When polled on the issue of cybersecurity and data privacy in mid-September, 80 percent of the 87 U.S.-based CIOs surveyed rated the threat level of a cyberattack or data breach for their organization as major to severe, on our 10-point scale. CIOs say there are several factors at play—including budget allocation and supply chain management—but the most important is building awareness throughout the organization.
“User education and acceptance is key,” says Bill Nixon, CIO and director of technology and innovation, Johnson County Kansas Government. “Staff and management need to understand that cybersecurity, and especially data privacy, is not just an ‘IT thing.’”
“Employees are the biggest risk. Training and zero trust are the only viable solutions at this stage,” said the CIO of an East Coast higher education institution, who says employee compliance is the biggest threat to cybersecurity at this time.
“Education is critical as the users are the best defense,” echoed a veteran IT executive at a global wholesale distributor.
Another challenge, they say, is the continued emergence of new threats. This has been further exacerbated by remote or hybrid work arrangements, which CIOs say increase the risk of cybersecurity breaches.
“Remote/distributed work necessitates replacing ‘bastion defense’ with ‘zero-trust’ security. Moving to the cloud requires designing for minimized blast radius. We’ve been doing this for several years,” says the senior director of a non-profit trade association.
“Data theft and extortion will continue to grow as a risk,” says the CIO of a global electronics manufacturing organization, who also believes remote work increases the risk of breaches. “New emerging risks in software integrity across all software vendors will continue to expand the attack surface.”
Barbara Fugate, CIO and CISO at United Bankers’ Bank, agrees that third-party management is a challenge: “The close second-place concern [to employee compliance] is supply chain. We have so little control, and no good way to implement controls, of upstream vendors,” she says.
The solution: Be prepared, they say.
“As CIOs, we need to aggressively push the focus from preventing cyberattacks to responding to cyberattacks. It is ultimately about how we recover,” says Robert Culpon, CIO of Anderson ZurMuehlen, a certified public accounting and business advisory firm, headquartered in Helena, Montana.
Forty-one percent agree that if the organization is well-prepared, the threat level diminishes significantly. For some, this means increasing the cyber budget and onboarding the right talent, both of which can be particularly challenging in the current market.
“As a non-profit, we lack both skilled talent/expertise to build and manage cybersecurity mitigation, specifically because we lack the financial ability to recruit such expertise,” says Steve Adamczyk, CIO of Michigan-based Holy Cross Services.
“Sometimes it is about prioritizing cybersecurity initiatives over that shiny project meant to solve all the problems,” says Joy Hatch, VP for IT/CIO at Fairmont State University in West Virginia.
“In the last few years [cybersecurity] has emerged into the most significant area in my company’s IT infrastructure,” says Gerald Edwards, CTO of The Sourcing Group, a New York-based consumer manufacturer. Thankfully, he says, “my expenditures dwarf other budget lines.”