Security Awareness Training FAQ: Why it’s absolutely vital for every employee

FAQ: Security Awareness Training - Benefits and Best Practice Tips

In 2021, experts estimate there will be a cyber-attack incident every 11 seconds.  

That’s twice what it was in 2019. 

And four times the rate five years ago. 

These shocking statistics probably aren’t even that shocking. Every Director knows that security is a pressing issue. It’s a topic of conversation in every board room and a significant budget has been allocated to invest in various security measures and solutions.  

However, there’s a weak link in the business which is often overlooked: your employees. While they might not mean to put the business at risk, their actions can do just that.

From clicking on links in phishing emails and actioning fraudulent bank transfer requests, through to connecting to insecure Wi-Fi networks and sharing personal data incorrectly, all these actions can result in a breach or successful attack, causing financial and reputational damage.

Most employees are not malicious; they simply are not aware of the risks. They don’t understand that they are a target, and they don’t know how to spot the danger signs. Many don’t understand that security is their personal responsibility and even fewer understand sensitive data privacy best practices. Thankfully, this can be easily addressed with effective security awareness training. In this article, we will cover the benefits and types of security awareness training, as well as best practice tips to follow for an effective program.

What is security awareness training?

Security awareness training is designed to educate employees about the important role they play in helping prevent information breaches. It provides formal education about the type of risks facing the business, how employees might interact with them or be targeted by them, and how their actions can have a positive or negative effect.

‘Real-life’ scenarios – for example, demonstrating how their response to a phishing email could cost the business thousands of pounds – are often included to drive the message home and show the employee what a breach would feel like.

Quizzes, questionnaires, and games can also be used to test employees’ knowledge post-training and identify any weak spots. There are also various online systems that train and test employees in an automated manner, flagging those users who need additional focus and training. 


Why is security awareness training important?

Security awareness training ensures everyone in the business is aware of the threats and how they might present themselves. It helps build a security-aware culture and encourages everyone to follow best practice. For example, instead of the accounts department immediately actioning a bank transfer due to an email from the Financial Director, they know to double-check the request with another method (e.g., a call, a Teams message).  

A more security-aware culture will significantly reduce the chance of a successful attack against your business. Research found that security awareness training could reduce the threat of socially engineered cyber threats by up to 70%.

Training is also a requirement for compliance purposes in certain industries. The Financial Conduct Authority (FCA) states: 

“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software, and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”

Types of security awareness training

  • Phishing – Trains employees on how to recognise potential phishing messages by demonstrating what could happen if they respond to one. 
  • Passwords – Promotes password best practice, ensuring strong passwords are created and are not used across multiple accounts or shared with others. 
  • Privacy PII – Shows employees how to protect personal information in the business, including clients, prospects, colleagues, and partners.  
  • PCI Compliance – This training is required to comply with the PCI DSS (Requirement 12.6). Educates staff on the requirements, roles and processes and demonstrates the severe financial and reputational damage of a payment card data breach. Reinforces best practice to help staff actively keep card data safe and reduce the likelihood of a breach. 
  • Ransomware – Demonstrate to employees just how easy it is to be attacked and the destructive consequences. 
  • CEO/Wire Fraud – Fraudulent emails designed to trick the employee into thinking they are responding to the CEO (or another senior executive), showing them how easy it is to be conned. Helps employees to recognise the first signs of risk and encourages the practice of double-checking when unsure how genuine a request is.
  • Data in Motion – Teaches employees data security best practices to ensure vulnerable data is not put at risk. Highlights the dangers of behaviours such as sending company attachments to home email accounts, copying company data to personal cloud storage, and plugging ‘found’ USB drives into company devices.
  • Office Hygiene – Educate employees on the importance of physical security, demonstrating the risk of unsecured paper, unlocked screens, open buildings and more.
  • GDPR – Ensure all employees are aware and understand data privacy rights – and the severe penalties for breach or non-compliance.  
  • Social Engineering – Train employees on the various methods and guises hackers may use to gain illegal access to their computer, including phone, email, mail or direct contact.

