CIOs (or Chief Information Officers) are often faced with the same balancing act when it comes to security - maintaining sufficiently tight control to protect assets and sensitive data, which could prove costly in the event of a leak or breach, AND ensuring these controls are not so stringent that employees are discouraged from embracing IT and technological innovation, or attempt to bypass them completely. It’s a fine line to walk. New devices and technologies are making it easier for businesses and individual employees to work more productively and profitably, yet the same levels of sophistication are also being used by criminals for fraudulent activity.
The below insight comes directly from 100 of the most senior IT leaders in five different areas (US, UK, France, Germany and the Nordics) surveyed directly, and focuses on how they handle security.
Who’s in Charge?
With the vast majority of the workforce now likely to be IT literate, everyone from junior executives to the CEO will have their own views on what activities are and are not secure. The CIO still remains more likely to oversee security than any other person within the business. 48% said they were principally responsible for IT security in their company, with the CEO being the next most influential, overseeing security in 20% of cases. It will come as little surprise to learn that large companies are most likely to have security controlled by the CIO, whereas in smaller enterprises the CEO is more likely to take a hands-on role.
While CIOs no doubt want to encourage their end users to experiment and engage with technology, they must also be aware that relinquishing control could bring serious consequences. Without a top-level view of the entire IT portfolio, end users lack the perspective to make decisions on what is and isn’t safe, not only for themselves but for the entire organization.
To BYOD or not to BYOD
One element of IT strategy, which is making the CIO’s role ever more complex is the proliferation of consumer devices being used in the workplace. The term BYOD (‘Bring Your Own Device’) implies that end users are encouraged by their employers to use their own consumer technology in the workplace. However, instances of formalized BYOD policies are still relatively rare. Just 17% of CIOs polled were operating a fully-fledged BYOD policy, while 60% said their device policy was enterprise-mandated.
64% of CIOS admit that tablet computers are presenting a new security challenge, with 59% of respondents already working with tablet computers within their company. The fact that tablets and smartphones are now commonplace concerns should be the wake-up call that CIOs need to fully embrace BYOD. Consumer devices are making their way into the workplace whether CIOs like it or not, and securing them is one of the biggest challenges they will have to face over the next decade.
Security Vs. Convenience
Many still consider security and convenience to be mutually exclusive, but this is not always the case. 85% of CIO respondents said they would not accept any increased security risk as part of an initiative to enable greater mobility or increase virtualization. Overall, over two thirds of respondents from across the globe believed that strong security and authentication was a greater priority than convenience and usability.
While it is reassuring to see that CIOs are not prepared to compromise on security, the fact that two thirds believe this is a greater priority than usability shows that there are still some hurdles to be crossed before the two are considered equally essential parts of the security process. Neither can exist without the other, and until CIOs understand this then they may struggle to encourage their end users to make the best use of the technology available to them.
The X Factor
Corporate budgets are also a factor for CIOs. 38% of surveyed CIOs said recent, high profile data breaches experienced by other organizations had prompted an increase in their own security budget. However, despite increased budgets in a large portion of the companies surveyed, the ways in which security was being implemented still left a lot to be desired. Almost half of the CIOs questioned (47%) believed that a simple login and password was a secure enough form of authentication to protect their network and applications.
This attitude towards security may go some way towards explaining the inordinate number of high-profile security breaches that have occurred over the past year or two. Security experts have known for some time that multi-factor authentication is the most effective means of controlling access to sensitive data and systems, but can be a tough practice to implement. Cost was cited as the main barrier to implementing stronger authentication, with 56% of CIOs giving this as the reason why they had not put a more robust system in place. While on-going economic uncertainty will no doubt be a factor in this lack of investment, almost four in every ten CIOs was able to increase their investment in security this year.
Consumer technology and widespread IT literacy have changed the role of the CIO., in that they can no longer hope to exert complete control over their end users.
Whether they are officially permitted to or not, 21st century users of technology will use their own mobile devices to conduct their work, will download whatever software they feel they need to make them more productive, and, in doing these things, will assume that they are acting securely. This is a challenge which IT leaders must recognize and adapt to for success. The challenge facing the modern CIO is affording end users this freedom while ensuring they continue to act securely. Preventing the use of new technology will not achieve this goal, so CIOs must find new ways of ensuring their users’ security without limiting their activity. Many are beginning to do this, but most still have a long way to go.