Protiviti's 2013 IT Priorities Survey

Protiviti’s 2013 IT Priorities Survey is designed to help CIOs and IT professionals classify areas in need of attention so that they can better execute the function’s strategic mandate. The survey’s findings and our accompanying analysis should help CIOs and their teams as they assess their own priorities and key areas of focus for 2013.

Benchmark yourself against your peers or listen to our in-depth discussion of the survey findings in a recently recorded webinar at www.protiviti.com/ITsurvey.

Published in: Technology

Protiviti's 2013 IT Priorities Survey

  1. 1. 2013 IT Priorities Survey

     Mobile Commerce, Social Media, Data Management and Business Continuity Dominate the Agendas of IT Departments
  2. 2. Introduction

     A cursory glance at nearly any information technology (IT) article, survey or report confirms that enterprises have plunged into the era of big data. Immersed in bits and bytes in today’s modern IT environment, companies of all sizes express a growing hunger for the experience, processes and tools necessary to harvest this data into actionable information that drives decision-making and helps carve out competitive advantage.

     Satisfying this hunger falls, of course, to the IT function. Yet a more rigorous inspection of IT reveals a function awash in much more than data. The function’s responsibilities, priorities and to-do lists continue to expand more broadly and more deeply every year (it almost appears as if IT’s growing workload is governed by Moore’s Law). Compare the results of Protiviti’s inaugural IT survey from 2011 with the 2013 survey results, and it becomes apparent that the number of areas CIOs and IT professionals have ranked as priorities this year has increased significantly.

     Protiviti’s 2013 IT Priorities Survey is designed to help IT professionals classify areas in need of attention so that they can better execute the function’s strategic mandate. The survey’s findings and our accompanying analysis should help CIOs and their teams as they assess their own priorities and key areas of focus for 2013.

     To that end, the survey results reveal trends and areas of priority that IT functions are currently addressing and planning for in response to what is happening in the market. These issues include:

     • Mobile commerce – Numerous facets of mobile commerce management have emerged as major IT function focal points, including mobile commerce security, mobile commerce policy and mobile commerce integration. IT organizations are proactively looking to put into place more control and regimen around the management of mobile commerce and related new technologies.
     • The management and classification of data – Data classification and management has become an overarching priority for IT functions as organizational information systems continue to generate more and more “big data” that must be managed in accordance with risk management, regulatory compliance management and performance management requirements. The more the IT function understands what comprises “sensitive” (i.e., valuable and/or high-risk) data, the more effective and cost-efficient the organization’s data management capabilities will become.
     • Social media – IT departments are investing significant time and resources to support the integration of social media and the governance of these technologies and related activities, which include social media programs for employees, customers and other external stakeholders.
     • Business continuity – In the wake of several catastrophic natural disasters, IT functions are more mindful than ever of the need to plan for and respond to potential business disruptions and outages resulting from hacking, and to evaluate the location of their backup facilities.
     • Risk management – ISO 31000 defines risk as the “effect of uncertainty on objectives.” Given the uncertainty radiating from IT issues such as mobile devices, social media, cloud computing and new compliance requirements, among many others, it’s no surprise that ISO 31000, as well as risk management in general, marks an area of IT function concern.
  3. 3. • IT infrastructure planning – Planning activities – specifically platform performance planning, storage management and planning, and network performance planning – represent key priorities for CIOs and their teams. These objectives point to an effort to make the IT function more agile in response to the accelerating pace of change.
     • IT asset management – Given the proliferation of smartphones, tablets and similar devices as well as the new applications and organizational data contained on these devices, IT functions have entered a brave new, highly mobile and increasingly risky world of asset management.

     Nearly 200 respondents, including CIOs, chief technology officers, chief security officers, and IT vice presidents and directors, participated in the study. Respondents answered more than 100 questions in three general categories: Technical Knowledge, IT Process Capabilities and Organizational Capabilities. (The IT Process Capabilities category contains several subcategories.) The IT executives and professionals who participated in our survey represent virtually all industry sectors, including consumer products, distribution, energy, financial services, healthcare, hospitality, manufacturing, retail, technology and utilities. More than half of the participants work in publicly traded companies; the other respondents work in private, government and nonprofit organizations. (Please note that, upon request, Protiviti can provide customized reports based on the results of respondents from specific groups – industry, company size, etc.)

     We would like to express our gratitude to all of the IT executives and professionals who participated in our survey. We look forward to sharing these results and the trends they reveal, and observing over the next year what new priorities may emerge that will change the landscape yet again for CIOs and their IT organizations.

     Protiviti
     February 2013
  4. 4. Technical Knowledge

     Key Findings – 2013

     • Aspects of social media and mobile commerce represent major challenges and top priorities for many IT executives and professionals.
     • Risk management (and ISO 31000, in particular) as well as specific compliance requirements, such as the European Union Data Directive, also rank as key priorities for IT departments.
     • CIOs and their staffs intend to strengthen cybersecurity capabilities, in particular, given the growing threat of breaches as well as the quickly increasing number of state and federal information security compliance requirements.

     Overall Results, Technical Knowledge

     | “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale) |
     |---|---|---|
     | 1 | Social media security | 2.9 |
     | 2 | Mobile commerce security | 2.8 |
     | 3 | Mobile commerce policy | 2.8 |
     | 4 | Mobile commerce integration | 2.8 |
     | 5 | Social media integration | 2.9 |

     Respondents were asked to assess, on a scale of one to five, their competency in 21 areas of technical knowledge in IT, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of technical knowledge under consideration, see page 4.) Figure 1 depicts a comparison of “Need to Improve” versus “Competency” ratings in a Technical Knowledge landscape.

     IT functions are scrambling to deliver information, products and services via a growing number of platforms and devices in a secure, compliant, effective and cost-efficient manner to employees, customers, clients and other stakeholders. IT executives and professionals are juggling an imposing number of priorities, including integration, policy and security activities related to mobile commerce, social media and the smart devices more and more professionals use.

