Today's Enterprise - Cyberthreats Lurk Amid Major Transformation. Assessing the Results of Protiviti's 2015 IT Priorities Survey


INTRODUCTION

"The very technologies that empower us to do great good can also be used to undermine us and inflict great harm. ... cyber threats are a challenge to our national security. ... [the] problem of how we secure this digital world is only going to increase."
U.S. President Barack Obama [1]

Amid major technology transformation and change, danger seemingly lurks everywhere for today's enterprises. Crafty, cunning and dangerous cyber predators worldwide are threatening to blow the lid off organizational cybersecurity defenses. Defending against these predators is consuming large amounts of IT hours and resources at a time when a majority of organizations are undergoing a major IT transformation (see the IT Transformation section). Outwitting the wolves at your organization's cyber door and managing changes in the enterprise with confidence requires IT departments to deploy an impressive and innovative array of information security approaches, processes, tools, skills/personnel, and collaborations, all of which we find at the top of IT's packed priority list, according to the results of Protiviti's 2015 IT Priorities Survey.

Not surprisingly, the priority placed on security and privacy capabilities has intensified in our survey this year, often dramatically. To illustrate, in last year's study the highest-ranked area in this category ("Developing and maintaining security and privacy standards") had a priority index of 6.4 (on a 10-point scale). This year, a full dozen of the security and privacy capabilities we assessed are ranked 6.7 or higher. As we detail in our report, the results for CIOs and IT executives are even more pronounced.

These trends are, in fact, evident throughout this year's results, which show that IT leaders and professionals are contending with a vast number of increasing and competing priorities, including but not limited to cybersecurity. This also mirrors key findings from our recent Executive Perspectives on Top Risks for 2015 study [2], in which board members and C-suite executives identified cybersecurity as one of the top risks their organizations must address in 2015.

Our key findings in this year's IT Priorities Survey include:

1. Security concerns are paramount. No surprise here: addressing and strengthening cybersecurity represents a critical priority among all respondents, CIOs and companies of all sizes.

2. Major IT changes and upgrades continue. Well over half of all organizations are undergoing a major IT transformation that will last a year or longer, intensifying demands on IT departments to manage these changes successfully while addressing other critical business needs (e.g., cybersecurity).

3. The search for balance is underway. As important as cybersecurity and privacy issues have become, they represent just one of many rising priorities, such as virtualization and enterprise architecture, on the IT department's bursting agenda. IT executives and professionals have a vast number of pressing duties on their plates this year, with priorities increasing across the board in volume and significance. To address and manage these challenges successfully, they must develop and strengthen the expertise and business savvy necessary to strike the right balance between activities that enhance business value and those that protect organizational value.

4. IT seeks to manage all assets better: data, hardware, software and more. IT departments are adapting and improving how they manage a broader and more diverse collection of company-owned and third-party assets (including data) as their companies seek to harness more and more business value from them.

5. Collaboration is key. Organizations undergoing and managing major changes are focused on leveraging technology to enable greater collaboration across the enterprise. This not only facilitates more opportunities for real-time partnering, but also reduces time-to-value significantly.

[1] Comments made at the White House Summit on Cybersecurity and Consumer Protection, February 13, 2015.
[2] Executive Perspectives on Top Risks for 2015: Key Issues Being Discussed in the Boardroom and C-Suite, North Carolina State University's ERM Initiative and Protiviti.

Top 10 IT Priorities for 2015 (including ties)*
(Rank; IT area; 2015 priority; 2014 priority; percentage rating the area a significant priority, 6-10)

1. Virtualization (2015: 7.3)
2. Virus/malware advanced threat detection/eradication (2015: 7.1; 2014: NA; significant priority: 83%)
3 (tie). Data breach and privacy laws (various U.S. states)
Enterprise architecture (2015: 7.0; 2014: NA; significant priority: 81%)
Incident response success (containment, recovery)
Monitoring security events
Data architecture
Data governance
7 (tie). Incident response policy and preparedness
Incident response reaction time
IT project management
Patch management (2015: 6.9; 2014: NA; significant priority: 83%)
Vulnerability scanning (2015: 6.9; 2014: NA; significant priority: 82%)

* Based on a 10-point scale. See the Methodology section for details.

2015 IT Priorities Survey, protiviti.com/itpriorities

METHODOLOGY

More than 1,000 respondents (n = 1,073), including CIOs, IT vice presidents and IT directors, participated in our study, which was conducted within the prior 90 days. We are grateful for the time invested in our study by these individuals.

Participants answered more than 100 questions in 10 categories:

Managing Security and Privacy
Technical Knowledge
Defining IT Governance and Strategy
Managing IT Assets
Management and Use of Data Assets
Ensuring Continuity
Managing Application Development
Deploying and Maintaining Solutions
Managing IT Infrastructure
Organizational Capabilities

For each of these categories, respondents were asked to rate, on a scale of 1 to 10, the level of priority for them and their organizations to improve in different issues and capabilities. A 10 rating indicates the issue is a high priority, while a 1 indicates the issue is a low priority. We have classified each issue and capability with an index of 6.0 or higher as a "Significant Priority" for IT functions. Those with an index of 4.5 through 5.9 are classified as a "Moderate Priority," and those with an index of 4.4 or lower are classified as a "Low Priority." (Of note, none of the more than 100 IT issues and capabilities addressed in our 2015 survey is rated to be "Low Priority.")

Our survey also includes a special section, IT Transformation, in which we assess how IT organizations are managing changes and addressing budget and resource challenges.


IT TRANSFORMATION

Key Findings

For the second consecutive year, a majority of organizations report they are undergoing a major IT transformation, though there was a slight year-over-year decrease in the results.

