Today’s Enterprise - Cyberthreats Lurk Amid Major Transformation · 2015-09-01


Today’s Enterprise - Cyberthreats Lurk Amid Major Transformation
Assessing the Results of Protiviti’s 2015 IT Priorities Survey

2015 IT Priorities Survey • protiviti.com/ITpriorities

INTRODUCTION

“The very technologies that empower us to do great good can also be used to undermine us and inflict great harm. ... Cyber threats are a challenge to our national security. … [The] problem of how we secure this digital world is only going to increase.”

U.S. President Barack Obama¹

Amid major technology transformation and change, danger seemingly lurks everywhere for today’s enterprises. Crafty, cunning and dangerous cyber predators worldwide are threatening to blow the lid off organizational cybersecurity defenses. Defending against these predators is consuming large amounts of IT hours and resources at a time when a majority of organizations are undergoing a major IT transformation (see page 5).

Outwitting the wolves at your organization’s “cyber door” and managing changes in the enterprise with confidence requires IT departments to deploy an impressive and innovative array of information security approaches, processes, tools, skills/personnel, and collaborations – all of which we find at the top of IT’s packed priority list, according to the results of Protiviti’s 2015 IT Priorities Survey.

Not surprisingly, the priority placed on security and privacy capabilities has intensified in our survey this year – often dramatically. To illustrate, in last year’s study the highest-ranked area in this category (“Developing and maintaining security and privacy standards”) had a priority index of 6.4 (on a 10-point scale). This year, a full dozen of the security and privacy capabilities we assessed are ranked 6.7 or higher. As we detail in our report, the results for CIOs and IT executives are even more pronounced.

These trends are, in fact, evident throughout this year’s results, which show that IT leaders and professionals are contending with a vast number of increasing and competing priorities, including but not limited to cybersecurity. This also mirrors key findings from our recent Executive Perspectives on Top Risks for 2015 study, in which board members and C-suite executives identified cybersecurity as one of the top risks their organizations must address in 2015.²

Our key findings in this year’s IT Priorities Survey include:

1. Security concerns are paramount – No surprise here: Addressing and strengthening cybersecurity represents a critical priority among all respondents, CIOs and companies of all sizes.

2. Major IT changes and upgrades continue – Well over half of all organizations are undergoing a major IT transformation that will last a year or longer, intensifying demands on IT departments to manage these changes successfully while addressing other critical business needs (e.g., cybersecurity).

3. The search for balance is underway – As important as cybersecurity and privacy issues have become, they represent just one of many rising priorities, such as virtualization and enterprise architecture, on the IT department’s bursting agenda. IT executives and professionals have a vast number of pressing duties on their plates this year, with priorities increasing across the board in volume and significance. To address and manage these challenges successfully, they must develop and strengthen the expertise and business savvy necessary to strike the right balance between activities that enhance business value and those that protect organizational value.

¹ Comments made at the White House Summit on Cybersecurity and Consumer Protection, February 13, 2015.

² Executive Perspectives on Top Risks for 2015: Key Issues Being Discussed in the Boardroom and C-Suite, North Carolina State University’s ERM Initiative and Protiviti, www.protiviti.com/toprisks.

4. IT seeks to manage all assets better: data, hardware, software and more – IT departments are adapting and improving how they manage a broader and more diverse collection of company-owned and third-party assets (including data) as their companies seek to harness more and more business value from them.

5. Collaboration is key – Organizations undergoing and managing major changes are focused on leveraging technology to enable greater collaboration across the enterprise. This not only facilitates more opportunities for real-time partnering, but also reduces time-to-value significantly.

Top 10 IT Priorities for 2015 (including ties)*

| Rank | IT Area | 2015 Priority Index | 2014 Priority Index | YOY Trend | “Significant Priority” Percentage (6-10) |
| --- | --- | --- | --- | --- | --- |
| 1 | Virtualization | 7.3 | 6.5 | | 86% |
| 2 | Virus/malware advanced threat detection/eradication | 7.1 | NA | NA | 83% |
| 3 (tie) | Data breach and privacy laws (various U.S. states) | 7.0 | 6.2 | | 83% |
| 3 (tie) | Enterprise architecture | 7.0 | NA | NA | 81% |
| 3 (tie) | Incident response success (containment, recovery) | 7.0 | 6.3 | | 83% |
| 3 (tie) | Monitoring security events | 7.0 | 6.4 | | 84% |
| 7 (tie) | Data architecture | 6.9 | 6.4 | | 81% |
| 7 (tie) | Data governance | 6.9 | 6.3 | | 81% |
| 7 (tie) | Incident response policy and preparedness | 6.9 | 6.3 | | 82% |
| 7 (tie) | Incident response reaction time | 6.9 | 6.3 | | 83% |
| 7 (tie) | IT project management | 6.9 | 6.5 | | 82% |
| 7 (tie) | Patch management | 6.9 | NA | NA | 83% |
| 7 (tie) | Vulnerability scanning | 6.9 | NA | NA | 82% |

* Based on a 10-point scale. See Methodology section for details.


METHODOLOGY

More than 1,000 respondents (n = 1,073), including CIOs, IT vice presidents and IT directors, participated in our study, which was conducted within the prior 90 days. We are grateful for the time invested in our study by these individuals.

Participants answered more than 100 questions in 10 categories:

• Managing Security and Privacy

• Technical Knowledge

• Defining IT Governance and Strategy

• Managing IT Assets

• Management and Use of Data Assets

• Ensuring Continuity

• Managing Application Development

• Deploying and Maintaining Solutions

• Managing IT Infrastructure

• Organizational Capabilities

For each of these categories, respondents were asked to rate, on a scale of 1 to 10, the level of priority for them and their organizations to improve in different issues and capabilities. A “10” rating indicates the issue is a high priority while a “1” indicates the issue is a low priority.

We have classified each issue and capability with an index of 6.0 or higher as a “Significant Priority” for IT functions. Those with an index of 4.5 through 5.9 are classified as a “Moderate Priority,” and those with an index of 4.4 or lower are classified as a “Low Priority.” (Of note, none of the more than 100 IT issues and capabilities addressed in our 2015 survey is rated to be “Low Priority.”)

Our survey also includes a special section, “IT Transformation,” in which we assess how IT organizations are managing changes and addressing budget and resource challenges.


IT TRANSFORMATION

Key Findings

• For the second consecutive year, a majority of organizations report they are undergoing a “major IT transformation,” though there was a slight year-over-year decrease in the results.

• Most organizations expect the IT transformation to last a year or longer, and the magnitude of disruption caused by these changes is viewed to be very significant (of note, multiple studies continue to show that many IT projects experience costly delays, exceed established budgets and/or fail to fulfill the original business requirements).

• IT transformations are intended to achieve multiple objectives, the most common of which are cost/simplification, new functionality, service assurance and regulatory/compliance.

Key Facts

• 60: Percentage of organizations undergoing a major IT transformation

• 54: Percentage of organizations in which the duration of the IT transformation is expected to be a year or longer

• 6.4: Level of disruption (scale of 1 to 10) organizations are experiencing as a result of a major IT transformation

What are the objectives of your organization’s IT transformation?*

Cost/simplification 64%

New functionality (mobile, new products, etc.) 55%

Service assurance 47%

Regulatory/compliance 46%

Adoption of emerging technology 43%

Time to market/agility 34%

* Multiple responses permitted


MANAGING SECURITY AND PRIVACY

Key Findings

• The top security and privacy priorities – including virus/malware advanced threat detection/eradication, monitoring security events, and incident response success (containment, recovery) – rank among the highest priorities in the entire survey.

• IT functions plan to invest significant time, staff, technology and budget on numerous specific security and privacy priorities in 2015.

Overall Results, Managing Security and Privacy

| Managing Security and Privacy | 2015 Priority Index | 2014 Priority Index | YOY Trend |
| --- | --- | --- | --- |
| Virus/malware advanced threat detection/eradication | 7.1 | NA | NA |
| Incident response success (containment, recovery) | 7.0 | 6.3 | |
| Monitoring security events | 7.0 | 6.4 | |
| Incident response policy and preparedness | 6.9 | 6.3 | |
| Incident response reaction time | 6.9 | 6.3 | |
| Patch management | 6.9 | NA | NA |
| Vulnerability scanning | 6.9 | NA | NA |
| Developing and maintaining security and privacy standards | 6.8 | 6.4 | |
| Managing user identities and access | 6.8 | 6.3 | |
| End-user security awareness and training | 6.7 | NA | NA |
| Implementing security/privacy solutions and strategies | 6.7 | 6.3 | |
| Managing technical infrastructure configuration | 6.7 | 6.2 | |
| Penetration testing (internal/external) | 6.7 | NA | NA |
| Managing application users | 6.5 | 6.2 | |
| Managing IT users | 6.5 | 6.2 | |
| Managing third-party vendors | 6.5 | 6.0 | |
| U.S. Health Insurance Portability and Accountability Act (HIPAA) | 6.5 | 5.8 | |
| Managing and classifying enterprise data | 6.4 | 6.2 | |
| Managing contractors | 6.4 | 6.0 | |
| Clarity about third-party compliance readiness (partners, vendors) | 6.3 | 6.0 | |
| U.S. Gramm-Leach Bliley Act (GLBA) | 6.2 | 5.8 | |
| California Security Breach Information Act (CS SB 1386) | 6.0 | 5.9 | |

³ Ibid.

⁴ Protiviti’s Board Perspectives: Risk Oversight, Issue 44, “Managing Cybersecurity Risk,” www.protiviti.com/en-US/Pages/Board-Perspectives-Risk-Oversight-Issue-44.aspx.

Commentary

Documented occurrences of corporate and governmental data breaches grow larger, more prevalent, more damaging and more complex in nature. Boards and C-suite executives are more focused than ever on security issues.³ And enterprises are adopting a more comprehensive view of their information security. Thus, IT is doubling down on its efforts to strengthen information security and privacy.

Note that each of the 22 areas included in this section of the survey is ranked at the “Significant Priority” level. Virus/malware advanced threat detection/eradication, which we added to the survey this year, received the second-highest index ranking among all of the 100-plus priorities evaluated in this year’s study, and monitoring security events and incident response success (containment, recovery) are among the top six priorities in our survey. We view the responses as indicative of organizations focusing on leveraging technology and automation to improve their ability to identify risks in real time – and to respond accordingly.

Additionally, of those areas included in last year’s survey, every one of them ranks higher this year compared to last year’s results. In other words, information security and privacy, a longstanding IT priority, is becoming even more important.

That said, this challenge is no longer viewed strictly as an “IT issue” at leading companies, but rather as a critical business issue. Executive management teams and boards of directors are working closely with IT executives to more effectively manage and monitor what qualifies as a strategic risk.⁴

Key Questions to Consider

• Has an information security model – such as the NIST Cybersecurity Framework, ISO 27001/27002 or Critical Security Controls for Effective Cyber Defense – been adopted? Has the organization done a gap assessment against one of these models?

• Has the company performed an information security risk assessment to understand its technical exposures?

• Does the organization have the tools and processes to effectively prevent, detect and contain targeted malware after a user clicks on a link in a phishing email?

• Does the organization have the right tools and staffing levels to address the security needs of the organization effectively?

• Does the organization’s IT strategy include an incident response plan that is evaluated regularly to ensure it addresses new and emerging types of security and privacy risks and breaches?

• Is an effective incident response team in place and equipped to reduce the occurrence, proliferation and impact of security breaches?

• Who in the IT organization is responsible for keeping executive management and the board updated regarding the company’s information security and privacy risks?

• Do key stakeholders (IT, C-suite executives, board members) support the development of an information security strategy appropriate to the organization’s scale, culture, regulatory obligations and business objectives?

• Does the current incident response plan include procedures that identify specific actions to be taken in response to specific types of security incidents? How often are these procedures exercised (think “fire drill”), and who is responsible for doing so (and taking corrective actions, if necessary)?

• What steps are in place to test and improve incident response speed as well as the quality of the overall incident response capability?

• Have thresholds been identified that indicate when and how executive management and, in some cases, the board, should participate in incident response efforts when appropriate?

• Is there agreement on what metrics are communicated to the board and executive management to keep them sufficiently aware of the organization’s information security status?

• Is the organization clear on the value/importance of its information assets – especially those that could be considered its “crown jewels”? Does the company have a formal data classification program to help manage both the effectiveness and efficiency of the overall data security and privacy capability? How is this program communicated and taught throughout the entire organization?

• Is security-event monitoring support being performed in-house, through a managed security services provider (MSSP) or both? How is the effectiveness of this monitoring evaluated?

• Are third-party vendors and trading partners addressed in the organization’s security/privacy strategy?

• How is vendor compliance with security and privacy policies and standards monitored (including incident response preparedness)?

• How are internal (“insider”) security threats monitored, managed and communicated?

• What additional technologies are planned for managing security risk?

Key Facts

[Chart: To whom or where does the CIO and IT organization report? Categories shown: COO, Other, CEO, CFO, Board of Directors. Values are percentages.]


Focus on CIOs/IT Executives and Large Companies

Managing Security and Privacy – Results for CIOs/IT Executives and Large Company Respondents

| Managing Security and Privacy | CIOs/IT Executives: YOY Trend (Priority Level) | Large Company Respondents: YOY Trend (Priority Level) |
| --- | --- | --- |
| Virus/malware advanced threat detection/eradication | NA | NA |
| Incident response success (containment, recovery) | | |
| Monitoring security events | | |
| Incident response policy and preparedness | | |
| Incident response reaction time | | |
| Patch management | NA | NA |
| Vulnerability scanning | NA | NA |
| Developing and maintaining security and privacy standards | | |
| Managing user identities and access | | |
| End-user security awareness and training | NA | NA |
| Implementing security/privacy solutions and strategies | | |
| Managing technical infrastructure configuration | | |
| Penetration testing (internal/external) | NA | NA |
| Managing application users | | |
| Managing IT users | | |
| Managing third-party vendors | | |
| U.S. Health Insurance Portability and Accountability Act (HIPAA) | | |
| Managing and classifying enterprise data | | |
| Managing contractors | | |
| Clarity about third-party compliance readiness (partners, vendors) | | |
| U.S. Gramm-Leach Bliley Act (GLBA) | | |
| California Security Breach Information Act (CS SB 1386) | | |

Legend: Significant Priority = Index of 6.0 or higher; Moderate Priority = Index of 4.5 to 5.9


TECHNICAL KNOWLEDGE

Key Findings

• Virtualization, data breach and privacy laws, and enterprise architecture (a new addition to this year’s study) not only are the top priorities in this category, but also represent three of the highest-ranked priorities in the entire survey.

• Cybersecurity guidance, including NIST, is prevalent in the Technical Knowledge priority list.

• Data governance and data architecture (another new area in the survey) also rank as significant priorities.

• As is the case throughout this year’s survey, many technical capabilities rank higher as priorities this year compared to last year’s results.

Overall Results, Technical Knowledge

| Technical Knowledge | 2015 Priority Index | 2014 Priority Index | YOY Trend |
| --- | --- | --- | --- |
| Virtualization | 7.3 | 6.5 | |
| Data breach and privacy laws (various U.S. states) | 7.0 | 6.2 | |
| Enterprise architecture | 7.0 | NA | NA |
| Data architecture | 6.9 | 6.4 | |
| Data governance | 6.9 | 6.3 | |
| IT project management | 6.9 | 6.5 | |
| Cloud computing | 6.7 | 6.3 | |
| Cloud storage of data | 6.7 | 6.1 | |
| IT program management | 6.7 | 6.3 | |
| NIST (cybersecurity) | 6.7 | 6.1 | |
| Big data | 6.5 | 6.0 | |
| Business process automation | 6.5 | NA | NA |
| ERP systems | 6.5 | 6.2 | |
| ITIL | 6.4 | NA | NA |
| Agile methodologies | 6.3 | NA | NA |
| Data discovery/e-discovery | 6.3 | NA | NA |
| Mobile development | 6.3 | NA | NA |
| PCI DSS | 6.3 | 5.8 | |
| Smart device integration | 6.3 | 6.1 | |
| Mobile commerce security | 6.2 | 6.1 | |
| Open Web Application Security Project (OWASP) | 6.2 | NA | NA |
| PMP | 6.2 | 6.1 | |
| BYOD policies/programs | 6.1 | 6.1 | |
| CISSP/CISM | 6.1 | 5.9 | |
| ISO/IEC 27001 and 27002 | 6.1 | 6.2 | |
| Mobile commerce integration | 6.1 | 6.0 | |
| Mobile commerce policy | 6.0 | 5.9 | |
| Social media policy | 6.0 | 5.8 | |
| Social media security | 5.9 | 6.0 | |
| COBIT | 5.8 | 5.9 | |
| Social media integration | 5.8 | 5.9 | |
| ISO 31000 | 5.7 | 6.0 | |
| CISA | 5.6 | 5.8 | |
| European Union Data Directive | 5.6 | 5.9 | |
| HITRUST CSF | 5.6 | 5.6 | |
| CGEIT | 5.5 | 5.7 | |

Commentary

Given the prevalence of IT transformation and the resulting challenges for organizations, it is not surprising to find numerous multidimensional knowledge areas ranking as key priorities in this category, as IT functions strive to both enhance and protect business value. These twin objectives are evident at the top of the Technical Knowledge priority rankings, where equal weight is given to addressing data breach and privacy laws (protecting value) and improving enterprise architecture (enhancing value).

Interestingly, the highest-ranked priority in the entire survey, virtualization (7.3), is not tied directly to security. Rather, virtualization serves the dual purpose of enhancing and protecting value by helping IT functions boost efficiency and productivity, reduce power usage and operating costs, and strengthen security and disaster recovery capabilities.

While virtualization ranks highly as a priority this year, it certainly is not the only priority in this category. In fact, compared to our 2014 results, there are higher priority index scores throughout the category. Last year, two areas (virtualization and IT project management) each had a priority index of 6.5, while other Technical Knowledge areas scored 6.3 or lower. This year, 10 areas scored 6.7 or higher, with three scoring 7.0 or higher.

Relating back to the earlier discussion regarding security and privacy challenges, cybersecurity issues, including data breach and privacy laws (various U.S. states) and the NIST Cybersecurity Framework, also rank among the most important of all issues that IT functions are confronting in this category.


Key Questions to Consider

• How can the IT department strengthen its current approach to virtualization (server, network, desktop) through new collaborations, investments and skills?

• Is the IT department’s knowledge and expertise concerning virtualization, enterprise architecture and cloud computing sufficient? If not, how can this knowledge be enhanced or supplemented?

• Is the IT department maintaining current knowledge of changing data breach, information security and information privacy laws, rules, directives, standards and guidance?

• Has IT evaluated the organization’s cybersecurity program against the NIST Cybersecurity Framework?

• Is data security sufficiently addressed in current data governance, data architecture, IT project management and IT program management activities?

• Does IT maintain formal mobile commerce and social media policies that lay out the security requirements for those who engage in mobile commerce and/or social media activities?

• Does IT maintain a “bring your own device” (BYOD) policy that serves as the foundation for a current, secure and business-value-enabling BYOD program?

• What applications are running in a cloud environment? What data is processed there and how is it protected and monitored?

• Are staff members strengthening their knowledge and expertise through formal training (e.g., professional certifications) and informal approaches (e.g., stretch assignments, rotational work, etc.)?

Focus on CIOs/IT Executives and Large Companies

Technical Knowledge – Results for CIOs/IT Executives and Large Company Respondents

| Technical Knowledge | CIOs/IT Executives: YOY Trend (Priority Level) | Large Company Respondents: YOY Trend (Priority Level) |
| --- | --- | --- |
| Virtualization | | |
| Data breach and privacy laws (various U.S. states) | | |
| Enterprise architecture | NA | NA |
| Data architecture | | |
| Data governance | | |
| IT project management | | |
| Cloud computing | | |
| Cloud storage of data | | |
| IT program management | | |
| NIST (cybersecurity) | | |
| Big data | | |
| Business process automation | NA | NA |
| ERP systems | | |
| ITIL | NA | NA |
| Agile methodologies | NA | NA |
| Data discovery/e-discovery | NA | NA |
| Mobile development | NA | NA |
| PCI DSS | | |
| Smart device integration | | |
| Mobile commerce security | | |
| Open Web Application Security Project (OWASP) | NA | NA |
| PMP | | |
| BYOD policies/programs | | |
| CISSP/CISM | | |
| ISO/IEC 27001 and 27002 | | |
| Mobile commerce integration | | |
| Mobile commerce policy | | |
| Social media policy | | |
| Social media security | | |
| COBIT | | |
| Social media integration | | |
| ISO 31000 | | |
| CISA | | |
| European Union Data Directive | | |
| HITRUST CSF | | |
| CGEIT | | |

Legend: Significant Priority = Index of 6.0 or higher; Moderate Priority = Index of 4.5 to 5.9


DEFINING IT GOVERNANCE AND STRATEGY

Key Findings

• Top priorities include monitoring IT costs and benefits, monitoring and achieving legal/regulatory compliance, and integration/alignment of IT planning and business strategy.

• IT functions are focused on achieving highly effective IT governance and strategy, which is designed to manage and run the IT function in a way that enhances and protects organizational value.

• While all of the areas again have “Significant Priority” rankings (similar to the 2014 results), the priority index numbers for 13 of the 16 areas measured last year increased on a year-over-year basis.

Overall Results, Defining IT Governance and Strategy

| Defining IT Governance and Strategy | 2015 Priority Index | 2014 Priority Index | YOY Trend |
| --- | --- | --- | --- |
| Monitoring IT costs and benefits | 6.8 | 6.5 | |
| Integration/alignment of IT planning and business strategy | 6.7 | 6.5 | |
| Monitoring and achieving legal/regulatory compliance | 6.7 | 6.4 | |
| IT risk analysis and reporting | 6.6 | 6.4 | |
| Managing project quality | 6.6 | 6.4 | |
| Developing and maintaining operations management policies and standards | 6.5 | 6.3 | |
| Key performance indicators (KPIs) | 6.5 | 6.5 | |
| Developing and maintaining end-user support policies and standards | 6.4 | 6.3 | |
| Maintaining IT controls design and operating effectiveness | 6.4 | 6.3 | |
| Reporting IT activities and performance | 6.4 | 6.3 | |
| Defining IT roles and responsibilities | 6.3 | 6.2 | |
| Defining metrics and measurements for monitoring IT performance | 6.3 | 6.3 | |
| Managing and monitoring policy exceptions | 6.3 | 6.3 | |
| Negotiating, managing and monitoring customer service-level agreements | 6.3 | 6.2 | |
| Negotiating, managing and monitoring information quality | 6.3 | 6.2 | |
| Portfolio management – Long-term and short-term planning | 6.3 | 6.4 | |
| Defining organizational placement of the IT function | 6.1 | 6.2 | |

Commentary

Why is strong IT governance and strategy so critical? Consider that almost all companies today – regardless of industry, location or size – are technology organizations. They cannot function without technology, and the innovative use of technology almost always represents a critical differentiator and success factor for the company.

More broadly, technology is transforming most industries and driving a wave of innovation and creativity. The pace of change is increasing, and technology is breaking down barriers between industries and transforming business models. In addition, “shadow IT” and the need to harness it while fostering innovation and creativity represents another critical consideration. As many organizations are learning, there is both risk and reward in this space.

These are among the many reasons underscoring the critical importance of IT governance and strategy. From monitoring IT costs and benefits to aligning IT planning and business strategy, we see that numerous IT governance areas rank among the many demanding priorities CIOs and IT professionals are addressing today. As further context, note that last year the highest index ranking in this category was 6.5 (integration/alignment of IT planning and business strategy, key performance indicators (KPIs), and monitoring IT costs and benefits). This year, there are five items with ratings of 6.6 or higher.

What other factors are driving changes in the enterprise and the increasing need for strong IT governance processes?

• Cloud/XaaS is presenting new opportunities and operating models that businesses are exploring – at the same time, they must manage key changes and risks that these operating models are introducing.

• Cybersecurity (as we noted earlier in our report) represents a major area of focus in terms of IT governance and strategy.

• Despite the increasing need for strong IT governance to help manage the changing enterprise and address increasing risks, IT budgets remain under pressure, requiring the IT organization to do more with the same level of resources.

Ultimately, CIOs and IT leaders recognize that failure to define and execute on IT strategy to support the organization’s objectives will, for many, lead to failure of the business strategy.

Key Questions to Consider

• Do we have the right leadership and skills to engage effectively with other leaders in the business so that we can help manage changes underway throughout the enterprise?

• How is IT leadership communicating the importance of IT’s mission to enhance and protect value throughout the department’s ranks and, more importantly, across the enterprise? What types of collaboration between IT executives and other business leaders can help IT more effectively execute its enhance-and-protect mission?

• Is the technology organization able to influence business strategy? And is technology and its use a key driver when defining business strategy?

• Are we able to articulate business risk issues in the context of technology?

• Do we have a clear view of the cyber risks that we face? And when it comes to cybersecurity, do we know what our risk appetite is?

• What processes ensure that IT risk analysis and reporting insights and outputs are fed into strategic planning (within the IT department and at an overall business level)? How can IT risks be most effectively represented in an enterprise’s operational risks?

• What is our exposure to third-party risk? Which third parties present the highest risk to the enterprise?

• Are we spending enough on technology innovation as opposed to security, operations, etc.?

• What disruptive technologies/innovations exist (e.g., “shadow IT”) that could destabilize our business strategy? What opportunities are presented by these disruptive technologies?


• Is the drive to measure, manage and monitor IT costs and benefits – and IT performance – consistent throughout every level of the IT department? How can this objective be executed more consistently? How can this be used to change behaviors?

• Are there ways that IT and finance can partner to strengthen IT’s focus on monitoring costs and benefits? How do we communicate cost/value to the business? And how can IT costs be represented in a manner that is meaningful and actionable for business partners?

Focus on CIOs/IT Executives and Large Companies

Defining IT Governance and Strategy – Results for CIOs/IT Executives and Large Company Respondents

| Defining IT Governance and Strategy | CIOs/IT Executives: YOY Trend (Priority Level) | Large Company Respondents: YOY Trend (Priority Level) |
| --- | --- | --- |
| Monitoring IT costs and benefits | | |
| Integration/alignment of IT planning and business strategy | | |
| Monitoring and achieving legal/regulatory compliance | | |
| IT risk analysis and reporting | | |
| Managing project quality | | |
| Developing and maintaining operations management policies and standards | | |
| Key performance indicators (KPIs) | | |
| Developing and maintaining end-user support policies and standards | | |
| Maintaining IT controls design and operating effectiveness | | |
| Reporting IT activities and performance | | |
| Defining IT roles and responsibilities | | |
| Defining metrics and measurements for monitoring IT performance | | |
| Managing and monitoring policy exceptions | | |
| Negotiating, managing and monitoring customer service-level agreements | | |
| Negotiating, managing and monitoring information quality | | |
| Portfolio management – Long-term and short-term planning | | |
| Defining organizational placement of the IT function | | |

Legend: Significant Priority = Index of 6.0 or higher; Moderate Priority = Index of 4.5 to 5.9


MANAGING IT ASSETS

Key Findings

• Managing software licensing and compliance, deploying software, and managing hardware maintenance agreements represent the top priorities.

• The findings in this category reflect a desire to manage IT asset risks while optimizing the value of current assets.

• Several priorities point to a need to improve vendor risk management.

Overall Results, Managing IT Assets

| Managing IT Assets | 2015 Priority Index | 2014 Priority Index | YOY Trend |
| --- | --- | --- | --- |
| Managing software licensing and compliance | 6.4 | 6.1 | |
| Software deployment | 6.3 | 6.2 | |
| Managing hardware maintenance agreements | 6.2 | 5.9 | |
| Hardware deployment | 6.1 | 6.1 | |
| Managing audit process (SAS 70, SSAE 16, others) | 6.1 | 5.9 | |
| Monitoring and reviewing contracts/billings | 6.1 | 5.9 | |
| Monitoring IT assets | 6.1 | 5.9 | |
| Negotiating and establishing agreements | 6.1 | 5.9 | |
| Accounting for IT asset management | 6.0 | 5.9 | |
| Managing contract analysis and renewal | 6.0 | 5.9 | |
| Managing IT asset retirement – employee/contractor termination | 6.0 | 5.8 | |
| Monitoring external service-level agreements | 6.0 | 5.9 | |
| Determining outsourcing strategy and approach | 5.9 | 5.9 | |
| Managing IT asset retirement – IT asset refresh | 5.9 | 5.9 | |


Commentary

Based on this year’s findings, IT professionals have a clear plan for improving their function’s IT asset management capability:

1. Manage risks

2. Maximize value

3. Adapt

Both maximizing value and adapting are necessary thanks to the ongoing adoption of new devices (e.g., smartphones and tablets). Additionally, a coming wave of “Internet of Things” technology and connectivity promises to create even more (and, in many cases, highly unique) IT assets for organizations, along with new questions about how they use data and whether this violates their ethical standards or harms their reputation. These changes already are introducing new devices (and even more data) and are requiring modifications to current IT asset management approaches and processes.

It also is clear that like other IT areas and capabilities addressed in our study, IT asset management is growing in importance and priority. Whereas three areas in this category had “Significant Priority” rankings in our 2014 survey, 12 are ranked 6.0 or higher in this year’s findings.

Key Questions to Consider

• Are current asset management policies, processes, technologies and structures (skills, roles, etc.) keeping pace with the organization’s changing portfolio of IT assets?

• Is the IT function monitoring organizational interest in new and emerging IT assets to ensure they can be managed effectively under current policies?

• Does the current policy governing IT asset retirement following the termination of an employee or contractor sufficiently mitigate information security and privacy risks?

• How are software licensing agreements monitored, and are current change-management mechanisms regarding these licenses working effectively and efficiently?

• Are all third-party agreements governed and managed in accordance with applicable auditing standards, such as SSAE 16?

• Who is responsible for network planning and engineering, as well as ensuring any network build-out is rightsized?

• Who is responsible for creating, maintaining and monitoring controls and other risk management considerations related to the deployment, maintenance and retirement of software and hardware assets?


Focus on CIOs/IT Executives and Large Companies

Managing IT Assets – Results for CIOs/IT Executives and Large Company Respondents

Managing IT Assets

CIOs/IT Executives

YOY Trend (Priority Level)

Large Company Respondents

YOY Trend (Priority Level)

Managing software licensing and compliance

Software deployment

Managing hardware maintenance agreements

Hardware deployment

Managing audit process (SAS 70, SSAE 16, others)

Monitoring and reviewing contracts/billings

Monitoring IT assets

Negotiating and establishing agreements

Accounting for IT asset management

Managing contract analysis and renewal

Managing IT asset retirement – employee/contractor termination

Monitoring external service-level agreements

Determining outsourcing strategy and approach

Managing IT asset retirement – IT asset refresh

Significant Priority Index of 6.0 or higher

Moderate Priority Index of 4.5 to 5.9


MANAGEMENT AND USE OF DATA ASSETS

Key Findings

• Business intelligence and reporting tools, data analytics platforms and support, short- and long-term enterprise information management strategy, and data and information governance programs represent the top priorities.

Overall Results, Management and Use of Data Assets

| Management and Use of Data Assets | 2015 Priority Index | 2014 Priority Index | YOY Trend |
|---|---|---|---|
| Business intelligence and reporting tools | 6.5 | 6.1 | |
| Data analytics platforms and support | 6.4 | 6.1 | |
| Data and information governance program | 6.3 | 6.1 | |
| Short- and long-term enterprise information management strategy | 6.3 | 6.1 | |
| Data lifecycle management | 6.2 | 6.1 | |
| Master data management | 6.2 | 6.1 | |
| Big data initiatives | 6.1 | 5.9 | |
| End-user adoption of data tools | 6.1 | 5.9 | |

Commentary

As more companies implement cloud computing technology, the protection and use of data – and organizational data assets, in particular – become more important and valuable to businesses. The priorities identified herein point to a heightened need for IT functions to protect and optimize data assets.

Two priorities identified in this year’s survey – short- and long-term enterprise information management strategies, and data and information governance programs – suggest that IT organizations are intent on integrating the management and use of data assets into their strategies and oversight capabilities.

The emphasis on master data management and data lifecycle management shows that IT organizations also are keen to protect the rapidly increasing value of organizational data.

Not surprisingly, business intelligence and reporting tools as well as data analytics platforms and support are at the very top of the IT function’s data asset management priority list. These activities, the reach of which now extends to every function in the enterprise, are intended to derive value from the organization’s data assets.


Key Questions to Consider

• Is a formal data and information governance program in place? If so, who is responsible for overseeing the program as data analytics tools are leveraged increasingly throughout the company?

• Beyond IT, what other functional leaders should be involved in shaping and monitoring data and information governance?

• How can IT and internal audit collaborate more effectively to ensure the data and information governance program is an effective risk management mechanism?

• How is the data and information governance program marketed to internal stakeholders? How is it applied with regard to vendors, including offshore resources?

• What are the most important data risks related to third-party relationships, and how are these risks managed?

• What current mechanisms ensure the data and information governance program remains relevant and sufficient in light of the organization’s rapidly changing use of data and data analysis tools? What additional mechanisms should be considered?

• How is the IT function’s short- and long-term enterprise information planning integrated into IT planning and the overall business strategy?

• How can data assets be managed in a more secure manner as well as in a way that generates more business value?

• How is master data management quality/security governed and monitored?

Focus on CIOs/IT Executives and Large Companies

Management and Use of Data Assets – Results for CIOs/IT Executives and Large Company Respondents

Management and Use of Data Assets

CIOs/IT Executives

YOY Trend (Priority Level)

Large Company Respondents

YOY Trend (Priority Level)

Business intelligence and reporting tools

Data analytics platforms and support

Data and information governance program

Short- and long-term enterprise information management strategy

Data lifecycle management

Master data management

Big data initiatives

End-user adoption of data tools

Significant Priority Index of 6.0 or higher

Moderate Priority Index of 4.5 to 5.9


ENSURING CONTINUITY

Key Findings

• Top priorities include business continuity management and disaster recovery program testing, and ensuring business alignment.

• Every BCM area has increased year-over-year in priority at a time when concerns related to cybersecurity and cyberattacks continue to rise.

Overall Results, Ensuring Continuity

| Ensuring Continuity | 2015 Priority Index | 2014 Priority Index | YOY Trend |
|---|---|---|---|
| Business continuity management and disaster recovery program testing | 6.5 | 6.2 | |
| Ensuring business alignment | 6.5 | 6.2 | |
| Designing and maintaining business continuity strategies | 6.4 | 6.1 | |
| Developing and maintaining IT disaster recovery plans | 6.4 | 6.2 | |
| Developing and maintaining risk assessment/business impact analysis | 6.4 | 6.0 | |
| Ensuring executive management support and sponsorship | 6.4 | 6.1 | |
| Developing and maintaining business resumption plans | 6.2 | 6.0 | |
| Developing and maintaining crisis management plans | 6.2 | 6.0 | |

Commentary

In recent years, IT functions that focused on strengthening their companies’ business continuity management (BCM) and disaster recovery (DR) capabilities typically worked to adapt their programs to address more integrated global supply chains, more frequent weather-related disasters, and an increasingly mobile and remote workforce. More recently, IT functions have witnessed firsthand the speed, scale and impact of an equally challenging business continuity threat: cyberattacks. Well-known cybersecurity intrusions over the past year have resulted in the loss of intellectual property and business intelligence. These events provide painful reminders of the risks companies confront as they become more and more data-driven.5

Given the central enabling role that technology systems, applications and data provide for most companies, IT functions must ensure that a BCM/DR capability remains robust and ready at both a strategic and tactical level. Testing also has become more complicated as organizations deal with an increasing number of third-party vendors. Considering the priorities indicated in our findings (e.g., ensuring business alignment), IT functions seem well aware of these needs and their importance. Although the business realm’s growing reliance on data and information systems exposes companies to new challenges, technology breakthroughs and developments (e.g., cloud computing) also provide valuable new BCM defenses and capabilities.

5 Executive Perspectives on Top Risks for 2015: Key Issues Being Discussed in the Boardroom and C-Suite, North Carolina State University’s ERM Initiative and Protiviti, www.protiviti.com/toprisks.


Key Questions to Consider

• Which IT leaders are responsible for 1) developing and maintaining IT disaster recovery plans, and 2) playing a key role in the company’s overall BCM/DR program?

• Are business interruptions and crises that would stem from potential data breaches reflected in the current BCM program? Do current BCM/DR plans contain specific incident response approaches and escalation protocols?

• From an IT perspective, are current levels of BCM rigor, funding and attention sufficient?

• What, if any, new investments in technology, process improvement or skills would benefit your organization’s BCM efforts?

• What monitoring mechanisms are in place to ensure the BCM program keeps pace with changes to IT infrastructure, applications, external relationships and data?

• How are IT-related BCM and disaster recovery capabilities, activities and updates shared with executive management and the board of directors, and how is their feedback incorporated into the BCM planning process?

• How frequently are BCM plans tested? Are concrete improvement plans enacted in response to the learnings from these exercises?

Focus on CIOs/IT Executives and Large Companies

Ensuring Continuity – Results for CIOs/IT Executives and Large Company Respondents

Ensuring Continuity

CIOs/IT Executives

YOY Trend (Priority Level)

Large Company Respondents

YOY Trend (Priority Level)

Business continuity management and disaster recovery program testing

Ensuring business alignment

Designing and maintaining business continuity strategies

Developing and maintaining IT disaster recovery plans

Developing and maintaining risk assessment/business impact analysis

Ensuring executive management support and sponsorship

Developing and maintaining business resumption plans

Developing and maintaining crisis management plans

Significant Priority Index of 6.0 or higher

Moderate Priority Index of 4.5 to 5.9


MANAGING APPLICATION DEVELOPMENT

Key Findings

• Similar to prior years’ results, risk management represents the top application development priority.

• Other key areas of focus include project monitoring and control, collaboration platforms (such as SharePoint) and ERP application security.

Overall Results, Managing Application Development

| Managing Application Development | 2015 Priority Index | 2014 Priority Index | YOY Trend |
|---|---|---|---|
| Risk management | 6.4 | 6.1 | |
| Project monitoring and control | 6.3 | 6.0 | |
| Collaboration platforms (for example, SharePoint) | 6.2 | 6.0 | |
| ERP application security | 6.2 | 6.0 | |
| Configuration management | 6.1 | 5.9 | |
| ERP system “bolt-on” applications (BI, CRM, etc.) | 6.1 | 5.9 | |
| Mobile application development | 6.1 | 6.0 | |
| Requirements management | 6.1 | 6.0 | |
| ERP system implementation | 6.0 | 5.9 | |
| Organizational performance management | 6.0 | 5.9 | |
| Organizational process performance | 6.0 | 5.8 | |
| Organizational training | 6.0 | 5.8 | |
| Secure development/code review | 6.0 | NA | NA |
| Software selection | 6.0 | 5.9 | |
| Decision analysis and resolution | 5.9 | 5.9 | |
| Rapid application development framework | 5.9 | 5.7 | |
| Scrum development methodology | 5.9 | 5.7 | |
| Service-oriented architecture (SOA) | 5.9 | NA | NA |
| ERP system selection | 5.8 | 5.8 | |
| Object-oriented programming | 5.8 | 5.8 | |
| Open application programming interface (API) | 5.8 | NA | NA |
| Causal analysis and resolution | 5.7 | 5.6 | |
| Spreadsheet risk | 5.6 | 5.7 | |
| Spiral iterative framework | 5.5 | 5.7 | |


Commentary

Managing application development requires large amounts of work as well as numerous and complex considerations. There are risks to be managed, project management expertise to be applied, controls to enact, intense collaborations to be conducted, methodologies to be mastered, requirements and configurations to be managed, and much more.

In many ways, application development is both an essential and representative IT activity – the findings in this category signify trends evident throughout our report, from managing risk to effective project management and collaboration.

The results also show that, similar to most other categories, there are a greater number of application development priorities this year compared to 2014. Last year’s respondents scored six areas to be of “Significant Priority” (those with a priority index score of 6.0 or higher); this year’s respondents ranked more than twice that number as “Significant Priority” areas.

Key Questions to Consider

• Does the IT function possess the resources necessary to manage application development in a secure manner?

• What are the top current application development risks, and how are these risks addressed?

• What are notable emerging application development risks, and to what extent do (or would) current risk management practices address these emerging issues?

• To what extent are vendor-related application development risks monitored and managed?

• Is the current level of ERP security sufficient?

• Are current and planned ERP system changes – most notably, the integration of bolt-on applications (BI, HRIS, CRM, marketing automation, etc.) – performed in a way that mitigates ERP security risks?

• Are collaboration platforms being utilized sufficiently to strengthen applications development?

• Does the IT function possess the resources and expertise necessary to apply the right level of project monitoring and control to application development activities?


Focus on CIOs/IT Executives and Large Companies

Managing Application Development – Results for CIOs/IT Executives and Large Company Respondents

Managing Application Development

CIOs/IT Executives

YOY Trend (Priority Level)

Large Company Respondents

YOY Trend (Priority Level)

Risk management

Project monitoring and control

Collaboration platforms (for example, SharePoint)

ERP application security

Configuration management

ERP system “bolt-on” applications (BI, CRM, etc.)

Mobile application development

Requirements management

ERP system implementation

Organizational performance management

Organizational process performance

Organizational training

Secure development/code review NA NA

Software selection

Decision analysis and resolution

Rapid application development framework

Scrum development methodology

Service-oriented architecture (SOA) NA NA

ERP system selection

Object-oriented programming

Open application programming interface (API) NA NA

Causal analysis and resolution

Spreadsheet risk

Spiral iterative framework

Significant Priority Index of 6.0 or higher

Moderate Priority Index of 4.5 to 5.9


DEPLOYING AND MAINTAINING SOLUTIONS

Key Findings

• Managing changes in applications developed in-house represents a top priority, along with integrating applications.

• Other priorities include developing applications and managing changes in third-party applications.

Overall Results, Deploying and Maintaining Solutions

| Deploying and Maintaining Solutions | 2015 Priority Index | 2014 Priority Index | YOY Trend |
|---|---|---|---|
| Managing changes – applications developed in-house | 6.4 | 6.1 | |
| Integrating applications | 6.3 | 6.1 | |
| Developing applications | 6.2 | 6.0 | |
| Managing changes – third-party applications | 6.2 | 6.1 | |
| Managing and testing security in SDLC | 6.1 | NA | NA |
| Acquiring applications | 5.9 | 5.9 | |

Commentary

IT organizations continue to wrestle with coordination across the business as they deploy solutions and updates. This is particularly the case for homegrown applications.

Key Questions to Consider

• Who is responsible for overseeing and managing changes to in-house applications? And who is responsible for overseeing and managing changes to third-party applications?

• How is the change process monitored and audited, and how can this process be improved?

• How can security be managed and tested more effectively throughout the system development lifecycle?


Focus on CIOs/IT Executives and Large Companies

Deploying and Maintaining Solutions – Results for CIOs/IT Executives and Large Company Respondents

Deploying and Maintaining Solutions

CIOs/IT Executives

YOY Trend (Priority Level)

Large Company Respondents

YOY Trend (Priority Level)

Managing changes – applications developed in-house

Integrating applications

Developing applications

Managing changes – third-party applications

Managing and testing security in SDLC NA NA

Acquiring applications

Significant Priority Index of 6.0 or higher

Moderate Priority Index of 4.5 to 5.9

54

64

Key Facts

Percentage of organizations that have a chief information security officer (or equivalent position)

Percentage of organizations that utilize offshore resources to support/augment the IT function


MANAGING IT INFRASTRUCTURE

Key Findings

• There are notable year-over-year increases in priority index scores for IT infrastructure, with IT infrastructure change management leading the way.

• IT organizations also are focusing on the management and administration of backup and recovery systems, network performance planning, and change management in operating systems and databases.

Overall Results, Managing IT Infrastructure

| Managing IT Infrastructure | 2015 Priority Index | 2014 Priority Index | YOY Trend |
|---|---|---|---|
| IT infrastructure change management | 6.6 | 6.1 | |
| Managing and administering backup and recovery | 6.6 | 6.3 | |
| Network performance planning | 6.5 | 6.1 | |
| Operating system change management | 6.5 | 6.1 | |
| Database change management | 6.4 | 6.1 | |
| Managing and maintaining real-time operations | 6.4 | NA | NA |
| Managing capacity | 6.4 | NA | NA |
| Storage management and planning | 6.4 | 6.2 | |
| Platform performance planning | 6.3 | 6.0 | |
| Managing and maintaining hybrid operations (on-site, ASP, cloud, etc.) | 6.2 | NA | NA |
| Managing application service providers | 6.2 | NA | NA |
| Managing data center environmental controls | 6.2 | 6.0 | |
| Managing and maintaining batch processing | 6.1 | 6.1 | |

Commentary

The emphasis that IT functions place on most elements of managing IT infrastructure is clearly increasing. The highest priority index ranking that survey respondents identified in this area last year was 6.3; this year, respondents ranked eight different areas of managing IT infrastructure at 6.4 or higher. Quite simply, as is the case throughout this year’s survey findings, respondents have longer to-do lists packed with more pressing priorities.

The overarching digital transformation has upped the need for IT functions to store, manage and protect their data-driven company’s lifeblood. As newer and better data management and data protection tools and approaches emerge, IT functions must conduct a much greater amount of change management work – to IT infrastructure, operating systems, databases (all top priorities) and more.

Planning, protecting and managing change represent core activities IT functions are employing to improve their management of IT infrastructure. These activities also extend to vendors, such as application service providers. The IT function’s data, particularly in the cloud, becomes more complicated. Increasingly, the mandate for these infrastructure improvements originates with executive management and the board of directors, who recognize that one of their organization’s top sources of business value must be managed carefully.

Key Questions to Consider

• How are senior executives and the board of directors kept abreast of changing IT infrastructure risks and needs?

• How can current change management strategies and processes related to infrastructure, operating systems and databases be improved?

• To what extent do current storage management capabilities support and align with the ways in which the organization classifies, manages and protects data?

• How do daily storage management processes, decisions and investments align with business continuity management plans?

• How does the IT function plan to meet changing – and growing – business demands as those demands affect network performance?

Focus on CIOs/IT Executives and Large Companies

Managing IT Infrastructure – Results for CIOs/IT Executives and Large Company Respondents

Managing IT Infrastructure

CIOs/IT Executives

YOY Trend (Priority Level)

Large Company Respondents

YOY Trend (Priority Level)

IT infrastructure change management

Managing and administering backup and recovery

Network performance planning

Operating system change management

Database change management

Managing and maintaining real-time operations NA NA

Managing capacity NA NA

Storage management and planning

Platform performance planning

Managing and maintaining hybrid operations (on-site, ASP, cloud, etc.) NA NA

Managing application service providers NA NA

Managing data center environmental controls

Managing and maintaining batch processing

Significant Priority Index of 6.0 or higher

Moderate Priority Index of 4.5 to 5.9


ORGANIZATIONAL CAPABILITIES

Key Findings

• Working effectively with C-level/senior executives, leadership (within your organization), working effectively with business-unit executives, and recruiting IT talent are the top priorities.

• Strategic collaborations – both inside and outside the organization – are a key area of focus for IT professionals.

Overall Results, Organizational Capabilities

| Organizational Capabilities | 2015 Priority Index | 2014 Priority Index | YOY Trend |
|---|---|---|---|
| Working effectively with C-level/senior executives | 6.3 | 6.0 | |
| Leadership (within your organization) | 6.2 | 6.0 | |
| Recruiting IT talent | 6.2 | 6.0 | |
| Working effectively with business-unit executives | 6.2 | 6.0 | |
| Leadership (in outside organizations, groups, etc.) | 6.0 | 5.8 | |
| Working effectively with regulators | 6.0 | 5.9 | |
| Coaching/mentoring | 5.9 | 5.9 | |
| Leveraging outside expertise | 5.9 | 5.8 | |
| Working effectively with outside parties | 5.9 | 5.9 | |
| Business process disciplines (Lean, Six Sigma, etc.) | 5.7 | 5.8 | |
| Negotiation | 5.7 | 5.8 | |
| Developing outside contacts/networking | 5.6 | 5.8 | |
| Dealing with confrontation | 5.5 | 5.8 | |

Commentary

As detailed in prior sections of our report, the number and importance of competing priorities simmering throughout the IT organization are reaching a fever pitch. It is positive to see that in this environment, IT professionals are looking to sharpen their personal skills to help them expand their expertise, deepen their relationships throughout the business, and recruit more help that offers a more diverse set of capabilities.

Not surprisingly, the top priorities identified by respondents in this category have a decidedly strategic bent: working effectively with C-level/senior executives, leadership (within your organization), working effectively with business-unit executives, and recruiting IT talent. As the data within IT systems becomes more pivotal to strategic planning and execution, IT professionals are seeking to solidify relationships with senior executives and business-unit executives to help shape and safeguard these plans.


The next tier of top priorities, which includes working effectively with regulators and leadership (in outside organizations, groups, etc.), also demonstrates the IT function’s strategic intentions. Together, these priorities reflect how IT functions, and IT professionals themselves, are transforming – quickly and intensely – to highly collaborative enhancers and protectors of business value.

Key Questions to Consider

• What opportunities exist for future IT leaders to collaborate with the senior executive team as well as business-unit and other functional leaders throughout the organization?

• What leadership development does the IT function offer to rising executives?

• What types of training and assignments can help IT professionals become more effective collaborators and business partners?

• How is IT leadership working with human resources executives to ensure that current and future IT talent needs are addressed?

• Are there opportunities for IT leaders to learn from other functional heads (e.g., legal, compliance, finance) and board members about working effectively with regulators?

• Are outside leadership activities encouraged and/or rewarded?

Focus on CIOs/IT Executives and Large Companies

Organizational Capabilities – Results for CIOs/IT Executives and Large Company Respondents

Organizational Capabilities

CIOs/IT Executives

YOY Trend (Priority Level)

Large Company Respondents

YOY Trend (Priority Level)

Working effectively with C-level/senior executives

Leadership (within your organization)

Recruiting IT talent

Working effectively with business-unit executives

Leadership (in outside organizations, groups, etc.)

Working effectively with regulators

Coaching/mentoring

Leveraging outside expertise

Working effectively with outside parties

Business process disciplines (Lean, Six Sigma, etc.)

Negotiation

Developing outside contacts/networking

Dealing with confrontation

Significant Priority Index of 6.0 or higher

Moderate Priority Index of 4.5 to 5.9


SURVEY DEMOGRAPHICS

All demographic information was provided voluntarily and not all participants provided data for every demographic question.

Position

Chief Information Officer 7%

Chief Information Security Officer 3%

Chief Technology Officer 3%

Chief Security Officer 2%

Chief Financial Officer 2%

IT VP/Director 27%

IT Manager 48%

Other 8%

Industry

Financial Services 14%

Manufacturing 13%

Government/Education/Not-for-profit 10%

Technology 10%

Professional Services 7%

Healthcare Provider 6%

Insurance 6%

Retail 4%

Services 3%

Telecommunications 3%

Consumer Products 2%

Energy 2%

Healthcare Payer 2%

Hospitality 2%

Life Sciences/Biotechnology 2%

Media 2%

Real Estate 2%

Communications 1%

Distribution 1%

Utilities 1%

Other 7%


Size of Organization (by Gross Annual Revenue)

$20 billion+ 10%

$10 billion - $19.99 billion 9%

$5 billion - $9.99 billion 10%

$1 billion - $4.99 billion 23%

$500 million - $999.99 million 18%

$100 million - $499.99 million 15%

Less than $100 million 15%

Type of Organization

Public 36%

Private 49%

Government 5%

Not-for-profit 8%

Other 2%

Organization Headquarters

North America 97%

Asia-Pacific 1%

Europe 1%

South America 1%


ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our IT Consulting Services

In today’s rapidly evolving technological environment, a trusted adviser – one who not only provides relevant insights, but delivers a combination of strategic vision, proven expertise and practical experience – can enhance the value of your business with technology.

Our global IT Consulting practice has helped CIOs and IT leaders at more than 1,200 companies worldwide design and implement advanced solutions in IT governance, security, data management, applications and compliance. By partnering with us, you ensure that your IT organization performs with the same focus and excellence with which you manage day-to-day business operations. We will work with you to address IT security and privacy issues and deploy advanced and customized application and data management structures that not only solve problems, but add value to your business.


PROTIVITI GLOBAL IT CONSULTING PRACTICE

Tom Andreesen

Grant Barker

Steve Cabello – Leader, Portfolio & Program Management

Samir Datt

David Dawson

Nikhil Donde

Hernan Gabrieli

Scott Gracyalny – Leader, Custom-developed Software

Chris Grant

Rocco Grillo – Leader, Incident Response & Forensics

John Harrison

Greg Hedges

Rob Hustick

Sudarsan Jayaraman

Senthil Kumar

Scott Laliberte – Leader, Vulnerability & Penetration Testing

Sidney Lim

Mark Lippman

Chris Louden

Tom Luick

Trey MacDonald

Masato Maki

Ronan O’Shea

Ed Page

Michael Pang

Michael Porier

Aric Quinones

Carol Raimo – Leader, ERP Solutions

Kalyan Raman

Siamak Razmazma

Andrew Retrum

Ryan Rubin – Leader, Identity & Access Management

Jeff Sanchez – Leader, Data Security & Privacy

Michael Schultz – Leader, Strategy & Architecture

Cal Slemp – Leader, Security Program, Strategy & Policy

Mike Steadman

Andrew Struthers-Kennedy

David Taylor

Tomomichi Tomiie

Kurt Underwood – Global Leader, IT Consulting

Michael Walter – Leader, Security Operations Centers

Jeff Weber – Leader, IT Operations Improvement

Scott Williams

Scott Wisniewski – Leader, Risk Technologies

Jonathan Wyatt – Leader, Technology Strategy and Operations

ASIA-PACIFIC

AUSTRALIA

Brisbane Canberra Melbourne Perth Sydney

CHINA

Beijing Hong Kong Shanghai Shenzhen

INDIA*

Bangalore Mumbai New Delhi

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

* Protiviti Member Firm

THE AMERICAS

UNITED STATES

Alexandria Atlanta Baltimore Boston Charlotte Chicago Cincinnati Cleveland Dallas Denver Fort Lauderdale Houston

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. Winchester Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro São Paulo

CANADA

Kitchener-Waterloo Toronto

CHILE*

Santiago

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE/MIDDLE EAST/AFRICA

SOUTH AFRICA*

Johannesburg

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

UNITED ARAB EMIRATES*

Abu Dhabi Dubai

© 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. PRO-0315-101075

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.