I spied the the latest Gartner CIO priorities list the other day on Twitter. No surprise that business analytics (aka big data) was at the top, but perhaps what was a surprise was that security was at the bottom. Assuming this list is order of priority, that's actually shocking, especially in the context of the number high profile IT security breaches we've seen in recent years -- and the standard anti-cloud argument from some CIOs and IT pros that usually involves security and how much better they can do it themselves.
Of course, these priorities do not all live alone in their own little priority silos. They mix and match and overlap in all kinds of interesting ways. In fact, you could argue that #8, security is a part of the other seven priorities, and you could take the #1 priority business analytics and also apply it to every other item on the list including security.
That's because cyber security in particular has become a big data analytics problem. As we have more and more data in the cloud and on premises, we have more and more data being thrown at us just related to security --and the challenge is finding ways to make sense of all this data. If security is down the list, and big data and analytics is the top priority, how do you reconcile this if you're a a CIO?
As HD Moore, who chief security researcher at security firm Rapid7, a firm that uses data to find anomalies in the data pile that could point to a breach told me, all it takes is one major breach for it to move up the priority list very rapidly.
He's right. When I was at the MIT-Sloan CIO Symposium in May one speaker noted that when he talked to CIOs he kept hearing they didn't want to be "Target-ed" as in they didn't want their companies to become the next Target breach (target in both senses of the word). In other words, it seems that CIOs were scared to death about being the next major breach. You would think that would make security a bigger priority, but I suppose it's one thing to have a major public security embarrassment, but it would be far worse for publicly traded companies to make cyber security a bigger priority than say running a profitable business, so as always it comes down to trade-offs and strategic initiatives have greater priority than practical ones like security.
But as Moore told me you can bet that security is a big priority for Target now because they experienced the breach first hand. When it's somebody else's problem, it's easier to ignore it, but once it happens to you, it's another matter. And perhaps that's what reflected in the list.
Companies are under pressure today to innovate, to move faster, to be more responsive to their customers --and when you throw up the security card, you put an obstacle in the way of that kind of change, but that doesn't mean you ignore security either, no matter where you're storing your data. You still have to consider it and build it into everything you do. You just can't let it stop you from moving forward.