph.D. astrophysicist from Cornell, met with him.   “[Ken] appreciated my perspective and offered me a project he was working on. I proposed developing a full GUI for it, and he let me take the lead. I stayed in the SERS program and completed the project, which became MUD—MCNP User Demonstration,” says Anderson. “MUD was a 3D graphics-based problem setup tool that could create MCNP input files, run MCNP and visualize the output as particle tracks. Nobody had previously developed a complete package with a simple ‘click the button’ approach. After I graduated from WPI, [Los Alamos] hired me as staff.”  Next, he went to work at Bolt, Beranek and Newman (BBN), where he found himself working for the Department of Defense (DoD) again and PRAJA, a dot-com immersive experience company. It focused on 3D visualization tracking of people in complex environments. While at PRAJA, he was the project lead on FOX NFL GameTracker 2000 and PRAJA Football 99. After that, he founded Beyond Ordinary Consulting alongside corporate roles as President of AccessQuery, a web-based job search engine, and XPLive, a SaaS company. He also served as managing partner and later managing director of Totally Evil Entertainment.  Related:Top 5 Decision-Making Frameworks for Effective Leadership Important Lesson CIOs Can Learn Vicariously  One thing Anderson has learned along the way is that military personnel can benefit the tech industry.  “Military personnel are often highly trained, but they’re focused on a very unique niche, and they own that entire niche. Whatever their operational job was, they own it. And that’s somewhat unique, because in the [civilian world], most people take a job for a little while, and then they bounce. They’re very scattered when it comes to their career choices,” says Anderson. “When you deal with technical people you want them well versed in their niche job. And that’s where the DoD comes in very handy, because the people who get that role are going to know it inside, out and backwards. That’s one of the reasons why I wanted to hire DoD people.”  Those who worked for the DoD are very regimented because they must adhere to certain policies and rules.  “Military personnel understand the playing field and limitations. They’re good at limiting themselves, and they also understand large-scale systems on a worldwide scale,” says Anderson. “A defense department in any country is enormous, much larger than entities in the private sector. They know how to compartmentalize and manage complex systems. Most people have a really hard time compartmentalizing at a world scale.”  However, he says cultural IQ is the most important thing CIOs and other organizational leaders must understand and use to their advantage. “Because the DoD is world scale, you get experience with different cultures, different people from different parts of the world. As a result, you must learn to understand individuals from their cultural point of view. Otherwise, you’re just going to be frustrated all the time,” says Anderson. “The military is the same. It’s important to understand the nuances and respect them

Snehal Antani has been tinkering with technology since childhood. His father, an electrical engineer, would give him broken devices and task him with fixing them.   He moved into computer science as an undergraduate, eventually earning his master’s degree. He then worked for IBM and eventually served as CIO for GE Capital and CTO for Splunk. In 2018, he joined Joint Special Operations Command, a division of the United States Special Operations Command, as CTO. He started Horizon3.ai, an AI pen testing company, with JSOC colleague Anthony Pillitiere in 2019.  Here, he describes his unusual career path and how he deploys the skills he learned along the way to facilitate innovation.  Can you tell me about your early tech education?  When I went to undergrad at Purdue, I knew I was going to do computer science. What I love about computer science is that it’s horizontal — so I can apply that to any vertical that I’m interested in. I was interested in stock trading while I was an undergrad, so I was able to write code to learn how to trade stocks. The software programming and systems architecture skills that I picked up could be applied to solve any job.  What did the early portion of your career teach you? I optimized for learning. I used to sit in the hallway in front of my team lead’s office at IBM. He couldn’t see me, but I could see his whiteboard. I would try to understand something he had explained to me. I was too afraid to go in and ask for more information, so I would literally sit on the floor and just stare at it, trying to make sure I understood it in detail.   Related:Chicago’s CIO on Increasing Government Efficiency and Accessibility I wanted to be an expert in distributed systems and enterprise software. The first few jobs I took were all about learning as much as I could in that domain.   I was an awful speaker. I forced myself to become a better communicator. I then moved over to learn how to launch products in product management. I was an awful product manager the first year. But there was no way I was going to get better except by throwing myself into that arena and trying to figure it out.   In 2012 I got recruited to be a CIO at GE Capital. I had never managed anyone before. GE made a bet on me. I learned a lot and I was able to impact the organization as well.  