If there was ever a time for enterprise resolutions, 2014 is it. Businesses of all sizes will face major security risks, while the CIO will be taking on a larger, unprecedented role.
Yet, research shows there are confusing priorities when it comes to security and a huge communication gap going on in the C-Suite. So, addressing the challenges and change will require new approaches and a new mindset.
The annual survey from the Society for Information Management (SIM) certainly yields long-ranging insights into the CIO’s year ahead. The results are broken down into what IT is concerned about, what the enterprise is worried about, and the areas in which the company is actually investing.
Most notably, while security is on the minds of many CIOs, it’s actually not on the minds of enterprises — not even making the Top 5 Concerns, and coming in 14th place for investments.
Yet, according to the Information Security Forum (ISF), a global, independent non-profit association, companies are faced with major risks going forward, including BYOD, data privacy in the cloud, cyber threats and the Internet of Things. The ISF 2014 Global Business Security Forecast also indicates that regulation and damage to the brand are of utmost concern.
Considering all these threats, are companies heavily investing in security? “I wouldn’t say that they are not investing; it’s about investing appropriately,” said Steve Durbin, Global Vice President, ISF. “There is a job that needs to be done on the part of security professionals to have the appropriate conversations with the organization that clearly demonstrates the business needs and requirements for investment as part of the overall business strategy.”
“Today, all too often, we’re still viewing security as a cost, or as an insurance policy, as opposed to how we should be seeing it: as a core business component for effective business transactions in cyberspace,” he noted.
6 Major Threats
The major threats, as identified by the ISF, are not exactly standalone issues, and often combine to create even greater problems.
“You can’t avoid every serious incident,” said Durbin, adding that, “While many businesses are good at incident management, few have a mature, structured approach for analyzing what went wrong.” This results in accepting unacceptable risks and incurring unnecessary costs. He advises enterprises to adopt a realistic, broad-based, collaborative approach to cyber security.
BYOD is not just a trend, but an everyday reality. More employees than ever are bringing in personally-owned devices to access emails, share files and connect to the corporate network.
Risks come from unreliable and vulnerable apps, from the constant connectivity and the lack of containerization. In addition, devices can simply be lost or stolen, opening up liability if proprietary information and corporate data is accessed by third parties.
Everyone is in the cloud these days. What about the data? Is it secure? Or is personally identifiable information being accessed by anyone on a whim and without IT’s knowledge? For example, it could be a solution partner with inappropriate access or employees making inadvertent mistakes.
The next war the United States faces is likely to be in cyberspace, as hackers and terrorists find a way into networks in an attempt to take down infrastructure. Any threat to a corporation is actually a threat to the country, even if such hackers are only interested in causing disruption, or bringing down a competitor. Unfortunately, cyber threats are unpredictable and often unforeseen, yet can result in high impact, far-reaching events. (Look at the recent credit card breaches at major retailers; their ramifications are still unfolding.)
Privacy and Regulation
Any organization that fails to protect personally identifiable information is at risk of non-compliance. The fines are steep and the penalties rack up as customers take their business elsewhere, to companies that are not subject to privacy breaches.
Speaking of privacy breaches, big brand names have been in the news lately, with breaches resulting in tens of millions of data theft victims. What company wants to inform its customers of this? Not one. Who wants to wake up to find their identity stolen? No one. It falls upon the enterprise to keep things in order, or see the damage to its reputation and impact on the bottom line.
The Internet of Things
As one machine connects to the next, the security risks become exponential. Imagine being able to devastate a network, an infrastructure — an entire organization — simply by hacking into something as seemingly unthreatening as, say, a vending machine, which may just be connected to everything else.
That means all stakeholders should be on the same page, and as Durbin noted, current conversations are not taking place across the business.
What? What Again?
Results from the SIM survey also reveal the confusion going on in terms of priorities.
“Sixteen percent are saying BYOD is keeping them up at night but many fewer are saying it’s a big investment,” said Leon Kappelman, Primary Investigator, IT Trends Study at SIM. “If 16% are telling me that BYOD is a big worry, a top five concern, do they represent more mobile enterprises? Or are there other differences we should be looking at?” he asked. SIM is currently parsing the data in more depth to better understand the gaps.
IT & Business Meet
In the meantime, what can be said with certainty, according to SIM, is that the number one concern affecting enterprises is aligning IT with business. If a CIO can get this right, he or she is on the way to superstardom, at least within that person’s corporate world.
This will require a shift in thinking all around. For instance, is it better for the enterprise to promote the right technologically apt employee to the job, or the person who best understands the business? It’s not a question that has typically been asked before. (See sidebar for more on the cultural shift.)
Plus, CIOs have traditionally been held in lower regard by CEOs and CFOs, in terms of contributions to the business. Kappelman is personally appalled by the mindset. “If 85% of CEOs think the CIOs do not contribute, my question is, why would you stand for that? Would you continue to hit yourself on the head with a hammer if it hurts the first time?” he asked.
One possible reason for such a disconnect is that enterprises don’t pay CIOs to be key players in the business. “Want to change that?” he said. “Change how performance is measured.” Instead of focusing on just whether projects come in on time or on budget, look at how IT can increase customer/client satisfaction, and add to revenue growth. And don’t forget incentives.
Regardless of the perception from the top dogs and underlings, CIOs are leading the shift. There is a big change in how they are spending, or trying to spend, their time: from being just a tech expert to becoming one who is much more strategic and business savvy — an executive in whatever industry they work in.
