“Value stream-based funding models as opposed to project-based funding are becoming more and more effective at tying board-level objectives to budgetary influences. The cost structures and process efficiencies of legacy vs. a nimble digital capability are much different — nimble is less expensive and much more efficient.”
Along with skepticism from higher-ups, nearly half of IT and line-of-business respondents said that budgets were a barrier to firming up IoT security, according to a November 2017 report from Forrester.
CompTIA’s Thibodeaux says the risks go beyond security threats.
“It comes down to the question of whether the business wants to grow and thrive or get left behind by their competitors,” Thibodeaux says. “As businesses become more digital, technology moves out of the background shadows to centre stage where it becomes the primary driver to meet long-term objectives.
“Skilled, trained and certified IT professionals are essential to make investments in technology pay off. They have the expertise to connect an IT architecture to the overall corporate objectives and can provide the guidance decision-makers need to evaluate the tradeoffs involved when selecting devices, applications, or operational models.”
Finding new revenue streams
Ian Murray, vice president of telecom expense management software firm Tangoe, says that while the business landscape is ever evolving, the basic premise of making a profit is the same.
“The process of finding and exploiting revenue opportunities hasn’t fundamentally changed — find a problem that we can solve that is common, prevalent and that people will pay to solve,” Murray says.
What has changed is the emphasis on direct revenue generation landing in the CIO’s lap, says Mike Fuhrman, chief product officer of hybrid IT infrastructure provider Peak 10 + ViaWest.
“Maybe I’m old school, but I don’t think the CIO should be worried about directly generating revenue,” Fuhrman says. “I’m starting to see this pop up more and more among my peers. To stay relevant as a CIO, many are working to try and productize themselves.
“While there are benefits to thinking that way, I think it can also be a recipe for defocusing the team and the boardroom. When it comes to revenue-generating opportunities, the place the CIO belongs is focusing on those projects and digitising the business into an automated platform at scale.
“We need to stay focused on driving costs out of the business and scaling from a go-to-market perspective. That’s how a CIO should focus on revenue.”
Upgrading legacy systems
Staffing firm Robert Half this summer created a report that found nearly a quarter of CIOs were most concerned with upgrading legacy systems to improve efficiency.
“This is a big concern particularly among several industries where a large number of outdated or end-of-life systems are still being used to hold mission-critical data or applications,” says United Data Technologies’ Sanchez.
“These systems are no longer supported by their respective manufacturers and therefore can no longer be patched with the latest version of upgrades, leaving these systems vulnerable to exploits. These platforms can be interconnected to other networks, which allows vulnerabilities to extend outward and include those interconnected systems in attacks.”
Lack of agility
Organisations that aim to incorporate agile methods sometimes end up limping along in a sort of hybrid model that incorporates agile practices but also more linear “waterfall” methods. In short, the worst of both worlds.
Tangoe’s Murray lays it out: “Developers are coding to specific spec sheets with little conceptual understanding of how this button or feature fits within the overall user experience. A disciplined approach is needed to pull this off, where the solutions to specific problems are addressed within a certain release.
“Each release is then coordinated for a set of sprints so that a comprehensive solution that adds to the UX is achieved with every release and not just a collection of requested features that may or may not support one another.”
Murray points to recent Apple iOS updates, which fixed some bugs and introduced others. “This problem affects companies large and small,” Murray says, leading to updates that may address security flaws and include new features, but also create well-publicised headaches for users.
The skills gap will lead many organisations to seek outside help. But these sometimes-necessary solutions can lead to concerns with reliability and security.
“Our main focus is to deliver on the promises we make to each customer,” says Sanchez. “You build your reputation and business on this one critical thing. In outsourcing your work, the quality of the deliverable is sometimes at the mercy of the firm you outsourced to.
“Given the sensitive nature of the projects we manage, we utilise strict third-party vendor assessments to evaluate partners in the event a project requires us to consider outsourcing some or all of the required tasks.”
In addition to quality concerns, outsourcing opens up security threats that are well known. “The specific threats for CIOs that should be top of mind are the insider and the contractor,” says French Caldwell, chief evangelist with MetricStream and a former White House cybersecurity advisor. “Until we move away from passwords for credentials, humans will continue to be the biggest threat.”
Pitfalls in moving to the cloud
As more data and services are offloaded to the cloud, a potential risk is viewing the cloud as a single, public entity, says Bask Iyer, CIO of VMware and Dell.
“IT needs to also look at a private cloud and/or multi-cloud solutions as they evaluate what’s best for the business,” Iyer says. “This ensures choice and avoids single-vendor lock-in. IT also needs to ascertain which apps should go to which cloud. With the rise of IoT, more horsepower is needed at the edge so IT needs to expand their options for the cloud.”
And CIOs can’t transfer the responsibility of securing their data and apps to the hosting company, says Sanchez.
“Organisations must define security controls to safeguard their data in the cloud in much the same manner as they would when it’s on their site. Many organisations don’t apply these standards and automatically assume the hosting company is providing all of the safeguards they require.”
Multiple security vulnerabilities
According to Larry Lunetta, vice president of Hewlett-Packard's Aruba unit, security nightmares will continue this year, and the top worry is hiding in plain sight.
“Future headline-making exploits will co-opt legitimate credentials as the starting point for an attack that can take days, weeks or even months to begin and finally do damage,” Lunetta says.
“These attacks on the inside can begin with a user clicking on the wrong email attachment, a disgruntled employee going rogue, or as the result of weak passwords or sharing of credentials among colleagues.”
New behavioural-based detection techniques will be needed in 2018 to address the threats, says Lunetta.
“Increasingly, organisations are using artificial intelligence-based, machine learning User and Entity Behaviour Analytics systems to spot small changes in behaviour for users and network-connected devices that are often indicative of a gestating attack.”