Editor’s note: This article draws on insights from a CIO Dive live conversation between Editor Roberto Torres and City of Santa Monica’s Feroz Merchhiya. You can watch the session on-demand.
High-profile incidents, escalating threats, and cascading impacts have heightened the C-suite’s awareness of the dangers of poor security and resiliency practices.
“Fortunately — or unfortunately — discussions around security and technology investment are becoming relatively easier,” Feroz Merchhiya, CIO at the City of Santa Monica, said during a CIO Dive live event Wednesday.
Nearly 9 in 10 IT decision-makers expect their security budgets to increase in the next year. Of those, 14% expect a budget bump of at least 15%, according to an ETR survey published in May. Cybersecurity is also a top priority for enterprise upskilling efforts and a fixture of generative AI plans.
Merchhiya joined the City of Santa Monica in July and previously held a dual CIO-CISO title at the City of Glendale in Arizona. During his four-year stint, Merchhiya said a monthslong stretch of events illustrated the value of and need for investment in security best practices.
In 2023, the city hosted Super Bowl LVII, the debut of Taylor Swift’s Eras Tour, and Beyoncé’s Renaissance Tour, creating a target-rich environment due to the influx of fans and tourists. Leaders were already on high alert because of cyber-attacks targeting local utility services.
Most CIOs don’t have to look far for the real-life implications of lackluster security. Although the C-suite is more informed about risks, tech leaders still need to demonstrate and maximize the value of cybersecurity investments.
“The overall requirement of operational resiliency and having the technology to support that resiliency doesn’t change whether you’re in the public or private sector,” Merchhiya said.
3 lessons: take stock, find gaps, show value
Even with heightened awareness and focus on cybersecurity, leaders are still accountable for making the most out of their resources.
“You have to be mindful of every dollar you spend, and in my mind, there’s no secret sauce to figuring out how to maximize the value,” Merchhiya said. It starts with being realistic about what the business needs.
“Look at your available assets, see what they deliver for you,” Merchhiya said. “Because as a technologist, we do get attracted and enamored by new and emerging technology.”
There’s a time and place for introducing emerging tech, but that shouldn’t be the automatic next move. Cross-referencing tools to use cases will help uncover gaps and app sprawl. The process will also assist in determining whether a new tool or technology is necessary.
“There are a lot of things that can be handled by simple, basic cybersecurity hygiene,” Merchhiya said.
While C-suite leaders craft goals, tech leaders are tasked with knowing how to get the organization’s tech stack to that next level. Sometimes it requires an internal culture shift that CIOs can shepherd.
Engaging the C-suite can take different forms, from highlighting market changes or challenges as they arise to building relationships. Organizations with a legacy mindset, characterized by a reluctance to change, will require more coaxing if policies or practices should be updated.
“Education goes a long way when you go back during budget conversations and ask for investment because they understand the context,” Merchhiya said.
Tying investments back to an ROI analysis will also present a stronger argument for more resources. Tech leaders should work to clearly understand and explain how tools or capabilities prevented breaches, mitigated risks, or expedited recovery.
“Each organization will have those opportunities in the context of their operating environment, and they have to do that,” Merchhiya said. “But it’s a concerted effort to spend time presenting that benefit so that your business partners can understand what your investment is delivering.”