It used to be so simple. Individual IT chiefs had free rein to decide what IT kit to buy and what level of security they needed to support the business.
Today, IT is hounded by business legislation from all sides, with modern regulations – such as Sarbanes-Oxley, MiFID and the Data Protection Act – all carrying a heavy technology element. Add the legal ramifications of data theft, cyber-squatting and security breaches, all of which can leave company reputations in tatters, and the chief information officer (CIO) suddenly seems to be shouldering a hefty amount of legal and business risk.
The managing director may be ultimately responsible for any security or compliance breach, but the CIO’s head is likely to be served up on the sacrificial chopping platter as a garnish. Roger Bickerstass, joint head of IT sector group at law firm Bird & Bird, says he does not think all IT directors and CIOs are fully aware that they are working in an increasingly regulated environment. ‘The freedoms of setting up PCs on desk and licensing in a relatively unconcerned manner are long gone,’ he says.
So today’s IT director needs to add legal expertise to their arsenal of first-class IT, people management and business skills. And many IT directors are beginning to feel the changes, says Alan Herd, IT manager at law firm Anderson Strathern. ‘In the past couple of years, more and more of my role has moved away from technology towards legal issues and compliance.’
Added responsibility
While large firms usually have internal legal and risk teams, in small and medium-size firms far more responsibility falls on the IT director’s head. ‘In my last role in financial services, we had a large audit and risk team and there were people supporting the framework. We have 260 staff at Anderson Strathern, so I have to do roles that other people did before,’ says Herd.
Obviously, working in a law firm means Herd has an enviable amount of expert help on hand, but for other IT chiefs in medium-sized companies, such as Mark Beattie at London Waste – see case study, 20 – that internal help simply is not there. Even large organisations with their own legal teams do not always have IT law experts in-house.
While Enron and 9/11 have played their part in raising compliance and legal issues, this is also simply a sign that IT is growing up. ‘CIOs are now right in the middle of business and that is where they wanted to be,’ says Simon Briskman, technology law partner at legal firm Field Fisher Waterhouse.
Just as they had to learn business lingo, they must now become legally astute.
Every board member needs a broad understanding of the law, human resources (HR) issues and finances that govern their departments. ‘It is symptomatic of the industry growing up,’ says Bickerstass. ‘The financial director has always needed to know a lot of law and now the IT director needs it as part of his skillset.’
But while HR and finance directors will cover legal issues as part of their professional training, there is not an IT equivalent. Recognising the growing legal dimension to the CIO role, the BCS is seeking to fill the gap, introducing an IT Law qualification to give IT professionals a broader understanding of the legal issues affecting them.
For one thing, having basic legal knowledge can help IT chiefs understand when they need outside legal help and will help them get the most out of legal discussions. Briskman says CIOs need to know enough to be able to make an assessment and to know when to ask for advice. ‘If you talk to a specialist, it would be a real benefit if you understand some of the issues,’ he says.
But having a passing legal knowledge can also be a good career move. IT, in the same way as the finance and legal departments, is a support service with feelers into all business units, says Briskman.
‘I’m not sure the marketing department or HR touch on other areas of the business,’ he says. ‘CIOs, lawyers and accountants reach into lots of areas of the business. So they can really appreciate different areas and place projects on a business agenda.’
Arguably, IT gets closer than any of the other support functions, which means the CIO can carve out a vital role as a link that can broker communications between different business groups.
‘The CIO is a facilitator,’ says Briskman. ‘I understand the law better than him and he understands the range of solutions and constraints, so he needs to be in a position to learn what the legal position should be, but also needs to get under the skin of business people to understand the real needs.’
Being the person who proactively talks to the business, finds out its biggest areas of risk and keeps an open dialogue with the legal department presents a huge opportunity for IT to raise its profile.