Most organizations expect the IT transformation to last a year or longer, and the magnitude of disruption caused by these changes is viewed to be very significant (of note, multiple studies continue to show that many IT projects experience costly delays, exceed established budgets and/or fail to fulfill the original business requirements).

IT transformations are intended to achieve multiple objectives, the most common of which are cost/simplification, new functionality, service assurance and regulatory/compliance.

Key Facts

Percentage of organizations undergoing a major IT transformation: 60%
Level of disruption (scale of 1 to 10) organizations are experiencing as a result of a major IT transformation
Percentage of organizations in which the duration of the IT transformation is expected to be a year or longer

What are the objectives of your organization's IT transformation?*

Cost/simplification: 64%
New functionality (mobile, new products, etc.): 55%
Service assurance: 47%
Regulatory/compliance: 46%
Adoption of emerging technology: 43%
Time to market/agility: 34%

* Multiple responses permitted

MANAGING SECURITY AND PRIVACY

Key Findings

The top security and privacy priorities, including virus/malware advanced threat detection/eradication, monitoring security events, and incident response success (containment, recovery), rank among the highest priorities in the entire survey.

IT functions plan to invest significant time, staff, technology and budget on numerous specific security and privacy priorities in 2015.

Overall Results, Managing Security and Privacy
(2015 priority; 2014 priority; year-over-year trend)

Virus/malware advanced threat detection/eradication (2015: 7.1; 2014: NA)
Incident response success (containment, recovery)
Monitoring security events
Incident response policy and preparedness
Incident response reaction time
Patch management (2015: 6.9; 2014: NA)
Vulnerability scanning (2015: 6.9; 2014: NA)
Developing and maintaining security and privacy standards
Managing user identities and access
End-user security awareness and training (2015: 6.7; 2014: NA)
Implementing security/privacy solutions and strategies
Managing technical infrastructure configuration
Penetration testing (internal/external) (2015: 6.7; 2014: NA)
Managing application users
Managing IT users
Managing third-party vendors
U.S. Health Insurance Portability and Accountability Act (HIPAA)
Managing and classifying enterprise data
Managing contractors
Clarity about third-party compliance readiness (partners, vendors)
U.S. Gramm-Leach-Bliley Act (GLBA)
California Security Breach Information Act (CS SB 1386)

Commentary

Documented occurrences of corporate and governmental data breaches grow larger, more prevalent, more damaging and more complex in nature. Boards and C-suite executives are more focused than ever on security issues. [3] And enterprises are adopting a more comprehensive view of their information security. Thus, IT is doubling down on its efforts to strengthen information security and privacy.

Note that each of the 22 areas included in this section of the survey is ranked at the "Significant Priority" level. Virus/malware advanced threat detection/eradication, which we added to the survey this year, received the second-highest index ranking among all of the 100-plus priorities evaluated in this year's study, and monitoring security events and incident response success (containment, recovery) are among the top six priorities in our survey. We view the responses as indicative of organizations focusing on leveraging technology and automation to improve their ability to identify risks in real time and to respond accordingly.

Additionally, of those areas included in last year's survey, every one of them ranks higher this year compared to last year's results. In other words, information security and privacy, a longstanding IT priority, is becoming even more important. That said, this challenge is no longer viewed strictly as an IT issue at leading companies, but rather as a critical business issue. Executive management teams and boards of directors are working closely with IT executives to more effectively manage and monitor what qualifies as a strategic risk. [4]

Key Questions to Consider

Has an information security model such as the NIST Cybersecurity Framework, ISO 27001/27002 or Critical Security Controls for Effective Cyber Defense been adopted? Has the organization done a gap assessment against one of these models?
Has the company performed an information security risk assessment to understand its technical exposures?
Does the organization have the tools and processes to effectively prevent, detect and contain targeted malware after a user clicks on a link in a phishing email?
Does the organization have the right tools and staffing levels to address the security needs of the organization effectively?
Does the organization's IT strategy include an incident response plan that is evaluated regularly to ensure it addresses new and emerging types of security and privacy risks and breaches?
Is an effective incident response team in place and equipped to reduce the occurrence, proliferation and impact of security breaches?
Who in the IT organization is responsible for keeping executive management and the board updated regarding the company's information security and privacy risks?
Do key stakeholders (IT, C-suite executives, board members) support the development of an information security strategy appropriate to the organization's scale, culture, regulatory obligations and business objectives?

[3] Ibid.
[4] Protiviti's Board Perspectives: Risk Oversight, Issue 44, "Managing Cybersecurity Risk," Pages/Board-Perspectives-Risk-Oversight-Issue-44.aspx

Does the current incident response plan include procedures that identify specific actions to be taken in response to specific types of security incidents? How often are these procedures exercised (think "fire drill"), and who is responsible for doing so (and taking corrective actions, if necessary)?
What steps are in place to test and improve incident response speed as well as the quality of the overall incident response capability?
Have thresholds been identified that indicate when and how executive management and, in some cases, the board, should participate in incident response efforts when appropriate?
Is there agreement on what metrics are communicated to the board and executive management to keep them sufficiently aware of the organization's information security status?
Is the organization clear on the value/importance of its information assets, especially those that could be considered its "crown jewels"?
Does the company have a formal data classification program to help manage both the effectiveness and efficiency of the overall data security and privacy capability? How is this program communicated and taught throughout the entire organization?
Is security-event monitoring support being performed in-house, through a managed security services provider (MSSP) or both? How is the effectiveness of this monitoring evaluated?
Are third-party vendors and trading partners addressed in the organization's security/privacy strategy? How is vendor compliance with security and privacy policies and standards monitored (including incident response preparedness)?
How are internal ("insider") security threats monitored, managed and communicated?
What additional technologies are planned for managing security risk?