How often should you train employees?

Ideally, every four to six months. There are various software solutions that test and train users more frequently than this, perhaps weekly; however, they do not cover all areas of cyber-security.

Research found that after four months, employees were easily able to spot phishing emails but after six, they began to forget the learning. Although this research was specifically about identifying phishing emails, it can be applied to all types of security awareness training.  

However, it is up to you to determine the right cadence. Use this timeframe as a starting point. In the beginning, you may need to test employees more frequently.

The key is to strike the right balance. Employees need to be informed and educated, but you want them to be proactively engaged. Training that occurs too frequently risks becoming a chore and being treated as a tick-box exercise. Employees rush to get it done, rather than engage with the learning, as they know they will have to do it again in a few weeks.

How expensive is security awareness training?

The cost of security awareness training will largely depend on the provider, the type of training and the number of employees. Some providers offer tiered pricing with different training methods at each tier. As an example, some of the automated training and testing systems for training users, particularly around phishing and ransomware, can be in the region of £12 a year per user.

However, with the average cost of a data breach at $3.86 million, the cost of your training program is unlikely ever to come close to the cost of a successful data breach. In fact, research shows that businesses with fewer than 1,000 employees will see an ROI of 69% from a security training program.

Best practice tips for an effective training program

Effective training needs to deliver the right information, at the right level, at the right time.  

1. Repeat, repeat, repeat

Staff will only recall approximately 90% of training after a month. So, a programme of sustained and repeated training is the best way to ensure knowledge retention. 

Plus, the cyber-security landscape is rapidly and constantly developing. New threats occur all the time and you need to equip your staff to deal with them.  

2. Gamify your training

Mandatory training can seem dull, leading employees to switch off and become disengaged. You need to ensure these important messages are hitting home. Experiential learning through game-like approaches can help some staff members remember things more effectively.

Studies show that using humour and entertainment in the training process boosts engagement. Nearly 60% of employees prefer training which mixes serious and entertaining content.

3. Break training down into manageable chunks

Hours of back-to-back training is unlikely to engage anyone. In fact, your employees will probably just see it as another ‘tick box’ chore – not ideal for building a security-aware culture. Instead, break your training into bite-size chunks, spread out across the year.  

4. Try different methods

Employees all have different methods of learning. What suits one may not suit another, so it’s important to switch up training delivery. Posters, books, quizzes, games, interactive demos and small group training are just some of the ways to educate employees. Unfortunately, you can’t just buy an online training and testing package and believe that’s your training box ticked. 

5. Cover a range of topics

While phishing is a top attack vector, it’s important that your training does not focus solely on one area. You need to educate your employees on a wide variety of topics, including those which they might not connect directly with the workplace. For example: 

  • Not to overshare information on social media 
  • Dangers of public Wi-Fi and how to use it safely 
  • Not to plug unknown USB devices into corporate devices 
  • How to manage passwords 


How to get the Board engaged in IT: An IT Manager’s guide


If you’ve ever had to request budget from the board or tried to get buy-in for an IT project, you will know how difficult it can be to get the board engaged with IT. Despite the critical role IT plays in operations, too many senior executives still see it solely as a cost to the business rather than as a competitive advantage.

Research shows that regular conversations between IT and the board actually decrease IT and cyber risk, while increasing innovation and IT project ROI. These achievements improve the more frequently the conversations occur. Conversations that occur every quarter hold more value than those held bi-annually or annually.


However, getting these conversations to happen in the first place is often the most difficult part. IT Managers can struggle to get their voice heard at board level and IT often does not feature on the agenda as often as it should. Part of the problem is this often requires a change in culture, but the good news is IT Managers can facilitate this by framing their conversations with the board in the right way.

3 strategies to engage the Board of Directors with IT

Most organisations spend a significant portion of their revenue on their IT, so they need to be sure that it is being invested wisely and delivers a return for the business.

This can only happen when senior executives fully embrace the potential of IT and view it as a strategic asset. While it’s important that IT has a voice at board level, the conversations themselves need to be effective too. We’ve compiled three best practice tips to help IT Managers frame the conversation in a way the board will engage with.


