Protiviti's 2013 IT Priorities Survey

2013 IT Priorities Survey: Mobile Commerce, Social Media, Data Management and Business Continuity Dominate the Agendas of IT Departments

Upload: protiviti

Post on 22-Jan-2015


Category: Technology



DESCRIPTION

Protiviti’s 2013 IT Priorities Survey is designed to help CIOs and IT professionals classify areas in need of attention so that they can better execute the function’s strategic mandate. The survey’s findings and our accompanying analysis should help CIOs and their teams as they assess their own priorities and key areas of focus for 2013. Benchmark yourself against your peers or listen to our in-depth discussion of the survey findings in a recently recorded webinar at www.protiviti.com/ITsurvey.

TRANSCRIPT


  • 1 2013 IT Priorities Survey

    Introduction

    A cursory glance at nearly any information technology (IT) article, survey or report confirms that enterprises have plunged into the era of big data. Immersed in bits and bytes in today's modern IT environment, companies of all sizes express a growing hunger for the experience, processes and tools necessary to harvest this data into actionable information that drives decision-making and helps carve out competitive advantage.

    Satisfying this hunger falls, of course, to the IT function. Yet a more rigorous inspection of IT reveals a function awash in much more than data. The function's responsibilities, priorities and to-do lists continue to expand more broadly and more deeply every year (it almost appears as if IT's growing workload is governed by Moore's Law). Compare the results of Protiviti's inaugural IT survey from 2011 with the 2013 survey results, and it becomes apparent that the number of areas CIOs and IT professionals have ranked as priorities this year has increased significantly.

    Protiviti's 2013 IT Priorities Survey is designed to help IT professionals classify areas in need of attention so that they can better execute the function's strategic mandate. The survey's findings and our accompanying analysis should help CIOs and their teams as they assess their own priorities and key areas of focus for 2013.

    To that end, the survey results reveal trends and areas of priority that IT functions are currently addressing and planning for in response to what is happening in the market. These issues include:

    Mobile commerce: Numerous facets of mobile commerce management have emerged as major IT function focal points, including mobile commerce security, mobile commerce policy and mobile commerce integration. IT organizations are proactively looking to put into place more control and regimen around the management of mobile commerce and related new technologies.

    The management and classification of data: Data classification and management has become an overarching priority for IT functions as organizational information systems continue to generate more and more big data that must be managed in accordance with risk management, regulatory compliance management and performance management requirements. The more the IT function understands what comprises sensitive (i.e., valuable and/or high-risk) data, the more effective and cost-efficient the organization's data management capabilities will become.

    Social media: IT departments are investing significant time and resources to support the integration of social media and the governance of these technologies and related activities, which include social media programs for employees, customers and other external stakeholders.

    Business continuity: In the wake of several catastrophic natural disasters, IT functions are more mindful than ever of the need to plan for and respond to potential business disruptions and outages resulting from hacking, and to evaluate the location of their backup facilities.

    Risk management: ISO 31000 defines risk as "the effect of uncertainty on objectives." Given the uncertainty radiating from IT issues such as mobile devices, social media, cloud computing and new compliance requirements, among many others, it's no surprise that ISO 31000, as well as risk management in general, marks an area of IT function concern.

  • 2 2013 IT Priorities Survey

    IT infrastructure planning: Planning activities (specifically platform performance planning, storage management and planning, and network performance planning) represent key priorities for CIOs and their teams. These objectives point to an effort to make the IT function more agile in response to the accelerating pace of change.

    IT asset management: Given the proliferation of smartphones, tablets and similar devices, as well as the new applications and organizational data contained on these devices, IT functions have entered a brave new, highly mobile and increasingly risky world of asset management.

    Nearly 200 respondents, including CIOs, chief technology officers, chief security officers, and IT vice presidents and directors, participated in the study. Respondents answered more than 100 questions in three general categories: Technical Knowledge, IT Process Capabilities and Organizational Capabilities. (The IT Process Capabilities category contains several subcategories.) The IT executives and professionals who participated in our survey represent virtually all industry sectors, including consumer products, distribution, energy, financial services, healthcare, hospitality, manufacturing, retail, technology and utilities. More than half of the participants work in publicly traded companies; the other respondents work in private, government and nonprofit organizations. (Please note that, upon request, Protiviti can provide customized reports based on the results of respondents from specific groups: industry, company size, etc.)

