Tech Adoption: The Security Hurdle
Successful Implementations Need Security by Design
A major hurdle preventing companies from adopting new technologies is information security, says IBM's Dan Hauenstein.
Organizations cite security as a major inhibitor to adopting four emerging technologies - mobile, cloud, social business media and business analytics - according to IBM's latest Tech Trends Report. The report surveyed more than 1,200 technology decision-makers.
"More and more people are coming to the realization that security has to be brought into the design of these projects," says Hauenstein, IBM's Software Group's academic initiative strategy manager, in an interview with Information Security Media Group [transcript below].
For instance, 61 percent of survey respondents indicated that security would slow down their adoption of mobile technology. "Everyone needs to start thinking about security and how to apply it to their own role," Hauenstein says.
"People who are developers, product managers and those who have other roles in managing the rollout of technologies or new products - they need to be thinking about security right upfront," he explains.
"You're not going to be able to move [your project] forward without understanding security, without applying security principles, without designing security from the beginning into your project," Hauenstein says.
In the interview, Hauenstein discusses:
- The synergy between the IT skills gap and information security as inhibitors to adopting technologies;
- How organizations labeled "pacesetters" differ from "dabblers" in adopting nascent technologies;
- Why making security a "personal priority" is crucial for organizations to succeed.
The 1,200-plus professionals surveyed for the Tech Trends Report came from 16 industries and 13 countries, spanning mature and growth markets. IBM also surveyed more than 250 academics and 450 students.
Hauenstein leads the worldwide strategy function for IBM skills development programs. His responsibilities include helping students develop skills through the IBM academic program.
IBM Tech Trends Report
ERIC CHABROW: First off, please take a few moments to tell us about the 2012 IBM Tech Trends Report, especially as it deals with information security?
DAN HAUENSTEIN: This is our third annual report. ... We feel that [it's] a very rigorous survey with our Center for Applied Insights, and as mentioned, [we] talked to 1,200 technology decision makers around the world. We also in parallel spoke with 700 educators, faculty and students around the world. We got a good perspective around four rapidly evolving technology spaces, those being mobile, cloud, analytics and social. But we also did quite a deep dive on security.
There were two things that came across loud and clear in this study. The first is there's a skills gap across these spaces. [It's] very clear from the study that the skills gap not only exists, [but] it's larger than we thought it was and it seems to be widening. The second one, as we start to get into the security side, is security is far and away the top barrier to adoption when you look across these four spaces. For example, it's number one in mobile. Sixty-one percent of respondents cited mobile security as a barrier to them adopting the technology. We see this as a real threat to innovation and really to economic growth in these spaces.
CHABROW: When you talk about the skills gap, are you talking about specific areas such as analytics and social, are you talking about security, or are you talking about both?
HAUENSTEIN: We're talking about both, and specifically we dove into and explored the skills gap around the four areas: mobile computing, cloud computing, business analytics and social business. But it's also clear that [with] security, the skills that are needed there, not only is this an area where in other reports we see enormous job growth and a lot of demand from employers for security professionals, but when you look at these four areas, security is the top barrier to adoption. We're seeing that those skills need to be brought into the curriculum around what people are learning in the mobile development space, for example.
CHABROW: When people are being taught different technical skills, are they being taught about security? Or is that something that's just becoming recognized now and people are contemplating how to do that?
HAUENSTEIN: I'd say the answer is sometimes. It varies pretty widely. More and more people are coming to the realization that security has to be brought into the design of these projects. People who are developers, who are product managers, who have other roles in managing the rollout of technologies or new products, they need to be thinking about security right upfront. But it's partly our job here, with the results of this survey, to point out to people just what a significant barrier and threat it might be to moving forward in these spaces. More people need to bring that into their thinking and really everyone needs to start thinking about security and how to apply it to their own role.
Security: Technology Adoption Barrier
CHABROW: As you mentioned, security is becoming a major adoption barrier. You mentioned mobile, for example. In what respect are you talking about? Are organizations reluctant to buy the latest mobile technology or are you talking about BYOD, bring your own device? How is this manifesting itself?
HAUENSTEIN: We did a little bit of a deep dive in the questions around mobile security in particular. I will give you a few examples of the areas where they're most concerned. We saw that 72 percent of people in major markets were concerned about the handling of confidential data, everything that goes around how do we secure data [and] how do we maintain confidentiality. That's a top concern when we start thinking about this explosion of mobile devices, bringing your own device. Literally, the data goes everywhere. Worrying about how that's handled is top of mind.