1. Make Technology a Routine Part of Conversation

IT Managers need to think strategically about how they can navigate technology conversations with the board. Assess the levels of technical knowledge and understanding to determine whether an educational component is required and build conversations accordingly.

Some members of the board may be more technologically-savvy or be more. Identify these allies and build relationships with them as they can help you garner support for IT investment and focus from other members of the board.

Consistent communication is key, so ensure IT features as a standing item on the agenda or designate regular meetings where you can focus solely on IT. Strike the balance between protection and growth and build a narrative which focuses on the short term (6-12 months) and the long term (5+ years).

Any conversations about long-term strategic planning should be a collaborative effort. IT Managers should be fully briefed on the intended strategic direction of the business so they can educate the board about the relevant risks, opportunities, and industry changes, ensuring the IT strategy supports the business objectives and the budget is allocated effectively.


2. Demonstrate the business value of strategic IT investment

You will need to make the case for IT investment, so be prepared to convey the financial, operational and reputational benefits. Back your pitches with data and present the information clearly and concisely e.g., by utilising dashboards and scorecards.

You may need to ‘connect the dots’ and give context to the risks facing the business. If board members do not understand the mitigating effects or benefits a particular solution or service will deliver, they may not be willing to allocate the funds. For example, data security might be a concern for the board, but they may not understand why the business is a target, where they are vulnerable, the effects a successful attack can have and how it can be prevented. Take the board’s own appetite for risk into account and align your recommendations and scorecards to reflect this.

Budgets can vary widely so you may wish to present a shortlist of options to the board. However, if you do decide to do this you need to ensure the board is fully aware of the limitations of each one, so they do not decide based purely on flat costs.


3. Focus the conversation on the right topics

Try not to get bogged down in the technical detail during conversations with the board. It’s unlikely that their level of technical knowledge will match your own, so they will be less likely to engage if it doesn’t seem directly relevant to the business. Instead, focus the conversations on the potential impact and deliverables of IT.

Performance

Ensure that the board understand how IT can positively or negatively impact the performance of the business.

  • Financial – Link technology investments to financial performance such as profitability, margin and revenue. Demonstrating the positive impact can help the board see IT as more than an operational cost.
  • Operational – Demonstrate how IT can improve the efficiency of operations and free up budget for innovation and business transformation. This may include things like automating processes, replacing legacy systems, and embracing cloud services. IT Managers can support this process by measuring, reporting, and discussing the impact of technology-driven business transformation.

Risk

Ensure the board keeps up to date with current and emerging threats, be it cyber-attacks or disruptive technologies. IT Managers can help develop the risk appetite and measures to prevent unnecessary risks from being taken. IT and Business must be wholly aligned on risk appetite levels to ensure neither side makes inappropriate risk management decisions.

  • Cyber Risk – Businesses must be able to protect their assets from cyber-attacks if they want to achieve strategic goals. IT Managers have the responsibility to educate the board on current and emerging risks, the potential threat to the business and remedial actions.
  • Regulations – Technology can help businesses comply with regulations, but it is also the subject of regulations itself – such as data privacy. Boards need to be aware of how technology can speed the process of meeting compliance policies, as well as where regulations may require additional investment or affect company priorities. Conversations should focus on the positive and negative implications of the regulations, the opportunities for rationalisation and any other business impacts.
  • Industry Challenges – New technologies can topple a company’s competitive position and business models. Help board members understand the risks and opportunities of technology-driven industry disruption to ensure the business doesn’t fall behind.

Strategy

IT Managers should help guide the overall business strategy by educating board members on the strategic potential of IT and other disruptive technologies.