    We would like to express our gratitude to all of the IT executives and professionals who participated in our survey. We look forward to sharing these results and the trends they reveal, and observing over the next year what new priorities may emerge that will change the landscape yet again for CIOs and their IT organizations.

    Protiviti February 2013

  • 3 2013 IT Priorities Survey

    Technical Knowledge

    Key Findings 2013

    Aspects of social media and mobile commerce represent major challenges and top priorities for many IT executives and professionals.

    Risk management (and ISO 31000, in particular) as well as specific compliance requirements, such as the European Union Data Directive, also rank as key priorities for IT departments.

    CIOs and their staffs intend to strengthen cybersecurity capabilities, in particular, given the growing threat of breaches as well as the quickly increasing number of state and federal information security compliance requirements.

    Overall Results, Technical Knowledge

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Social media security | 2.9
    2 | Mobile commerce security | 2.8
    3 | Mobile commerce policy | 2.8
    4 | Mobile commerce integration | 2.8
    5 | Social media integration | 2.9

    Respondents were asked to assess, on a scale of one to five, their competency in 21 areas of technical knowledge in IT, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of technical knowledge under consideration, see page 4.) Figure 1 depicts a comparison of "Need to Improve" versus "Competency" ratings in a Technical Knowledge landscape.

    IT functions are scrambling to deliver information, products and services via a growing number of platforms and devices in a secure, compliant, effective and cost-efficient manner to employees, customers, clients and other stakeholders. IT executives and professionals are juggling an imposing number of priorities, including integration, policy and security activities related to mobile commerce, social media and the smart devices more and more professionals use.

    While this push creates significant work, these demands hardly exist in isolation and must be addressed along with numerous other, slightly less pressing (for the moment) priorities, such as ISO 31000, various state data breach and privacy laws in the United States, the European Union Data Directive, and national cybersecurity directives, including guidance coming from the National Institute of Standards and Technology's (NIST's) Computer Security Division (CSD). There is significant pressure on organizations in the healthcare and financial services industries, in particular, to perform more risk management.

  • 4 2013 IT Priorities Survey

    Additionally, cloud computing and virtualization, enabling technologies that can greatly enhance IT's value to the business yet also pose risks that must be managed, remain areas IT functions are targeting for improvement (as respondents to our 2011 survey also noted). Virtualization's promise of delivering more consistent service as well as improvements to data security and privacy, business continuity management capabilities and overall business agility (i.e., the ability to quickly and securely scale operations up or down) remain alluring. As such, IT executives and professionals appear intent on strengthening their virtualization capabilities.

    Figure 1: Technical Knowledge Perceptual Map

    [Perceptual map. Horizontal axis: Need to Improve (lower to higher). Vertical axis: Degree of Technology Use (lower to higher). Plotted points are numbered 1 to 21 and keyed to the areas listed below.]

    Number | Areas Evaluated by Respondents
    1 | Social media security
    2 | Mobile commerce security
    3 | Mobile commerce policy
    4 | Mobile commerce integration
    5 | Social media integration
    6 | ISO 31000
    7 | Smart device integration
    8 | Social media policy
    9 | Cloud computing
    10 | Data breach and privacy laws (various U.S. states)
    11 | NIST (cybersecurity)
    12 | European Union Data Directive
    13 | ISO/IEC 27001/2
    14 | CISA
    15 | COBIT
    16 | Virtualization
    17 | CISSP
    18 | HITRUST CSF
    19 | PCI-DSS
    20 | FISMA
    21 | GSEC

  • 5 2013 IT Priorities Survey

    Key Questions to Consider:

    Can mobile commerce solutions be integrated effectively, efficiently and securely with your overall IT infrastructure and existing management tools?

    Does your IT function maintain and update clear mobile commerce and social media policies that clearly convey the acceptable use and security requirements of these capabilities to employees who engage in mobile commerce and/or social media activities? How are these policies monitored and audited?

    Is the overall state of your company's social media security sufficient? How can social media capabilities be integrated more extensively into appropriate business processes to deliver value?

    How can smartphones, tablets and similar devices be integrated into the normal flow of business in a more effective and secure manner?

