What are the top CIO challenges in 2015? According to a survey reported yesterday on CIO.com, security, downtime, and staffing top the list of workplace issues “keeping CIOs up at night.”
No surprises there. After a flurry of recent high-profile cyber-attacks and internal security breaches, the majority of CIO executives will ramp up the security and availability of their systems in 2015, according to the report. Unfortunately, this often means that teams are scrambling to finish a checklist of CIO security concerns to patch up the most immediate vulnerabilities, rather than taking a longer view and building rigorous and monitored security practices into all layers of their IT deployments.
At Logicworks, our clients are CIOs of precisely the kinds of industries that hackers target: Healthcare, Financial Services, and Media. It is our job to recommend, design, implement and manage highly secure infrastructures for our clients, and our engineers begin all new projects with a thorough audit and plan document. It all comes down to asking the right questions about CIO issues– and inviting people from outside IT to weigh in on the real-world business implications of downtime or security threats.
Here are some common questions we use to frame the initial discovery phase in any conversation with a client and their CIO or Chief Information Security Officer (CISO). We hope they help you in your approach to these CIO concerns in 2015 and beyond.
More than half of Chief Information Officers believe that security planning should be the last item to receive budget cuts in 2015, according to the survey. Two-thirds of CIOs plan to enforce stricter security policies for employees.
Increasingly, with the big-data and advanced-analytics management revolution in full swing, data is stored and handled on public clouds like Amazon Web Services. This presents an entirely new engineering paradigm to most IT teams, and the result is large (and quickly growing) amounts of sensitive data managed by staff or vendors who lack expertise at maintaining the security of those cloud platforms.
Here are the questions Logicworks asks internal IT teams before we begin security planning:
- How specifically would a data breach affect your business (and your bottom line)?
- How do you currently manage access and root credentials to systems?
- Do you connect with a static IP or are your users roaming?
- Do you have the ability to help set up a VPN?
- Do you have policies for multi-factor authentication?
We then go into much greater detail about the specific network access and controlled access management system in place to store and maintain passwords for the team. If a system is run on AWS, optimizing and further securing IAM systems is one of the first steps we usually take. Learn more about how we monitor password security through IAM.
Downtime is the second largest CIO challenge, according to the survey. But it is not the most glamorous topic and risks are not necessarily clear to the rest of the C-Suite.
CIO executives know that downtime is really about a loss of reputation – and great vendors will see your downtime as an unacceptable loss of their own brand equity.
Before CIOs develop response plans and tighten SLAs, the first step is measuring and communicating the impact of downtime. Here are some conversations we typically hold with clients:
- Which applications are mission-critical?
- How much downtime have you experienced in the last year?
- Are you following AWS High Availability best practices, such as load balancers across Availability Zones in each tier or using OpsWorks to automate capacity estimation and server provisioning?
- What are your single points of failure?
- How often do you test your plan? If you are operating on AWS, do you employ the Simian Army to randomly disable your production instances, to test if your auto scaling functions?
This process of discovery helps Logicworks understand core business objectives and build systems that consistently meet and exceed those objectives. As the state of the art moves to infrastructure-as-code and more workloads migrate to the public cloud, it is now possible to build self-healing, auto scaling AWS deployments that support applications with 100% uptime.
It does not matter how many security or availability plans you create if you do not have the appropriate staff – or the staff time – to implement them. And even if a staff engineer does develop new security and optimization procedures, they might not stick around to maintain them.
This is why CIOs often consider a managed services provider, or MSP. For the price of finding and keeping a senior engineer who specializes in what they need, an MSP can bring a fleet of engineers and a wider context of experience to help them achieve their plans. A managed services provider should both implement new practices and play an active role in maintaining those systems. This allows you to focus on other CIO responsibilities and refocus internal teams on innovation and development.
If you are developing a new hiring strategy, begin this year with an audit of how and why you hire or reject candidates. At Logicworks, we do not just hire for just knowledge and ability; candidates must consistently take ownership of their projects and yet be humble enough to collaborate in a low-ego environment. We have found that this recruiting philosophy attracts the talent we need to keep our clients’ systems up and running, and reducing worry for those in a CIO position.
CIOs have plenty of cause for worry. However, developing the right strategy and facing these CIO challenges upfront can mean the difference between capitalizing on growth in 2015 and becoming the next headline.
By Lindsay Van Thoen