The Evolving CIO, Boards and CyberSecurity with Patricia Hatter


In this episode, I’m joined by Patricia Hatter. Patricia has served as the CIO of McAfee, on the boards of two publicly traded companies and is an advisor to a number of other companies.

We discuss Patricia’s perspective on the evolving Chief Information Officer (CIO) role and boards. During our discussion, we cover several of the challenges facing executive teams and her take on where cybersecurity plays a role.


Patricia Hatter LinkedIn:

Patricia Hatter Twitter:


Barrick Gold:


Podcast Episode

Episode Transcript

Tim Crawford:               Hello, and welcome to the CIO In The Know podcast, where I take a provocative but pragmatic look at the intersection of business and technology. I’m your host Tim Crawford, a CIO, analyst, and strategic advisor at AVOA. Welcome to episode number one. This week I’m joined by Patricia Hatter, who is the former CIO for McAfee, serves on the boards of two publicly traded companies, and is an advisor to a number of other companies. In this inaugural episode, we talk about the evolving role of the CIO, the CIO engaging with the board of directors, and cyber security.

Tim Crawford:               So thanks again for joining us for another episode of CIO In The Know. I’m Tim Crawford, and today I’m joined by Patty Hatter. Welcome, Patty.

Patricia Hatter:             Thank you Tim. Great to be here.

Tim Crawford:               Patty, you are the former CIO for McAfee, served on a couple of public boards, and an advisor to a number of groups and startups. That’s quite a background.

Patricia Hatter:             I’ve been very fortunate. Very fortunate.

Tim Crawford:               Well I’m glad that you’re taking the time to join me today as part of the discussion. Let’s just jump right into it. You’ve had the fortune to work with a number of great companies, from the CIO role and other roles. What’s different about the CIO role today?

Patricia Hatter:             It’s interest, because my view is when you look at IT organizations a few years ago, there was much more of an ability for CIOs to be in more of a command and control role. They were the center point for the technology that the enterprise would be using, people had to … All the other functions had to come to IT, and it allowed IT in a way to be a bit lazy in how they were developing relationships across the organizations, how they were figuring out models to really draw collaboration of partnership in a team with a different function.

Patricia Hatter:             I think, my view is, with so many SAS and cloud options to day, you see it so much in organizations where if one part of a company feels like they’re not getting supported by IT, they literally are able to go off with a vendor or two and drive their own technologies, and then IT’s left holding the bag if something doesn’t work well, they have to jump in and help sort it out. That leaves a bad taste in people’s mouth. They’re not getting engaged until there’s a problem, so it really … with the speed of the technologies now, and how much other parts of the business want to be driving and really focusing on new capabilities, getting enabled as quickly as possible, it really makes it incumbent on the CIO to drive an organization that is centered around being flexible in how it works with the rest of the business, centered on a collaboration model, and centered on really taking risks with some of the new technologies and teaming with different parts of business to find ways to make them successful.

Patricia Hatter:             Whether it’s other business functions like sales or finance or support, or on the product development side, but that collaboration level of flexibility really has to start with the CIO. I see that as such a difference with where organizations were a few years ago.

Tim Crawford:               Do you think that those outside of the CIO see it that way today?

Patricia Hatter:             Usually no. Usually no, and that’s part of the problem. Maybe this goes in the category of life isn’t always fair, but you have to deal with what you have. So in that spirit, I think the bulk of the responsibility of building those relationships and building that collaboration and building that flexibility between IT and the rest of the business, is on the shoulders of the CIO and IT. That the CIO has to be the one really setting the stage of “Hey, it’s our responsibility to reach out, to understand the rest of … what sales is doing, what the product teams are doing, what support’s trying to do, what finance is trying to do.” And meet people further than in the middle.

Patricia Hatter:             It’s really IT’s responsibility to get that understanding, build those relationships, and that might not seem a hundred percent fair because maybe everything should be 50/50, but it’s just not the case. If the CIO isn’t setting the table in that way and really setting that tone, the rest of IT isn’t going to do that and the rest of the organization isn’t going to take the time to try to. If you don’t have that trust and willingness to work together, it’s … that’s always going to be bad news for the CIO.

Tim Crawford:               So if we look beyond the CIO role itself and look toward the rest of the C-suite, how should … from your perspective, how should the rest of the C-suite look at the CIO role? What’s the opportunity for the CIO as they start to build those relationships with the rest of the C-suite?