In a few cases, the enterprise may still not want IT focusing on anything other than IT. That’s okay for now, Kappelman said, because ultimately, it’s what works for the particular organization.
But many more businesses are making the long play. “It’s not just getting the technology up and running but setting the organization up for the second and third and fourth derivative payoffs,” he said. “It’s not about installing the hardware and software anymore but how to leverage it.”
Thus, CIOs who come out of marketing, for example, can be best of breed, making data work better for the organization, marketing what IT accomplishes and helping business performance and meeting strategic objectives. But again, if an enterprise needs that person to focus on installing software, then no, it’s better to have the most technically able employee in place.
The Year of the CIO
Kappelman appreciates how much more complicated it is to be an IT leader in 2014 and beyond. Maybe other positions are equally hard, he said, but to be a good IT leader, a good CIO, in today’s environment, involves complex and multi-layered thinking.
“We actually forget how new IT is,” he said. The current crop of board members did not grow up with the multiplying security risks from mobile, for example. Just a few generations ago, IT infrastructure involved a typewriter and a telephone.
Flash forward to the last five years, and technology, along with the business, has rapidly changed. Sometimes one is ahead of the other, and that’s where the problem stems from. However, Kappelman does not believe the term “alignment” is an appropriate description, nor does it capture the full complexity of what IT leaders deal with.
“Part of the problem with the term is that IT is NOT separate,” he said. “It’s an historical artifact, and divisive, creating an us versus them thing. Business people say IT doesn’t know anything about the business and IT thinks no one understands the technology. It’s time for a paradigm shift.” Kappelman, along with SIM, plans on pushing the ball on that matter. It’s a question of deciding on the right things to say.
And to top it all off, mobile is really just one piece of the much larger puzzle. Kappelman believes the term itself will soon be outdated. “To be an organization, you better be mobile, or you’ll become something we will remember in history,” he said.
MANAGING MOBILE IN 2014
Lori Castle, Editor in Chief
As the role of the CIO changes, and in order to mitigate greater security risks, mobile policies and management will be top action areas for the enterprise, according to ABI Research. We asked industry experts from this firm to provide their perspective on what’s ahead in mobile. Here are their answers.
Jeff Orr, Senior Practice Director, Mobile Devices, Content & Applications; Dan Shey, Practice Director – M2M, Enterprise and Verticals; and Jason McNichol, Senior Analyst, Enterprise all contributed to this outlook.
From the days when enterprises issued the device to today, when most support BYOD, the models have one thing in common — mobile policy development. In fact, policies have migrated along with the change in mobile device environments from a focus on corporate-liable employees to all employees, and the shift in coverage is significant because it demonstrates the power of the mobile device for assisting any employee in their work activities.
But creating a mobile policy for all employees requires a far more comprehensive review of mobile device platforms, uses, corporate security requirements and management tools than before, so some companies are choosing a hybrid policy known as choose your own device (CYOD). This approach defines the mobile devices employees can use within the workplace or with corporate applications.
Regardless of the type of flexibility offered, mobile policy development will continue to be a top initiative in 2014 and beyond.
Developing and Managing Apps
Despite the promise of HTML5 and “write-once, deploy anywhere” mobile application development platforms, development will remain a challenge. In particular, extra attention is needed when it comes to security for enterprise apps. The evolving OS environment adds to the challenge — struggles with iOS 7, for example, were significant. Even the enterprises that do consolidate platform offerings will need to be diligent in the development, management and maintenance of their enterprise mobile apps.
Speaking of which, mobile application management (MAM) will be a key tool for securing and managing enterprise mobile devices in 2014. Unlike mobile device management (MDM), which can wipe the entire device, MAM provides IT with control of only enterprise apps and content without affecting employees’ personal apps and content.
MAM applies to a range of solutions including enterprise app stores, app security assessments, and the latest technology termed “mobile workspace management” which utilizes containerization and app wrapping. With its ability to serve organizations both new and seasoned in enterprise mobilization, MAM will become a core mobile investment area in 2014.
Despite all the past progress, security should still be a top priority, but will remain a top challenge in enterprise mobilization initiatives next year. It’s not a question of how to secure data at rest or data in motion, but more a matter of how enterprises keep pace with the rapid changes in mobile technologies and the mobile supplier environment. Consumer technologies that continue their march into the enterprise will further complicate the matter.
A complex supplier environment persists in 2014. It’s difficult for most enterprises to identify which solutions are best in class and, as yet, no vendor meets every enterprise mobility need. So businesses will still be faced with using multiple providers for solutions. Adding to the predicament is a competitive environment which forces line of business into purchasing mobility solutions with little IT oversight. (See main story for more on the alignment of business and IT.)
Beyond the technical challenges, there are cultural trends — resulting from the move to mobile — that must be addressed as well. How often does IT engage with HR except when dealing with its own staffing changes? Not much. A change here is now necessary, with many “soft” benefits coming from the discussions.
Enterprise mobility strategy development and refinement is the perfect time for organizations to be thinking of this broader internal influence. Understanding the personnel and training challenges will assist IT in making smarter, more informed decisions about mobility.
In addition, the right mobile workforce policy can help retain and attract top talent, but these policies must be clear, flexible and fair to enable opportunity rather than become another mobile issue.