Other things that are [at the] top of the list, with over 50 percent of the respondents naming these as top concerns, [are] identity and access management and then vulnerability to virus and malware. I think you're exactly right. A lot of this is being driven by BYOD-type concerns. We certainly saw that as a trend. If anything, [there's] increase in adoption speed, though a lot of concerns with security when you start heading in that direction.
CHABROW: Can you identify other types of technologies where security is a barrier?
HAUENSTEIN: Absolutely. I will start at the top in our report. When we looked at cloud, [it] was another place where I believe 56 percent of respondents said that security was a barrier to adoption. Everything around pulling cloud and thinking about the unique security concerns that relate there was another big area.
Social business, when we start thinking about the way people communicate, and opening up the gates basically to have everyone in the organization talking and communicating in new ways, it basically opens a lot of potential holes in the organization. There's no surprise there. Forty-seven percent of respondents said that was the top barrier to adoption. And even with business analytics, where skills was by far the top barrier to adoption, security and the concern around how we handle data, access control, that was the number-two concern. It's very pervasive.
CHABROW: When you talk about something being a barrier, what do you mean by that?
HAUENSTEIN: Essentially, if there's something that's going to stop us from rolling out these technologies and applying them more broadly in the business, this is what's going to stop us. If you're thinking about mobile computing and the plans when you look across all these organizations, about 70 percent plan to increase their investment here in the next two years around mobile computing. Sixty-one percent of all respondents are saying that something that's slowing that down and making them back off a bit on that would be security. That's why it needs to be top-of-mind and tackled so that they can move forward on these processes.
CHABROW: I just want to be clear - and I don't know whether your survey would reveal this or not - whether all these organizations don't buy the technology or maybe they're slower to buy the technology or buying it but being nervous about it.
HAUENSTEIN: We didn't quite get that granular. I think it applies to all of those scenarios. For example, we have the numbers on increasing investment. I think if the barriers were lower, we would see higher numbers there.
Pacesetters vs. Dabblers
CHABROW: The study refers to pacesetters and dabblers. I could guess what they mean, but why don't you tell us?
HAUENSTEIN: Essentially, we did a segmentation of the respondents based on whether or not they're out front on two dimensions. One is adoption of these technologies and the second is strategic application of the technology. Pacesetters are those who are not only out ahead in terms of adopting these technologies, but they're also applying them in a very strategic manner to their business and looking for larger benefits than simply a one-off project or a small tactical application.
CHABROW: How do pacesetters and dabblers differ in the way they approach cloud security or mobile adoption?
HAUENSTEIN: I'll give you the overall view on the traits that we saw, the differences between pacesetters and others in this report. There were three traits that really came forward very strongly for pacesetters. The first is that they're market-driven; for example, adopting mobile to better reach and serve customers. They're applying these technologies in a way that really helps them reach their customers.
The second is they're much more analytical. They do much more around dashboarding, data modeling, and they have more aggressive plans going forward.
Then the third is that they're more experimental. They're deploying things that others aren't: getting into app stores in the enterprise, hybrid cloud and social networks in the enterprise. One of the figures that really jumped out is that they're nine times more likely to experiment with technology and build skills around it, even when there isn't yet a project in place. What this tells me on the security front is that they're in a situation where they can try these things. They can begin to build out and figure out how to secure these before they're deployed in a mission-critical situation. They're really getting that experimental opportunity and really tackling security aggressively, given that they're looking at doing this in a very market-focused, outside the firewall-type of way.
CHABROW: I guess your survey wouldn't go into this, but from what you know, are they more successful companies than the dabblers?
HAUENSTEIN: We didn't get into whether these companies are outperforming. Obviously, when you start asking correlation versus causation, there are a lot of factors into financial performance. But what we did see is that this year in our CEO study - IBM does this every other year - the number-one external factor impacting the business from the CEO's point-of-view is technology. They're really thinking about, "How do we apply these technologies? How do we get out front? How do we apply them strategically and drive more value to the business?" With that in mind, we did this segmentation to see what we can learn from those who are out front adopting it and are out front applying it in this strategic manner.
Making Security 'Personal Priority'
CHABROW: Finally, one of the report's recommendations is to make security a personal priority. What do the report's authors mean by that?
HAUENSTEIN: We talked about demand for specialized security skills. If you're building skills or you're an expert in any one of these technology areas, you're not going to be able to move it forward without understanding security, without applying security principles, without designing security from the beginning into your project. If you can become an expert on security within your area of expertise and figure out how to apply it there, that's one element that we're talking about. Make that a personal priority. Take the lead. Drive security into the design of your project as you get rolling, and we know that's going to help you overcome these barriers and have more success with what you're trying to accomplish.