Organizations obviously are aware of the need to address security and privacy needs, but many seem to be only moderately ready on this front. That is one of the takeaways from the Society for Information Management’s (SIM) recently released IT Issues and Trends Study for 2019. The results show what organizations and IT managers are concerned about, where they focus their attention, and some of the disparity in their interests.
The report gathered responses from 1,033 IT executives who hail from 618 organizations. On the surface, the results show unilateral concern for keeping data and infrastructure secure. A deeper look at the charts and tables shows, among other trends, some lethargy, according to Leon Kappelman, lead author of the report. He is a professor of information systems at University of North Texas.
In a way, the report shows that organizations might be aware of a need but do not always act immediately. Historical results from the annual study show an evolution in focus among organizations. Cybersecurity moved from No. 9 in 2009 among organizations’ top ten most important IT management issues to No. 1 as of 2017 onward. Yet, the increased concern about security does not lead automatically to sweeping changes.
“We’re kind of lethargic,” Kappelman says. “We have real issues given the number of breaches.” Target and Equifax reported significant data breaches in 2013 and 2017 respectively, yet he says there has not been widespread redress in response. The largest segment of responders to the study, Kappelman says, indicated at best a moderate readiness on cybersecurity, with a smaller portion indicating they were “very ready” or “extremely ready.”
The study shows the percent of organizations paying attention to cybersecurity has more than doubled to about 36%, Kappelman says, but he still sees that as too low given the collective track record on big breaches. “Only about one-third of organizations selected that option,” he says. “Does that mean it is actually not a point of concern for management?”
There seem to be gaps in leadership in cybersecurity where it may be most needed. Of the responding organizations that generate $1 billion to $5 billion in revenue, about 29.7% indicated they do not have chief information security officers. Kappelman says this shows complacency even after high profile data breaches. “I think we’re a bit -- or a lot -- too lax on cybersecurity,” he says.
In addition to sorting out security matters, splits can exist between what organizations want to prioritize compared with their IT executives. For example, in the study’s ranking of personal and organizational IT management issues, data analytics and digital transformation ranked No. 3 and No. 4 respectively with organizations. Those same subjects ranked No. 7 and No. 11 with IT leaders. There were also different perspectives on IT talent and skill shortages and retention. This topic ranked No. 17 with organizations while it ranked No. 3 among IT leaders.
Such disparity in priorities, particularly on IT talent, speaks to the complexities of the CIO’s job, Kappelman says. “The organization assumes you’re going to have the right talent,” he says. “They’re not making it their problem.” The assumption organizations make, he says, is that CIOs will handle whatever needs to be done to keep the lights on, including cybersecurity, in order to keep their jobs. The converse may also occur, Kappelman says, where the concerns of the organizations are not top of mind for IT managers.
Deeper conversations about IT are happening at the executive level, Kappelman says, as organizations look for more ways to leverage these resources for digital transformation. “IT is becoming more strategic,” he says. “For the first time ever, we’re seeing half of CIOs reporting to CEOs.” Who fills the role of CIO is changing as fewer executives step into the position with prior IT-specific experience. According to the report, 91.6% of CIOs in 2015 had prior IT experience. This fell to 68.9% in 2019. “That is a big, fastmoving trend of CIOs coming from non-IT backgrounds,” Kappelman says.
Where organizations find their CIOs has also changed, opening the door further for different disciplines to be involved in technology management decisions. The study responses show that 79.3% of CIOs came from outside of their organizations rather elevated from within. Part of this trend may be generational, Kappelman says, as the current crop of CIOs has an organic affinity for tech having grown up with IT at home and in school. “They maybe equally qualified to be an IT leader because they are not only tech savvy, they are also very business savvy,” he says.