A few years ago, the IT department at New York City-based law firm Kelley Drye & Warren LLP warned employees of phishing attacks and educated them about known viruses by email. Today, employees are required to go through security awareness training.
"The first line of defense for us is the employees of the firm. That's oftentimes the infiltration point," Judi Flournoy, CIO at the law firm, said. "We had to take a more active step in educating our user community around what the risks are and what the responsibilities are."
Security will remain a top IT project in 2015 for Flournoy, whose perspective was in line with the other 333 senior IT leaders, including CIOs, CTOs, executive vice presidents and directors of IT, who participated in TechTarget's annual IT Salary and Careers Survey. When asked to choose their top three projects for 2015, 21% chose security, 21% picked cloud computing and 17% selected BI/big data.
The results provide a glimpse into the IT evolution occurring within the enterprise. While security was also ranked as the top project last year, cloud computing saw a major leap from fifth in 2013 to first this year. BI also gained prominence, rising from fifth in 2013 to third in 2014, though it should be noted the combined category of BI/big data was not an option on last year's CIO salary survey. Business process management ranked fourth this year, the same position it held last year, but drew a smaller share of respondents, slipping from 17% in 2013 to 16% in 2014.
On the flip side, mobile technology slid from second in 2013 to fifth this year, with 14% of respondents reporting it as a top priority for 2015. Sasi K. Pillay, CIO and associate vice president at the University of Wisconsin System, does not agree with this finding. Mobile technology touches so many aspects of a technology strategy that it remains a major priority for CIOs, he said.
"You mention security and cloud as top focus areas, but you can't have success in those areas without mobile [technology]," he said. "It’s all connected -- cloud, security, mobile, data. Information is accessed on mobile devices from the cloud and you need application and data security."
Disaster recovery/business continuity also dipped from third in 2013 to fifth in 2014, with 15% of respondents reporting it as a top project for next year. Like last year, outsourcing and privacy landed on the bottom of the top projects list -- at 3% and 1%, respectively -- joined by help desk (3%) and social media (1%).
One of Flournoy's major goals for 2015 is to obtain ISO 27001 certification, a standard for information security management systems that will involve an analysis of the firm's systems, policies and procedures.
The certification is part of an ongoing security initiative sparked by Kelley Drye's relationship with financial institutions, which view law firms as vendors and are required by the federal government to audit those vendors. "We're being regulated by virtue of the fact that we have clients that are being regulated," she said.
This "downstream regulation," as Flournoy referred to it, has been a major influence on her security-heavy IT strategy for the last few years. She has invested in and implemented new technology such as the network authentication standard 802.1x, which enables IT to identify and control every piece of equipment attached to the firm's network. And she's increased her security staff from three to four full-time employees, introducing a director of information security and risk to the department.
"After what happened with Heartbleed and now Shellshock, I don't know where we'd be if we didn't have those people," said Flournoy, who oversees a team of 40. "And I don't know how other companies are dealing with those vulnerabilities if they don't have staff to handle them. It's a significant effort to go through and talk to and obtain from every single vendor the relevant patches and apply those patches."
But investment dollars don't grow on trees, leading Flournoy to make some tough tradeoffs -- a reality that's happening across her industry, she said. Investments in Kelley Drye digital assets -- from the website to marketing materials to electronic signatures -- were put off until 2016. Flournoy recognizes the importance of these customer-facing digital products, but also believes having an ISO 27001 certification in hand "will be a badge, if you will, that we can show our existing and potential clients that we have taken this step toward a heightened information security practice."
Project lines blur
Other CIO salary survey respondents made it clear that distinguishing a big data project from a security project from a cloud computing project is becoming increasingly difficult. Anthony Peters, director of IT at the San Francisco-based financial services firm Burr Pilger Mayer Inc., called cloud computing "an ongoing thing for us." This year Peters, who leads a team of 14, is embarking on a significant data integration project that will combine data from billing with the firm's CRM and HR systems.
"We don't have the expertise in house to support the data integration, so we thought it would make more sense to use a cloud-based solution," Peters said. He referred to the project as a BI/big data project -- indicating it was his team's top priority for 2015 -- but the importance of cloud computing technology and services should not be overlooked.
According to Gartner Research Inc., the lines between technologies will continue to blur as businesses become more digital. The "nexus of forces" -- a combination of social, mobile, information and cloud -- "gives rise to digital business and new business designs that blend the virtual and the physical worlds," Peter Sondergaard, head of research, said during Gartner's Symposium/ITxpo opening keynote.
An IT director at a large educational publishing company -- who participated in the survey and asked to remain anonymous -- is seeing that collision firsthand. He said big data and security projects for 2015 -- so intertwined, he called them "equally priority ones" -- will be part of the company's digitization transformation. The effort will also involve an overhaul to IT service management, which didn't fare well in this year's survey results, with only 8% reporting it as a top project.
"The organization is moving from a centralized business model to more of a global model," he said, and that means subsuming shadow IT personnel -- any group or individual performing an "unofficial" IT role within the business lines. Part of the impetus for the restructuring is to streamline the company's technology portfolio to, for example, remove redundancies such as the company's "47 instances and contracts with Salesforce.com," he said.
Mobile technology falls down the list
One of the most surprising survey results was mobile technology's fall from the top projects list. Last year, it ranked second (20%), while this year, it tied for fifth (14%). For Kelley Drye's Flournoy, the result makes sense.
"In the last couple of years, we've dealt with mobile technology," she said. "We've adapted to iPhones and iPads; we manage them with mobile device management, so we manage them securely, and we've allowed them into the enterprise."
Mobility hasn't gone away; instead, the conversation has shifted, Flournoy said. It's now about building applications or ensuring employees are able to access the resources they need when they're not in the office. "Those are things we're still working on," she said.
For a smaller firm like Burr Pilger Mayer, mobile technology isn't a priority for a very simple reason. While the firm has a BYOD policy in place and employees can access email on their mobile devices, "it hasn't been high on the priority list because we don't have the resources," Peters said.
Even if Peters did have the resources, a mobile technology project would eventually lead the firm back to security. "We'd like to give our users access to some of our applications and data on their mobile devices," he said. "We've not had the chance to look into it and the security concerns, data encryption -- all of that."