  • Innovation – IT Managers can help create a bolder risk appetite by demonstrating how the effective use of technology can result in business growth. Successful innovation requires a culture of continual incremental improvements. Boards need to give IT Managers the opportunities to test, experiment and analyse.
  • Data – Help the board understand how technologies such as machine learning, natural language engines and AI can help businesses better collect, process, and analyse customer data. Highlight how this data can be used for more effective decision making and monetised for business success.
  • Client Experience – Customer demands are constantly changing and increasing. Businesses need to keep pace with this if they want to both attract new customers and retain their existing ones. Service levels are a key battleground. As service levels increase across all industries, tolerance levels have declined, and customers are no longer prepared to accept reduced levels out of brand loyalty. IT Managers can help the board meet these challenges by showing how to leverage technology to proactively anticipate and address customer needs. These conversations can help ensure the pace of technology change aligns with customer readiness.

Strategic development for IT Managers

IT Managers have a huge wealth of technical experience and understanding, so it makes sense why they are often heavily focused on the technical details.

This knowledge is highly valuable to a business, but it doesn’t always translate to the board. If they do not understand, they will not engage. They need to see the business benefits of investing in IT. Requesting budget to replace an old server, for example, is not enough. However, if you explain that the new server will help increase resilience, availability, and network performance, and enable employees to deliver faster customer service, the board can begin to understand the ROI of that investment.

If you’re used to focusing on the technical details, then framing conversations in this way can feel a little uncomfortable initially. IT Managers who want to take a more strategic standpoint should seek out additional training and mentorship from experienced CIOs and IT Consultants. A dedicated Coach can give IT Managers advice and direction, provide education (where required), share knowledge and best practice, help develop a commercial mindset, and talk through challenges faced by the business and how to overcome them.


8 ways IT Managers can more effectively support remote workers


Many businesses simply were not equipped for full-scale remote working and, with little time to prepare, it’s understandable why some had to piece together partial solutions just to get everyone set up and working. However, with large numbers reporting that they’d like to retain some element of remote working and businesses reaping the benefits (without seeing huge downturns in productivity), it seems this trend could be here to stay for the long term.

To ensure remote working doesn’t put the business at risk, from a security and operational standpoint, IT Managers should begin to review policies and procedures in this area. While things may have worked ‘fine’ in the context of a pandemic, there are likely some gaps that need to be addressed in order to optimise remote working, improving the process for employees and the business alike.

How to support remote workers in 2020 and beyond

1. Complete network visibility

IT Managers must be able to confirm who is working remotely, which devices are being used and which critical applications are being accessed, so they can ensure the business remains secure. This is particularly important where employees are connecting to a VPN.

2. Understand the end user’s perspective

In order to improve the digital experience for employees, IT Managers need to ensure they have the tools and technology in place to identify, assess and resolve issues as they happen. Implementing a monitoring platform that can collect real-time, accurate data from end-users’ devices would allow IT teams to promptly identify issues and prevent them before they arise. In the case where the issue points to a larger problem across the network, it also gives IT teams a chance to issue a resolution before it affects others.

3. Be proactive

Just responding to IT requests or issues in a timely manner is no longer enough. IT teams need to operate in a proactive manner in order to reduce productivity losses. Implementing a monitoring platform which collects accurate, real-time data from employees’ devices, web browsers and collaboration tools, will help IT Managers identify potential issues and address them before they cause pain.

4. Help end-users to help themselves

IT teams can often find themselves stretched thin, trying to resolve issues for on-premise and remote workers. By utilising the right engagement and automation tools, IT Managers can empower end-users to resolve common problems themselves by implementing a self-help system. This may include creating troubleshooting guides for low-level, recurrent issues, utilising Microsoft Teams bots like FAQ Plus and Quick Responses or encouraging remote workers to log IT issues with certain information so they can be resolved more efficiently.

5. Promote collaboration tools

Collaboration tools have seen huge uptake as employees look for ways to maintain effective communication across the business. Microsoft Teams alone reported a 70% increase, with active daily user numbers jumping to more than 75 million. The performance of these tools is tied largely to the performance of the local device and network, of which the IT team has less visibility in a remote working environment. So, in order to be able to provide sufficient support and a seamless collaboration experience for end-users, IT Managers should consider solutions which will give them the level of visibility they need.