Having a solid technical foundation and being able to communicate well were probably the two most important skills I developed early in my career.  Can you describe a scenario in which you felt out of your depth?  When I was in IBM, there was a customer in Germany struggling with their tech. Their banking system kept crashing. Steve Mills, who was a legendary senior vice president, sent out a message that said, “This customer is struggling. No one can figure out what’s wrong. Who here knows how to fix this problem?” I was a nobody at IBM. I replied directly to Mills and said, “I think I can fix this problem. Send me.”  Related:Top 5 Decision-Making Frameworks for Effective Leadership Once it got there, they were explaining their problem. I had no idea what they were talking about. All I could think was, “I’m going to get fired. I just embarrassed myself and my company.” Suddenly, everything in my brain clicked: every single aspect of enterprise software technology, operating systems, distributed systems. We ended up solving the problem about 90 minutes later.   How has life in the C-suite changed for tech folks?  I remember going into meetings at GE Capital. People thought I was there to manage the projector. Some of those teams struggled to understand the role technology played in creating a competitive edge. GE had just come off gutting and outsourcing the bulk of their technology DNA. Throughout the 2000s it didn’t seem that there was a belief that technology was a competitive advantage.  I think there was a realization that they had gone too far. They started to try to bring in more technical talent. In the mid 2000s through 2015, tech was a back-office function. I believe that’s shifted dramatically, especially now when you think about AI and the advantage you can create using technology. There are certainly CIOs in my network who still view themselves as a back-office function. They don’t want to learn the business. But I believe that type of CIO is in the minority now.  Related:Jacob Anderson, Founder, Beyond Ordinary: Curiosity Fuels Innovation Why did you join Joint Special Operations Command in 2018?  I was 21 when 9/11 happened. I remember this feeling of both helplessness and the desire to do something about it. Was there a multiplier way to affect change — one calorie in causing 10 calories of impact? There wasn’t an obvious way for me to do that. I remember in 2014 watching the rise of ISIS. The desire to make a difference came back at a much more intense level. The Special Operations community had invited me to do some planning sessions with them. How could they increase the velocity of innovation in order to keep up with the adversary?   Terrorist organizations were able to use off the shelf technology — open-source software, cloud computing, drones — to innovate lethal capabilities that were otherwise only available to armies. And so, the question was, how do we accelerate the innovation velocity? A lot of that experience was drawn from my time at GE Capital.  I was able to join as the first ever CTO. For me, it was about purpose and impact. There’s no clearer mission than looking at human beings putting themselves in danger to help others. Anything that we could do using technology to reduce risk to them was an incredible opportunity.  How did you come to found Horizon3.ai?  I met Tony, my co-founder, at JSOC.

It’s normal to feel nervous when you have to make big decisions at work. After all, you never know how things will turn out. Fortunately, decision-making frameworks can help lessen those nerves and boost your confidence. They bring structure and clarity by bringing practical, proven methods that turn chaos into clarity.   For IT leaders, these frameworks support critical thinking, confident action, and smarter choices — even under pressure. Most importantly, they help you cut through the noise and ensure every decision stays aligned with your long-term business goals.  This blog post will walk you through the five frameworks for effective decision-making that can help IT leaders make more informed decisions. Each one is designed to help you simplify complexity and lead with greater impact.   Importance of Decision-Making Frameworks Decision-making frameworks bring consistency and logic to the decision-making process. They help you break things down and focus on the essentials. Here are the benefits of using these frameworks.  Make your objectives clear: Structured decision-making frameworks help you cut through the noise and focus on what matters most, ensuring every decision aligns with your objectives.   Bring teams together: The frameworks allow you to involve the right people and ensure everyone is on the same page.  Related:Horizon3.ai Co-Founder Talks Transition From CTO to CEO Avoid costly mistakes: IT decisions often involve significant investments, such as new software and infrastructure upgrades. The framework helps you assess potential risk upfront and make deliberate choices.   5 Decision-Making Frameworks Every Leader Should Know A decision-making framework provides clarity and consistency to make better decisions. Here are five frameworks that can sharpen your thinking and strengthen your leadership.  1. RAPID (recommend, agree, perform, input, decide)  RAPID is a decision-making framework that helps clarify who is responsible for what when multiple stakeholders are involved.   