Cyber Lessons from the 2017 Harvey Nash / KMPG CIO Survey Report
In May this year, Harvey Nash and KPMG released their 2017 CIO Survey report. The report looks at some of the key issues on CIOs’ radar, including how CIOs are handling changing times, the need for stable IT, the strategic influence of CIOs, issues leading to costly and failed IT projects, job satisfaction, and of course, the issue of cybersecurity.
We’ll cover the highlights of the report, and take a deeper dive on how the issue of cybersecurity which features prominently in the report, and share lessons on how CIOs can improve their organization’s posture.
Top (and Bottom) Priorities for CIOs
The top four priorities listed for CIOs are
- The need to deliver stable IT service to the business (63%, up 21% from 2016)
- Increasing operational efficiencies (62%, up 7% from 2016)
- Improving business processes (59%, up 3% from 2016)
- Saving costs (54%, up 8% from 2016)
In contrast, the bottom three priorities are:
- Reputation management via social media (5%).
- Achieving sustainable/green IT (6%).
- Investing in social media platforms (7%).
CIO Good News
Among the list of positive news for CIOs was their self-reported increase in their strategic influence: when asked if their influence was growing, 71% of CIOs responded yes, up from 67% in 2016. Not surprisingly, 62% of CIOs now sit on the executive board, up from 57% in 2016, a number that was below the 50% mark for the decade ending in 2010. This increased visibility is also confirmed with 68% of CIOs reporting having attended a board meeting in the last quarter, a figure that goes up to 85% when considered over a 12-month window. However this picture is skewed towards the smaller organizations, where it appears that CIOs have an easier time getting access to the board (72%, versus 65% for mid-size, and only 45% for large organizations). Similarly, CIOs at smaller organizations are more likely to report directly to the CEO at 45%, versus 27% for mid-size, and 17% for large organizations.
Where a CIO sits in the organizational chart makes a difference in their perception of job satisfaction: 44% of CIOs on the executive committee reported their roles as very fulfilling, compared to 42% of CIOs reporting to CEOs, and only 38% of CIOs reporting to CFOs. On the salary front, CIOs reporting to the CEO or the board reported larger salary increases (36% for CIOs under CEOs, and 35% for CIOs on executive committee) than those under the CFO (32%).
Managing change comes with the territory for CIOs. When asked about how they had adapted their technology plans to deal with uncertainty, CIOs reported creating a more nimble technology platform (52%), finding a way to work with restricted budgets (49% average, but more pronounced in small organizations at 51%), and investing more in cybersecurity (45% average, but much more pronounced in mid-size and large organizations at 55% and 53% respectively) as their top three.
The Cybersecurity Issue
While cybersecurity figures in 3rd place in the aggregate picture, it is the #2 issue for both mid-size and large organizations, just behind the need for nimble IT. For mid-size organizations, nimble IT ranks in the top spot at 56% while security is just below at 55%, with a similarly close picture for large organizations with 54% for nimble IT and 53% for security. Not surprisingly, cybersecurity was a regular topic in the top five categories of topics discussed when CIOs interacted with boards, along with IT strategy, IT investments, and digital transformation.
The report introduces the cybersecurity issue thusly: “Everyone is talking about cyber security. Organizational leaders are fretting while hackers seem to be able to ghost their way effortlessly into their systems to steal emails and secrets.”
Top concerns for CIOs include organized cybercrime (71%), amateur criminals (52%), insider threats (48%), but also spammers (39%), foreign powers (28%), and competitors (19%). More worrisome, when CIOs were asked about if they were “well prepared” for detecting and responding to cyber-attacks, only 21% responded yes in 2017, compared to 22% in 2016, 23% in 2015, and 29% in 2014.
As can be expected, large organizations are more likely to report having suffered a major attack in the past two years (53%) compared to mid-size (41%) or small organizations (30%). However, the lower numbers for the smaller organizations may also be a reflection of their less mature detection and investigative capabilities.
Many CIOs are left wondering if their organizations are truly secure, or whether a false sense of security has been allowed to take hold, with potentially disastrous consequences. Bob Kalka, Vice President IBM Security Business Unit, wrote a three part series on Questions Every CIO Should Ask the Cybersecurity Leader: part 1, part 2, and part 3.
Much More in the Report
The report also points to an increasing trend where a larger share of the IT budget is controlled or managed outside of IT, 40% in 2017, up from 38% in 2016, and 34% in 2015. This trend puts increased pressure on CIOs’ ability to effectively manage the relationship with the rest of the C-suite and the board to exert influence on how that share of the budget is being spent.
Overall, the 56-page report provides a snapshot of where a CIO sits compared to their peers, as well as highlights important trends to be aware of and key areas they should be focusing on.