Data breaches have reached an all-time high forcing Boards ramp up investment in data security and privacy. GDPR compliance is also biting as companies rush to adjust despite the rule change that was years in the making.

The figures are contained in the latest 2018 Harvey Nash/KPMG CIO Survey.

The study, which is reportedly the largest IT leadership survey in the world, analysed the responses of organisations with a combined annual cyber security spend of up to US$46bn.

It found that almost a quarter (23 per cent) more respondents than in 2017 are prioritising improvements in cybersecurity as cybercrime threats reach an all-time high.

No wonder. The study found that only one fifth (22 per cent) of CIOs agreed they are well-prepared for a cyber attack. Those threats are also more sophisticated than in the past. Organised cybercrime was identified by 77 per cent of IT leaders as the area of most concern, up from 71 per cent last year. 

“The seeming inevitability of a cyber attack crosses all borders and has now crossed firmly over the threshold for board-level discussions,” said Akhilesh Tuteja, Global Cyber  Security Services Co-Leader, KPMG International. “Protecting the business from a cyber attack has jumped further up the boardroom agenda than any other item and IT leaders are being encouraged to make their defenses the best that they can be.” 

Meanwhile, managing operational risk and compliance has also become a significantly increased priority (up 12 per cent) and now represents the fastest growing IT priorities of company boards.

We asked Bridget Gray, managing director of executive recruiter Harvey Nash Australia, about the extent to which she believes boards now understand the risk of poor data governance practices as it relates to customer experiences and not just compliance.

Many of the prevailing views remain… unreconstructed.

According to Gray, “My observation is that many Boards still equate data governance with privacy compliance. Only a few would consider data practices a potential for competitive advantage.”

Bridget Gray, Harvey Nash Australia managing director.

This less than nuanced view of the importance of data and privacy is also reflected in the local view of GDPR, which at best might be said to be still evolving.

Gray told Which-50, “GDPR is likely to be known by an Australian Board, and most members of the board would have a general, high-level idea of what it’s about. However, very few Boards would understand what this means today for Australian companies (especially those operating in Europe) and what it is likely to mean for Australia, when the new open banking/consumer data rights regulations come into force.”

“And once again,” she said, “Most boards and senior executives would consider this a matter of compliance. Very few would turn the raised awareness of consumers into a competitive advantage.”

The survey says companies recognise an effective digital strategy is critical to successful data security, but many companies report they are still struggling. Nearly 80 per cent said that their digital strategy is only moderately effective, or worse.

To what extent then are boards treating digital as an issue they need to understand themselves as opposed to relegating it to “technology project status”

Gray again, “Most Boards would now recognise that their digital agenda is more than an IT project. Many have declared ambitious digital programs, but few deliver to expectations.”


In recent years the Harvey Nash/KPMG has revealed two trends that might now start to come into conflict. The first is the emergence of the chief digital officer as an executive function. And the second is the re-emergence of CIOs into the digital debate – IT was sideline for much of the first wave of digital transformation with business leaders using software as a service to bypass both IT and capital expenditure hurdles.

So what are the relative merits and complexities of each?

According to Gray, when a dedicated Chief Digital Officer joins an organisation, the clarity of their mandate is critical. “This is not only to clarify the commitment to the digital agenda, but also to avoid the CDO being potentially perceived as a potential threat to their peers. We are continuing to see the appointment and promotion of digital leaders, however, the only way a digital agenda can be truly successful, is if the CEO personally sponsors the effort and transformation agenda.”

Meanwhile, when it comes to technology leadership she says, “If the CIO leads the digital agenda, it requires the CIO to have a fundamental rethink of his/her role and the way they are positioning themselves at an executive level and their interaction with the board.”

Take the example of Ballance Agri-Nutrients, a New Zealand coop that specialises in providing farmers with a full range of science-backed nutrient products. It has very recently changed both the title and reporting line of its CIO David Scullin. He is now the companies chief digital officer reporting to the CEO. He previously reported to the CFO.

David Scullen, chief digital officer, Ballance Agri-Nutrients

The evolution of his role “reflects the strategic priorities of digital in the company,” he told Which-50.

“We are undergoing a sea-change in the world today where digital technologies and digital innovation are becoming so important. Digital is approaching exponential growth levels and it’s becoming critical to the delivery of the company business strategy,” Scullen said.

Trust me

According to the authors of the report,  data trust and privacy threats continue to hold the attention of CIO, However, and somewhat remarkably, despite years of advanced warning on GDPR, almost 40 per cent of those surveyed in April this year said they would not be GDPR compliant in time to meet the deadline (which passed on May 25).

The report suggests trust is the new battleground for IT as organisations struggle to manage the revenue-driving potential of utilising customer data with the need for privacy and security. “Those businesses managing this balance most effectively (customer-centric organisations) are 38 per cent more likely to report greater profitability than their competitors. However, the drive towards protecting data has caused a huge demand for ‘security and resilience’ skills, which experienced the biggest jump in skills shortages, increasing 25 per cent year-on-year,” say the authors.

A move towards digital platforms and solutions is proving a huge challenge for CIOs. While organisations recognise an effective digital strategy is critical to successful data security, many report they still struggle – with 78 per cent stating that their digital strategy is only moderately effective, or worse. More than a third of companies (35 per cent) can’t hire and develop the people they need with digital skills. And almost one in ten (9 per cent) think that there is no clear digital vision or strategy at all.

To help with digital success, chief digital officers (CDOs) are proving their worth. Organisations with a CDO, either in a dedicated or acting role, are over twice as likely to have a clear and pervasive digital strategy than those without one (44 per cent versus 21 per cent). The report also shows that the most influential and successful organisations are fanatical about delivering value both to and from their customers – ‘Customer centric’ organisations are 38 per cent more likely to report greater profitability than their competitors.

Big data and analytics remain the most in-demand IT skills at half the organisations surveyed. According to the study, two thirds (65 per cent) say skills shortages are preventing them from keeping up with the pace of change. 


The industry appears to be significantly divided on the extent to which diversity matters to business success. There are more of IT executives  (24 per cent) who say inclusion and diversity have no bearing on achieving business and technology objectives than there are women working on IT teams (22 per cent). Forty-seven (47 per cent) report it has some influence and 30 percent say inclusion and diversity impacts business and technology objectives to a great extent.

Previous post

Why Macquarie Bank’s digital team only plans three months ahead

Next post

CASE STUDY: Accent Group turned its stores into distribution centres to drive growth

Join the digital transformation discussion and sign up for the Which-50 Irregular Insights newsletter.