6. Address shadow IT

When it comes to remote workers, security is often one of the biggest challenges for IT Managers. Away from the office, employees can wind up using their personal devices to conduct business or start accessing personal applications (such as instant messaging, streaming services and cloud storage) from their work device.

It’s critical that the IT team take steps to address this, but at the same time, they should also seek to understand why employees are using these tools instead of company authorised ones. Is it a case that they don’t know the tool is available? They don’t know how it works? Or it doesn’t have the features and functionality they require?

7. Ensure regular communication

One of the most oft-cited downsides of remote working is isolation. It’s important that lines of communication are kept open so remote workers still feel part of the business. To ensure remote workers are receiving the support they need, IT Managers should consider using engaging feedback tools such as email surveys and polls.

Microsoft Teams comes with several personal apps, bots and connectors which IT Managers could utilise to manage the feedback process. Microsoft Forms, which allows users to easily create surveys, quizzes and polls, and Polly, which gathers real-time insights with simple polls, are just two examples of the tools available.

8. Implement training and educate employees

Many employees have needed to quickly adopt new collaboration tools in order to effectively work from home. While they may have gotten used to them, having to learn how to use tools ‘on the fly’ probably means they’re missing out on features which could significantly improve their day-to-day activity, productivity and efficiency.

Training will also help strengthen security parameters by ensuring employees are aware of the types of attack, how they should respond and how their actions could affect the business. There was a big uptick in the number of cyber-security attacks during the first wave of the pandemic, but generally, the landscape changes, so security training for end-users should be carried out on a regular basis.

Conclusion

The switch to remote working happened at incredibly short notice for most companies. What typically would require months of planning, pilot tests and stress tests to successfully rollout simply had to happen there and then, and this has likely created a lot of new challenges for IT departments.

It seems that it might still be some time before businesses can have their entire workforce back in the office at once – if they even wish to revert to that – but there are steps IT managers can take now to improve the remote working experience.

With employees more reliant on technology than ever before, IT teams need to ensure they have effective communications channels in place to understand and address the needs of end-users. A proactive, security-first approach will not only improve the user experience but also help prevent remote working from posing a risk to the business.




Top 13 challenges for IT Managers right now

Challenges for IT Managers


While this change in perspective is positive, it does mean the scope of an IT Manager’s role has increased considerably and, with this, come new challenges to address.  

1. Big data

Businesses are generating more data than ever. Unfortunately, most of this is unstructured so it can’t really add any value. Transforming this data into measurable and actionable insights is one of the largest challenges facing IT pros, but get it right and it has the power to completely transform a business, giving greater insight into operations, customers and the wider marketplace.

2. Asset and data management

The ever-increasing number of devices in the workplace means more monitoring and maintenance. To effectively and safely deal with this, it’s crucial that the IT strategy includes appropriate information governance programs and mobile device management policies. 

As well as managing the known hardware, IT Managers must also be aware of the threat of the unknown. Shadow IT, hardware and software used by staff without the IT department’s approval or knowledge, is an increasing problem in mid-market businesses. In fact, it’s estimated that the number of software programs in use is 14 times higher than thought. This can include things like using cloud file stores like Dropbox or Google Drive to share files, personal instant messaging apps or online CRM solutions.


3. Data protection

Forward-thinking mid-market businesses will have already taken a ‘privacy by design’ approach, but meeting regulatory and compliance standards around data protection is a continuing concern. Customers demand – and expect – their data to be private and secure, and any potential threat can easily drive them to a competitor.  

4. New technologies

While keeping up with new technology is a challenge, a greater one is working out what’s the best fit for the business and communicating the reasons why to senior leadership.  

This can be a particular problem for IT Managers who don’t have a seat on the board. It’s all too easy to get swept up by the wave of new, shiny tech and become concerned that your business is missing out because others appear to be investing. Yet this is exactly the type of spend that puts the business at risk and, in turn, creates ‘bad feeling’ towards IT. It’s crucial that IT Managers advocate for ‘a seat at the table’ to address the challenge of new technology and use their experience and expertise to guide the business towards effective investment.  

