Editor’s note: This article draws on insights from a CIO Dive live conversation between CIO Dive Editor Roberto Torres and City of Santa Monica’s Feroz Merchhiya. You can watch the session on-demand.
High-profile incidents, escalating threats and cascading impacts have raised the C-suite's awareness of the perils of poor security and resiliency practices.
“Fortunately — or unfortunately — discussions around security and technology investment are becoming relatively easier,” Feroz Merchhiya, CIO at the City of Santa Monica, said during a CIO Dive live event Wednesday.
Nearly 9 in 10 IT decision-makers expect their security budgets to increase in the next year. Of those, 14% expect a budget bump of at least 15%, according to an ETR survey published in May. Cyber is also a top priority for enterprise upskilling efforts and a fixture of generative AI plans.
Merchhiya joined the City of Santa Monica in July and previously held a dual CIO-CISO title at the City of Glendale in Arizona. A monthslong stretch of events during his four-year stint there illustrated the value of, and need for, investment in security best practices, Merchhiya said.
In 2023, the city hosted Super Bowl LVII, the debut of Taylor Swift’s Eras Tour and Beyoncé's Renaissance Tour. The influx of fans and tourists created a target-rich environment, and leaders were already on high alert because of cyberattacks around the country targeting local utility services, Merchhiya said.
Most CIOs don’t have to search far for the real-life implications of lackluster security. Though the C-suite is far more informed about risk, tech leaders still have to show — and maximize — the value of cyber investments.
“The overall requirement of operational resiliency and having that technology to support that resiliency doesn't change whether you're in public or private sector,” Merchhiya said.
3 lessons: take stock, find gaps, show value
Even with heightened awareness and focus on cyber, leaders are still accountable for making the most out of their resources.
“You have to be mindful of every dollar you spend, and in my mind, there’s no secret sauce to figuring out how to maximize the value,” Merchhiya said. But it starts with being realistic about what the business needs.
“Look at your assets that you have available, see what they deliver for you,” Merchhiya said. “Because as a technologist, we do get attracted and enamored by new and emerging technology.”
There’s a time and place for introducing emerging tech, but that shouldn’t be the automatic next move. Cross-referencing tools to use cases will help uncover gaps and app sprawl. The process will also assist in determining whether a new tool or technology is necessary.
“There are a lot of things that can be handled by simple, basic cybersecurity hygiene,” Merchhiya said.
While C-suite leaders craft goals, tech leaders are tasked with knowing how to get an organization's tech stack to that next level. Sometimes it requires an internal culture shift that CIOs can shepherd.
Engaging the C-suite can take different forms, from highlighting market changes or challenges as they arise to building relationships. Organizations that have a legacy mindset, which Merchhiya characterized as a reluctance to change, will require more coaxing if policies or practices should be updated.
“Education goes a long way when you go back in during budget conversations and ask for investment, because they understand the context,” Merchhiya said.
Tying investments back to an ROI analysis will also present a stronger argument for more resources. Tech leaders should work to clearly understand and explain how tools or capabilities prevented breaches, mitigated risks or expedited recovery.
“Each organization will have those opportunities in the context of their operating environment, and they have to do that,” Merchhiya said. “But it’s a concerted effort to have to spend time in presenting that benefit … so that your business partners can understand what your investment is delivering.”