Patricia Hatter:             I think that there’s … Well, a couple things. Maybe stepping back a second, I think for CIOs to really be able to do this, and Tim I know you and I have chatted about this a bit in the past, I personally feel it’s super helpful for CIOs to have more experience than just in IT. I think having a broader set of experiences in roles across the company, in different companies, really helps CIOs and then CIOs help the rest of their IT team to figure out how to best relate with their peers across the company.

Patricia Hatter:             So one thing I always advocate for, folks that are growing up in IT or for sitting CIOs, is to look at opportunities across the company. How can you even take even lateral positions to build your breadth of experience, because that in the end, that’s gonna make you better in doing your … a variety of IT roles, but also give you a way to progress to other roles outside of IT as you continue to progress your career.

Patricia Hatter:             I’ll use myself as an example. I had … I mean, my career is anything but a straight line. I started off in [inaudible 00:07:47], started … Moved to Europe, started a new business unit, ran a PNL, ran service and sales, then moved to … when I left AT&T, then moved to Cisco and ran large transformation programs across the company. Came to McAfee in a head of operations role, then had the CIO title added, then the CIO of intel security, plus a bunch of other intel responsibilities. And then moved back to a PNL role after my CIO stint where I headed up services. That was a great connection because I was able to show how using my skillsets and understanding of what really makes CIOs and IT organizations tick, why are they buying what they’re buying, how to best create a unique value proposition, I brought my CIO skills to that different role.

Patricia Hatter:             So I always advocate both in being the best CIO that you can, having those other skills, and then also once you have those other complementary roles and experiences outside of just IT, that allows you to continue into other roles after IT as well.

Tim Crawford:               Looking beyond that, kind of throw a sideways question to you. There’s been talk about which makes a better CIO. A CIO that has come up through the rank and file of the IT organization, and then as you mentioned starts to get experience from beyond the IT organization, or someone that comes from outside of IT that comes in to lead IT. Which of those two do you think, as you look forward and think about the future CIO, which of those two directions do you think, or maybe neither, serves the company best?

Patricia Hatter:             I think there’s never just one path. Each individual’s a little different and brings a different personality, even if they have the same skillsets, brings that different personality to the table. I just wouldn’t say that if you didn’t have anything but IT experience, you’re destined to be a bad CIO. You can build up those muscles in different ways, those different skillsets.

Patricia Hatter:             But I think you give yourself the best option, the best opportunity, the best skillsets, the biggest breadth of understanding, how the company really works, if you have skills that you’ve honed in roles outside of just IT. Maybe I’d put another qualifier on that. If a company’s really focused on using their CIO and IT organization to drive bigger transformational changes, because that’s not always the case. A company can’t always be in the mode of “Hey, I’m turning things upside down. We’re in a desperate situation, we need to make big, bold changes.”

Patricia Hatter:             Organizations just don’t, year over year, live in that. It ebbs and flows. I would say especially when a company’s really in need of large changes, that’s when you want somebody who’s either inherently has the personality and the connections and the synthesis of how to draw that collaboration, prioritization, flexibility, and working model, with the rest of the business, then that would work. But the bigger the transformation a company has to go through, I’d really say the more important it is for the CIO to have a broad set of skills, not just IT.

Patricia Hatter:             If the company’s more focused on “Hey, we need to go through a couple years of just managing the cost down, absorbing the changes that we’ve already made, we’re focused on other product changes right now, not so much internal business changes,” then more straight-up IT experience is going to be very helpful in situations like that.

Patricia Hatter:             So there’s never just one way, but maybe different characteristics that would bode better depending on the situation that the company’s in.

Tim Crawford:               You highlighted a couple of other things, too, which I wanna bring up. Which has to do with the individual, and the importance of the individual and where they are, and what they’re capable of. But it also talks to their understanding of the other roles. When you think about the C-suite …

Patricia Hatter:             Completely.

Tim Crawford:               Think about the role of the CEO, the role of the CMO, the role of the COO, kind of getting … not getting in their head, but in a way getting in their head and understanding “Okay, so what is it that my CEO is concerned with, and how do I start to play along those lines so that I can be more valuable to the rest of the C-suite?”

Patricia Hatter:             I personally think that’s so important because a CIO will never have all their peers and their CEO boss give them a list of “Here are my priorities, here’s exactly what I’m thinking. Here’s how I prefer we work together, this is all thought out and completely organized.” It just doesn’t happen that way.