5. Evolving cybersecurity threats

Cyber-security is a huge challenge, with attacks constantly growing in size, sophistication, and frequency. This rise coupled with rapidly deployed remote working solutions during COVID has led to new risks being introduced to IT environments that quickly need evaluating and controlling. 

Businesses cannot take this threat lightly, as it presents a financial, reputational and operational risk. However, it’s also the area with one of the largest skills gaps – there simply aren’t enough IT security professionals worldwide to meet demand. In Europe alone, the cyber-security skills gap doubled in 2019 and two-thirds of organisations have reported a shortage of skilled or experienced security personnel.

As cyber-security is such a vast and rapidly developing area, it can be difficult for IT Managers in mid-size companies to keep up with all the latest threats whilst also managing day-to-day activity, projects and continual improvement. To address this challenge, IT Managers should consider deploying advanced technologies and services, such as SIEM and MDR, and explore co-sourcing to obtain specialist cyber-security knowledge and experience. 

6. Mobile device management

BYOD is nothing new, but the introduction of multiple corporate and personal devices into the workplace during the pandemic continues to cause issues for IT Managers. The threat landscape and companies’ risk profiles have grown significantly, and so has the need to control them. Keeping users productive and engaged whilst working full-time is going to need some focus and strategy in the medium and long term.

7. Skills gap

IT Managers not only have to contend with a cyber-security skills shortage but, overall, there is a general gap when it comes to tech and IT skills. This has been partly driven by the breadth and pace of innovation, but also because businesses are beginning to recognise the notable role technology plays in attaining their strategic objectives and require a different skillset from their IT pros.

Businesses attribute skills gaps to lower staff productivity, fewer sales, a lack of innovation and new product development and increased operating costs. Yet, despite recognising the harm it causes, few have the processes in place to address skills gaps and do not offer formal training to technical employees to upskill.  

These gaps will only continue to grow and cause further harm unless action is taken. IT Managers must convey to senior management the value of continual and strategic training for technical employees and secure budget to ensure this can happen.  

However, even with training, it’s unlikely that one or two IT professionals will be able to meet all the technical and strategic skill requirements of a mid-sized business unless you’re solely focused on ‘keeping the lights on’. It can be prohibitively expensive to build out a large internal IT team and retain individuals for the long term, which is why IT managers often turn to co-sourced IT support as a way to gain the specific skills they need, often at a fraction of the cost. 

8. Cloud computing

The fallout from the pandemic is only expected to further accelerate the move to the cloud and between cloud platforms, such as a shift to hybrid public and private environments. The flexibility, scalability and potential of different cloud platforms are just too great an opportunity to ignore. However, it’s important that IT Managers oversee the selection process to prevent rash decision making and budget wastage.

For those exploring new cloud-based services, it’s essential to consider security across multiple platforms. Traditionally, multiple clouds meant also managing multiple inconsistent and incompatible security systems. Now, a better option would be a cross-cloud, cloud-agnostic security platform which ensures complete enterprise-wide security, regardless of asset location.   

9. Digital transformation

Digital transformation is complex, and it can be difficult to achieve success. Yet in order to prevent savvy competitors from overtaking them, businesses really need to focus their efforts in this area. 

Projects or initiatives often fall on IT Managers because they’re seen as ‘tech’, but in order to achieve successful digital transformation, the entire senior leadership needs to be engaged, establishing a clear reason for transformation and fostering a sense of urgency for making changes. The challenge for IT Managers lies in driving forward this behavioural change so digital transformation is seen as a much wider piece.    

10. Hiring and retaining talent 

The high demand for specific skills and a lack of suitable candidates results in fierce competition, which can make it difficult for mid-sized businesses to retain their technical talent. It’s not just a higher salary which can tempt IT pros away. Greater flexibility, upskilling opportunities, more manageable workloads and a chance to specialise – rather than the expectation to manage everything ‘IT’ – are all often cited reasons for a move.  

While businesses should review their hiring and employee retention processes to identify areas for improvement, on the technical side they should also consider what skills they really need to have in-house. For example, cyber-security skills are essential, but can your business really offer the work, environment and – to be frank – the salary required to retain an expert with a niche skillset? Rather than engaging a specialist recruitment agency to find that talent, would it be more beneficial to consider other ways your business could gain access to those skills at the level you need?

 


11. Instilling trust

While recent events have moved IT into the heart of the business, IT Managers will need to work strategically to retain this position.  

IT was hailed as a hero for helping mid-market businesses quickly make the full transition to remote working, keeping everyone running and productive. However, with people coming back into the office, IT risks becoming the villain by simply seeking to address some of the bad habits staff may have picked up during lockdown – i.e. restricting personal apps, preventing home-working until stronger security measures are in place, slow responses as the helpdesk becomes overloaded.

12. Increasing workloads

It’s positive that senior management is beginning to recognise the contribution of IT on a strategic as well as operational level, but this comes at a price for IT Managers. Not only are they typically responsible for day-to-day monitoring, maintenance and issue resolution, they also need to undertake improvement projects, create the IT strategy, investigate opportunities and generally help drive the business forward. It’s a vast set of responsibilities and often it may feel like there are not enough hours in the day to do it all.  

13. Outsourcing

The combination of hiring challenges, skills gaps, trouble retaining talent and increasing workloads will lead many businesses to consider outsourcing or co-sourcing.

While this is usually necessary to meet the growing requirements of mid-market businesses, it often raises concerns around reliability, accountability and security. IT Managers can typically be responsible for assessing the suitability of third-party partners, vendors and suppliers so it’s vital they have a strict assessment process in place so they can feel confident in the engagement.  

An IT Manager’s role is continually evolving and therefore becoming more challenging. As the scope of responsibilities and accountability becomes wider, new challenges for IT Managers will crop up alongside those which have held fast for some time.  

A number of these challenges can be addressed by IT retaining a central position in the business and having a voice at the decision-making table. IT Managers cannot address these challenges solely by themselves; they need the support of the entire senior leadership team.




Why successful companies have IT leadership on their board

IT strategy - Why successful companies have IT on their board

Businesses whose boards have strong digital skills enjoy benefits including 17% greater profits, 34% higher return on assets and 38% faster revenue growth according to a report by MIT SMR.

Any of those advantages would put a company in a powerful place against their competitors, so how does this one difference deliver all three? And if it’s so impactful, why do so few businesses have IT on their board?

6 reasons why having IT on the board makes such a difference

1. IT and business alignment

Businesses without IT leadership on the board often have a siloed or even antagonistic view of IT. In these environments, IT is often labelled as a non-contributor to the business since they aren’t directly creating revenue. Even worse, an uninformed board rarely considers how the essential work of IT allows revenue-generating departments to succeed.

Resentment easily grows between departments in this scenario and causes in-fighting, loss of talent and a stressful work environment. This leads to long-lasting reputational damage, a reduction in business productivity and ultimately, lower revenue.

Once senior IT executives are present on the board though, they can clearly communicate IT’s value, potential and contributions, improving alignment and collaboration whilst reducing friction across the business.

2. A lower technical debt

Digitally strong leadership is aware of the concept of technical debt and invests intelligently to eliminate it. Businesses without IT executives or their IT support provider on their board are rarely even aware of technical debt and make flawed business decisions as a result.

Problems accelerate for non-savvy businesses if misconceptions such as IT being a ‘necessary evil’ or a business ‘cost’ get out of control and begin influencing the board’s decisions. This causes technical debt to accumulate even faster – narrowing cash flow, increasing job disengagement and lowering the business’ productivity ceiling.

If IT has a voice on the board, they can address these misconceptions and release the stranglehold on investment and advancement they cause. This reduces technical debt, improves day to day operations (and thus profits) and re-opens the gates to innovation by strategically investing when appropriate opportunities arise.


3. IT is held accountable at a high level

It might sound crude, but if someone’s job or ego isn’t at risk, genuine change and progress don’t happen. Having board members who are accountable for IT multiplies the impetus for delivering on IT’s full value and encourages greater performance. This ultimately accelerates project delivery and the achievement of companywide and departmental KPIs.

Having a CIO, or a CIO-level representative from your support provider present on your board means the knowledge and accountability to deliver real change is in place. But realistically, the entire board, not just one person, should be accountable for IT’s performance since IT underpins the whole business and is where competitive advantage lies.

4. IT and business strategies support one another

In businesses without IT representation on the board, the strategic direction of IT rarely fits with the overall business strategy and may even work in a competing direction.

A simple example of misalignment would be if the business wanted to increase customer engagement and service, but IT had an ongoing implementation of a business management solution like ERP or Practice Management with a poor CRM system built-in.

If IT had representation on the board, they could have seen the misalignment and raised it prior to purchase. Even if the software was already bought, they could have reviewed an additional CRM product that integrates with the other line of business applications and makes up for the existing solution’s shortfalls. While there would be additional costs, the CIO would clearly define ROI in advance, with support from marketing.

IT leadership on the board can also lead to other projects which deliver on the business strategy. This would create overarching benefits, from back-office automation in any sector through to shop floor management systems in manufacturing, and perhaps AI or general process improvements in legal firms.

However, more commonly than misaligned strategies, businesses without IT on their board rarely have a real IT strategy at all. Usually they just have a budget and a refresh cycle documented, putting them far behind the pack.

5. A more pressing attitude to risk management

A board without IT leadership can place a disproportionate amount of focus on extraneous risks whilst critical IT risks go unaddressed. Even if IT has a solution to hand, the board may still deny funding since they don’t understand its importance.

Consequently, increased downtime, business disruption and lost money should be expected as the underlying infrastructure becomes neglected. Downtime alone costs the average business about £4,300 per minute – a painful sum for a non-savvy board’s inaction.

But downtime is not the only risk a board without an IT presence will fail to address. Cyber-security, reputational damage, data loss and other critical issues will go neglected without the correct emphasis from IT.

When IT has its place on the board, the correct emphasis is placed on IT risks since there’s an inherent understanding of their importance. Pressing issues can be correctly raised, evaluated and solved by top-down management, reducing downtime, disruption and the associated costs.

6. Broadened horizons

If you look at a CIO’s job description, you’ll see requirements like:

  • Create business value through technology.
  • Strategic planning of business growth objectives.
  • Ensure tech systems and procedures lead to outcomes in line with business goals.
  • Oversee the development of customer service platforms.
  • Manage IT and development team personnel.
  • Approve vendor negotiations and IT architecture.
  • Information risk management.
  • Establish IT policies, strategies, and standards.
  • Develop and approve technology futures and budgets.

Beneath the IT-specific language, these are all essential skills for a board member to have. Without IT leadership present at board level, these are skills you’re missing out on.

But specific skills aren’t the only thing boards with no IT representation miss out on. Thanks to their unique mindset, a proven business executive with a vast knowledge of Information Technology and its application can challenge assumptions and find opportunities in overlooked areas.

Why do so few businesses have IT leadership on their board?

Based on all these factors, you may assume every business has IT leadership at board level. However, you’d be wrong.

For a start, most IT support providers lack a mature enough offering to include true board-level assistance. This makes it nearly impossible for businesses who outsource their IT to have IT present on their board. (IT support providers with this level of ability do exist, but they’re rare.)

Many businesses also still ‘tolerate’ IT, rather than seeing its value-enhancing potential.

However, the most common reason IT doesn’t have board-level representation is that many businesses simply don’t have the budget to hire an IT specialist with board-worthy skills and experience.

You may realise the illogic in this excuse. While the salary may be large, it would likely be a fraction of the potential increase in revenue a savvy board can drive, let alone the potential at the bottom line. However, short-term costs are often a driver for many businesses, so they cannot see the value they’re missing out on.

But there’s a reason that excuse makes even less sense and it’s that, if you’re smart, getting the skills doesn’t cost a lot either.

Taking advantage of an outsourced service like a CIO on-demand service gives you access to exactly the same calibre of seasoned IT executive, without the costs, risks and hassle of hiring and leading an internal big hitter.
