Digital transformation has accelerated, but funding the associated culture change doesn’t seem to be much of a priority for IT leaders. That discovery came out of Red Hat’s Global Tech Outlook 2021 research, a July-September 2020 survey of 1,470 IT professionals, mostly from companies with more than $100 million in annual revenue, representing a mix of Red Hat customers and a broader industry panel.
Do the other non-IT funding priorities seem more logical?
For the most part, yes. In fact, even though culture change was seen as a very low priority, technical skills training, people and process skills training, and IT/developer hiring and retention were all seen as top non-IT funding priorities, edged out only by funding for a digital transformation strategy itself. Even if the important-but-harder-to-neatly-pigeonhole culture change isn’t much of a budget priority, other people-related budget items are. So, perhaps there’s a concern that IT leaders are overly focused on the tangible and specific, but they do seem to be prioritizing people overall.
The IT funding priorities generally make sense too. Notably, IT security tops the list, with 45 percent saying that it was their top priority. Perhaps that’s not really surprising – at least until you consider that security has historically often been underfunded and under-prioritized but there’s quite a bit of evidence here and elsewhere that a shift may be underway.
Let’s consider some other security-related data.
Improved security (32 percent) was edged out by improved efficiencies (37 percent) when it came to the outcomes the IT leaders expected from their funding priorities. Perhaps there’s a reasonable belief that some of the security spend will effectively go to keeping things from getting worse as the threat landscape gets ever more dangerous.
They also recognize security and compliance as a top barrier to being successful in their digital transformations (although it’s barely edged out by integration issues).
[ Get exercises and approaches that make disparate teams stronger. Read the digital transformation ebook: Transformation Takes Practice. ]
A closer look at IT leaders' security concerns
Security is a broad term. Other questions probed at the details.
For example, when we asked why many organizations were running at least some applications on-premises, data privacy and data security (each at 39 percent) topped the list of reasons.
It’s probably worth observing that running on-premises isn’t necessarily more secure – the large public cloud providers have a great deal of expertise and make large investments in securing their datacenters and the software that runs in them. Nonetheless, many IT leaders prefer the at least perceived degree of control over and visibility into running particularly critical workloads internally.
[ Learn more about hybrid cloud strategy. Get the free eBooks, Hybrid Cloud Strategy for Dummies and Multi-Cloud Portability for Dummies. ]
Among those who prioritize funding of security over other purposes, network security came out on top (42 percent), closely followed by both cloud security and data protection/privacy/sovereignty. 30 percent of respondents also identified “threat detection and response” as a leading priority.
Security was also a highlight of the results from Red Hat’s 2021 The State of Enterprise Open Source report, which identified security as a top benefit of enterprise open source, along with closely related attributes such as “higher quality software” and the “ability to safely leverage open source technologies.” This survey was based on interviews with 1,250 IT leaders worldwide.
Furthermore, 87 percent saw enterprise open source as “more secure” or “as secure” as proprietary software and 84 percent indicated that enterprise open source “is a key part of my organization’s security strategy.”
Takeaways about security funding and IT priorities
What does all this data tell us? I draw a few overarching considerations.
Security funding is more of a priority than it used to be, but at least some of that funding is going into just not falling behind. That said, an increased awareness of issues such as software supply chain security – understanding the provenance of and vulnerabilities associated with dependencies such as libraries – represents a significant step towards mitigating them.
While not as high a technology funding priority as security on its own, operations automation is still about middle of the pack – and higher up, in fact, than application development. This is significant because automation, starting as early in the development pipeline as possible – “shifted left,” as it’s often described – is an essential part of developing secure software. This applies to not just automating security tools like scanners, but automating configurations and tests so that lack of consistency doesn’t lead to security holes.
Finally, we’ve seen a sea change in how IT leaders regard enterprise open source with respect to security. Go back not that many years and many fretted about open source security because attackers could see the source code. They reasoned that you don’t publish the detailed specs of your alarm system, even if you think it’s pretty solid.
But the analogy doesn’t really carry over to software, given that so many successful attacks are the result of blind probing for weaknesses. Even if many eyes on the code isn’t always a clear benefit either (and sometimes there really aren’t that many eyes), it’s now clear that many leaders view enterprise open source as at least as secure as its proprietary counterparts.
[ How can automation free up more staff time for innovation? Get the free eBook: Managing IT with Automation. ]