     While this push creates significant work, these demands hardly exist in isolation and must be addressed along with numerous other, slightly less pressing (for the moment) priorities, such as ISO 31000, various state data breach and privacy laws in the United States, the European Union Data Directive, and national cybersecurity directives, including guidance coming from the National Institute of Standards and Technology’s (NIST’s) Computer Security Division (CSD). There is significant pressure on organizations in the healthcare and financial services industries, in particular, to perform more risk management.
  5. 5. Additionally, cloud computing and virtualization – enabling technologies that can greatly enhance IT’s value to the business yet also pose risks that must be managed – remain areas IT functions are targeting for improvement (as respondents to our 2011 survey also noted). Virtualization’s promise of delivering more consistent service as well as improvements to data security and privacy, business continuity management capabilities and overall business agility (i.e., the ability to quickly and securely scale operations up or down) remain alluring. As such, IT executives and professionals appear intent on strengthening their virtualization capabilities.

     [Figure 1: Technical Knowledge – Perceptual Map. Horizontal axis: Need to Improve (lower to higher). Vertical axis: Degree of Technology Use (lower to higher).]

     | Number | Areas Evaluated by Respondents |
     |---|---|
     | 1 | Social media security |
     | 2 | Mobile commerce security |
     | 3 | Mobile commerce policy |
     | 4 | Mobile commerce integration |
     | 5 | Social media integration |
     | 6 | ISO 31000 |
     | 7 | Smart device integration |
     | 8 | Social media policy |
     | 9 | Cloud computing |
     | 10 | Data breach and privacy laws (various U.S. states) |
     | 11 | NIST (cybersecurity) |
     | 12 | European Union Data Directive |
     | 13 | ISO/IEC 27001/2 |
     | 14 | CISA |
     | 15 | COBIT |
     | 16 | Virtualization |
     | 17 | CISSP |
     | 18 | HITRUST CSF |
     | 19 | PCI-DSS |
     | 20 | FISMA |
     | 21 | GSEC |
  6. 6. Key Questions to Consider:

     • Can mobile commerce solutions be integrated effectively, efficiently and securely with your overall IT infrastructure and existing management tools?
     • Does your IT function maintain and update clear mobile commerce and social media policies that clearly convey the acceptable use and security requirements of these capabilities to employees who engage in mobile commerce and/or social media activities? How are these policies monitored and audited?
     • Is the overall state of your company’s social media security sufficient? How can social media capabilities be integrated more extensively into appropriate business processes to deliver value?
     • How can smartphones, tablets and similar devices be integrated into the normal flow of business in a more effective and secure manner?
     • How robust are your information security measures? Are these measures applied differently depending on the sensitivity or importance of the data being processed and stored?
     • Is your organization in compliance with all relevant industry standards for security and privacy as well as applicable laws and regulations?
     • Does your organization have efficient systems and processes for monitoring the quality of compliance as well as processes for monitoring ongoing regulatory issues and anticipating new rules and regulations?

     Two-Year Comparison – Overall Results, Technical Knowledge*

     | 2013 | 2011 |
     |---|---|
     | Social media security | Virtualization |
     | Mobile commerce security | Social media integration |
     | Mobile commerce policy | Cloud computing |
     | Mobile commerce integration | Social media security |
     | Social media integration | Mobile commerce security |

     * Certain competencies and skill areas in this category were not included in both years of the survey.

     Notable Trend

     • Mobile commerce issues – policies, security, integration – have emerged clearly as top priorities. Interestingly, challenges related to areas such as virtualization and cloud computing appear to have receded somewhat, perhaps suggesting a higher level of confidence within IT departments in managing these areas and the relationships with vendors potentially providing these capabilities. However, virtualization, cloud computing and related technologies remain significant areas of focus, especially in understanding how they can be leveraged.
  7. 7. RESPONSES FROM IT EXECUTIVES¹

     IT executives appear to place greater emphasis on cybersecurity. By rating NIST’s cybersecurity developments among their top priorities, CIOs and other IT executives express a desire to ensure that their functions keep abreast of leading cybersecurity practices, guidance and requirements.

     IT Executive Results, Technical Knowledge

     | “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale) |
     |---|---|---|
     | 1 | Mobile commerce security | 3.0 |
     | 2 | Mobile commerce integration | 2.9 |
     | 3 (tie) | NIST (cybersecurity) | 2.8 |
     | 3 (tie) | Mobile commerce policy | 3.1 |
     | 5 | ISO 31000 | 2.4 |

     Two-Year Comparison – IT Executive Results, Technical Knowledge*

     | 2013 | 2011 |
     |---|---|
     | Mobile commerce security | Social media integration |
     | Mobile commerce integration | Social media security |
     | NIST (cybersecurity) | Data breach and privacy laws (various U.S. states) |
     | Mobile commerce policy | Agile development |
     | ISO 31000 | COBIT |
     | | Cloud computing |

     * Certain competencies and skill areas in this category were not included in both years of the survey.

     Notable Trend

     • Mobile commerce issues also have risen to the top of the priority list for IT executives, whereas in 2011 they did not crack the top five.

     ¹ Includes responses from survey respondents with the following titles: chief information officer, chief information security officer, chief technology officer, chief privacy officer, chief security officer, IT vice president/director and IT audit vice president/director.
  8. 8. IT Process Capabilities: Managing Security and Privacy

     Key Findings – 2013

     • Managing and classifying big data remains a major challenge for IT departments.
     • IT functions are looking to improve several other security and privacy areas, including monitoring security events, incident response, and managing user identities and access, as well as compliance requirements and the management of third-party vendors.