    How robust are your information security measures? Are these measures applied differently depending on the sensitivity or importance of the data being processed and stored?

    Is your organization in compliance with all relevant industry standards for security and privacy as well as applicable laws and regulations?

    Does your organization have efficient systems and processes for monitoring the quality of compliance as well as processes for monitoring ongoing regulatory issues and anticipating new rules and regulations?

    Two-Year Comparison Overall Results, Technical Knowledge*

    2013 | 2011
    Social media security | Virtualization
    Mobile commerce security | Social media integration
    Mobile commerce policy | Cloud computing
    Mobile commerce integration | Social media security
    Social media integration | Mobile commerce security

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Mobile commerce issues (policies, security, integration) have emerged clearly as top priorities. Interestingly, challenges related to areas such as virtualization and cloud computing appear to have receded somewhat, perhaps suggesting a higher level of confidence within IT departments in managing these areas and the relationships with vendors potentially providing these capabilities. However, virtualization, cloud computing and related technologies remain significant areas of focus, especially in understanding how they can be leveraged.

  • 6 2013 IT Priorities Survey

    RESPONSES FROM IT EXECUTIVES [1]

    IT executives appear to place greater emphasis on cybersecurity. By rating NIST's cybersecurity developments among their top priorities, CIOs and other IT executives express a desire to ensure that their functions keep abreast of leading cybersecurity practices, guidance and requirements.

    IT Executive Results, Technical Knowledge

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Mobile commerce security | 3.0
    2 | Mobile commerce integration | 2.9
    3 (tie) | NIST (cybersecurity) | 2.8
    3 (tie) | Mobile commerce policy | 3.1
    5 | ISO 31000 | 2.4

    Two-Year Comparison IT Executive Results, Technical Knowledge*

    2013 | 2011
    Mobile commerce security | Social media integration
    Mobile commerce integration | Social media security
    NIST (cybersecurity) | Data breach and privacy laws (various U.S. states)
    Mobile commerce policy | Agile development
    ISO 31000 | COBIT
     | Cloud computing

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    [1] Includes responses from survey respondents with the following titles: chief information officer, chief information security officer, chief technology officer, chief privacy officer, chief security officer, IT vice president/director and IT audit vice president/director.

    Notable Trend

    Mobile commerce issues also have risen to the top of the priority list for IT executives, whereas in 2011 they did not crack the top five.

  • 7 2013 IT Priorities Survey

    IT Process Capabilities: Managing Security and Privacy

    Key Findings 2013

    Managing and classifying big data remains a major challenge for IT departments.

    IT functions are looking to improve several other security and privacy areas, including monitoring security events, incident response, and managing user identities and access, as well as compliance requirements and the management of third-party vendors.

    Overall Results, Managing Security and Privacy

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Managing and classifying enterprise data | 3.2
    2 | Incident response | 3.3
    3 | Monitoring security events | 3.2
    4 | Managing third-party vendors | 3.4
    5 (tie) | Managing user identities and access | 3.4
    5 (tie) | Implementing security/privacy solutions and strategies | 3.3

    Respondents were asked to assess, on a scale of one to five, their competency in 13 areas of process capabilities relating to managing security and privacy, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of managing security and privacy under consideration, see page 9.) Figure 2 depicts a comparison of Need to Improve versus Competency ratings in a Managing Security and Privacy landscape.

    There are two elements of managing data security and privacy. First, the data should be classified. Second, the data should be protected according to its classification. The most sensitive data in the organization warrants the strongest protection. Less sensitive data requires less protection (and therefore requires fewer resources to manage). Survey respondents identified this area, managing and classifying enterprise data, as their top priority in this category.

    They are wise for doing so; after all, companies in virtually every industry have invested large sums of money in an effort to get to know their customers and their customers' activities in order to personalize service to them. This knowledge requires companies to capture a wealth of data on a daily basis, and some of this big data is considered personally identifiable information. Organizations must understand how to classify, manage and secure that data, not only for the sake of their customers and clients, but also to remain in compliance with numerous privacy laws and regulations.

  • 8 2013 IT Priorities Survey

    Concerns over data classification and management also are driven by current and emerging laws and regulations. At least 46 of the 50 states in the United States currently have data privacy laws. In addition, many industries, including healthcare and financial services, have their own data privacy regulations. This explains why survey respondents also identified specific compliance requirements, such as the Gramm-Leach-Bliley Act (GLBA), California Security Breach Information Act and Health Insurance Portability and Accountability Act (HIPAA), as top priorities. Although each data security/privacy regulation features unique aspects and requirements, one of the consistent provisions that can be found in most, if not all, of them is that any person or organization holding private data and information is accountable if that information is breached.

    Incident response and security event management also are key areas of concern for IT executives and professionals. These challenges go hand-in-hand with data classification and management; clearly, the management and protection of data, confidential and otherwise, is critical for companies today, and IT functions are at the forefront of ensuring proper security.

    One more priority area, managing third-party vendors, bears mentioning. The importance as well as the complexity of this capability continues to increase as a) companies outsource and offshore more IT capabilities and functions; b) the nature of outsourcing relationships evolves (e.g., the use of hybrid models that blend aspects of shared services and traditional outsourcing); and c) new financial reporting, risk management (including business continuity management) and regulatory compliance requirements create additional relationship management needs and challenges.

  • 9 2013 IT Priorities Survey

    Figure 2: Managing Security and Privacy Perceptual Map

    [Perceptual map. Horizontal axis: Need to Improve (lower to higher). Vertical axis: Level of Competency (lower to higher). Plotted points are numbered and keyed to the areas listed below.]

    Number | Areas Evaluated by Respondents
    1 | Managing and classifying enterprise data
    2 | Incident response
    3 | Monitoring security events
    4 | Managing third-party vendors
    5 | Managing user identities and access
    6 | Implementing security/privacy solutions and strategies
    7 | U.S. Gramm-Leach-Bliley Act (GLBA)
    8 | Managing technical infrastructure configuration
    9 | Managing contractors
    10 | California Security Breach Information Act (SB 1386)
    11 | Managing application users
    12 | U.S. Health Insurance Portability and Accountability Act (HIPAA)
    13 | Managing IT users

  • 10 2013 IT Priorities Survey

    Key Questions to Consider

    What is your IT function's and your management team's understanding (e.g., excellent, good or limited) of what comprises sensitive organizational data and information?

    Is there a formal effort under way to define and classify the data the organization generates as part of its day-to-day operations? Is the organization clear about what information is sensitive or requires special attention, especially data that is regulated by privacy laws?

    Has specific responsibility or stewardship been assigned for the organization's most sensitive data types?

    Is the management of data conducted over its full lifecycle, from acquisition through retention (identifying the duration of retention) through disposal/destruction?

    Does your organization have a written information security policy (WISP) in place? Is it being implemented/executed?

    To what extent does the IT function, as well as the risk management and compliance areas of the business, monitor and anticipate regulatory changes related to information security and privacy?

    Are third-party vendors and contractors managed via a process that ensures they are in compliance with the organization's policies related to data security and privacy, as well as remaining in current compliance with all relevant laws and regulations?

    How are new vendors evaluated regarding their risk profile with required security standards?

    Two-Year Comparison Overall Results, Managing Security and Privacy*

    2013 | 2011
    Managing and classifying enterprise data | Managing and classifying enterprise data
    Incident response | California Security Breach Information Act (SB 1386)
    Monitoring security events | U.S. Gramm-Leach-Bliley Act (GLBA)
    Managing third-party vendors | Managing user identities and access
    Managing user identities and access | Managing third-party vendors
    Implementing security/privacy solutions and strategies | Incident response
     | Monitoring security events
     | Implementing security/privacy solutions and strategies

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trends

    In the two years of this study, managing and classifying enterprise data has stood out as a top priority for IT organizations.

    Specific laws identified among the top priorities in the previous study rank lower in the 2013 results, a possible indicator of less uncertainty regarding these requirements.

  • 11 2013 IT Priorities Survey

    RESPONSES FROM IT EXECUTIVES

    The responses for this category generally mirror those from the overall group with one exception: IT executives rank specific compliance requirements, including the GLBA and the California Security Breach Information Act, as more important Need to Improve areas compared to all survey respondents.