Each letter in RAPID represents a key role in the decision-making process:   Recommend: The person in this role leads the effort by gathering data, analyzing options, and proposing a well-informed recommendation.  Agree: These stakeholders have to work closely with the recommender to shape the best possible decision.   Perform: This is the individual or team responsible for executing the decision once it’s made.  Input: These contributors offer valuable insights, expertise, or context that inform the recommendation.   Decide: The final authority that makes the call and commits the organization to move forward. This role carries accountability for the outcome.  Related:Chicago’s CIO on Increasing Government Efficiency and Accessibility 2. SPADE (setting, people, alternatives, decide, explain)  The SPADE framework breaks down each step of the structured decision-making process so that you can reach an informed and critical conclusion. It’s especially helpful when decisions involve multiple teams, limited time, and high visibility.   Each letter in SPADE represents a crucial phase in the decision-making process:  Setting: Define the decision’s scope, goal, and constraints.   People: Identify and engage relevant stakeholders such as decision-makers, influencers, and executors.  Alternatives: Generate options related to the decision based on criteria like cost, security, and scalability.   Decide: Evaluate all options and select the best course of action. You can avoid negative consequences and bias through objective methods like private voting.  Explain: Clearly document and explain the rationale behind a decision to ensure alignment across teams and maintain accountability for outcomes.  3. OODA loop (observe, orient, decide, act)  The OODA loop is a four-step approach to decision-making that focuses on filtering available information, putting it in context, and quickly making the most appropriate decision.   Related:Jacob Anderson, Founder, Beyond Ordinary: Curiosity Fuels Innovation The word OODA stands for:   Observe: Monitor system performance, team dynamics, and industry trends to gather relevant and timely data.  Orient: Analyze the information you have collected to understand the context, challenges, and opportunities.  Decide: Based on your analysis, choose the most effective course of action.  Act: Implement the decision quickly and efficiently. Once action is taken, the loop restarts—each decision and outcome creates new conditions to observe and evaluate.  4. Eisenhower Matrix The Eisenhower Matrix is a task prioritization technique that helps make decisions related to tasks. It helps you organize tasks into four quadrants, based on the urgency and importance, and suggests appropriate action for tasks in each quadrant. It ensures that essential tasks are completed first, contributing to the success of projects and goals.   Here is what the Eisenhower matrix includes:   5. Decision Tree A decision tree is a graphical representation that helps IT leaders map out the possible outcomes of different decisions. It helps leaders assess risks, rewards, and the potential consequences of each choice before committing to a path. Decision trees are most useful in complex decision-making processes where multiple scenarios are involved.  Conclusion IT leaders deal with tough decisions every day. Which project should be prioritized? Should we adopt new tools or improve the existing ones? Who should get what tasks? To handle these challenges, leaders can use frameworks for effective decision-making like RAPID, SPADE, OODA, Eisenhower Matrix, and decision trees. These tools help bring structure and clarity to tough decisions, making it easier to move forward with confidence in a fast-changing business world.  source

Nick Lucius has spent his entire career in government service. He has put his skills as an attorney and data scientist to work in several roles with the City of Chicago. Last year, he was confirmed as the city’s CIO, heading up the newly formed Department of Technology and Innovation.   “I’m proud of what we’re doing in Chicago … saving significant amounts of money by being more efficient,” Lucius tells InformationWeek. “We’ve saved $6 million already in 2025, which is a significant part of our budget. But [we did] so without a reduction in the delivery of services to humans.”   He talks about how he built his career and how he is aiming to increase both efficiency and access to services for Chicagoans.   Law and Computer Science  Lucius plays guitar and piano. His early career ambitions focused on music but shifted to politics and government. During his undergraduate years at Ohio State University, he worked for the Ohio Statehouse.   “I was just really interested in the power of the justice system and how just how much having an advocate can really make a difference in that,” Lucius shares.   That interest led him to law school. He attended DePaul University, a choice that was driven by its location. “Chicago, I chose for the city. I absolutely love the city,” he recalls.   Related:Top 5 Decision-Making Frameworks for Effective Leadership Lucius earned joint degrees in law and computer science. His original intention was to pursue patent law with an interest in technology issues.   