Security will be the top IT project for CIOs and senior IT leaders in 2016, according to TechTarget's 2015 Annual Salary and Careers Survey of 248 senior IT leaders (CIOs, CTOs, CISOs, executive vice presidents and directors of IT). When asked to choose their three top IT projects for 2016 out of a list of 30, 27% of respondents selected security, followed by application development (24%), cloud computing (19%), and business intelligence/big data (18%).
The survey results show how priorities continue to evolve for IT departments, and, based on interviews with survey respondents conducted for this article, reflect how the IT security conversation continues to mature.
Rather than being viewed by IT leaders as a standalone project, security is becoming integral to just about everything IT does. Dennis Vlasich, CIO for the City of Fontana, Calif., for example, can't talk about cloud computing without talking about security.
"The real issue of cloud computing is procedural and legal more than it is technical. We're finding that the [software as a service] vendors are going to departments and enticing them to sign up for services without [consulting] IT," Vlasich said. "That's causing more silos, for one thing. But it also creates a lot of problems because [city employees] don't consider some of the security and connectivity issues associated with cloud computing."
The emphasis on security is also true for Gregory Turner, COO and head of IT at the health care non-profit organization Millennium Collaborative Care. For Turner, application development and design, which was relatively low on the totem pole of top IT projects for CIOs and senior IT leaders last year, will be a top project in 2016. But when discussing app dev plans for 2016, he highlighted security as a priority.
Selected by survey respondents as the top project for a third year in a row, security is expected to become an even bigger part of the IT project portfolio. According to 2013 and 2014 TechTarget survey results, 21% of senior IT leaders selected security as a top project. This year, the percentage was closer to one-third of those surveyed.
The heightened interest doesn't come as a surprise to experts. "Everyone's concerned with security issues due to the nature of what's been happening recently," said Turner, who works for a non-profit organization in western New York that's striving to better connect Medicaid patients with health care providers. After another turbulent year of high-profile breaches, including Ashley Madison, CVS and the Office of Personnel Management, security threats are top-of-mind for board members and CEOs alike, putting a spotlight on CIOs and senior IT leaders.
For Vlasich, security and cloud computing, which ranked as a top IT project for the second year in a row, are intertwined thanks, in part, to rogue IT. SaaS-based solutions make it easy to sign up for services, but city employees don't always think about nuances like "open APIs, federated identity management, and things like an exit strategy, who owns the data when the contract's over," he said.
Vlasich, who plans to retire next year, doesn't want IT to be a hurdle for departments looking for new functionality; instead, he wants IT to ensure any services the city invests in make sense to the organization as a whole. When his HR department was searching for an online applicant tracking system, Vlasich assigned an analyst to do research and find a solution that worked for HR and met the city's regulatory standards. "Now, it's supported by IT as if it was a premise system," he said. "We're not providing the server, but we're providing the support, training and technical backend stuff."
The rise of app dev
Cloud computing isn't the only area where security figures large in the conversation between business and IT. For Turner, a top project in 2016 will be application development, which saw a meteoric rise in this year's survey results. Last year, app dev ranked seventh, with 14% of respondents reporting it as one of their top IT projects for 2015. This year, 24% of respondents indicated it would be a top project in 2016, ranking it second only to security.
When discussing app dev, Turner said that strong, seamless security ranks high on his list of priorities. Millennium Collaborative Care will operate as a liaison between Medicaid patients in western New York and health care providers to help improve the quality of care. Next year, the non-profit organization plans to roll out a version of its integrated delivery solution, which will be a "combination of health care related technology to ultimately provide the right care from the right provider at the right time," Turner said.
Part of the organization's objective is to ensure the type of care providers give patients is performance-based and not volume-based, which hinges on data and analytics. Applications, in other words, are vital data pipelines for the organization. "When we're working with a workforce that isn't our employees, we have to be cognizant of the fact that we don't have the same sphere of influence over [them]," he said.
App dev and rogue IT
Turner's biggest security concern isn't that someone will hack into the system; instead, he worries about theft or misplacement of a mobile device or a thumb drive that contains sensitive information. And he worries that applications wrapped in too many security layers will prove cumbersome. "A lot of it comes down to good design," he said. He's "looking for the right partners" to meet his standards, he said.
Application development's rise in popularity -- and the security risks a self-service app environment poses -- could suggest a cloud backlash is in the offing and spur a quest for standardization, said Jill Dyche, vice president of best practices at SAS Institute Inc., where she works closely with CIOs and senior IT leaders.
"Five to seven years ago, the business was like, 'We'll do this ourselves, IT,'" Dyche said. "The [business] still wants to own the application, but they don't want to own the relationship with the cloud vendor or procurement or renewal."
In the City of Fontana, Vlasich set up an active federation service and asks that SaaS vendors be compliant with Security Assertion Markup Language (SAML), a standard protocol for federated identity management. When employees are terminated, they're removed from the directory, effectively cutting off any access they had to SaaS-based services.
But there's still work to do. When the City of Fontana's purchasing department struck a deal with Bank of America for a new purchasing card (PCard) system, it didn't consult IT. "They didn't even think it was something IT could or should be involved in until we brought up the fact that this was going to be a problem with identity management," Vlasich said.
He asked the purchasing department to put him in touch with Bank of America so he could ensure the financial institution was SAML compliant. Turned out, it wasn't. "The good news is, they are planning to be SAML compliant next year," he said.
To ensure better visibility into SaaS investments, Vlasich plans to work with the purchasing department, which monitors all purchases, including those made with credit cards. "They can flag the purchase, take a look and ask, 'Is this ascribing to some sort of service,' and then route it to IT so we can intervene," he said. "That's something we are going to put in place because of the way SaaS solutions are being marketed."