Key Facts

To whom or where does the CIO and IT organization report?*

CFO
CEO
Board of Directors
COO
Other

* Percentages shown

Focus on CIOs/IT Executives and Large Companies

Managing Security and Privacy: Results for CIOs/IT Executives and Large Company Respondents
(CIOs/IT executives; large company respondents)

Virus/malware advanced threat detection/eradication
Incident response success (containment, recovery)
Monitoring security events
Incident response policy and preparedness
Incident response reaction time
Patch management (NA; NA)
Vulnerability scanning (NA; NA)
Developing and maintaining security and privacy standards
Managing user identities and access
End-user security awareness and training
Implementing security/privacy solutions and strategies
Managing technical infrastructure configuration
Penetration testing (internal/external) (NA; NA)
Managing application users
Managing IT users
Managing third-party vendors
U.S. Health Insurance Portability and Accountability Act (HIPAA)
Managing and classifying enterprise data
Managing contractors
Clarity about third-party compliance readiness (partners, vendors)
U.S. Gramm-Leach-Bliley Act (GLBA)
California Security Breach Information Act (CS SB 1386)

Significant Priority: index of 6.0 or higher. Moderate Priority: index of 4.5 to 5.9.

TECHNICAL KNOWLEDGE

Key Findings

Virtualization, data breach and privacy laws, and enterprise architecture (a new addition to this year's study) not only are the top priorities in this category, but also represent three of the highest-ranked priorities in the entire survey.

Cybersecurity guidance, including NIST, is prevalent in the Technical Knowledge priority list.

Data governance and data architecture (another new area in the survey) also rank as significant priorities.

As is the case throughout this year's survey, many technical capabilities rank higher as priorities this year compared to last year's results.

Overall Results, Technical Knowledge
(2015 priority; 2014 priority; year-over-year trend)

Virtualization
Data breach and privacy laws (various U.S. states)
Enterprise architecture (2015: 7.0; 2014: NA)
Data architecture
Data governance
IT project management
Cloud computing
Cloud storage of data
IT program management
NIST (cybersecurity)
Big data
Business process automation (2015: 6.5; 2014: NA)
ERP systems
ITIL (2015: 6.4; 2014: NA)
Agile methodologies (2015: 6.3; 2014: NA)
Data discovery/e-discovery (2015: 6.3; 2014: NA)
Mobile development (2015: 6.3; 2014: NA)
PCI DSS
Smart device integration
Mobile commerce security
Open Web Application Security Project (OWASP) (2015: 6.2; 2014: NA)

Technical Knowledge (continued)
(2015 priority; 2014 priority; year-over-year trend)

PMP
BYOD policies/programs
CISSP/CISM
ISO/IEC and
Mobile commerce integration
Mobile commerce policy
Social media policy
Social media security
COBIT
Social media integration
ISO
CISA
European Union Data Directive
HITRUST CSF
CGEIT

Commentary

Given the prevalence of IT transformation and the resulting challenges for organizations, it is not surprising to find numerous multidimensional knowledge areas ranking as key priorities in this category, as IT functions strive to both enhance and protect business value. These twin objectives are evident at the top of the Technical Knowledge priority rankings, where equal weight is given to addressing data breach and privacy laws (protecting value) and improving enterprise architecture (enhancing value).

Interestingly, the highest-ranked priority in the entire survey, virtualization (7.3), is not tied directly to security. Rather, virtualization serves the dual purpose of enhancing and protecting value by helping IT functions boost efficiency and productivity, reduce power usage and operating costs, and strengthen security and disaster recovery capabilities.

While virtualization ranks highly as a priority this year, it certainly is not the only priority in this category. In fact, compared to our 2014 results, there are higher priority index scores throughout the category. Last year, two areas (virtualization and IT project management) each had a priority index of 6.5, while other Technical Knowledge areas scored 6.3 or lower. This year, 10 areas scored 6.7 or higher, with three scoring 7.0 or higher.

Relating back to the earlier discussion regarding security and privacy challenges, cybersecurity issues, including data breach and privacy laws (various U.S. states) and the NIST Cybersecurity Framework, also rank among the most important of all issues that IT functions are confronting in this category.

Key Questions to Consider

How can the IT department strengthen its current approach to virtualization (server, network, desktop) through new collaborations, investments and skills?
Is the IT department's knowledge and expertise concerning virtualization, enterprise architecture and cloud computing sufficient? If not, how can this knowledge be enhanced or supplemented?
Is the IT department maintaining current knowledge of changing data breach, information security and information privacy laws, rules, directives, standards and guidance?
Has IT evaluated the organization's cybersecurity program against the NIST Cybersecurity Framework?
Is data security sufficiently addressed in current data governance, data architecture, IT project management and IT program management activities?
Does IT maintain formal mobile commerce and social media policies that lay out the security requirements for those who engage in mobile commerce and/or social media activities?
Does IT maintain a bring your own device (BYOD) policy that serves as the foundation for a current, secure and business-value-enabling BYOD program?
What applications are running in a cloud environment? What data is processed there and how is it protected and monitored?
Are staff members strengthening their knowledge and expertise through formal training (e.g., professional certifications) and informal approaches (e.g., stretch assignments, rotational work, etc.)?

Focus on CIOs/IT Executives and Large Companies

Technical Knowledge: Results for CIOs/IT Executives and Large Company Respondents
(CIOs/IT executives; large company respondents)

Virtualization
Data breach and privacy laws (various U.S. states)
Enterprise architecture (NA; NA)
Data architecture
Data governance
IT project management
Cloud computing
Cloud storage of data
IT program management
NIST (cybersecurity)
Big data
Business process automation (NA; NA)
ERP systems
ITIL (NA; NA)

Technical Knowledge (continued)
(CIOs/IT executives; large company respondents)

Agile methodologies (NA; NA)
Data discovery/e-discovery (NA; NA)
Mobile development (NA; NA)
PCI DSS
Smart device integration
Mobile commerce security
Open Web Application Security Project (OWASP)
PMP
BYOD policies/programs
CISSP/CISM
ISO/IEC and
Mobile commerce integration
Mobile commerce policy
Social media policy
Social media security
COBIT
Social media integration
ISO
CISA
European Union Data Directive
HITRUST CSF
CGEIT

Significant Priority: index of 6.0 or higher. Moderate Priority: index of 4.5 to 5.9.

DEFINING IT GOVERNANCE AND STRATEGY

Key Findings

Top priorities include monitoring IT costs and benefits, monitoring and achieving legal/regulatory compliance, and integration/alignment of IT planning and business strategy.

IT functions are focused on achieving highly effective IT governance and strategy, which is designed to manage and run the IT function in a way that enhances and protects organizational value.

While all of the areas again have "Significant Priority" rankings (similar to the 2014 results), the priority index numbers for 13 of the 16 areas measured last year increased on a year-over-year basis.

Overall Results, Defining IT Governance and Strategy
(2015 priority; 2014 priority; year-over-year trend)

Monitoring IT costs and benefits
Integration/alignment of IT planning and business strategy
Monitoring and achieving legal/regulatory compliance
IT risk analysis and reporting
Managing project quality
Developing and maintaining operations management policies and standards
Key performance indicators (KPIs)
Developing and maintaining end-user support policies and standards
Maintaining IT controls design and operating effectiveness
Reporting IT activities and performance
Defining IT roles and responsibilities
Defining metrics and measurements for monitoring IT performance
Managing and monitoring policy exceptions
Negotiating, managing and monitoring customer service-level agreements
Negotiating, managing and monitoring information quality
Portfolio management
Long-term and short-term planning
Defining organizational placement of the IT function

Commentary

Why is strong IT governance and strategy so critical? Consider that almost all companies today, regardless of industry, location or size, are technology organizations. They cannot function without technology, and the innovative use of technology almost always represents a critical differentiator and success factor for the company.

More broadly, technology is transforming most industries and driving a wave of innovation and creativity. The pace of change is increasing, and technology is breaking down barriers between industries and transforming business models. In addition, "shadow IT" and the need to harness it while fostering innovation and creativity represents another critical consideration. As many organizations are learning, there is both risk and reward in this space.

These are among the many reasons underscoring the critical importance of IT governance and strategy. From monitoring IT costs and benefits to aligning IT planning and business strategy, we see that numerous IT governance areas rank among the many demanding priorities CIOs and IT professionals are addressing today. As further context, note that last year the highest index ranking in this category was 6.5 (integration/alignment of IT planning and business strategy, key performance indicators (KPIs), and monitoring IT costs and benefits). This year, there are five items with ratings of 6.6 or higher.

What other factors are driving changes in the enterprise and the increasing need for strong IT governance processes? Cloud/XaaS is presenting new opportunities and operating models that businesses are exploring; at the same time, they must manage key changes and risks that these operating models are introducing. Cybersecurity (as we noted earlier in our report) represents a major area of focus in terms of IT governance and strategy. Despite the increasing need for strong IT governance to help manage the changing enterprise and address increasing risks, IT budgets remain under pressure, requiring the IT organization to do more with the same level of resources.

Ultimately, CIOs and IT leaders recognize that failure to define and execute on IT strategy to support the organization's objectives will, for many, lead to failure of the business strategy.

Key Questions to Consider

Do we have the right leadership and skills to engage effectively with other leaders in the business so that we can help manage changes underway throughout the enterprise?
How is IT leadership communicating the importance of IT's mission to enhance and protect value throughout the department's ranks and, more importantly, across the enterprise?
What types of collaboration between IT executives and other business leaders can help IT more effectively execute its enhance-and-protect mission?
Is the technology organization able to influence business strategy? And is technology and its use a key driver when defining business strategy?
Are we able to articulate business risk issues in the context of technology?
Do we have a clear view of the cyber risks that we face? And when it comes to cybersecurity, do we know what our risk appetite is?
What processes ensure that IT risk analysis and reporting insights and outputs are fed into strategic planning (within the IT department and at an overall business level)?
How can IT risks be most effectively represented in an enterprise's operational risks?
What is our exposure to third-party risk? Which third parties present the highest risk to the enterprise?
Are we spending enough on technology innovation as opposed to security, operations, etc.?
What disruptive technologies/innovations exist (e.g., "shadow IT") that could destabilize our business strategy? What opportunities are presented by these disruptive technologies?

Is the drive to measure, manage and monitor IT costs and benefits and IT performance consistent throughout every level of the IT department? How can this objective be executed more consistently? How can this be used to change behaviors?
Are there ways that IT and finance can partner to strengthen IT's focus on monitoring costs and benefits?
How do we communicate cost/value to the business? And how can IT costs be represented in a manner that is meaningful and actionable for business partners?

Focus on CIOs/IT Executives and Large Companies

Defining IT Governance and Strategy: Results for CIOs/IT Executives and Large Company Respondents
(CIOs/IT executives; large company respondents)

Monitoring IT costs and benefits
Integration/alignment of IT planning and business strategy
Monitoring and achieving legal/regulatory compliance
IT risk analysis and reporting
Managing project quality
Developing and maintaining operations management policies and standards
Key performance indicators (KPIs)
Developing and maintaining end-user support policies and standards
Maintaining IT controls design and operating effectiveness
Reporting IT activities and performance
Defining IT roles and responsibilities
Defining metrics and measurements for monitoring IT performance
Managing and monitoring policy exceptions
Negotiating, managing and monitoring customer service-level agreements
Negotiating, managing and monitoring information quality
Portfolio management
Long-term and short-term planning
Defining organizational placement of the IT function

Significant Priority: index of 6.0 or higher. Moderate Priority: index of 4.5 to 5.9.

MANAGING IT ASSETS

Key Findings

Managing software licensing and compliance, deploying software, and managing hardware maintenance agreements represent the top priorities.

The findings in this category reflect a desire to manage IT asset risks while optimizing the value of current assets.

Several priorities point to a need to improve vendor risk management.

Overall Results, Managing IT Assets
(2015 priority; 2014 priority; year-over-year trend)

Managing software licensing and compliance
Software deployment
Managing hardware maintenance agreements
Hardware deployment
Managing audit process (SAS 70, SSAE 16, others)
Monitoring and reviewing contracts/billings
Monitoring IT assets
Negotiating and establishing agreements
Accounting for IT asset management
Managing contract analysis and renewal
Managing IT asset retirement: employee/contractor termination
Monitoring external service-level agreements
Determining outsourcing strategy and approach
Managing IT asset retirement
IT asset refresh

Commentary

Based on this year's findings, IT professionals have a clear plan for improving their function's IT asset management capability:

1. Manage risks
2. Maximize value
3. Adapt

Both maximizing value and adapting are necessary thanks to the ongoing adoption of new devices (e.g., smartphones and tablets). Additionally, a coming wave of Internet of Things technology and connectivity promises to create even more (and, in many cases, highly unique) IT assets for organizations, along with new questions about how they use data and whether this violates their ethical standards or harms their reputation. These changes already are introducing new devices (and even more data) and are requiring modifications to current IT asset management approaches and processes.

It also is clear that, like other IT areas and capabilities addressed in our study, IT asset management is growing in importance and priority. Whereas three areas in this category had "Significant Priority" rankings in our 2014 survey, 12 are ranked 6.0 or higher in this year's findings.

Key Questions to Consider

Are current asset management policies, processes, technologies and structures (skills, roles, etc.) keeping pace with the organization's changing portfolio of IT assets?
Is the IT function monitoring organizational interest in new and emerging IT assets to ensure they can be managed effectively under current policies?
Does the current policy governing IT asset retirement following the termination of an employee or contractor sufficiently mitigate information security and privacy risks?
How are software licensing agreements monitored, and are current change-management mechanisms regarding these licenses working effectively and efficiently?
Are all third-party agreements governed and managed in accordance with applicable auditing standards, such as SSAE 16?
Who is responsible for network planning and engineering, as well as ensuring any network build-out is rightsized?
Who is responsible for creating, maintaining and monitoring controls and other risk management considerations related to the deployment, maintenance and retirement of software and hardware assets?

Focus on CIOs/IT Executives and Large Companies

Managing IT Assets: Results for CIOs/IT Executives and Large Company Respondents (table covering the same 14 items as the overall results above, with columns for CIOs/IT Executives and Large Company Respondents; the values are not recoverable). Legend: Significant Priority of 6.0 or higher; Moderate Priority of 4.5 to 5.9.

MANAGEMENT AND USE OF DATA ASSETS

Key Findings

- Business intelligence and reporting tools, data analytics platforms and support, short- and long-term enterprise information management strategy, and data and information governance programs represent the top priorities.

Overall Results, Management and Use of Data Assets (columns: 2015 Priority, 2014 Priority, YOY Trend; items listed in ranked order, index values not recoverable)

- Business intelligence and reporting tools
- Data analytics platforms and support
- Data and information governance program
- Short- and long-term enterprise information management strategy
- Data lifecycle management
- Master data management
- Big data initiatives
- End-user adoption of data tools

Commentary

As more companies implement cloud computing technology, the protection and use of data, and organizational data assets in particular, become more important and valuable to businesses. The priorities identified herein point to a heightened need for IT functions to protect and optimize data assets. Two priorities identified in this year's survey, short- and long-term enterprise information management strategies and data and information governance programs, suggest that IT organizations are intent on integrating the management and use of data assets into their strategies and oversight capabilities. The emphasis on master data management and data lifecycle management shows that IT organizations also are keen to protect the rapidly increasing value of organizational data.

Not surprisingly, business intelligence and reporting tools, as well as data analytics platforms and support, are at the very top of the IT function's data asset management priority list. These activities, the reach of which now extends to every function in the enterprise, are intended to derive value from the organization's data assets.

Key Questions to Consider

- Is a formal data and information governance program in place? If so, who is responsible for overseeing the program as data analytics tools are leveraged increasingly throughout the company?
- Beyond IT, what other functional leaders should be involved in shaping and monitoring data and information governance?
- How can IT and internal audit collaborate more effectively to ensure the data and information governance program is an effective risk management mechanism?
- How is the data and information governance program marketed to internal stakeholders? How is it applied with regard to vendors, including offshore resources?
- What are the most important data risks related to third-party relationships, and how are these risks managed?
- What current mechanisms ensure the data and information governance program remains relevant and sufficient in light of the organization's rapidly changing use of data and data analysis tools? What additional mechanisms should be considered?
- How is the IT function's short- and long-term enterprise information planning integrated into IT planning and the overall business strategy?
- How can data assets be managed in a more secure manner as well as in a way that generates more business value?
- How is master data management quality/security governed and monitored?

Focus on CIOs/IT Executives and Large Companies

Management and Use of Data Assets: Results for CIOs/IT Executives and Large Company Respondents (table covering the same eight items as the overall results above, with columns for CIOs/IT Executives and Large Company Respondents; the values are not recoverable). Legend: Significant Priority of 6.0 or higher; Moderate Priority of 4.5 to 5.9.

ENSURING CONTINUITY

Key Findings

- Top priorities include business continuity management and disaster recovery program testing, and ensuring business alignment.
- Every BCM area has increased year-over-year in priority at a time when concerns related to cybersecurity and cyberattacks continue to rise.

Overall Results, Ensuring Continuity (columns: 2015 Priority, 2014 Priority, YOY Trend; items listed in ranked order, index values not recoverable)

- Business continuity management and disaster recovery program testing
- Ensuring business alignment
- Designing and maintaining business continuity strategies
- Developing and maintaining IT disaster recovery plans
- Developing and maintaining risk assessment/business impact analysis
- Ensuring executive management support and sponsorship
- Developing and maintaining business resumption plans
- Developing and maintaining crisis management plans

Commentary

In recent years, IT functions that focused on strengthening their companies' business continuity management (BCM) and disaster recovery (DR) capabilities typically worked to adapt their programs to address more integrated global supply chains, more frequent weather-related disasters, and an increasingly mobile and remote workforce. More recently, IT functions have witnessed firsthand the speed, scale and impact of an equally challenging business continuity threat: cyberattacks. Well-known cybersecurity intrusions over the past year have resulted in the loss of intellectual property and business intelligence. These events provide painful reminders of the risks companies confront as they become more and more data-driven.[5]

Given the central enabling role that technology systems, applications and data provide for most companies, IT functions must ensure that a BCM/DR capability remains robust and ready at both a strategic and tactical level. Testing also has become more complicated as organizations deal with an increasing number of third-party vendors. Considering the priorities indicated in our findings (e.g., ensuring business alignment), they seem well aware of these needs and their importance. Although the business realm's growing reliance on data and information systems exposes companies to new challenges, technology breakthroughs and developments (e.g., cloud computing) also provide valuable new BCM defenses and capabilities.

[5] Executive Perspectives on Top Risks for 2015: Key Issues Being Discussed in the Boardroom and C-Suite, North Carolina State University's ERM Initiative and Protiviti.

Key Questions to Consider

- Which IT leaders are responsible for 1) developing and maintaining IT disaster recovery plans, and 2) playing a key role in the company's overall BCM/DR program?
- Are business interruptions and crises that would stem from potential data breaches reflected in the current BCM program? Do current BCM/DR plans contain specific incident response approaches and escalation protocols?
- From an IT perspective, are current levels of BCM rigor, funding and attention sufficient? What, if any, new investments in technology, process improvement or skills would benefit your organization's BCM efforts?
- What monitoring mechanisms are in place to ensure the BCM program keeps pace with changes to IT infrastructure, applications, external relationships and data?
- How are IT-related BCM and disaster recovery capabilities, activities and updates shared with executive management and the board of directors, and how is their feedback incorporated into the BCM planning process?
- How frequently are BCM plans tested? Are concrete improvement plans enacted in response to the learnings from these exercises?

Focus on CIOs/IT Executives and Large Companies

Ensuring Continuity: Results for CIOs/IT Executives and Large Company Respondents (table covering the same eight items as the overall results above, with columns for CIOs/IT Executives and Large Company Respondents; the values are not recoverable). Legend: Significant Priority of 6.0 or higher; Moderate Priority of 4.5 to 5.9.

MANAGING APPLICATION DEVELOPMENT

Key Findings

- Similar to prior years' results, risk management represents the top application development priority.
- Other key areas of focus include project monitoring and control, collaboration platforms (such as SharePoint) and ERP application security.

Overall Results, Managing Application Development (columns: 2015 Priority, 2014 Priority, YOY Trend; items listed in ranked order; only the values that survived extraction are shown, and NA marks an item not assessed in 2014)

- Risk management
- Project monitoring and control
- Collaboration platforms (for example, SharePoint)
- ERP application security
- Configuration management
- ERP system bolt-on applications (BI, CRM, etc.)
- Mobile application development
- Requirements management
- ERP system implementation
- Organizational performance management
- Organizational process performance
- Organizational training
- Secure development/code review: 2015 priority 6.0, 2014 NA, YOY trend NA
- Software selection
- Decision analysis and resolution
- Rapid application development framework
- Scrum development methodology
- Service-oriented architecture (SOA): 2015 priority 5.9, 2014 NA, YOY trend NA
- ERP system selection
- Object-oriented programming
- Open application programming interface (API): 2015 priority 5.8, 2014 NA, YOY trend NA
- Causal analysis and resolution
- Spreadsheet risk
- Spiral iterative framework

Commentary

Managing application development requires large amounts of work as well as numerous and complex considerations. There are risks to be managed, project management expertise to be applied, controls to enact, intense collaborations to be conducted, methodologies to be mastered, requirements and configurations to be managed, and much more. In many ways, application development is both an essential and representative IT activity; the findings in this category signify trends evident throughout our report, from managing risk to effective project management and collaboration.

The results also show that, similar to most other categories, there are a greater number of application development priorities this year compared to 2014. Last year's respondents scored six areas to be of Significant Priority (those with a priority index score of 6.0 or higher); this year's respondents ranked more than twice that number as Significant Priority areas.

Key Questions to Consider

- Does the IT function possess the resources necessary to manage application development in a secure manner?
- What are the top current application development risks, and how are these risks addressed?
- What are notable emerging application development risks, and to what extent do (or would) current risk management practices address these emerging issues?
- To what extent are vendor-related application development risks monitored and managed?
- Is the current level of ERP security sufficient? Are current and planned ERP system changes, most notably the integration of bolt-on applications (BI, HRIS, CRM, marketing automation, etc.), performed in a way that mitigates ERP security risks?
- Are collaboration platforms being utilized sufficiently to strengthen applications development?
- Does the IT function possess the resources and expertise necessary to apply the right level of project monitoring and control to application development activities?

Focus on CIOs/IT Executives and Large Companies

Managing Application Development: Results for CIOs/IT Executives and Large Company Respondents (table covering the same 24 items as the overall results above, with columns for CIOs/IT Executives and Large Company Respondents; the values are not recoverable, and the three items first assessed in 2015 show NA in the comparison columns). Legend: Significant Priority of 6.0 or higher; Moderate Priority of 4.5 to 5.9.

DEPLOYING AND MAINTAINING SOLUTIONS

Key Findings

- Managing changes in applications developed in-house represents a top priority, along with integrating applications.
- Other priorities include developing applications and managing changes in third-party applications.

Overall Results, Deploying and Maintaining Solutions (columns: 2015 Priority, 2014 Priority, YOY Trend; items listed in ranked order; only the values that survived extraction are shown, and NA marks an item not assessed in 2014)

- Managing changes: applications developed in-house
- Integrating applications
- Developing applications
- Managing changes: third-party applications
- Managing and testing security in SDLC: 2015 priority 6.1, 2014 NA, YOY trend NA
- Acquiring applications

Commentary

IT organizations continue to wrestle with coordination across the business as they deploy solutions and updates. This is particularly the case for homegrown applications.

Key Questions to Consider

- Who is responsible for overseeing and managing changes to in-house applications? And who is responsible for overseeing and managing changes to third-party applications?
- How is the change process monitored and audited, and how can this process be improved?
- How can security be managed and tested more effectively throughout the system development lifecycle?

Focus on CIOs/IT Executives and Large Companies

Deploying and Maintaining Solutions: Results for CIOs/IT Executives and Large Company Respondents (table covering the same six items as the overall results above, with columns for CIOs/IT Executives and Large Company Respondents; the values are not recoverable, and the item first assessed in 2015 shows NA in the comparison columns). Legend: Significant Priority of 6.0 or higher; Moderate Priority of 4.5 to 5.9.

Key Facts

- Percentage of organizations that utilize offshore resources to support/augment the IT function (value not recoverable)
- Percentage of organizations that have a chief information security officer (or equivalent position) (value not recoverable)

MANAGING IT INFRASTRUCTURE

Key Findings

- There are notable year-over-year increases in priority index scores for IT infrastructure, with IT infrastructure change management leading the way.
- IT organizations also are focusing on the management and administration of backup and recovery systems, network performance planning, and change management in operating systems and databases.

Overall Results, Managing IT Infrastructure (columns: 2015 Priority, 2014 Priority, YOY Trend; items listed in ranked order; only the values that survived extraction are shown, and NA marks an item not assessed in 2014)

- IT infrastructure change management
- Managing and administering backup and recovery
- Network performance planning
- Operating system change management
- Database change management
- Managing and maintaining real-time operations: 2015 priority 6.4, 2014 NA, YOY trend NA
- Managing capacity: 2015 priority 6.4, 2014 NA, YOY trend NA
- Storage management and planning
- Platform performance planning
- Managing and maintaining hybrid operations (on-site, ASP, cloud, etc.): 2015 priority 6.2, 2014 NA, YOY trend NA
- Managing application service providers: 2015 priority 6.2, 2014 NA, YOY trend NA
- Managing data center environmental controls
- Managing and maintaining batch processing

Commentary

The emphasis that IT functions place on most elements of managing IT infrastructure is clearly increasing. The highest priority index ranking that survey respondents identified in this area last year was 6.3; this year, respondents ranked eight different areas of managing IT infrastructure at 6.4 or higher. Quite simply, as is the case throughout this year's survey findings, respondents have longer to-do lists packed with more pressing priorities.

The overarching digital transformation has upped the need for IT functions to store, manage and protect their data-driven company's lifeblood. As newer and better data management and data protection tools and approaches emerge, IT functions must conduct a much greater amount of change management work to IT infrastructure, operating systems, databases (all top priorities) and more.

Planning, protecting and managing change represent core activities IT functions are employing to improve their management of IT infrastructure. These activities also extend to vendors, such as application service providers. The IT function's data, particularly in the cloud, becomes more


More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions. 2015 Internal Audit Capabilities and Needs Survey

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions. 2015 Internal Audit Capabilities and Needs Survey From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions 2015 Internal Audit Capabilities and Needs Survey SECURITY IS, I WOULD SAY, OUR TOP PRIORITY BECAUSE FOR ALL

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's: Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services

More information

Redefining Infrastructure Management for Today s Application Economy

Redefining Infrastructure Management for Today s Application Economy WHITE PAPER APRIL 2015 Redefining Infrastructure Management for Today s Application Economy Boost Operational Agility by Gaining a Holistic View of the Data Center, Cloud, Systems, Networks and Capacity

More information

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014

www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 Agenda Key Definitions Risks Business Continuity Management Program BCM Capability Assessment Process BCM Value Proposition

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014 Aalborg Universitet Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication

More information

state of south dakota Bureau of Information & Telecommunications Provide a Reliable, Secure & Modern Infrastructure services well-designed innovative

state of south dakota Bureau of Information & Telecommunications Provide a Reliable, Secure & Modern Infrastructure services well-designed innovative Strategic Plan 2015-2017 state of south dakota Bureau of Information & Telecommunications 1GOAL ONE: Provide a Reliable, Secure & Modern Infrastructure services security technology assets well-designed

More information

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University.