Nick Lucius While his career took a different path, his skills in computer science and law have served him well. “If I learned anything in the law, it was that having someone articulating as an advocate on behalf of a cause can do so much to move us toward progress,” he says. Armed with the ability to shape a narrative and champion a cause, Lucius has seen how technology can breathe life into those visions.   “On the technology side, I can then build and say, ‘OK, now we’re going to implement a system … We’re going to create something. We’re going to put something out there that wasn’t out there before to move this cause forward,’” he says.   A Career in Government  Lucius had those plans for patent law, but he graduated around the time of the Great Recession that began in 2007. Law firms weren’t hiring. But, as it turns out, the City of Chicago was. He got his start as assistant corporation counsel in the city’s Department of Law, focusing on foreclosures and abandoned buildings.  “As soon as I started doing that, I forgot about everything I went to school for, and I spent about 10 years in litigation trying to help out the people of Chicago,” he says.   Related:Jacob Anderson, Founder, Beyond Ordinary: Curiosity Fuels Innovation After all those years of litigation, Lucius’s interest in technology began to resurface. “I also noticed that in my legal cases I had to do a lot of digging into city data systems and city technology systems in order to get my evidence,” he recalls.   He saw how modernizing city systems and connecting those systems across departments could make a big difference in the lives of residents. That spark got him back to his technology roots. He started taking on community projects and volunteer coding classes to hone his skills.   That reinvigorated interest in technology lead to roles as a data scientist with the city and then chief data officer and CTO with the office of the mayor.   Spearheading a New Department  As Lucius moved through each of these roles and now in his position as CIO, he increasingly took on leadership responsibilities.   “I’m a builder by nature. And so I always love to roll up my sleeves and get into a problem,” says Lucius. “I find myself in the role now more often of … people [looking] to me for inspiration … leadership and vision.”   As the head of the department of technology and innovation, Lucius and his team have responsibilities for a vast array of systems that support the third-most populous city in the country.   Related:How to Keep a Consultant from Stealing Your Idea “We do so much: everything from supply the drinking water, pumping billions of gallons to not just Chicago but 125 cities in the area coming from Lake Michigan. Two major airports, international airports, 250 square miles of roads and sewers,” Lucius notes. “What we do is so massive, and one of the first orders of business when we got started was, we have a lot to just maintain and support.”  Lucius leads a team of 75 people, which is slated to grow to 150 by the end of the year. In addition, he works with a large network of vendors and consultants that support the city’s IT systems.   The team is organized into different groups: planning, delivery, support, and cybersecurity. “When someone comes and says, ‘Hey, Nick, I need some help. I need a new website. I need a new app. I need you to solve this problem for me.’ We’re going to plan it. We’re going to build it. We’re going to deliver it. After that, we’ll support it, and we’ll make it’s safe and secure.”  Lucius spends the majority of a typical day, up to 75% of it, in collaboration spaces. He is talking to team members, attending events, working to ideate. The remainder of his day is spent thinking about the future.   “What’s happening with AI? Where are we going with quantum computing here in Chicago? What’s our innovation play right now?” he asks.   As any CIO knows, not every day is a typical one. Systems go down. Fires have to be put out. Lucius was just a few months into the CIO role when the CrowdStrike global IT outage hit last year, impacting Windows machines across the city.   “Those kinds of days, when they come … it could be the only thing I do from the moment I wake up

Almost 30 years ago, the Health Insurance Portability and Accountability Act of 1996 went into effect to protect the use and disclosure of personal health information. But with a new regime in town, companies are watching closely to see what changes could be in the works under US Department of Health and Human Services (HSS) Secretary Robert F. Kennedy, Jr. HIPAA‘s primary goal is assuring that individuals’ health information is properly protected, while allowing the flow of health information needed to provide high-quality healthcare to remain safe and securely accessible. The act strikes a balance that permits important uses of patient information while protecting the privacy of people who seek care.  Kennedy became HHS secretary in February and is responsible for administering and overseeing all HHS programs, operating divisions, and activities. Kennedy has yet to make any formal announcements about HIPAA’s future course, but that hasn’t stopped healthcare industry observers from speculating about possible future moves, especially as the agency plans to cut as many as 20,000 jobs as part of the Trump Administration’s efficiency efforts. Early Signs of Changes to Come? So far, no communication has come from HHS about HIPAA specifically, says John Zimmerer, vice president, healthcare, for customer experience platform provider Smart Communications. “Secretary Kennedy has put the agency’s initial focus on understanding the causes of and improving the treatment of chronic diseases, as part of his ‘Make America Healthy Again’ movement,” he observes in an email interview.  