     Overall Results, Managing Security and Privacy

     | “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale) |
     |---|---|---|
     | 1 | Managing and classifying enterprise data | 3.2 |
     | 2 | Incident response | 3.3 |
     | 3 | Monitoring security events | 3.2 |
     | 4 | Managing third-party vendors | 3.4 |
     | 5 (tie) | Managing user identities and access | 3.4 |
     | 5 (tie) | Implementing security/privacy solutions and strategies | 3.3 |

     Respondents were asked to assess, on a scale of one to five, their competency in 13 areas of process capabilities relating to managing security and privacy, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of managing security and privacy under consideration, see page 9.) Figure 2 depicts a comparison of “Need to Improve” versus “Competency” ratings in a Managing Security and Privacy landscape.

     There are two elements of managing data security and privacy. First, the data should be classified. Second, the data should be protected according to its classification. The most sensitive data in the organization warrants the strongest protection. Less sensitive data requires less protection (and therefore requires fewer resources to manage). Survey respondents identified this area, managing and classifying enterprise data, as their top priority in this category.

     They are wise for doing so; after all, companies in virtually every industry have invested large sums of money in an effort to get to know their customers and their customers’ activities in order to personalize service to them. This knowledge requires companies to capture a wealth of data on a daily basis, and some of this big data is considered personally identifiable information. Organizations must understand how to classify, manage and secure that data, not only for the sake of their customers and clients, but also to remain in compliance with numerous privacy laws and regulations.
  9. 9. Concerns over data classification and management also are driven by current and emerging laws and regulations. At least 46 of the 50 states in the United States currently have data privacy laws. In addition, many industries, including healthcare and financial services, have their own data privacy regulations. This explains why survey respondents also identified specific compliance requirements, such as the Gramm-Leach-Bliley Act (GLBA), California Security Breach Information Act and Health Insurance Portability and Accountability Act (HIPAA), as top priorities. Although each data security/privacy regulation features unique aspects and requirements, one of the consistent provisions that can be found in most, if not all, of them is that any person or organization holding private data and information is accountable if that information is breached.

     Incident response and security event management also are key areas of concern for IT executives and professionals. These challenges go hand-in-hand with data classification and management – clearly, the management and protection of data, confidential and otherwise, is critical for companies today, and IT functions are at the forefront of ensuring proper security.

     One more priority area, managing third-party vendors, bears mentioning. The importance as well as the complexity of this capability continues to increase as a) companies outsource and offshore more IT capabilities and functions; b) the nature of outsourcing relationships evolves (e.g., the use of hybrid models that blend aspects of shared services and traditional outsourcing); and c) new financial reporting, risk management (including business continuity management) and regulatory compliance requirements create additional relationship management needs and challenges.
  10. 10. [Figure 2: Managing Security and Privacy – Perceptual Map. Horizontal axis: Need to Improve (lower to higher). Vertical axis: Level of Competency (lower to higher).]

      | Number | Areas Evaluated by Respondents |
      |---|---|
      | 1 | Managing and classifying enterprise data |
      | 2 | Incident response |
      | 3 | Monitoring security events |
      | 4 | Managing third-party vendors |
      | 5 | Managing user identities and access |
      | 6 | Implementing security/privacy solutions and strategies |
      | 7 | U.S. Gramm-Leach-Bliley Act (GLBA) |
      | 8 | Managing technical infrastructure configuration |
      | 9 | Managing contractors |
      | 10 | California Security Breach Information Act (SB 1386) |
      | 11 | Managing application users |
      | 12 | U.S. Health Insurance Portability and Accountability Act (HIPAA) |
      | 13 | Managing IT users |
  11. 11. Key Questions to Consider

      • What is your IT function’s and your management team’s understanding (e.g., “excellent,” “good” or “limited”) of what comprises “sensitive” organizational data and information?
      • Is there a formal effort under way to define and classify the data the organization generates as part of its day-to-day operations? Is the organization clear about what information is sensitive or requires special attention – especially data that is regulated by privacy laws?
      • Has specific responsibility or stewardship been assigned for the organization’s most sensitive data types?
      • Is the management of data conducted over its full lifecycle, from acquisition through retention (identifying the duration of retention) through disposal/destruction?
      • Does your organization have a written information security policy (WISP) in place? Is it being implemented/executed?
      • To what extent does the IT function, as well as the risk management and compliance areas of the business, monitor and anticipate regulatory changes related to information security and privacy?
      • Are third-party vendors and contractors managed via a process that ensures they are in compliance with the organization’s policies related to data security and privacy, as well as remaining in current compliance with all relevant laws and regulations?
      • How are new vendors evaluated regarding their risk profile with required security standards?

      Two-Year Comparison – Overall Results, Managing Security and Privacy*

      | 2013 | 2011 |
      |---|---|
      | Managing and classifying enterprise data | Managing and classifying enterprise data |
      | Incident response | California Security Breach Information Act (SB 1386) |
      | Monitoring security events | U.S. Gramm-Leach-Bliley Act (GLBA) |
      | Managing third-party vendors | Managing user identities and access |
      | Managing user identities and access | Managing third-party vendors |
      | Implementing security/privacy solutions and strategies | Incident response |
      | | Monitoring security events |
      | | Implementing security/privacy solutions and strategies |

      * Certain competencies and skill areas in this category were not included in both years of the survey.

      Notable Trends

      • In the two years of this study, managing and classifying enterprise data has stood out as a top priority for IT organizations.
      • Specific laws identified among the top priorities in the previous study rank lower in the 2013 results – a possible indicator of less uncertainty regarding these requirements.
  12. 12. RESPONSES FROM IT EXECUTIVES

      The responses for this category generally mirror those from the overall group with one exception: IT executives rank specific compliance requirements, including the GLBA and the California Security Breach Information Act, as more important “Need to Improve” areas compared to all survey respondents.

