Balancing Security vs Agility

As part of the Thought Leadership Partnership between Telus and CIOCAN, the first meeting of the Telus Advisory Board was held recently. Designed to create a community of CIOs who discuss common issues such as trends and challenges faced by CIOs in navigating their firm’s digital transformation and technology choices, the Board’s first meeting succeeded in bringing out a number of different perspectives and stimulating interesting and relevant debate.

Here are some brief insights from the discussion about Security concerns:

An ongoing challenge facing IT leaders is the need to balance speed and agility – the ability to respond to new opportunities or new requirements – with the heightened need to have internal security that is capable of protecting data and processes from the risks that are increasing in number and complexity every day. The human factor remains the biggest concern. Just one inadvertent click on a wrong link can cause havoc in a company’s network. As soon as a vulnerability is identified, IT staff have to drop everything and patch it. In some industries, this is an almost daily challenge. For companies that have experienced a data breach, there is heightened governance and even fear that has to be managed. Internal processes need to address securing the data while teaching employees safe computing practices. But all this has to be done at a pace that meets the speed of change, while living within a budget that hasn’t changed in way too long. The traditional 5% of budget that used to be assigned to security isn’t keeping up; a more realistic figure would be 20-25%.

This balancing act is hard enough in the current context where data breaches are often considered to be an organization’s private business.  However, in the fall of 2017, new legislation is coming to all provinces that will require data breaches to be reported to Boards, to the general public, and to any individual whose data was exposed.  Companies will no longer be able to sweep a data breach under the rug.  If a company cannot demonstrate superior security levels, customers may take their business elsewhere. 

How do you balance the competing needs for security and agility?

Are you struggling to convince colleagues and/or Board members that IT needs more, not less investment?

Have you had an experience that others can learn from?