Ohio CIO Stu Davis talks to private-sector CIOs during the NASCIO conference last month in Philadelphia. Photo by e.Republic/David Kidd
A familiar hot topic is back in the #1 priority slot for state CIOs. After bouncing around in the top ten rankings for the past few years, cybersecurity is back at the top of the “must do” list.
But why? After providing some background I'll explain five reasons.
According to a National Association of State CIOs (NASCIO) press release issued last week:
IT security strategies and tools are at the forefront of discussion around the states, with ‘Security’ topping the list of Priority Strategies, Management Processes and Solutions and ‘Security Enhancement Tools,’ such as continuous diagnostic monitoring, coming in second among Priority Technologies, Applications, and Tools.
With the breadth and depth of cross-sector cybersecurity issues now facing local, state and federal governments, the sense of urgency is now growing stronger. For example, NASCIO President and Mississippi Chief Information Officer Craig Orgeron recently said,
"It is significant that security has now risen to the number one priority on our top 10 list. As I presented in congressional testimony before the Committee on Homeland Security last week, cyber-attacks against state governments are growing in number and becoming increasingly sophisticated. Security has to be the top priority for all sectors. Clearly from our top 10 voting results, the state CIOs agree on this.”
The complete top 10 final priority ranking for state government CIOs can be found at this NASCIO website.
In the state CIO surveys, the security category is more specifically defined as: “Risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security practices as outsourcing increases, determining what constitutes ‘due care’ or ‘reasonable.’”
The other management process and solution priorities in the top five are:
2) Consolidation / Optimization
3) Cloud Services
4) Project and Portfolio Management
5) Strategic IT Planning
The top five priority technologies, applications and tools selected for 2014 are:
1) Cloud computing: software as a service
2) Security enhancement tools: continuous diagnostic monitoring (CDM), digital forensics
3) Mobile Workforce: technologies and solutions
4) Enterprise Resource Planning (ERP)
5) Virtualization: servers, desktop, storage, applications, data center
Why highlight this poll now?
As mentioned in previous NASCIO press announcements, security has always been a top ten priority for state CIOs. Security was the #3 priority last year, the #6 priority two years ago and the #7 priority three years ago.
Notice a trend?
Remember that the majority of state CIOs started in their current roles over the past three years, after the 2010 elections brought in a host of new Governors. This means that cybersecurity has been a rising issue for them since day one.
Another interesting aspect of this survey result is that security is a part of almost every other priority listed as well. For example, CIOs could have just assumed that security is a major component of cloud computing or mobile strategies or datacenter consolidation or application development.
But no – security is still highlighted separately. And now security is back at #1.
A few years back, many experts even predicted that security would be incorporated into everything in IT and become less of an overall (or at least unique) challenge. The drop in security's importance in the NASCIO survey results at the time seemed to affirm that perspective.
Why is that? In my view, the reasons get back to where IT leaders are spending their time, and losing their sleep. That leads us to the question: What issues are CIOs most worried about as we head into 2014?
Five trends that keep CIOs up at night
Here are my top five reasons why security is now back at #1 in the NASCIO survey:
1) The number of security incidents occurring now. Breaches are happening, and talented leaders often take the fall when they happen. From South Carolina to wherever…, there have been both high-profile and lower-profile security incidents in 2012-2013. More cyber headlines are inevitable. No CIO wants to be a 2014 headline or in a breach news story.
2) The bad guys are getting much better – and it is hard to keep quality good guys (white hat hackers). As CIOs and CISOs dig into potential solutions, the gap in talent and resources becomes more painfully apparent. Meanwhile, the current model for bringing in and keeping the best all-around security staff needs to be reexamined in many states.
3) The scope and complexity of securing major new computer systems. Managing contractors and integrators, as well as multiple technology teams, is a constant headache. The recent security and performance challenges of deploying the Healthcare.gov website are another current reminder.
4) The ubiquitous use of technology in every area of life. From pacemakers to cars that drive themselves – the list of issues and areas impacted by cybersecurity is growing. The never-ending number of enhancements to mobile devices, cloud computing and other technology means that security is a moving target with hard-to-define end points. Can we ever declare victory?
5) The people problem in security. From providing effective new cyber training to rolling out BYOD programs to stopping staff from clicking on bad links, it is hard to influence an employee who now depends on their mobile device to get their work done. Social engineering has become an even hotter topic in global enterprises. Add in the incoming millennial generation and retiring experts, and the complexities associated with culture change are harder than ever to address.
In short, cybersecurity is back as the top priority.
Are you really surprised?