      IT Executive Results, Managing Security and Privacy

      | “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale) |
      |---|---|---|
      | 1 | Managing and classifying enterprise data | 3.4 |
      | 2 | Incident response | 3.7 |
      | 3 | U.S. Gramm-Leach-Bliley Act (GLBA) | 2.8 |
      | 4 | Monitoring security events | 3.6 |
      | 5 | California Security Breach Information Act (SB 1386) | 2.5 |

      Two-Year Comparison – IT Executive Results, Managing Security and Privacy*

      | 2013 | 2011 |
      |---|---|
      | Managing and classifying enterprise data | Managing and classifying enterprise data |
      | Incident response | Managing user identities and access |
      | U.S. Gramm-Leach-Bliley Act (GLBA) | Managing third-party vendors |
      | Monitoring security events | Implementing security/privacy solutions and strategies |
      | California Security Breach Information Act (SB 1386) | Incident response |

      * Certain competencies and skill areas in this category were not included in both years of the survey.

      Notable Trends

      • For IT executives, managing and classifying enterprise data is a consistent top priority.
      • Interestingly, unlike the overall findings, specific privacy-related laws and regulations have increased as priorities for 2013 compared to the 2011 results.
  13. 13. IT Process Capabilities: Defining IT Strategy and Organization

      Key Findings – 2013

      • The IT function’s top priorities in this category reflect a commitment to enhancing the clarity and precision with which IT performance is measured, monitored and reported to the business.
      • IT professionals want to strengthen the customer service they provide to their internal customers (as laid out in service-level agreements).
      • The integration and alignment of IT planning with business strategy remains an ongoing priority.

      IT Process Capabilities, Defining IT Strategy and Organization

      | “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale) |
      |---|---|---|
      | 1 | Defining metrics and measurements for monitoring IT performance | 3.1 |
      | 2 | Reporting IT activities and performance | 3.2 |
      | 3 | Negotiating, managing and monitoring information quality | 3.2 |
      | 4 | Negotiating, managing and monitoring customer service-level agreements (SLAs) | 3.2 |
      | 5 | Developing and maintaining enterprise information architecture | 3.1 |

      Respondents were asked to assess, on a scale of one to five, their competency in 16 areas of process capabilities relating to defining IT strategy and organization, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of IT strategy and organization under consideration, see page 13). Figure 3 depicts a comparison of “Need to Improve” versus “Competency” ratings in a Defining IT Strategy and Organization landscape.

      It wasn’t long ago that many IT functions funneled significant effort to aligning IT planning with overall business strategy. Today, that alignment appears to have matured, and survey respondents indicate that they are applying more attention, resources and time – and much more precision – to executing the IT plan while managing performance in a highly transparent way.

      The top priority areas in this survey category – defining metrics and measurements for monitoring IT performance; reporting IT activities and performance; negotiating, managing and monitoring customer SLAs, among others – reflect less of an emphasis on “designing” and place much more importance on “measuring,” “analyzing,” and “reporting” IT’s actual performance.
  14. 14. Do these results indicate that IT strategy generally has achieved a more evolved and sophisticated state? Possibly. The findings suggest it is more certain that IT is demonstrating a commitment to transparency and a measurement mindset to help it convey its value to the business more clearly and on a more real-time basis.

      [Figure 3: Defining IT Strategy and Organization – Perceptual Map. Horizontal axis: Need to Improve (lower to higher). Vertical axis: Level of Competency (lower to higher).]

      | Number | Areas Evaluated by Respondents |
      |---|---|
      | 1 | Defining metrics and measurements for monitoring IT performance |
      | 2 | Reporting IT activities and performance |
      | 3 | Negotiating, managing and monitoring information quality |
      | 4 | Negotiating, managing and monitoring customer SLAs |
      | 5 | Developing and maintaining enterprise information architecture |
      | 6 | Integration/alignment of IT planning and business strategy |
      | 7 | Monitoring IT costs and benefits |
      | 8 | Managing and monitoring policy exceptions |
      | 9 | IT risk analysis and reporting |
      | 10 | Long-term and short-term planning |
      | 11 | Developing and maintaining end-user support policies and standards |
      | 12 | Defining IT roles and responsibilities |
      | 13 | Defining organizational placement of the IT function |
      | 14 | Developing and maintaining operations management policies and standards |
      | 15 | Monitoring and achieving legal/regulatory compliance |
      | 16 | Developing and maintaining security and privacy standards |
  15. 15. Key Questions to Consider

      • Is your IT department collaborating effectively with the business to manage shifting priorities in an agile manner?
      • To what extent are CIOs and the IT leadership team collaborating with the business to proactively identify potential business opportunities and threats that require IT support?
      • Are the expectations of C-suite and business-unit executives with regard to IT consistent with how technology is funded and managed?
      • Does IT have visibility into strategic events planned in the near or long term, such as mergers or acquisitions, initial public offerings, divestitures or business expansions?
      • What metrics are used to measure the quality of work being performed by IT?
      • How effective and timely are the quantifiable metrics and/or key performance indicators IT shares with the business regarding IT’s ongoing performance?
      • Is there a process in place to monitor the effectiveness of IT performance measurement/management activities?
      • How are customer SLAs monitored, managed and continuously improved?

      Two-Year Comparison – Overall Results, Defining IT Strategy and Organization*

      | 2013 | 2011 |
      |---|---|
      | Defining metrics and measurements for monitoring IT performance | Communication of strategy and governance |
      | Reporting IT activities and performance | Defining metrics and measurements for monitoring IT performance |
      | Negotiating, managing and monitoring information quality | Monitoring and achieving legal/regulatory compliance |
      | Negotiating, managing and monitoring customer SLAs | Developing and maintaining enterprise information architecture |
      | Developing and maintaining enterprise information architecture | Performing and maintaining the IT risk assessment |

      * Certain competencies and skill areas in this category were not included in both years of the survey.