Patricia Hatter:             So I feel very strongly that the more the CIO, and this gets to CIOs have to meet people more than halfway down the road. The more the CIO is able to understand what’s really driving the worries of the head of sales, of the head of support, of the head of the product teams, what are they really concerned about in the next quarter, in the next two quarters, also in the next fiscal year; the more you can relate to that, the more you’re able to really add value in “Hey, okay, if this is where the worry is, if this is the risk for your organization or the company unfolding over the next two quarters, here’s what IT can do from our perspective. Here’s how we can help speed up these capabilities. Here’s how we can drive more costs down in this area.”

Patricia Hatter:             Maybe it would ramp up or down the risk, but then that’s a conversation to have. I personally feel the more the CIO is able to really relate to what their peers are dealing with, what they’re worried about, what they’re afraid of going forward, what they’re worried for their own organization or themselves, that’s what gives the CIO really a lot of credibility, power, ability to drive change and ability to put their organization in a position to be much more of a supporting collaboration partner, and not just somebody where “Hey, I need you guys to deploy X, Y, or Z. Tell me when it’s done,” kind of thing.

Tim Crawford:               You’re really talking about an IT organization that is A) proactive, and B) speaking in business terms as opposed to technology terms.

Patricia Hatter:             Right. And I know we’ve … The CIO community has been talking about that for a number of years. I personally, in the tough-love segment of our podcast here, I don’t think we’ve made as much progress on that as we should have, as a CIO community.

Tim Crawford:               And that sounds like a call to action right there.

Patricia Hatter:             Completely! Completely. What does it take to do that? Like I said, I think it takes an understanding of the reality of CIOs really have to be proactive in reaching out, and developing the skills, the understanding of the broader side of the business, and not just staying in the four walls of IT and waiting for a set of pre-baked priorities to come in from the rest of the business. You’ll be waiting a very long time for that.

Patricia Hatter:             So how do you get out of that conundrum? It’s more on the shoulders of IT and specifically the CIO to say “Okay, what skillsets, what can we learn, what can we upscale our IT professionals in that are going to make them even better at this?”

Tim Crawford:               Yeah. I wanna take our conversation even beyond the C-suite a bit. I know you and I both have been privy to a number of conversations of late, that have really caused this uptick in the number of conversations about CIOs serving on boards. You have that unique perspective, which many folks that are serving as a CIO don’t have, or don’t have yet, which is that you have served on a couple of publicly traded companies’ boards. Including Qualys, so a technology company, and Barrick Gold, which is a gold mining company, which is very unique. Can you talk about the value that someone with your background, with that CIO background, brings to the board of directors?

Patricia Hatter:             It’s very interesting, and I think we are still at, our industry and our group of CIO peers, are just at the early stages of this wave. First, let me talk about how necessary I think it is, and then let’s pivot to the challenges.

Patricia Hatter:             So every type of company needs technology, needs technology to drive speed out to the customers, improved operations, better costs, better employee experience, better customer experience. More and more even non-tech, non-technology companies are really repeating that mantra. “We’re only going to get better if we figure out how to use technology.”

Patricia Hatter:             So that’s a good thing. Then that leaves the question of how do they do that? How does that work? My experience, because I’ve talked to … I’ve been on two public company boards, I’ve spoken with a bunch of … many many board members in many many industries. There are a couple of things that are very frequently true.

Patricia Hatter:             One of the things that’s very frequently true in all the public company boards that I’ve had an opportunity to deal with, there is very little technology experience on those boards. So most board members are made up of CEOs and CFOs. Those CEOs and CFOs are most frequently not from tech companies. So they’re really not in the technology space. What they’re hearing just in all the information out in industry is there’s so much new technology, you’re going to … you’re company’s going to be left behind if you don’t figure out how to use it, and that’s really important.

Patricia Hatter:             What I typically see across industries is CEOs and boards really struggling with how do they even talk to or relate to their CIO, and where is the value given all the spend that the IT organization is spending? Because that is pretty much a common truth. It varies by industry somewhat, but IT tends to be one of the biggest functional spends that a company has after sales and product and support. Third or fourth on the list is IT.

Patricia Hatter:             Since a lot of CIOs don’t spend, in my view, enough time really getting immersed in the language of that company, that industry, the challenges that that company and industry have, it leaves the CIO talking even more at a weird language level than the rest of the C-suite. I see so many times just a huge chasm, and it’s not that either side is wrong, but one side’s speaking French and the other side is speaking Japanese. Just good people, right intents, inability to communicate. That can cause some really bad things.