Cisco Unified Communications and Collaboration technology is changing the way we go about the business of the University. Data Sheet Cisco Optimization s Optimize Your Solution using Cisco Expertise and Leading Practices Optimizing Your Business Architecture Today, enabling business innovation and agility is about being able

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS

More information

Maximizing Configuration Management IT Security Benefits with Puppet

Maximizing Configuration Management IT Security Benefits with Puppet White Paper Maximizing Configuration Management IT Security Benefits with Puppet OVERVIEW No matter what industry your organization is in or whether your role is concerned with managing employee desktops

More information

agility made possible

agility made possible SOLUTION BRIEF CA IT Asset Manager how can I manage my asset lifecycle, maximize the value of my IT investments, and get a portfolio view of all my assets? agility made possible helps reduce costs, automate

More information

Reliable, Repeatable, Measurable, Affordable

Reliable, Repeatable, Measurable, Affordable Reliable, Repeatable, Measurable, Affordable Defense-in-Depth Across Your Cyber Security Life-Cycle Faced with today s intensifying threat environment, where do you turn for cyber security answers you

More information

Cybersecurity in the States 2012: Priorities, Issues and Trends

Cybersecurity in the States 2012: Priorities, Issues and Trends Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State

More information

Firewall Administration and Management

Firewall Administration and Management Firewall Administration and Management Preventing unauthorised access and costly breaches G-Cloud 5 Service Definition CONTENTS Overview of Service... 2 Protects Systems and data... 2 Optimise firewall

More information

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

Cyber Security: Confronting the Threat

Cyber Security: Confronting the Threat 09 Cyber Security: Confronting the Threat Cyber Security: Confronting the Threat 09 In Short Cyber Threat Awareness and Preparedness Active Testing Likelihood of Attack Privacy Breaches 9% 67% Only 9%

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles RMS aims to provide the most secure, the most private, and

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013 Debbie Lew Agenda Review what is IT governance Review what is IT risk management A discussion of key IT risks to be aware of Page 2

More information

Cisco Cloud Enablement Services for Education

Cisco Cloud Enablement Services for Education Services Overview Cisco Cloud Enablement Services for Education Bringing the Cloud to the Campus In today s higher education environment, IT organizations must keep pace with a long list of competing demands:

More information

How To Transform It Risk Management

How To Transform It Risk Management The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

Information Technology Strategic Plan 2014-2017

Information Technology Strategic Plan 2014-2017 Information Technology Strategic Plan 2014-2017 Leveraging information technology to create a competitive advantage for UW-Green Bay Approved December 2013 (Effective January 2014 December 2017) Contents

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Innovation through Outsourcing

Innovation through Outsourcing Innovation through Outsourcing Timothy Gehrig timothy.gehrig@cedarcrestone.com David Moore david.moore@cedarcrestone.com Agenda Expectations CedarCrestone Introduction Market Direction Outsourcing Solutions

More information

The Battle Continues Working to Bridge the Data Security Chasm. Assessing the Results of Protiviti s 2015 IT Security and Privacy Survey

The Battle Continues Working to Bridge the Data Security Chasm. Assessing the Results of Protiviti s 2015 IT Security and Privacy Survey The Battle Continues Working to Bridge the Data Security Chasm Assessing the Results of Protiviti s 2015 IT Security and Privacy Survey EXECUTIVE SUMMARY Cyber concerns and discussions abound in companies

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

Building and Maintaining a Business Continuity Program

Building and Maintaining a Business Continuity Program Building and Maintaining a Business Continuity Program Successful strategies for financial institutions for effective preparation and recovery Table of Contents Introduction...3 This white paper was written

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013 Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services organization providing innovative management and technology-based

More information

Hans Henrik Berthing, CPA, CISA, CGEIT, CRISC, CIA

Hans Henrik Berthing, CPA, CISA, CGEIT, CRISC, CIA Hans Henrik Berthing, CPA, CISA, CGEIT, CRISC, CIA HANS HENRIK BERTHING Married with Louise and dad for Dagmar and Johannes CPA, CRISC, CGEIT, CISA and CIA ISO 9000 Lead Auditor Partner and owner for Verifica

More information

I n f o r m a t i o n S e c u r i t y

I n f o r m a t i o n S e c u r i t y We help organizations protect INFORMATION The BorderHawk Team has significant experience assessing, analyzing, and designing information protection programs especially in Critical Infrastructure environments.

More information

Security Services. 30 years of experience in IT business

Security Services. 30 years of experience in IT business Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3

More information

Securing the Cloud Infrastructure

Securing the Cloud Infrastructure EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy

More information

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services

ISSUE BRIEF. Cloud Security for Federal Agencies. Achieving greater efficiency and better security through federally certified cloud services ISSUE BRIEF Cloud Security for Federal Agencies Achieving greater efficiency and better security through federally certified cloud services This paper is intended to help federal agency executives to better

More information

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group 54 Banking PersPective Quarter 2, 2014 Responsibility for the oversight of information security and

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Key Areas for Improvement Include Compliance, Information Security, Social Media and Quality Assurance INTRODUCTION Historic

More information

END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE

END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE END TO END DATA CENTRE SOLUTIONS COMPANY PROFILE About M 2 TD M2 TD is a wholly black Owned IT Consulting Business. M 2 TD is a provider of data center consulting and managed services. In a rapidly changing

More information

Risk Considerations for Internal Audit

Risk Considerations for Internal Audit Risk Considerations for Internal Audit Cecile Galvez, Deloitte & Touche LLP Enterprise Risk Services Director Traci Mizoguchi, Deloitte & Touche LLP Enterprise Risk Services Senior Manager February 2013

More information

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013

12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013 Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He

More information

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial

More information

The Role of Internal Audit in Risk Governance

The Role of Internal Audit in Risk Governance The Role of Internal Audit in Risk Governance How Organizations Are Positioning the Internal Audit Function to Support Their Approach to Risk Management Executive summary Risk is inherent in running any

More information

Network Management and Defense Telos offers a full range of managed services for:

Network Management and Defense Telos offers a full range of managed services for: Network Management and Defense Telos offers a full range of managed services for: Network Management Operations Defense Cybersecurity and Information Assurance Software and Application Assurance Telos:

More information

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division

NSERC SSHRC AUDIT OF IT SECURITY Corporate Internal Audit Division AUDIT OF IT SECURITY Corporate Internal Audit Division Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada September 20, 2012 Corporate

More information