      Notable Trends

      • While defining metrics and measurements for monitoring IT performance has ranked as a top priority area in both studies, there are more performance management-related areas that rank as priorities in the 2013 findings.
      • Of note, legal and regulatory compliance, which was among the top priorities for IT functions in 2011, falls near the bottom of the 2013 priority list in this category.
  16. 16. RESPONSES FROM IT EXECUTIVES

      The results from IT executives generally mirror the study’s overall response in this category.

      IT Executive Results, Defining IT Strategy and Organization

      | “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale) |
      |---|---|---|
      | 1 | Reporting IT activities and performance | 3.5 |
      | 2 | Defining metrics and measurements for monitoring IT performance | 3.4 |
      | 3 | Negotiating, managing and monitoring information quality | 3.5 |
      | 4 | Negotiating, managing and monitoring customer SLAs | 3.6 |
      | 5 (tie) | Developing and maintaining enterprise information architecture | 3.4 |
      | 5 (tie) | Managing and monitoring policy exceptions | 3.5 |

      Two-Year Comparison – IT Executive Results, Defining IT Strategy and Organization*

      | 2013 | 2011 |
      |---|---|
      | Reporting IT activities and performance | Defining metrics and measurements for monitoring IT performance |
      | Defining metrics and measurements for monitoring IT performance | Communication of strategy and governance |
      | Negotiating, managing and monitoring information quality | Performing and maintaining the IT risk assessment |
      | Negotiating, managing and monitoring customer SLAs | Developing and maintaining enterprise information architecture |
      | Developing and maintaining enterprise information architecture | Negotiating, managing and monitoring customer SLAs |
      | Managing and monitoring policy exceptions | Negotiating, managing and monitoring information quality |

      * Certain competencies and skill areas in this category were not included in both years of the survey.

      Notable Trend

      • Areas related to performance management – topped by reporting IT activities and performance – have risen as key priorities for IT executives since the last survey.
  17. 17. IT Process Capabilities: Managing IT Infrastructure

      Key Finding – 2013

      • Planning related to platform and network performance, along with storage management and planning, stand out as top concerns.

      Overall Results, Managing IT Infrastructure

      | “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale) |
      |---|---|---|
      | 1 | Platform performance planning | 2.8 |
      | 2 | Storage management and planning | 2.8 |
      | 3 | Network performance planning | 2.8 |
      | 4 | Managing and maintaining job processing | 3.2 |
      | 5 | IT infrastructure change management | 3.3 |

      Respondents were asked to assess, on a scale of one to five, their competency in nine areas of process capabilities relating to managing IT infrastructure, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of managing IT infrastructure under consideration, see page 17.) Figure 4 depicts a comparison of “Need to Improve” versus “Competency” ratings in a Managing IT Infrastructure landscape.

      Data management qualifies as an overarching need among most companies as they collect, store and transmit vast and rapidly growing amounts of data. Executive teams and boards of directors want assurance that sensitive information not only is secure, but also is stored in a cost-efficient and effective manner, thus maximizing the organization’s investment in the data and storage capabilities. In addition, these capabilities must be compliant with e-discovery and records management requirements. In response, IT executives and professionals indicate their functions are addressing a number of issues associated with platform performance and storage management, including what information can be collected and maintained, how the information should be stored, how and where information can be transmitted, and what required actions should be initiated in the event of a security breach and/or a break in continuity.

      It is noteworthy that each of the three top priorities respondents identified involves planning activities. These rankings suggest IT functions are striving to become more agile. While it remains absolutely necessary today to achieve effective platform performance, storage management and network performance, this achievement alone is not sufficient. IT functions also appear intent on strengthening these planning capabilities so that they are flexible and agile enough to support rapidly changing business needs in the future.
  18. 18. Figure 4: Managing IT Infrastructure – Perceptual Map

[Perceptual map. Vertical axis: Level of Competency (lower to higher). Horizontal axis: Need to Improve (lower to higher). Plotted points are numbered 1 to 9.]

Number | Areas Evaluated by Respondents
1 | Platform performance planning
2 | Storage management and planning
3 | Network performance planning
4 | Managing and maintaining job processing
5 | IT infrastructure change management
6 | Database change management
7 | Managing and administering backup and recovery
8 | Operating system change management
9 | Managing data center environmental controls

2013 IT Priorities Survey 17
  19. 19. Key Questions to Consider:
• How is your IT function working to ensure that platform performance, storage management and network performance capabilities are agile enough to support – quickly and effectively – sudden business shifts in response to new threats and new opportunities?
• To what extent does this work extend to vendors responsible for handling and storing corporate data?
• Do current storage management capabilities support and align with the ways in which the IT function classifies, manages and protects organizational data?
• Has your organization conducted a risk assessment that identifies the nature of information collected, where it is stored, and how and where it is transmitted?
• Has your company established data protection policies that are monitored and enforced throughout the organization?
• How is the IT department addressing the business’s expectations of increasingly faster – and increasingly reliable – network performance?

Two-Year Comparison – Overall Results, Managing IT Infrastructure*

2013:
• Platform performance planning
• Storage management and planning
• Network performance planning
• Managing and maintaining job processing
• IT infrastructure change management

2011:
• Storage management and planning
• Network performance planning
• Database change management
• Platform performance planning
• IT infrastructure change management
• Operating system change management

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Results are relatively consistent between the two surveys, though managing and maintaining job processing rose to the top five list of priorities in this year’s study.

2013 IT Priorities Survey 18
  20. 20. RESPONSES FROM IT EXECUTIVES

The results from IT executives generally mirror the study’s overall response in this category, with one exception: CIOs and other senior IT leaders rank database change management as a slightly higher improvement need compared to all respondents.