Patricia Hatter:             One of the bad things that it causes is really up and down cycle ticks in the spending of IT organizations. So I’ve personally gone through this multiple times in multiple companies. Tim, I know you’ve seen this. But when there’s not that consistency of long-term vision between the CIO, the COO, the CFO, and where the money’s going and the value, you tend to get the CEO being worried about “Hey, I’m hearing so much about the need for technology. Every other sentence I hear AI, so we’re gonna have to invest.” So they put more spending in IT, but without a clear common view between the CIO and the CEO and the CFO and the rest of the company of how do we really get value out of that? That’s not just about spending more money in IT, that’s … To get value, each of the different parts of the business are going to have to do something differently, enable by new technology, to drive the value.

Patricia Hatter:             I consistently see companies really struggle with that. “Hey, if I put more money in IT, then it should just … the magic should automatically happen.” That’s always great, more money is great. But more money doesn’t always help if that just … Well, it doesn’t … it definitely doesn’t help if that just ratchets up expectations, but there’s no other fundamental business operational changes that are partnered with that new technology. Because then you’re just adding … you’re painting your old car a really pretty color, but it’s still an old car.

Patricia Hatter:             I really see many many many many CEOs and boards struggle with that, because there’s not that … there aren’t that many boards with that technology grounding, that grounding in how do you really drive transformation. I think that’s a huge opportunity for CIOs that aren’t just traditional “Hey, I’ve lived in IT all my life,” kind of CIOs, but ones that have crossed the … well, we’ll use crossed the chasm analogy here. But really have crossed the chasm of being able to speak in multiple languages. Speak in the technology language, so your IT organization feels comfortable in relating to you, but also very well steeped in being able to talk to the rest of the business in their language, about your industry.

Tim Crawford:               This seems like, going back to what you were saying earlier about the gap in conversation between the CIO and the rest of the C-suite, this seems like an even bigger gap, but there’s so much more at risk. At the same time, the board is desperately trying to figure out how do we infuse technology into our strategic initiatives.

Patricia Hatter:             Yes.

Tim Crawford:               Is this a situation where we potentially run into a mismatch of personalities, a mismatch of capabilities? I guess where I’m going with this is, is this really a foregone conclusion that the CIO should serve on the board? Is it for every CIO? Or is there really a criteria or a path that makes more sense to bridge that gap?

Patricia Hatter:             It’s not a foregone conclusion. I would position it a bit of a different way. Instead of saying it’s CIOs, it’s people, whether they come with the title of CIO or have been in C-suite functions in other part of the business. But what I see boards really struggling with, the essence of what they’re trying to do, is how do you be more successful in driving technology enabled change?

Patricia Hatter:             Now, that’s a real opportunity for CIOs that are able to sit on both sides of that ledger, so to speak. On the technology side with IT and on the business side. But what boards really need is somebody who can help be that translator for both. I think, maybe as we wrap up here, I think that’s such an opportunity for CIOs, but CIOs need to be exercising other muscles to get there.

Tim Crawford:               So before we wrap, I wanna ask you about at least one other topic, and I would be remiss not to ask you about this. It’s a topic that comes up amongst boards, amongst the C-suite. It seems like a daily issue that we have to contend with at this stage, and that’s cyber security. What is your perspective in terms of where cyber security should sit in the conversation amongst boards, amongst the C-suite, amongst the CIO? How should we be thinking about it, how should we be engaging in that conversation?

Patricia Hatter:             Well, if … Maybe I’ll use this analogy. If boards don’t understand CIOs very well, they really do not understand, cannot relate to CSOs. It gets back to what common background, what common experiences do people have that they can figure out “Okay, I understand what you’re talking about. This makes sense to me because I have this experience, so I can relate that.”

Patricia Hatter:             If you haven’t had … Say you’re a CEO, you’re on a board and you’re operating role is the CEO of a retail company, and you grew up on the retail side, not on the technology side. You’re just not going to have a lot of experience of what is this cyber security thing, what does it really mean? How does it relate to my overall organization? Can’t IT just fix this? Can’t they just buy one more cyber security product and fix this?

Patricia Hatter:             So getting everybody to have a shared set of experiences that they can relate to what the other is saying is tough. Especially in cyber security. I see that very frequently, because it is … it’s one of the toughest areas for people to deal with, because it’s not just about the technology you use, but it’s the ongoing education for all your employees, of what they’re clicking on, being aware of phishing attacks. What about insider threats? It’s a personnel issue, it’s a training issue, and a pretty complex technology issue.