Related:Breaking Bread: Do You Understand Your Data? Nonetheless, a few policy announcements could impact HIPAA specifically and health privacy in general, Zimmerer says. Most importantly, HHS has reversed a policy regarding the federal rulemaking process that requires getting input from the public. “Previously, HHS would notify the public about proposed rules and seek input on proposals before finalizing them,” he explains. “By rescinding the Richardson Waiver at the end of February, that appears to no longer be the case.” The waiver guaranteeing public participation in federal rulemaking has been in use since 1971, but following Kennedy’s announcement in February, exemptions for public input could be won more easily. In late December, prior to the new administration and Kennedy’s appointment, HHS issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule “to strengthen cybersecurity protections for electronic protected health information (ePHI).” Public comments were filed by March 7 and currently are being considered. Related:CIO Joel Klein and the Intersection of Medicine and IT Industry groups sent President Trump and Kennedy a letter asking them to rescind updates to the HIPAA security rule. Zimmerer says it’s unclear what the outcome of the proposed rule changes will be. David White, president of Axio, a cyber risk management provider, believes the healthcare industry is facing a crisis it’s not prepared for. “The proposed updates to the HIPAA Security Rule are a direct response to a problem that’s been growing unchecked for years,” he warns in an online interview. “Healthcare organizations aren’t prepared for the sophistication or scale of today’s cyber threats,” White says. “While compliance frameworks like HIPAA set a foundation, they have historically been reactive, evolving only after a crisis.” He points to the recent Change Healthcare breach in February as the latest example of how fragile the current system really is. Making Changes  “Considering his libertarian leanings, and that the process to update HIPAA actually started during the first Trump administration, I suspect that Secretary Kennedy would be in favor of strengthening privacy protections,” Zimmerer says.  Under the proposed HIPAA Security rules, healthcare organizations would be held to a higher standard of cybersecurity, unless the final rules are changed. New HHS leaders will probably promote more robust HIPAA protections, particularly regarding online health data and patient privacy, says Bill Hall, CEO of OurRecords, a provider of compliance and quality-assurance offerings for businesses in highly regulated industries. He anticipates the arrival of AI-powered tools and deeper regulations on companies’ collection, storage, and data sharing. Related:DOS Won’t Hunt: Breaking Bread — New Tech for Legacy Ops “Patients will probably get more control over their information, and businesses will face tougher compliance standards,” Hall says in an online interview. The upcoming changes will affect marketers, insurers, hospitals, and entrepreneurs, he adds. “Consumers will gain more privacy protection, but companies will have to change,” he predicts. The hardest aspect will be maintaining security without stifling tech innovation. “If the rules are clear and practical, they will help build trust in digital health without slowing progress. Cybersecurity Mandates Needed  Stronger mandates are necessary, but they shouldn’t be viewed as a silver bullet, White warns. Cybersecurity isn’t about checking boxes — it’s about understanding the full attack surface. “Threat actors don’t care whether an organization is a covered entity or a business associate — they exploit the weakest link. That’s why these regulations finally address third-party risk, requiring vendors to verify their security controls annually,” he states. Yet, even with new requirements, many healthcare organizations will still find themselves playing catch-up.  Implementation will come through updated regulations, more enforcement actions, and possibly new guidance for healthcare providers and tech companies, Hall says. “HHS can [also] tighten restrictions on data sharing with third parties, increase audits, and fortify consent regulations,” he observes. “Businesses handling health data — whether in healthcare, insurance, or IT — must evaluate their processes to ensure compliance.”  Going Beyond Compliance  Compliance should be the floor — not the ceiling, White says. “Organizations need to go beyond what’s required by focusing on continuous risk analysis, rapid response capabilities, and a security culture that prioritizes resilience,” he advises. “Because in healthcare, a cyberattack isn’t just an IT issue — it’s a patient safety crisis waiting to happen.”  source