IT Executive Results, Managing IT Infrastructure

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Platform performance planning | 3.3
2 | Storage management and planning | 3.4
3 | Network performance planning | 3.4
4 | Database change management | 3.7
5 | Managing and maintaining job processing | 3.8

Two-Year Comparison – IT Executive Results, Managing IT Infrastructure*

2013:
• Platform performance planning
• Storage management and planning
• Network performance planning
• Database change management
• Managing and maintaining job processing

2011:
• IT infrastructure change management
• Database change management
• Managing and administering backup and recovery
• Network performance planning
• Managing and maintaining job processing
• Managing data center environmental controls
• Operating system change management
• Storage management and planning

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Platform performance planning is elevated to the top of the priority list for IT executives in 2013 (this area ranked ninth in the previous survey), while IT infrastructure change management dropped out of the top five priorities.

2013 IT Priorities Survey 19
  21. 21. IT Process Capabilities: Managing IT Assets

Key Findings – 2013
• Monitoring and accounting for IT assets has grown more complex due to smart-device proliferation, “bring your own device” policies, growing workforce mobility and the IT function’s reliance on external partners.
• Survey respondents ranked monitoring IT assets, accounting for IT assets and monitoring external SLAs as their top priorities.

Overall Results, Managing IT Assets

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Monitoring IT assets | 3.1
2 | Accounting for IT asset management | 3.1
3 | Monitoring external SLAs | 3.2
4 | Monitoring and reviewing contracts/billings | 3.3
5 | Managing hardware maintenance agreements | 3.1

Respondents were asked to assess, on a scale of one to five, their competency in 14 areas of process capabilities relating to managing IT assets, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of managing IT assets under consideration, see page 21.) Figure 5 depicts a comparison of “Need to Improve” versus “Competency” ratings in a Managing IT Assets landscape.

The findings suggest IT functions are searching for ways to address a brave new world of asset management. No longer tethered to desks or on-site servers, more – and smaller – IT assets zip around the world in the briefcases, backpacks and pockets of increasingly mobile employees. The days of assigning bulky desktops are long gone; today, employees access organizational data and applications through tablets, smartphones, netbooks and other mobile devices. Moreover, employees are accessing enterprise networks through their own devices thanks to a growing number of organizations with “bring your own device” (BYOD) policies.

Given the growing complexity of IT asset management, it is understandable to see monitoring IT assets, accounting for IT asset management and managing IT asset retirement (as a result of employees leaving the company and/or the company’s adoption of next-generation devices) as top priorities in the results.

2013 IT Priorities Survey 20
  22. 22. IT professionals and IT executives, in particular, also indicated they want to improve asset management activities dependent on external relationships, as noted in higher-ranked “Need to Improve” areas such as monitoring external SLAs, monitoring and reviewing contracts/billings, and managing software licensing and compliance.

Given the growing reliance on cloud computing and external vendor support as well as the proliferation of smart devices among an increasingly mobile workforce, it is clear that the challenge of achieving effective IT asset management is intensifying.

Figure 5: Managing IT Assets – Perceptual Map

[Perceptual map. Vertical axis: Level of Competency (lower to higher). Horizontal axis: Need to Improve (lower to higher). Plotted points are numbered 1 to 14.]

Number | Areas Evaluated by Respondents
1 | Monitoring IT assets
2 | Accounting for IT asset management
3 | Monitoring external SLAs
4 | Monitoring and reviewing contracts/billings
5 | Managing hardware maintenance agreements
6 | Managing IT asset retirement – employee/contractor termination
7 | Managing IT asset retirement – IT asset refresh
8 | Managing software licensing and compliance
9 | Managing contract analysis and renewal
10 | Determining outsourcing strategy and approach
11 | Managing audit process (SAS 70, SSAE 16, others)
12 | Software deployment
13 | Negotiating and establishing agreements
14 | Hardware deployment

2013 IT Priorities Survey 21
  23. 23. Key Questions to Consider
• What processes does the IT organization have in place to monitor IT assets in a risk-savvy manner?
• What is the IT function’s role in accounting for IT asset management and how can it collaborate with the finance and accounting function to strengthen the accuracy and efficiency of this activity?
• Are there defined standards for entering into an SLA, and is there an audit process in place to monitor external parties operating under an SLA?
• How effective is the IT function in monitoring external SLAs, contracts, and billing and software licenses?
• What are the greatest risks to IT asset management in your organization, and how are these risks managed?
• Does the company’s and the IT function’s outsourcing strategy align with and support IT asset management needs?

Two-Year Comparison – Overall Results, Managing IT Assets*

2013:
• Monitoring IT assets
• Accounting for IT asset management
• Monitoring external SLAs
• Monitoring and reviewing contracts/billings
• Managing hardware maintenance agreements

2011:
• Monitoring external SLAs
• Determining outsourcing strategy and approach
• Accounting for IT asset management
• Managing IT asset retirement – employee/contractor termination
• Managing IT asset retirement – IT asset refresh

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Monitoring IT assets ranks as the top priority this year, compared to sixth (not shown) in 2011 – not a surprise considering the proliferation of new devices (smartphones, tablets, etc.) being used today by company employees.

2013 IT Priorities Survey 22
  24. 24. RESPONSES FROM IT EXECUTIVES

CIOs and other IT executives rank the importance of improving two externally focused areas – determining outsourcing strategy and approach, and managing software licensing and compliance – higher than the overall survey group. This suggests IT executives are a) interested in ensuring that an outsourcing strategy limits IT asset management risks as much as possible, and b) concerned about the magnitude of risk related to software licensing issues.