Patricia Hatter:             What I’ve seen at boards, and from my McAfee days, I spoke to a lot of boards about this. You literally would see people’s eyes roll up in the back of their heads, because they just couldn’t nor did they want to deal with this. They just didn’t have anything to relate it to in their prior experiences. So that’s … Again, that’s an opportunity. Every challenge is an opportunity in here. That’s an opportunity for the CIOs and CSOs to calmly in language that relates to those board members, over time, build that muscle of “Okay, what does this mean? What do these threats mean? How is it the combination of employee training, insider threats, technology, and all the …”

Patricia Hatter:             There’s a new interesting cyber security startup that starts every five minutes. How does that really fit in? Because the board members see that, all these pushes from all these new technology companies, but just don’t know how … don’t have a good framework of how to relate to that.

Patricia Hatter:             So using the committee structures in the board, like the risk committee is a great place for CIOs and CSOs to start working with their board members to help build up that common base of understanding, because that’ll be the thing that A) connects them on “Hey, we’re all looking at this problem in the same way,” and also helps the board make better decisions.

Tim Crawford:               Mm-hmm (affirmative).

Patricia Hatter:             Over time.

Tim Crawford:               There is so much to unpack right there. The one thing I would underscore is it’s complicated. All of this is complicated, and it’s getting more complicated as we go through time. One of the things I often hear form executive teams is that they’re just completely overwhelmed, kind of your … to your point, there’s a new security startup every five minutes. This is a rhetorical question, not a question to be answered. But how do you keep on top of that? And that’s … Cyber security is just one of many aspects that you have to contend with, right?

Patricia Hatter:             And that relates a bit to what I’m doing now, because I’m working with and I’m an advisor to multiple tech startups. A number of those are in the cyber security space, so I feel like I … in a certain way, I’m talking out of both sides of my mouth. There are too many companies, too many pieces. But some of this technology is very cool, and what I think … Again, this is a huge role for CIOs and CSOs, is to parse through all the chatter and help build this high-level mental architecture that you can keep yourself and your IT team on, glued together on a page, so you’re not just chasing a bunch of silver bullets but you really have a sense of what’s going to be most important for your organization.

Patricia Hatter:             But then on the other startup side, there are so many new, interesting technologies out there, and that’s the opportunity for CIOs to figure out where is the value. Be willing to take some risks, understand where the value is that you can drive for your organization both in the near term and in the longer term, but don’t forget about the near term because nobody, no CEO has patience for something that they’ll see benefit for two years out if they’re not seeing any benefit along the way. And really embrace some of the early stage companies that are out there. Don’t spend a hundred percent of your time there, but consciously balance out keeping your finger on the pulse of some of these new organizations that are coming out.

Patricia Hatter:             The more you think about the technology landscape that you’ve built, that IT manages as well as what’s out there managed by other organizations in your company, and you’re more able to plug things in because you’re coming to the table with a clear view of your architecture and what would be easily to do, what would be a little harder to do. That’s the unique value add that IT can bring to the table, but it means you’ve gotta do the hard work on the architecture. You’ve gotta have a longer term view. You’ve got to be driving near term benefits and you have to be able to speak the language of every function and product team in your company. It’s a lot to ask for one person sitting at the … as the CIO, and for them to try to build that DNA into their teams, but that’s really the opportunity going forward.

Patricia Hatter:             I personally think it’s really exciting, and the pace is only going to pick up. So I think there’s a real opportunity for CIOs to add even more value and help show the way in a increasingly complex technology landscape.

Tim Crawford:               Yeah. This is … Many have said it before me, but I still strongly believe this is the best time to be a CIO.

Patricia Hatter:             I completely agree. Completely agree.

Tim Crawford:               Yeah. Patty, thank you so much. This has been an incredible conversation. I always value the time that I get with you, and I always learn something new from our conversations. I very much appreciate the time that you’ve given to the podcast. Thank you.

Patricia Hatter:             My pleasure. My pleasure, thank you.

Tim Crawford:               Well, I’m gonna close it up here, and thank you again. Hopefully you’ll come back and join us and maybe we can unpack a couple of these aspects that we just glanced over in this short period of time.

Patricia Hatter:             Sounds good.

Tim Crawford:               All right, thank you again.

Patricia Hatter:             Thanks.

Tim Crawford:               For more information on the CIO In The Know podcast series, visit us online at, or you can find us on iTunes, Google Play, Stitcher, and Sound Cloud. Don’t forget to subscribe and thank you for listening.

Leave a Reply

%d bloggers like this: