All Archives - Page 3 of 79 - Cyber Secure Forum | Forum Events Ltd

NETWORK SECURITY MONTH: A decade of evolution to combat networking threats

By Stuart O'Brien

In an era marked by sophisticated cyber threats, corporate cybersecurity professionals have had to evolve their strategies and technologies to protect organisational assets effectively. Here we delve into the key developments that have shaped IT network security management for cybersecurity professionals over the last decade, informed by attendees at the Security IT Summit…

1. From Perimeter Defence to Layered Security

Traditionally, network security focused on perimeter defence, akin to a fortress with strong walls. However, this approach has shifted due to the rise of cloud computing, mobile computing, and the Internet of Things (IoT), which have expanded the corporate network beyond traditional boundaries. The modern approach is layered security, also known as defence in depth, where multiple layers of security controls are deployed throughout the IT network. This method ensures that even if one layer is breached, others are in place to protect the network.

2. The Adoption of Advanced Threat Detection Technologies

The last decade has seen a surge in the adoption of advanced threat detection technologies. Tools such as Intrusion Prevention Systems (IPS), advanced malware protection, and anomaly detection systems have become standard. Many of these now combine signatures with machine learning and behavioural analytics to flag and respond to threats in near real time, a significant step beyond the purely signature-based antivirus and anti-malware software of the past.

3. Emphasis on Network Segmentation

Network segmentation, the practice of splitting a network into subnetworks with controlled traffic between them, has become increasingly popular. It limits how far an attacker can move laterally once inside the network. By segmenting networks, cybersecurity professionals can apply more stringent security controls to sensitive areas and expose far fewer services to any given segment.
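To make the segmentation point concrete, here is an added example (not code from the original article): a small first-match policy evaluator in Python that checks a proposed segmented ruleset against the flows a design must allow or block, before anything is deployed. The segments, ports, rules and test flows are constructed for illustration, and a deliberately flat "allow everything" policy is included for comparison.

```python
"""First-match firewall policy evaluator for reviewing a segmented network
design offline. Added example: segments, ports, rules and flows below are
constructed for illustration, not taken from any real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


def rule(src: str, dst: str, port: Optional[int], action: str) -> Rule:
    return Rule(ip_network(src), ip_network(dst), port, action)


# Constructed segments (assumption): user workstations, web tier, database
# tier and a single administrative jump host.
USERS = "10.10.0.0/16"
WEB = "10.20.0.0/24"
DB = "10.30.0.0/24"
JUMP = "10.40.0.10/32"

# Rules are evaluated top to bottom, first match wins, and a flow that matches
# nothing is denied. Only the paths the design actually needs are opened.
SEGMENTED_POLICY = [
    rule(USERS, WEB, 443, "allow"),   # users reach the web tier over HTTPS only
    rule(WEB, DB, 5432, "allow"),     # web tier reaches the database service port
    rule(JUMP, DB, 22, "allow"),      # SSH administration from the jump host only
    rule(JUMP, WEB, 22, "allow"),
]

# The flat alternative: one network, everything talks to everything.
FLAT_POLICY = [rule("10.0.0.0/8", "10.0.0.0/8", None, "allow")]


def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a flow; unmatched flows are denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


Flow = Tuple[str, str, int, str]  # (src, dst, port, expected decision)


def audit(policy: List[Rule], flows: List[Flow]) -> List[Tuple[str, str, int, str, str]]:
    """Return the flows whose actual decision differs from the expected one."""
    mismatches = []
    for src, dst, port, expected in flows:
        actual = evaluate(policy, src, dst, port)
        if actual != expected:
            mismatches.append((src, dst, port, expected, actual))
    return mismatches


# Flows a reviewer would insist on checking before sign-off.
TEST_FLOWS: List[Flow] = [
    ("10.10.5.7", "10.20.0.15", 443, "allow"),    # normal user traffic
    ("10.10.5.7", "10.30.0.5", 5432, "deny"),     # users must not reach the DB directly
    ("10.10.5.7", "10.20.0.15", 22, "deny"),      # no SSH from the user segment
    ("10.20.0.15", "10.30.0.5", 5432, "allow"),   # web tier to database service port
    ("10.20.0.15", "10.30.0.5", 22, "deny"),      # a compromised web host cannot SSH onward
    ("10.40.0.10", "10.30.0.5", 22, "allow"),     # jump host administration
    ("10.40.0.11", "10.30.0.5", 22, "deny"),      # neighbours of the jump host are not trusted
]

if __name__ == "__main__":
    for name, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        bad = audit(policy, TEST_FLOWS)
        print(f"{name}: {len(bad)} flow(s) differ from the design intent")
        for m in bad:
            print("  ", m)
```

Run as-is, the segmented policy satisfies every expected decision while the flat policy fails the four flows that should be blocked; the point is that default deny plus explicit, narrow allows is what stops a compromised web host from reaching the database over SSH, and a table like TEST_FLOWS is worth keeping alongside the real ruleset so changes are checked against the same intent.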

4. Rise of Zero Trust Security Models

The concept of ‘Zero Trust’ has gained traction, fundamentally altering how network access is managed. Under a Zero Trust model, trust is never assumed, regardless of whether the user is inside or outside the network perimeter. This necessitates rigorous identity and access management (IAM) strategies, including multi-factor authentication (MFA) and least privilege access controls.

5. Increased Focus on Compliance and Regulatory Requirements

There has been an increased emphasis on compliance with legal and regulatory standards, particularly with the introduction of the General Data Protection Regulation (GDPR) in the EU. UK businesses have had to ensure that their network security practices comply with GDPR and other regulations, mandating a more rigorous approach to data security and privacy.

6. Integration of Security Information and Event Management (SIEM) Systems

SIEM systems have become a cornerstone of network security, providing a holistic view of an organisation’s security posture. These systems aggregate and analyse data from various sources within the network, enabling cybersecurity professionals to detect patterns and signs of malicious activity more effectively.
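As an added example (not from the original article) of the kind of correlation a SIEM rule performs over aggregated log data, the Python below parses constructed sshd-style auth lines and raises an alert when one source IP accumulates repeated failed logins within a short window and then succeeds. The sample lines, the threshold of five failures and the five-minute window are assumptions chosen for illustration.

```python
"""Detect password guessing followed by a successful login in sshd-style auth
log lines, the sort of correlation a SIEM rule performs. Added example:
the log lines, threshold and window below are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in the format sshd writes to syslog on Linux.
SAMPLE_LOG = """\
Mar 11 09:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 50212 ssh2
Mar 11 09:14:03 web1 sshd[2213]: Failed password for root from 203.0.113.45 port 50214 ssh2
Mar 11 09:14:05 web1 sshd[2215]: Failed password for root from 203.0.113.45 port 50216 ssh2
Mar 11 09:14:07 web1 sshd[2217]: Failed password for root from 203.0.113.45 port 50218 ssh2
Mar 11 09:14:08 web1 sshd[2219]: Failed password for deploy from 203.0.113.45 port 50220 ssh2
Mar 11 09:14:10 web1 sshd[2221]: Accepted password for deploy from 203.0.113.45 port 50222 ssh2
Mar 11 09:14:11 web1 CRON[2230]: pam_unix(cron:session): session opened for user root
Mar 11 09:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 11 09:20:30 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2024) -> Optional[Dict]:
    """Parse one sshd auth line; returns None for lines that are not logins.
    Syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "ip": m["ip"],
            "method": m["method"], "success": m["result"] == "Accepted"}


Alert = Tuple[str, str, datetime, int]  # (source ip, user, success time, failures)


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Alert when a source IP accumulates >= threshold failed logins within
    `window` and then logs in successfully. Failures are kept per IP in a
    sliding window so a slow, spread-out trickle does not trigger."""
    failures: Dict[str, deque] = defaultdict(deque)
    alerts: List[Alert] = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()          # expire failures older than the window
        if ev["success"]:
            if len(recent) >= threshold:
                alerts.append((ev["ip"], ev["user"], ev["ts"], len(recent)))
            recent.clear()            # a success resets the counter for that IP
        else:
            recent.append(ev["ts"])
    return alerts


if __name__ == "__main__":
    for ip, user, when, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when:%b %d %H:%M:%S} {ip} logged in as {user} "
              f"after {count} failed attempts")
```

On the sample data only 203.0.113.45 trips the rule: five failures against three different usernames followed by a successful password login as "deploy", which is exactly the sequence a single failed-login counter would miss and a SIEM correlation across events is meant to catch. The one stray failure from 198.51.100.7 before a key-based login stays below threshold.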

7. The Importance of Employee Training and Awareness

Finally, there is a growing recognition of the role of human error in network security breaches. As a result, there has been a concerted effort to enhance employee cybersecurity awareness and training. Regular training sessions, simulations, and awareness campaigns are now common, reducing the likelihood of breaches caused by employee negligence or error.

In conclusion, the evolution of IT network security management in the UK has been marked by a transition from traditional perimeter-based defence to more sophisticated, multi-layered approaches. Today’s cybersecurity professionals must navigate a complex landscape of advanced threats, regulatory requirements, and rapidly changing technologies. By adopting a more holistic, proactive, and adaptive approach to network security, they can better protect their organisations in an increasingly interconnected world.

Are you on the hunt for network security solutions? The Security IT Summit can help!

Photo by JJ Ying on Unsplash

Health Tech and Personal Data: What ‘Powered by Data’ means for healthcare tech

By Stuart O'Brien

By Lucy Pegler, partner, and Noel Hung, solicitor, at independent UK law firm Burges Salmon

In June 2023, the NHS launched the ‘Powered by Data’ campaign to demonstrate how use of health data delivers benefits for patients and society. The campaign draws on examples of how the responsible use of patient data can support innovation in the healthcare sector from developing new tools to support patients and helping to understand how to deliver better care.

Although framed in the context of public health services, the concept of ‘Powered by Data’ is applicable more widely to the healthcare sector. Public and private providers of healthcare whether in-person in healthcare settings or through increasingly innovative digital services, will collect data in every interaction with their patients or clients. The responsible and trustworthy use of patient data is fundamental to improve care and deliver better, safer treatment to patients. 

What is health data?

The Data Protection Act 2018 (“DPA”) defines “data concerning health” as personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.

Healthcare organisations that handle data concerning health will often also hold “genetic data” and “biometric data”, which are likewise special category personal data and must be protected to the same higher standard.

If you process (e.g. collect, store and use) health data in the UK, UK data protection laws will apply. Broadly speaking, UK data protection law imposes a set of obligations in relation to your processing of health data. These include:

  • demonstrating your lawful basis for processing health data – health data is considered special category personal data meaning that for the purposes of the UK General Data Protection Regulation, healthcare providers must demonstrate both an Article 6 and an Article 9 condition for processing data. Typically, for the processing of health data, one of the following three conditions for processing must apply:
  1. the data subject must have given “explicit consent”;
  2. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
  3. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices.
  • transparency – being clear, open, and honest with data subjects about who you are, and how and why you use their personal data.
  • data protection by design and default – considering data protection and privacy issues from the outset and integrating data protection into your processing activities and organisation-wide business practices.
  • technical and organisational measures – taking appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed.
  • data mapping – understanding how data is used and held in your organisation (including carrying out frequent information audits).
  • use of data processors – a processor may only engage another processor (a ‘sub-processor’) after receiving the controller’s prior specific or general written authorisation.

The NHS and the adult social care system have stated their commitment to upholding the public’s rights in law, including those enshrined in the DPA 2018 and the common law duty of confidentiality. These obligations extend to healthcare providers, whether NHS, local authority or private, and whether they operate through online, digital healthcare solutions or more traditional in-person settings.

The Caldicott principles

The Caldicott principles were first introduced in 1997 and have since expanded to become a set of good practice guidelines for using people’s health and care data and keeping it safe.

There are eight principles, and all NHS organisations and local authorities which provide social services must have a Caldicott guardian in place to support keeping people’s information confidential and maintaining certain standards. Private and third sector organisations that do not deliver any publicly funded work are not required to appoint one.

However, the UK Caldicott Guardian Council (“UKCGC”) considers it best practice for any organisation that processes confidential patient information to have a Caldicott Guardian, irrespective of how they are funded.

The role of the Caldicott guardian includes ensuring that health and care information is used ethically, legally and appropriately. The principles also provide for the secure transfer of sensitive information to other agencies, for example social services, education, the police and the judicial system.

The Common Law Duty of Confidentiality (“CLDC”)

Under the CLDC, information that has been obtained in confidence should not be used or disclosed further, unless the individual who originally confided such information is aware or subsequently provides their permission.

All NHS Bodies and those carrying out functions on behalf of the NHS have a duty of confidence to service users and a duty to support professional and ethical standards of confidentiality. This duty of confidence also extends to private and third-sector organisations providing healthcare services.

NHS-specific guidance

Providers who work under the NHS Standard Contract may also utilise the NHS Digital Data Security and Protection Toolkit to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled appropriately.

Furthermore, the toolkit contains a breach assessment grid that uses a risk-score matrix to gauge the severity of a breach and decide whether it needs to be reported, which supports the reporting of security incidents to the ICO, the Department of Health and Social Care and NHS England.

Health and Care Act 2022

As integrated care systems continue to develop, the new Health and Care Act 2022 introduces significant reforms to the organisation and delivery of health and care services in England. In particular, the Act makes numerous changes to NHS England (which has now subsumed NHS Digital) to require data from private health care providers when it considers it necessary or expedient for it to have such data to comply with a direction from the Secretary of State to establish an information system.

The Act also allows the Secretary of State for Health and Social Care to mandate standards for processing of information to both private and public bodies that deliver health and adult social care, so that data flows through the system in a usable way, and that when it is accessed or provided (for whatever purpose) it is in a standard form, both readable by and consistently meaningful to the user or recipient.

Benefits of sharing personal data  

Healthcare professionals have a legal duty to share information to support individual care (unless the individual objects). This is set out in the Health and Social Care Act 2012 and the Health and Social Care (Quality and Safety) Act 2015. The sharing of health and social data between NHS organisations and pharmacies could better transform the way healthcare services are provided as well as grant continuity between the various providers. Having a single point of contact with patients is what makes the healthcare system in the UK distinct from other systems around the world. In addition, patient information could be used for research purposes as well as in the development and deployment of data-driven technologies.

A note on cyber security

Given the sensitive nature of health data and patient information, healthcare providers are particularly susceptible to data breaches. In response to the UK government’s cyber security strategy to 2030, the Department of Health & Social Care published a policy paper entitled ‘A cyber resilient health and adult social care system in England: cyber security strategy to 2030’ in March 2023.

Cyber resilience is critical in the healthcare sector and providers must be able to prevent, mitigate and recover from cyber incidents. Strong cyber resilience dovetails with providers’ obligations under UK GDPR to maintain appropriate technical and organisational measures. For public providers and those providing into the public sector, a deep awareness of the DHSC’s Strategy is critical.

Consequences for failure to comply

Whilst there is a lot of focus on the maximum fines under UK GDPR of £17.5 million or 4% of the company’s total worldwide annual turnover (whichever is higher), in the context of the healthcare sector, there is also significant reputational risk in terms of both an organisation’s relationship with its patients and with its customers and supply chain. Organisations should also be aware of their potential liability resulting from claims from patients and potential contractual liability and consequences.

Photo by Irwan @blogcious on Unsplash

Have you registered for the 2024 Security IT Summit?

By Stuart O'Brien

Do you have an upcoming security project that you need help with? The Security IT Summit is a bespoke and highly targeted event, where you can meet with a selection of suppliers, who can help with your upcoming business plans and projects.

You will be provided with a personalised itinerary of pre-arranged, 1-2-1 meetings with suppliers relevant to you. No hard sell, and no time wasted.

The event is entirely free for security professionals, like you, to attend.

19th & 20th March 2024

Radisson Hotel & Conference Centre, London Heathrow

Your free pass includes:

A corporate itinerary of one-to-one meetings with solution providers

A seat at our industry seminar sessions (live attendance only)

All meals and refreshments throughout

Networking breaks to make new connections in your field

Register Here

Private wireless networks set for ‘substantial’ growth as demand for security soars

By Stuart O'Brien

The global private wireless network market is on the cusp of substantial growth, driven by the escalating demand for reliable and secure wireless connectivity across various industries. Against this backdrop, the market is set to grow at a compound annual growth rate (CAGR) of 23.3% from $2.8 billion in 2022 to $7.9 billion in 2027.

That’s according to GlobalData’s latest report, “Private Wireless Networks Market Opportunity Forecasts by Geography, Technology Segments and Industry Verticals to 2027,” which reveals that the US emerged as the largest market for private wireless networks in 2022, capturing 21% of the total revenue share, followed by China at 11%. Furthermore, the US is expected to record the highest growth rate with a CAGR of 30.6% over the forecast period, with Germany and the UK following closely at CAGRs of 26.4% and 26.2%, respectively.

The early availability of spectrum for private cellular networks has been a key driver behind the growth of the private wireless network market in these countries. In Europe, there is a strong emphasis on industry automation and smart factories, which is fueling the growing adoption of private wireless networks in a number of sectors.

Rohit Sharma, Lead Analyst at GlobalData, commented: “Businesses are increasingly adopting private wireless networks, recognizing the importance of dependable and secure connectivity in the age of increasingly connected business operations and the proliferation of the industrial Internet of Things (IoT). This surge is enabled by the rollout of 5G technology by major industry players including availability of flexible solutions designed for use in private enterprise networks.”

GlobalData highlights manufacturing, mining, utilities, and government as the key verticals for the private wireless network market, which collectively accounted for 51.3% of the overall market in 2022. The rollout of devices supporting 5.5G technology starting in 2025 is set to enhance 5G private networks significantly. This advancement will unlock a plethora of new device capabilities, harnessing advanced features like NR-Light (RedCap) and expanded sidelink functionality.

John Marcus, Senior Principal Analyst at GlobalData, explained: “The convergence of operational technologies (OT) with IT systems in the manufacturing industry is further bolstering the adoption of private wireless networks as it requires a robust and reliable communications infrastructure. Private 5G networks will accelerate this integration with their ability to provide ultra-reliable, low-latency communications to enable real-time automation of industrial processes.”

Additionally, innovations in indoor/outdoor positioning techniques and passive IoT tag technology will further amplify the potential of these networks. These groundbreaking developments are poised to facilitate the emergence of novel applications and foster growth in sectors such as manufacturing, energy, and utilities, where sensitive data and critical operations require a high level of protection and will benefit greatly from the ability of private wireless networks to provide enhanced security and control over the network.

Sharma continued: “With the evolving use cases in industrial IoT, traditional LAN/WiFi connectivity can often have limitations in coverage and stability. Private 4G/5G wireless provides consistently stable connections using fewer access points, increasing performance for connected devices on an organization’s premises whether the devices move around the campus or are fixed in one location. Digital twins, computer vision, autonomous vehicles/drones, and AR/VR-assisted applications will all benefit from the private wireless connectivity integrated with edge computing for local data processing.”

Marcus concludes: “As organizations continue to embrace their digital transformation, private wireless networks are positioned to become the fundamental element of future operations, enabling seamless connectivity and empowering industries to innovate and thrive. With the ongoing technological advancements, robust security measures, and a growing demand for IoT solutions, the private wireless network market is on a strong growth trajectory which is reshaping the future of wireless enterprise connectivity.”

Choosing Secure Web Hosting Environments: Seven top tips for IT Managers

By Stuart O'Brien

The security of a brand’s website is paramount. For IT managers, selecting a hosting environment is a crucial decision that significantly impacts security, performance, and reliability. So what are the essential factors? Here are seven to get you started…

1. Security Features

The foremost consideration is the security features offered by the hosting provider. This includes firewalls, intrusion detection and prevention systems (IDPS), regular malware scanning, and DDoS (Distributed Denial of Service) protection. Bear in mind that application-layer flaws such as SQL injection and cross-site scripting (XSS) live in the website’s own code: a provider’s web application firewall can blunt common attacks, but it does not remove the need to fix the application itself. Support for TLS certificates (still widely called SSL certificates) is also essential so that data transmitted between the server and its users is encrypted.

2. Compliance and Data Protection

Compliance with legal and regulatory standards, particularly the General Data Protection Regulation (GDPR), is a critical factor. The hosting provider must ensure that their operations comply with these regulations, especially in handling and storing user data. This includes having clear data protection policies and potentially offering data hosting within specific geographical locations to meet regulatory requirements.

3. Server Location

The physical location of the servers can significantly impact website performance and latency. Server locations closer to the website’s primary user base can improve loading times, enhancing user experience. Furthermore, IT managers must consider the legal and political stability of the server location, as it can affect data security and accessibility.

4. Scalability and Performance

The ability of the hosting environment to scale according to the website’s traffic and resource demands is vital. IT managers should assess the hosting provider’s capacity to handle traffic spikes and scalability options to accommodate business growth. Performance metrics such as uptime guarantees are also critical, as downtime can severely impact the brand’s reputation and revenue.

5. Backup and Disaster Recovery

Effective backup and disaster recovery solutions are crucial in maintaining data integrity. IT managers must ensure that the hosting provider offers regular backups, easy data retrieval, and a comprehensive disaster recovery plan. This is essential for mitigating data loss risks due to hardware failures, cyberattacks, or other unforeseen events.

6. Technical Support and Service Level Agreements (SLAs)

Reliable technical support is a key aspect of a secure hosting environment. IT managers should seek providers who offer 24/7 support with a proven track record of responsiveness and technical expertise. Additionally, clear SLAs outlining service expectations, responsibilities, and response times can provide assurance of the hosting provider’s commitment to quality service.

7. Reviews and Reputation

Lastly, the reputation and reviews of the hosting provider should be considered. IT managers can gain valuable insights from other customers’ experiences, particularly regarding the provider’s reliability, customer service, and security incident handling.

When selecting a hosting environment for a brand’s website, IT managers must undertake a thorough assessment of security features, compliance, server location, scalability, performance, backup, support, and provider reputation. By carefully considering these factors, they can ensure a secure and reliable online presence for the brand, safeguarding both the company and its customers against the ever-present threats in the digital landscape.

Photo by Desola Lanre-Ologun on Unsplash

New research from Vanson Bourne highlights cloud security concerns among IT professionals

Guest Post

Nearly all organizations are relying on the cloud to store sensitive data and run critical systems. But for many, cloud security hasn’t kept up.

New research from Vanson Bourne surveyed 1,600 IT and security decision makers across eight countries to discover that more than 60 percent believe their organization’s cloud security poses a significant risk.

What’s the solution? 93 percent agree that Zero Trust Segmentation is essential to their cloud security strategy.

Download the Cloud Security Index 2023 to learn:

  • Why cloud breaches and ransomware attacks are so widespread
  • The ways traditional cloud security tools are failing us
  • How Zero Trust Segmentation can increase cloud resilience

Ready for a demo? Contact the Illumio Team now.

MALWARE MONTH: Devising effective anti-malware strategies

By Stuart O'Brien

In the complex cybersecurity landscape of the UK, Chief Information Security Officers (CISOs) face the daunting task of protecting their organisations against a multitude of evolving malware threats. An effective anti-malware strategy is essential for safeguarding sensitive data and maintaining business continuity. Here we delve into the key considerations that CISOs must weigh when formulating such a strategy…

1. Comprehensive Threat Analysis

The first step in crafting an anti-malware strategy is a thorough understanding of the current threat landscape. CISOs need to analyse the types of malware most likely to target their sector, including ransomware, spyware, Trojans, and worms. Understanding the techniques employed by cybercriminals, such as phishing, drive-by downloads, or zero-day exploits, is crucial. This analysis should guide the development of a strategy that addresses specific vulnerabilities and potential attack vectors.

2. Layered Defence Mechanisms

In the world of cybersecurity, relying on a single line of defence is insufficient. CISOs must adopt a multi-layered approach that encompasses not just anti-malware software but also firewalls, intrusion detection systems, and email filtering. Each layer serves to block different types of threats and provides redundancy should one layer fail.

3. Integration with Existing IT Infrastructure

Any anti-malware solution must seamlessly integrate with the existing IT infrastructure. CISOs should ensure compatibility with current systems to avoid any disruptions in operations. This also involves considering the scalability of the solution to accommodate future organisational growth and technological advancements.

4. Regular Software Updates and Patch Management

Keeping software up-to-date is a fundamental aspect of an anti-malware strategy. CISOs must implement robust policies for regular updates and patches, as outdated software is a common entry point for malware. This includes not only security software but also operating systems and other applications.

5. Employee Education and Awareness

Human error remains one of the largest vulnerabilities in cybersecurity. CISOs must prioritise educating employees about safe online practices, recognising phishing attempts, and the importance of reporting suspicious activities. Regular training sessions, simulations, and awareness campaigns can significantly reduce the risk of malware infections.

6. Incident Response Planning

Despite the best preventive measures, malware breaches can still occur. Therefore, a well-defined incident response plan is vital. This plan should outline the steps to be taken in the event of an infection, including containment procedures, eradication of the threat, recovery actions, and communication protocols.

7. Compliance and Legal Considerations

CISOs must also consider legal and regulatory requirements, such as the General Data Protection Regulation (GDPR), which mandates stringent data protection measures. Failure to comply can result in substantial fines and reputational damage.

8. Continuous Monitoring and Analysis

Finally, continuous monitoring and analysis of network traffic and system activities are essential for early detection of malware. Implementing advanced analytics and AI-driven tools can help in identifying anomalies that might indicate a malware infection.

For CISOs in the UK, devising an anti-malware strategy requires a balanced approach that combines technological solutions with employee training and robust policies. As malware threats continue to evolve, so must the strategies to combat them. A proactive, dynamic, and comprehensive approach is key to safeguarding an organisation’s digital assets against the ever-present threat of malware.

Are you searching for Anti-Malware solutions for your company or organisation? The Security IT Summit can help!

Photo by Michael Geiger on Unsplash

NETWORK SECURITY MONTH: A CISO’s guide to choosing the best solutions and partners

By Stuart O'Brien

In an era where cyber threats are increasingly sophisticated, the role of Chief Information Security Officers (CISOs) in sourcing and selecting network security solutions is more crucial than ever. For those operating in the UK, this task involves navigating a complex landscape of emerging technologies and evolving threats. Here are essential tips for CISOs to consider when choosing network security solutions and partners…

1. Comprehensive Threat Assessment

Begin with a thorough assessment of your organisation’s specific security needs. Understand the nature of the data you are protecting, the potential vulnerabilities in your network, and the types of threats most likely to target your sector. This assessment will guide you in identifying the solutions that best address your unique security challenges.

2. Evaluate Solution Robustness and Versatility

Seek solutions that offer robust protection against a wide range of threats, including malware, ransomware, DDoS attacks, and insider threats. The ideal solution should be versatile enough to adapt to the ever-changing threat landscape and scalable to grow with your business.

3. Integration with Existing Infrastructure

The chosen solution should seamlessly integrate with your existing IT infrastructure. Compatibility issues can lead to security gaps and operational inefficiencies. Ensure that the new network security solutions can work harmoniously with your current systems.

4. Compliance with Regulatory Standards

In the UK, compliance with regulations such as GDPR is paramount. Your network security solution should facilitate compliance, ensuring that data protection and privacy standards are met. This includes features for data encryption, access control, and audit trails.

5. Reputation and Reliability of the Partner

Research the reputation and track record of potential security partners. Look for providers with proven experience in delivering high-quality network security solutions. Check references, read case studies, and consider the provider’s history of innovation and customer support.

6. Ongoing Support and Services

Post-implementation support is vital. A good security partner should offer comprehensive support services, including regular updates, technical assistance, and training for your IT team. Evaluate the level of ongoing support offered to ensure that your network remains secure against emerging threats.

7. Consideration of Future-Proofing

In the fast-evolving field of cyber security, future-proofing is key. Choose solutions that are flexible and can evolve with advancements in technology. Consider partners who invest in research and development and stay ahead of emerging security trends.

8. Prioritise User Training and Awareness

Finally, recognise that technology is just one part of the solution. Effective network security also depends on user behaviour. Select a partner who can provide training and raise awareness among your staff, as human error remains one of the biggest security vulnerabilities.

Conclusion

In summary, for CISOs in the UK, selecting network security solutions and partners is a decision that requires a strategic approach, balancing technical requirements, regulatory compliance, compatibility, support, and the human element. By carefully considering these aspects, CISOs can establish a robust network security posture that protects their organisation’s assets and fosters a culture of cyber resilience.

Are you on the hunt for network security solutions? The Cyber Secure Forum can help!

Photo by Mario Gogh on Unsplash

Do you specialise in Anti Virus solutions? We want to hear from you!

By Stuart O'Brien

Each month on Cyber Security Briefing we’re shining the spotlight on a different part of the cyber security market – and in January we’re focussing on Anti Virus solutions.

It’s all part of our ‘Recommended’ editorial feature, designed to help IT security buyers find the best products and services available today.

So, if you’re an Anti Virus solutions specialist and would like to be included as part of this exciting new shop window, we’d love to hear from you – for more info, contact Jenny Lane on j.lane@forumevents.co.uk.

Here’s our full features list:

Jan 2024 – Anti Virus
Feb 2024 – Access Control
Mar 2024 – Intrusion Detection & Prevention
Apr 2024 – Phishing Detection
May 2024 – Advanced Threat Dashboard
Jun 2024 – Browser/Web Security
Jul 2024 – Authentication
Aug 2024 – Penetration Testing
Sep 2024 – Vulnerability Management
Oct 2024 – Employee Security Awareness
Nov 2024 – Malware
Dec 2024 – Network Security Management

Just 12% of IT infrastructure & operations leaders exceed performance expectations

Stuart O'Brien

Only 12% of infrastructure and operations (I&O) leaders rate their function’s performance as exceeding CIO expectations in the face of continued economic headwinds.

“I&O leaders must support senior leadership by proactively contributing to their organization’s ability to navigate economic uncertainty,” said Cameron Haight, VP Analyst at Gartner. “Their destinies are interlinked, as a failure by the business to execute the proper strategy will have repercussions across the organization.”

The Gartner survey was conducted from April through July 2023 among 122 I&O leaders from enterprises in North America, EMEA and Asia/Pacific whose growth was impacted by external threats in 2022 and 2023.

I&O leaders cited cybersecurity risks as the most frequent threat impacting enterprise growth this year. Supply chain disruptions and talent and skills shortages are listed as the second- and third-most-important external threats deemed to impact growth, closely followed by inflationary pressures (see Fig. 1).

Figure 1. I&O Leaders’ Top External Threats Impacting Enterprise Growth

Source: Gartner (December 2023)

While seeking to combat many of these threats, I&O leaders are also being asked to meet organizational expectations with funding that only keeps pace with inflation at best. In 2023, 41% of I&O leaders’ budgets increased but stayed steady relative to inflation, while 37% of budgets were either cut or stayed steady but declined in real terms due to inflation. Just 27% of I&O leaders’ budgets increased and grew relative to inflation.

“While it remains to be seen what 2024 budgets will look like, the lack of real funding growth observed to date could cause projects to be deferred into next year, causing a cascading appropriations challenge,” said Haight. “Given this scenario, I&O leaders must work smarter to achieve business outcomes with fewer resources.”

Top Actions for I&O Leaders to Navigate Economic Headwinds
Based on the survey findings, Gartner identified three key actions that successful I&O organizations were adopting to counteract the forces of economic uncertainty. I&O leaders that leveraged these practices were three times more likely to help their enterprises better navigate a turbulent economy.

These actions include:

1. Developing a workplace environment that improves well-being and inclusiveness.
I&O leaders often face challenges recruiting and retaining the necessary talent to achieve their objectives. Within I&O teams that were rated as the most effective, 84% of leaders reported building a welcoming and inclusive workplace. Furthermore, 79% of I&O leaders at highly effective organizations ensured the holistic wellness of employees by holding them accountable for personalizing their well-being progress.

2. Undertaking actions that improve I&O efficiency through enhanced analysis capabilities.
Maximizing the impact of technology and other investments remains a critical focus for I&O leaders amidst continued economic uncertainty. According to the survey, 89% of leaders in highly effective I&O organizations formulate strategies for process transformation and optimization, and 82% identify opportunities to reduce technology costs through economies of scale or cross-enterprise synergies.

3. Enhancing I&O’s ability to become a full-fledged partner in digital business activities.
I&O leaders may struggle to be viewed as a key partner with business leaders, due to an inability to easily link IT investments to business outcomes. To enhance their contribution to the organization’s digital business strategy, the survey found that 92% of effective I&O leaders foster better coordination of I&O digital investments across lines of business or product lines. Additionally, 84% apply objective analysis to translate enterprise priorities into investments that advance digital business potential, and 79% provide a common language for business and I&O stakeholders to coordinate digital investment decisions.

Photo by Austin Distel on Unsplash