IT Executive Results, Managing IT Assets

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Monitoring IT assets | 3.5
2 | Monitoring and reviewing contracts/billings | 3.7
3 | Accounting for IT asset management | 3.4
4 (tie) | Monitoring external SLAs | 3.5
4 (tie) | Determining outsourcing strategy and approach | 3.6
4 (tie) | Managing software licensing and compliance | 3.6

Two-Year Comparison – IT Executive Results, Managing IT Assets*

2013:
• Monitoring IT assets
• Monitoring and reviewing contracts/billings
• Accounting for IT asset management
• Monitoring external SLAs
• Determining outsourcing strategy and approach
• Managing software licensing and compliance

2011:
• Monitoring external SLAs
• Accounting for IT asset management
• Determining outsourcing strategy and approach
• Managing IT asset retirement – employee/contractor termination
• Negotiating and establishing agreements

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Similar to the overall results, monitoring IT assets has jumped to the top of the priority list for IT executives.

2013 IT Priorities Survey 23
  25. 25. IT Process Capabilities: Ensuring Continuity

Key Finding – 2013
• Three top-of-mind priorities in this category are developing and maintaining business resumption plans, developing and maintaining IT disaster and recovery plans, and developing and maintaining crisis management plans.

Overall Results, Ensuring Continuity

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Developing and maintaining business resumption plans | 3.1
2 (tie) | Developing and maintaining IT disaster and recovery plans | 3.2
2 (tie) | Developing and maintaining crisis management plans | 3.2
4 | Developing and maintaining risk assessment/business impact analysis | 3.4
5 (tie) | Ensuring executive management support and sponsorship | 3.4
5 (tie) | Ensuring business alignment | 3.4

Respondents were asked to assess, on a scale of one to five, their competency in seven areas of process capabilities relating to ensuring continuity, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of ensuring continuity under consideration, see page 25.) Figure 6 depicts a comparison of “Need to Improve” versus “Competency” ratings in an Ensuring Continuity landscape.

In recent months, as Hurricane Sandy and numerous high-profile information security breaches have demonstrated, business continuity in the face of expanding disruption threats has become a growing executive and board-level concern. The growing use of social media and mobile commerce, along with increased privacy legislation, is driving these concerns as well. Additionally, organizations are revisiting the location of backup facilities and potentially placing them in different geographies where natural disaster risk is lessened. It is clear that the growing reliance on technology systems and applications requires IT to play a central role in corporate business continuity management (BCM) and disaster recovery efforts.²

² For more information, read Protiviti’s Guide to Business Continuity Management, available at www.protiviti.com.

2013 IT Priorities Survey 24
  26. 26. The top priorities identified by respondents – developing and maintaining business resumption plans, developing and maintaining IT disaster and recovery plans, and developing and maintaining crisis management plans – suggest more companies and their IT functions are integrating IT disaster recovery capabilities with crisis management activities and business resumption plans to strengthen the organization’s overall BCM capability.

Figure 6: Ensuring Continuity – Perceptual Map

[Perceptual map. Vertical axis: Level of Competency (lower to higher). Horizontal axis: Need to Improve (lower to higher). Plotted points are numbered 1 to 7.]

Number | Areas Evaluated by Respondents
1 | Developing and maintaining business resumption plans
2 | Developing and maintaining IT disaster and recovery plans
3 | Developing and maintaining crisis management plans
4 | Developing and maintaining risk assessment/business impact analysis
5 | Ensuring executive management support and sponsorship
6 | Ensuring business alignment
7 | Designing and maintaining business continuity strategies

2013 IT Priorities Survey 25
  27. 27. Key Questions to Consider:
• Has your company developed a crisis management and communications plan or strategy? Are there processes in place to update and audit these plans regularly?
• To what degree are BCM and disaster recovery capabilities and activities supported at the executive management and board level?
• Does your company have a formal overarching BCM strategy and continuity plan in place (and do these contain IT considerations among the key priorities)?
• Has your company undertaken a pandemic risk management assessment?
• How frequently does your organization test the plans that are in place? How are the results of these tests reviewed, analyzed and acted upon?
• How often is the information reviewed in all BCM-related plans and what is the process used to maintain, review and update them?

Two-Year Comparison – Overall Results, Ensuring Continuity*

2013:
• Developing and maintaining business resumption plans
• Developing and maintaining IT disaster and recovery plans
• Developing and maintaining crisis management plans
• Developing and maintaining risk assessment/business impact analysis
• Ensuring executive management support and sponsorship
• Ensuring business alignment

2011:
• Developing and maintaining risk assessment/business impact analysis
• Developing and maintaining crisis management plans
• Designing and maintaining business continuity strategies
• Ensuring business alignment
• Developing and maintaining business resumption plans

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Year-over-year results are relatively consistent, though business resumption plans moved to the top of the priority list in the 2013 results.

2013 IT Priorities Survey 26
  28. 28. RESPONSES FROM IT EXECUTIVES

IT executives identified the same top three “Need to Improve” areas within the Ensuring Continuity category that all survey respondents selected. Of note, half of the IT executive-level respondents cited the top two areas (developing and maintaining business resumption plans, and developing and maintaining IT disaster and recovery plans) as areas for improvement.

IT Executive Results, Ensuring Continuity

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Developing and maintaining business resumption plans | 3.3
2 | Developing and maintaining IT disaster and recovery plans | 3.5
3 | Developing and maintaining crisis management plans | 3.5
4 | Ensuring executive management support and sponsorship | 3.7
5 (tie) | Ensuring business alignment | 3.7
5 (tie) | Designing and maintaining business continuity strategies | 3.6
5 (tie) | Developing and maintaining risk assessment/business impact analysis | 3.6

Two-Year Comparison – IT Executive Results, Ensuring Continuity*

2013:
• Developing and maintaining business resumption plans
• Developing and maintaining IT disaster and recovery plans
• Developing and maintaining crisis management plans
• Ensuring executive management support and sponsorship
• Ensuring business alignment
• Designing and maintaining business continuity strategies
• Developing and maintaining risk assessment/business impact analysis

2011:
• Developing and maintaining crisis management plans
• Ensuring business alignment
• Designing and maintaining business continuity strategies
• Developing and maintaining business resumption plans
• Developing and maintaining risk assessment/business impact analysis

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Year-over-year results are relatively consistent, but developing and maintaining business resumption plans moved to the top of the priority list for IT executives in the 2013 results.