Joel Klein, MD, senior vice president and CIO of University of Maryland Medical System, did not start his career in IT. He practiced as an emergency medicine physician, thriving in that chaotic and demanding environment. In the early days of electronic medical record systems, he started looking for ways to leverage data to understand performance in his hospital group. When it came time to upgrade the health system’s EMR systems, he was tapped to lead that process.   “That’s really what started accelerating that part of my career, and from there it was just one thing leading to another, and I became our CIO. I’ll have finished six years in July,” Klein shares.   He started his career in emergency medicine at North Arundel Hospital in Maryland. In 2000, that hospital joined the University of Maryland Medical System. Today, that system has 11 hospitals. As CIO, Klein has a team of 800 people, plus consultants.   He tells InformationWeek about the early days of his career, navigating the fallout of a third-party ransomware attack during COVID, and the satisfaction of being able to deliver impactful IT solutions.   From Emergency Medicine to IT  Klein discovered a passion for medicine in college. He worked a series of work study jobs, one of which happened to be as a student athletic trainer. “That was my first exposure to really taking care of people,” he recalls.  Related:Breaking Bread: Do You Understand Your Data? He found his fit in emergency medicine. As he started to take on more IT responsibilities while still practicing, Klein felt himself pulled in two different directions.   “At first when I became the CIO, I didn’t want to stop seeing patients. I had done all this training. and I liked working in the ER,” he explains.  Joel Klein, MD So, he would split shifts in the ER with his colleagues. He started his day seeing patients at 5 a.m. and then went on to begin his day as CIO at 8 a.m. or 9 a.m. He worked like that through the initial years of COVID, seeing patients into 2022. But that split became unsustainable. He has a family, and the physical demands of being an ER doctor became hard to ignore.   He envisions the rest of his career in IT, but he sees ways in which his experiences in medicine and IT complement each other.   “I really don’t think they’re different roles at all,” says Klein. “It’s huge variety from meeting to meeting or patient to patient. It’s the kind of variety that some people would call whiplash where you have to quickly code switch from issue to issue or stakeholder to stakeholder very, very quickly. But I’ve always loved that.”  Related:DOS Won’t Hunt: Breaking Bread — New Tech for Legacy Ops A Day in the Life   Klein is still an early riser. He starts his day around 4 a.m., reading the news and catching up on email. By 7 a.m., he might be on the phone with the health system’s compliance team or its CTO. After that, he’s in the car heading to one of the system’s hospitals. Throughout the day, he will be talking to plenty of different people and teams who make a hospital run: the head of the OR, other executives, other IT workers, lab leaders.   “There are so many different walks of life and experts and professionals and therapists and clinicians and business folks in a healthcare organization, and you’re responsible for their ability to do their job,” says Klein.  CIOs in any industry need to be able to understand the needs of different positions and their workflows, but this can be particularly challenging in health care given the complexity and diversity of roles.  “Add on the fact that you’ve got a lot of really opinionated people; doctors and nurses are not known for being shy about telling you what they think and what they need,” says Klein. “Sometimes that’s great because when you can deliver what they want, it’s really gratifying. But sometimes it feels like they’re asking for magic, and you can’t always do that given all the constraints.”  Related:Kellanova Chief Data & Analytics Officer: Collaboration Is Key to Success Resource constraints are a constant challenge, especially in an industry that is still working through the aftermath of a pandemic.   Navigating a Major Incident   Not every day for a CIO is typical. There are days, and weeks, devoted to handling the unexpected.   In December 2021, Ultimate Kronos Group was hit with a ransomware attack, impacting its customers’ payroll, staff attendance, and timekeeping capabilities.   “So, we had to stand up a way of tracking time: clock in, clock out time for 30,000 employees during the holidays, during COVID,” says Klein.   That ordeal stretched out over six weeks, a total of three pay periods. Within two weeks, IT was able to get a backup time and attendance system in place, Dr. Klein shares.   “[It meant] standing up a whole new piece of infrastructure and connecting it to the thousands of [time and attendance] clocks that we have all over Maryland,” he says. “Then, we had to convert everything back over after the third pay period when our systems came back online.”  The Best Part of the Job   Much of a CIO’s role is invisible to other people in the organization. That is until something goes wrong. But there are some opportunities to bring new developments into the hospital that make it easier for people to do their jobs.   Right now, Klein’s team devoted to new technology is working on a project to place video screens in operating rooms. The screens display information on patients, current procedures, and other case details. “It’s the scoreboard and the current status of the case,” says Klein. “It can be incredibly helpful to orient people back to these fundamental safety attributes to the case you’re doing. So, the feedback that we’ve gotten from our surgical team on that has been fantastic.”  The team is currently figuring out how to bring this technology to the

Mark Houpt first discovered his technological talents while rewiring a computer lab in high school. He later entered the US Navy where he served as a cryptologist and then moved to the private sector, where he worked his way up from being a help desk tech to the C-suite. He now serves as CISO for DataBank. The company operates dozens of data centers nationwide.  Here, he describes how he got into tech and offers his unique view of the current tech landscape in a conversation with InformationWeek.  How did you start out in the tech space?   I was asked to pull cable and help build a computer lab in high school in the late 1980s. It was a typing lab designed for young ladies to learn how to be secretaries. We wanted to upgrade it to be more inclusive.  I joined the Navy in 1991 and was a cryptologist for four and a half years. They sent us through what’s called A School and C School — intensive training on how to do our jobs.  Once I got out, I still didn’t have a degree. I progressed in my career through certifications and hands-on learning. I got my master’s degree in information security and assurance. That was my first formal education. I continue to do certification and hands-on learning.  What were your early roles in the private sector?  Related:Breaking Bread: Do You Understand Your Data? I went to work for a healthcare entity. I was on the help desk. HIPAA came out. They were up in the boardroom one day trying to figure out how to deal with that. Somebody mentioned that there was a kid down on the help desk who said that he used to do cryptography. They pulled me up to the boardroom to have a conversation. That re-engaged my technology and security career.  Mark Houpt, DataBank I’ve always incorporated security into my roles, even when it wasn’t popular. I was a CTO at a university in Illinois, and we had collateral duty. We added my CISO title to that. That was important, because the Department of Education came out and started leveraging on a number of security requirements during that period of time.  How did you land the CISO role?   I’ve been at DataBank for 10 years as the CISO. Technically, I started this portion of my career as CISO of a company called Edge Hosting, which was acquired by DataBank. I started there in January of 2015. Edge Hosting was acquired in 2017. I remained as the CISO of DataBank because they didn’t have one. We’ve grown the company from two data centers and 60 employees to 73 data centers and almost 1,000 employees.   The types of customers that we service are completely different. Ten years ago, we were servicing small mom-and-pop type companies that wanted to go to the cloud. Now we’re working with name brands, companies that are using co-location space. We’re selling entire data centers to one company.  Related:CIO Joel Klein and the Intersection of Medicine and IT Is the leadership aspect challenging? There is a narrative in the industry that tech skills and people skills don’t necessarily go hand in hand.  I don’t find leading people to be difficult. It is just another skill set that is important if you want to move beyond being an average technologist into an upper-level technology position. If you want to be a good security architect, you have to be able to interact and work well with others. You have to be able to sit down with people who don’t know technology and speak their language in order to translate what they need into security. You need to be able to sit down and work with customers, most of whom don’t know anything about security or even about technology.   The Navy gave me a great start. As you increase in rank in the Navy, they make you become a people leader, whether you like it or not. Either you take the instruction and you alter your course, or you don’t. If you don’t, you don’t succeed.   So, leading people has not been difficult for me, but I have seen people over and over again who don’t refine their people skills. That always results in problems — people being dictatorial and rubbing people wrong. It’s a skill that you have to refine and build. Leadership is not something you’re born with. It’s something you develop.  Related:DOS Won’t Hunt: Breaking Bread — New Tech for Legacy Ops Do CISOs and other tech execs encounter challenges in communicating with their peers in the C-suite?  I’d be lying to you if I said it wasn’t somewhat of a problem. I firmly believe that the breadth and depth of the problem is firmly on the shoulders of the CISO. Are they capable of creating a sense of urgency and a sense of need for the business?   If I don’t understand the importance of risk and balancing that between the business and the security needs, then I’m failing my company in doing so. I took it upon myself to get an education on how to deal with finances. If you want to succeed as a CISO in a larger-scale business, that’s what you have to do.  What are some of the challenges facing a CISO today? Are there things in the industry that need to change?  We’ve been following a mindset of don’t ever let a crisis go to waste in order to get more people, in order to get more technology. Every time there would be just the slightest bit of ransomware that hit the corporation, we would take full advantage of that. The challenge we’re dealing with right now is security fatigue.  We have to change how we deliver our message — how it’s going to help the business. The other thing is that CISOs have to realize that we can do security on a budget. We could do it really well if we just implemented good security

