Keepit has found that CISOs and CIOs need help with data protection challenges exacerbated by AI and the cloud. Of concern is that both of its studies show critical gaps in disaster recovery strategies. They also show that greater data security is needed.
The Foundry survey involved 107 companies with over 1,000 employees and is titled “Can data protection keep pace with the shifting landscape?” The second study, “The Great Balancing Act” (gated), is a qualitative document compiled from interviews with 30 top security professionals across the US, UK, and Europe.
Kim Larsen, CISO at Keepit, said, “Good data protection is essentially ‘data classification plus good recovery capabilities’: If you understand your data, and can recover uncorrupted versions of it fast, you have a solid foundation to ensure business continuity, compliance and recovery.
“But this is easier said than done: The complexity of implementing new initiatives, such as governance over data used by large language models (LLMs), and the need to balance conflicting IT demands, pose additional challenges for any industry.”
What do we learn from the survey?
Neither document paints a positive picture of the state of backup and recovery. Only 70% said that financial applications are incorporated within data protection strategies. While a further 24% expect that to happen in 2024, it still leaves 6% with nothing.
The story gets worse for e-commerce and human resource management. Only half of the respondents say that the same strategies cover them. Of concern is that others “hope” to catch up this year. It gets worse still when looking at CRM (46%), ERP (42%), custom apps (32%) and collaboration and productivity tools (26%).
There is no clear breakdown of cloud vs. on-premises strategies. However, the survey does reveal that only half have included cloud-stored SaaS data in their disaster recovery plans. Another 40% plan to add it but haven’t said when. That leaves a gap of 10% who either don’t value the data or don’t care.
What is interesting is that virtually all respondents are prioritising AI data protection. It would have been interesting to understand what use cases they have. Is it for regulatory or compliance reasons? Is it about concerns over deleted data destabilising AI?
Moving forward, the top four challenges for respondents to address are:
- 73% – Data Protection
- 53% – Data Governance
- 49% – Data Compliance
- 45% – Enterprise backup and recovery
What do we learn from the more in-depth study?
The study, which is 45 pages long, delivers significant insights and guidance for CISOs and CIOs. It’s divided into four sections, plus a reading list and an appendix. The sections are market trends, pain points, the path forward, and a conclusion.
Market trends
This looks at four areas: cloud, AI, interconnected risks, and budget pressures. 80% of companies are now cloud-savvy. However, this comes with challenges, including maintaining data governance and compliance across multiple environments. Compounding the problem is the mismatch of security protocols between environments.
Gen AI is on everyone’s radar, but significant concerns exist over how to use it, meet regulatory requirements, and protect data.
Regulation and compliance are causing problems in other areas. While systems are becoming interconnected and sharing data, regulation tends to be siloed. This means that organisations are navigating a spider’s web of regulation to create unified systems and assess risk.
Budget pressures continue to grow. New technologies like AI add extra pressure on security budgets. CISOs need to find better ways to articulate benefits to the board.
Pain points
Data management and data security are the primary pain points for CISOs. However, the interviews also tell another story. The interviewers found that the CISOs they talked to came from a variety of backgrounds and had differing responsibilities. Enterprise Times has covered this subject area in multiple podcasts and interviews.
This study highlights how the differing backgrounds make the CISOs adept at different things. It also reinforces that there are differing requirements for CISOs. Although the study doesn’t explicitly say it, this makes a case for multiple CISOs, depending on their responsibilities and backgrounds.
CISOs also recognise that they have 24-36 months to implement their strategies. Any CISO who expects to arrive, understand the organisation, and then put plans in place will struggle.
The CIO is in the same position as the CISO, with constantly evolving responsibilities.
In both cases, the increase in workload around risk management and compliance is evident. Some organisations have recognised this and created the Chief Risk Officer and Chief Compliance Officer roles. What still needs to be addressed is who they should report to: the CISO or the CIO?
Also identified is the need for a data governance compliance framework. However, doing that requires a lot of other data management work. This is where the roles of a Chief Data Officer and a Chief Compliance Officer overlap and complement each other.
The path forward
This section deals with strategies from those interviewed regarding how the business needs to move forward. It contains a lot of interesting suggestions and ideas. Chief among them is the need for a risk-impact framework. It lists six components that a framework should include:
- Risk Identification
- Risk Assessment
- Impact Analysis
- Prioritisation
- Mitigation Planning
- Monitoring and Review
Importantly, one CISO commented, “The risk-impact conversation has to come from the board, not the CISO …. The board needs to acknowledge this responsibility and take on the task as well as its implications.”
That comment about the board driving risk impact goes deeper. The board and investors must be involved in cybersecurity and governance strategies. It might seem obvious they are involved, but as this study discovered, that is not a given.
This section also contains an extremely useful table covering Data Governance Mode. It would be interesting to see how those reading the study fare when comparing their organisations against it.
Conclusion
The conclusion is brief but to the point. Data is at the centre of everything. Effective CISOs and CIOs have a mindset of continuous improvement. They look for collaboration and best practices to resolve their challenges. And the future for both roles will be defined by data and how they innovate around it.
Reading List & Appendix
The reading list is short, which is a surprise, and consists mainly of Keepit blogs plus three external documents.
The appendix, however, is something that everyone reading the study can take something from. It contains five assessments that all tie back to the sections in the study. Each assessment is broken into questions for the reader to ask the organisation, department, and themselves. It is a thought-provoking exercise that deserves time.
Enterprise Times: What does this mean?
This is a tale of two documents. The survey stresses that too many organisations have poorly thought out or implemented backup and recovery processes. The numbers should make everyone sit up and take notice. These core applications are essential to running the business, and boards should be asking what is going wrong.
The second, qualitative study is also an eye-opener. It shows how the pace of technology change and compliance demands are colliding and creating unforeseen problems. That both CISOs and CIOs are struggling should be a red flag. In both cases, the rate of change and expansion of roles needs to be rethought and even broken down into a more viable management structure.
While the survey and study raise many concerns, none are unfixable. However, fixing them requires buy-in at the board level, which comes out clearly here. While most boards believe they are engaged, especially around cybersecurity, there are questions to be asked.
Any organisation using the tables in the appendix will get answers it won’t expect. These will undoubtedly help shape a better technology environment in the future.