CISOs and CIOs confront growing data protection challenges in the era of AI and cloud  

Keepit has released a study based on in-depth interviews and a survey conducted by Foundry, which both reveal critical gaps in Disaster Recovery strategies and highlight the pressing need for enhanced data security measures. 

In an evolving technological landscape, enterprise IT leaders are grappling with unprecedented challenges in data protection and governance, driven by the rapid adoption of cloud applications and Generative AI. 

The CISOs and CIOs interviewed by Keepit for the study, ‘The great balancing act: Cybersecurity leaders tackle rising pressures’, spoke to the necessity of rising to the challenge by adopting a mindset of continuous improvement. They are building collaborative best practices, partnering to bring in needed expertise and investing in data-centric solutions optimised for security and simplicity.

Data protection struggles amid cloud and AI expansion

Enterprise Disaster Recovery strategies, traditionally designed for on-premises IT infrastructure, are lagging behind the surge in cloud application usage and the integration of AI technologies. Foundry’s survey, ‘Can data protection keep pace with the shifting landscape?’, underscores this trend.

The respondents of the survey represent IT decision-makers from companies with over 1,000 global employees. While 70% of respondents report that their financial applications are covered by data protection strategies, a significant portion of other key systems and custom applications remain vulnerable.

Survey highlights

  • Financial systems: 70% are covered by data protection strategies
  • E-commerce and HR management systems: 50% are covered
  • CRM and ERP systems: 48% and 42% respectively
  • Critical transaction-based systems, custom applications, and collaboration and productivity tools: lagging behind, with only between a quarter and a third of systems covered

“Anything related to finance is important, most people will agree. And it’s an obvious place to start when you map your critical systems and data. The survey shows that financial systems are by far the most incorporated in data protection strategies, and when you look at verticals, financial institutions are also a little more mature than others,” said Kim Larsen, CISO at Keepit.

Strategic gaps and vulnerabilities

The survey reveals that only half of the organisations have incorporated cloud-stored SaaS data into their Disaster Recovery plans. Another 40% plan to address this gap soon. A decision-maker participating in a recent Keepit CISO roundtable remarked: “We solved many of these challenges 10 to 15 years ago, but with the move to cloud, it’s like we’re starting from scratch again.”

The current state of data protection is also seen as a significant barrier to expanding the use of Generative AI technologies.

Strategic gaps:

  • Critical SaaS data applications: 50% of respondents have included cloud-stored data for critical SaaS applications in their Disaster Recovery plans, and 40% plan to do so
  • AI data protection: Nearly all organisations prioritise AI data protection, with 52% already implementing tools for chatbots and AI platforms and 43% considering them

“Good data protection is essentially ‘data classification plus good recovery capabilities’: If you understand your data, and can recover uncorrupted versions of it fast, you have a solid foundation to ensure business continuity, compliance and recovery. But this is easier said than done: The complexity of implementing new initiatives, such as governance over data used by large language models (LLMs), and the need to balance conflicting IT demands, pose additional challenges for any industry,” added Larsen.

Compliance and future-proofing

Compliance is a top concern for 73% of survey respondents heading into 2024, with data governance (53%) and enterprise backup and recovery (45%) also ranking high. Regulatory scrutiny is increasing globally, with mandates from agencies like the SEC in the US and the upcoming Digital Operational Resilience Act (DORA) in the EU.

Compliance challenges:

  • Regulatory mandates: New cybersecurity resilience requirements
  • Cybersecurity risks: Continued threats, notably ransomware

“Cyber strategy must be perfectly aligned with the business to effectively support it. The more global an organisation becomes, the more difficult this is – to align access and comply with regulations. This is backed up in our study, where CISOs emphasised the need for a unified risk management strategy that aligns with regional regulatory requirements,” said Larsen. 

Organisational maturity and risk management

Keepit’s interviews with over 30 CISOs and CIOs reveal the importance of organisational maturity in handling data security. The variability in CISOs’ backgrounds and responsibilities was cited as a reason for the slow implementation of data-focused innovations.

Key findings:

  • Cloud flexibility: 80% of organisations adopt a ‘cloud smart’ approach, introducing new security and compliance challenges
  • Regulatory and expertise challenges: The rise of GenAI and the need for specialised knowledge in AI and cybersecurity

“One thing stands out: organisations have very different levels of maturity. A lot of the governance activities are so obvious, you would think everyone is doing them,” added Larsen. “But they aren’t. Classic difficulties include managing multiple security vendors, leading to gaps in protection. Another is circumstances – one CISO told us how he had experienced five major cyber events in the previous year, prompting a complete overhaul of their cyber response plan.”

Strategies for success

CISOs and CIOs are adopting continuous improvement mindsets, building collaborative best practices and investing in data-centric solutions. Establishing effective data governance frameworks and engaging the board of directors are seen as crucial steps forward.

Strategic recommendations:

  • Align with business objectives: Frame cybersecurity in the context of business goals
  • Translate technical concepts: Communicate in terms stakeholders understand
  • Demonstrate ROI: Highlight cost savings, risk reductions, and business benefits
  • Board engagement: Seek feedback and support from the board for cybersecurity initiatives

“The conclusion is that data protection remains a cornerstone of organisational resilience in the face of growing technological advancements. As CISOs and CIOs navigate these challenges, their ability to enable and protect data-driven innovation will define their success. Robust data security and backup strategies are essential for balancing innovation and protection, ensuring that organisations can thrive in the digital age. Effective communication of cyber-risks to stakeholders and demonstrating the ROI of cybersecurity initiatives are critical,” said Larsen.