A great IT idea is as good as gold. That’s why an unscrupulous consultant may decide to take one of your organization’s original methods or practices to another client — perhaps even a rival — without first asking for permission.  While most consultants play fair, issues do sometimes come up, observes John Pennypacker, a vice president at AI technology firm Deep Cognition. “Someone working at your office learns your methods on Monday — by Tuesday those same tricks might help another client,” he says in an online interview. Tech companies face the biggest danger. “Your special formula or unique program code gives you your market advantage.”  Most consultants are professionals who play by the rules, but idea theft still happens, says Adhiran Thirmal, senior solutions engineer at security service and technology provider Security Compass. “Some consultants work across multiple companies in the same industry, and the temptation to reuse a good idea is real,” he warns in an online discussion. “It’s not always malicious — sometimes they don’t even realize they’re crossing a line.” That’s why ensuring legal protection and building clear communication channels upfront are important.  Proving Originality  It’s all about holding onto detailed documentation, Thirmal says. “Keep track of emails, meeting minutes, whiteboard sketches — anything that shows when and where the idea was created,” he advises in an email interview. If it’s a major innovation, consider filing for a patent, copyright, or trademark to establish official ownership. “Even small things, such as internal Slack messages or version histories, can serve as proof, if needed.”  Related:MIT Sloan CIO Symposium to Showcase 10 Startups Focused on CIO Needs Before engaging a consultant, be sure to put protections into place, recommends Iliyan Paskalev, founder of MyHumanoid, a robotics and humanoids information website. “Clearly define within the contract that all ideas, strategies, and materials shared remain the property of your organization,” he notes in an online interview. Paskalev also suggests closing any loopholes by using work-for-hire agreements explicitly stating that any contributions made by the consultant belong to your company.  Preventive Steps  The best defense is a good offense, Thirmal says. Before sharing any sensitive information, get the consultant to sign a non-disclosure agreement (NDA) and, if needed, a non-compete agreement. “These legal documents set clear boundaries on what can and can’t do with your ideas.” He also recommends retaining records — meeting notes, emails, and timestamps — to provide documented proof of when and where the idea in question was discussed. “If possible, develop key parts of the idea internally first before bringing in outside help.”  Related:How CIOs Can Prepare Their Successors Control what the consultant can see, Pennypacker advises. “Share only what they must know to do their job,” he says. Document everything. “Keep emails, notes from meetings, and early drafts — they prove where ideas started.” Pay close attention to what the consultant or consulting team do daily. “Make sure they follow the rules you set.”  Move fast when you see your ideas being stolen, Pennypacker says. “Look for certain danger signs.” Has a product like yours appeared after your project ended? Did your methods show up in competitors’ offerings? Has the consultant broken the secrecy agreement? These signs all indicate it may be time to consult a lawyer.  Remediation Actions  If a consultant takes an idea and commercializes it, or shares it with a competitor, it’s time to consult legal counsel, Paskalev says. The legal case’s strength will hinge on the exact wording within contracts and documentation. “Sometimes, a well-crafted cease-and-desist letter is enough; other times, litigation is required.”  If you suspect a consultant has taken your idea and used it elsewhere, gather all of the evidence — emails, agreements, and meeting records, Thirmal recommends. Then, try to address the matter informally. “If that doesn’t work, and the stakes are high — such as lost revenue or competitive advantage — it’s time to bring in a lawyer,” he suggests. “If they broke an NDA or misused proprietary information, you may have legal grounds for action.”  Related:Ask a CIO Recruiter: Where Is the ‘I’ in the Modern CIO Role? Compensation depends on the amount of damage inflicted. “If the theft results in a loss of market advantage, organizations can demand licensing fees, royalties, or outright financial damages,” Paskalev says. “In some cases, businesses have successfully negotiated settlements or forced a buyout of their stolen IP rights.”  Last Thoughts  The best way to protect ideas isn’t through contracts — it’s by being proactive, Thirmal advises. “Train your team to be careful about what they share, work with consultants who have strong reputations, and document everything,” he states. “Protecting innovation isn’t just a legal issue — it’s a strategic one.”  Innovation is an IT leader’s greatest asset, but it’s also highly vulnerable, Paskalev says. “By proactively structuring consultant agreements, meticulously documenting every stage of idea development, and being ready to enforce protection, organizations can ensure their competitive edge.”  Pennypacker has one final bit of advice: “Guard your company’s thinking like you would guard its bank account.”  source