2013 IT Priorities Survey 27
  29. 29. Organizational Capabilities

Key Finding – 2013
• Six Sigma, dealing with confrontation, coaching/mentoring, leadership (in outside organizations) and negotiation are top priorities for IT executives and professionals as they look to enhance performance and operational efficiencies as well as collaboration with other organizational functions.

Overall Results, Organizational Capabilities

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Six Sigma | 2.7
2 | Dealing with confrontation | 3.4
3 (tie) | Coaching/mentoring | 3.6
3 (tie) | Leadership (in outside organizations, groups, etc.) | 3.4
5 | Negotiation | 3.4

Respondents were asked to assess, on a scale of one to five, their competency in 12 areas of organizational capabilities, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the organizational capabilities under consideration, see page 29.) Figure 7 depicts a comparison of “Need to Improve” versus “Competency” ratings in an Organizational Capabilities landscape.

The IT challenges identified throughout this survey indicate that workloads of IT executives and professionals have become crowded with improvement priorities. These priorities are less a matter of “or” (“Should we focus on improving social media security or mobile commerce integration?”) than they are a matter of “and” (“How can we improve social media security and mobile commerce integration and smart device integration and data classification and BCM and …?”). To address their expanding responsibilities and improvement efforts, IT professionals and executives are applying a combination of process-improvement methodology and interpersonal skills.

The relatively low competency rating for Six Sigma (the highest ranking “Need to Improve” area) compared to other areas in this survey category indicates that IT leaders and professionals also see ample room for improvement with regard to making IT functions and processes more efficient and productive, particularly as IT organizations continue to deal with slimmed-down staff levels after the financial challenges of the past few years.

2013 IT Priorities Survey 28
  30. 30. Also, survey respondents point to dealing with confrontation, coaching/mentoring, leadership (in outside organizations) and negotiation as top “Need to Improve” areas that can help them partner more effectively with other parties inside and outside the IT department.

The need for greater efficiency and productivity – both within IT and the larger business (where IT plays a key enabling role) – is unlikely to subside any time soon. IT professionals appear to recognize that improvements in interpersonal skills, such as leadership and negotiation, will help them address cultural issues that require attention while managing change.

Figure 7: Organizational Capabilities – Perceptual Map

[Perceptual map. Vertical axis: Level of Competency (lower to higher). Horizontal axis: Need to Improve (lower to higher). Plotted points are numbered 1 to 12.]

Number | Areas Evaluated by Respondents
1 | Six Sigma
2 | Dealing with confrontation
3 | Coaching/mentoring
4 | Leadership (in outside organizations, groups, etc.)
5 | Negotiation
6 | Leadership (within your organization)
7 | Developing outside contacts/networking
8 | Leveraging outside expertise
9 | Working effectively with C-level/senior executives
10 | Working effectively with business-unit executives
11 | Working effectively with outside parties
12 | Working effectively with regulators

2013 IT Priorities Survey 29
  31. 31. Key Questions to Consider:
• Can a better understanding and improvement in capability around Six Sigma concepts help the IT function add more value and improve its effectiveness?
• How are efficiency gains being tracked and reported?
• Are there formal training and development processes in place to help IT professionals improve their ability to deal with confrontation and enhance negotiation skills and related attributes?
• What sort of leadership training and development opportunities are available to rising IT professionals?
• What is the quality of the coaching/mentoring offerings to which IT managers have access?
• To what extent are IT professionals encouraged and supported in efforts to demonstrate leadership in external industry and business groups?

Two-Year Comparison – Overall Results, Organizational Capabilities*

2013:
• Six Sigma
• Dealing with confrontation
• Coaching/mentoring
• Leadership (in outside organizations, groups, etc.)
• Negotiation

2011:
• Six Sigma
• Dealing with confrontation
• Working effectively with C-level executives
• Developing rapport with senior executives
• Leadership (within your organization)

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Several new entries in the top priorities for 2013 suggest a stronger focus on coaching and mentoring other employees, as well as demonstrating leadership outside the company in professional groups.

2013 IT Priorities Survey 30
  32. 32. RESPONSES FROM IT EXECUTIVES

While IT executives also identify Six Sigma as the top “Need to Improve” organizational capability, they differ from overall survey respondents in two respects. First, IT executives view leading internally as well as leadership in outside organizations as higher improvement priorities than the overall survey group. Second, IT executives rank developing outside contacts/networking higher compared to the overall response. All respondents, however, place nearly identical importance on improving the coaching/mentoring opportunities available to IT professionals, suggesting that executives and professionals throughout the IT functional hierarchy see value in this type of development approach.

IT Executive Results, Organizational Capabilities

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Six Sigma | 3.0
2 | Leadership (in outside organizations, groups, etc.) | 3.5
3 | Leadership (within your organization) | 3.8
4 | Negotiation | 3.8
5 (tie) | Coaching/mentoring | 3.8
5 (tie) | Developing outside contacts/networking | 3.7

Two-Year Comparison – IT Executive Results, Organizational Capabilities*

2013:
• Six Sigma
• Leadership (in outside organizations, groups, etc.)
• Leadership (within your organization)
• Negotiation
• Coaching/mentoring
• Developing outside contacts/networking

2011:
• Change management
• Coaching/mentoring
• Developing outside contacts/networking
• Developing rapport with senior executives
• Developing rapport with business-unit executives

* Certain competencies and skill areas in this category were not included in both years of the survey.

Notable Trend
• Six Sigma, which ranked sixth on the list of priorities in the 2011 results, jumped to the top of the list in the 2013 study, suggesting IT leaders are focusing sharply on gaining greater efficiencies and productivity in their operations.

2013 IT Priorities Survey 31