    IT Executive Results, Managing Security and Privacy

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Managing and classifying enterprise data | 3.4
    2 | Incident response | 3.7
    3 | U.S. Gramm-Leach-Bliley Act (GLBA) | 2.8
    4 | Monitoring security events | 3.6
    5 | California Security Breach Information Act (SB 1386) | 2.5

    Two-Year Comparison IT Executive Results, Managing Security and Privacy*

    2013 | 2011
    Managing and classifying enterprise data | Managing and classifying enterprise data
    Incident response | Managing user identities and access
    U.S. Gramm-Leach-Bliley Act (GLBA) | Managing third-party vendors
    Monitoring security events | Implementing security/privacy solutions and strategies
    California Security Breach Information Act (SB 1386) | Incident response

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trends

    For IT executives, managing and classifying enterprise data is a consistent top priority.

    Interestingly, unlike the overall findings, specific privacy-related laws and regulations have increased as priorities for 2013 compared to the 2011 results.

  • 12 2013 IT Priorities Survey

    IT Process Capabilities: Defining IT Strategy and Organization

    Key Findings 2013

    The IT function's top priorities in this category reflect a commitment to enhancing the clarity and precision with which IT performance is measured, monitored and reported to the business.

    IT professionals want to strengthen the customer service they provide to their internal customers (as laid out in service-level agreements).

    The integration and alignment of IT planning with business strategy remains an ongoing priority.

    IT Process Capabilities, Defining IT Strategy and Organization

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Defining metrics and measurements for monitoring IT performance | 3.1
    2 | Reporting IT activities and performance | 3.2
    3 | Negotiating, managing and monitoring information quality | 3.2
    4 | Negotiating, managing and monitoring customer service-level agreements (SLAs) | 3.2
    5 | Developing and maintaining enterprise information architecture | 3.1

    Respondents were asked to assess, on a scale of one to five, their competency in 16 areas of process capabilities relating to defining IT strategy and organization, with one being the lowest level of competency and five being the highest. For each area, they were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of IT strategy and organization under consideration, see page 13). Figure 3 depicts a comparison of Need to Improve versus Competency ratings in a Defining IT Strategy and Organization landscape.

    It wasn't long ago that many IT functions funneled significant effort to aligning IT planning with overall business strategy. Today, that alignment appears to have matured, and survey respondents indicate that they are applying more attention, resources and time (and much more precision) to executing the IT plan while managing performance in a highly transparent way.

    The top priority areas in this survey category (defining metrics and measurements for monitoring IT performance; reporting IT activities and performance; negotiating, managing and monitoring customer SLAs, among others) reflect less of an emphasis on designing and place much more importance on measuring, analyzing, and reporting IT's actual performance.

  • 13 2013 IT Priorities Survey

    Do these results indicate that IT strategy generally has achieved a more evolved and sophisticated state? Possibly. The findings suggest it is more certain that IT is demonstrating a commitment to transparency and a measurement mindset to help it convey its value to the business more clearly and on a more real-time basis.

    Figure 3: Defining IT Strategy and Organization Perceptual Map

    [Perceptual map. Horizontal axis: Need to Improve (lower to higher). Vertical axis: Level of Competency (lower to higher). Plotted points are numbered 1 to 16 and keyed to the areas listed below.]

    Number | Areas Evaluated by Respondents
    1 | Defining metrics and measurements for monitoring IT performance
    2 | Reporting IT activities and performance
    3 | Negotiating, managing and monitoring information quality
    4 | Negotiating, managing and monitoring customer SLAs
    5 | Developing and maintaining enterprise information architecture
    6 | Integration/alignment of IT planning and business strategy
    7 | Monitoring IT costs and benefits
    8 | Managing and monitoring policy exceptions
    9 | IT risk analysis and reporting
    10 | Long-term and short-term planning
    11 | Developing and maintaining end-user support policies and standards
    12 | Defining IT roles and responsibilities
    13 | Defining organizational placement of the IT function
    14 | Developing and maintaining operations management policies and standards
    15 | Monitoring and achieving legal/regulatory compliance
    16 | Developing and maintaining security and privacy standards

  • 14 2013 IT Priorities Survey

    Key Questions to Consider

    Is your IT department collaborating effectively with the business to manage shifting priorities in an agile manner?

    To what extent are CIOs and the IT leadership team collaborating with the business to proactively identify potential business opportunities and threats that require IT support?

    Are the expectations of C-suite and business-unit executives with regard to IT consistent with how technology is funded and managed?

    Does IT have visibility into strategic events planned in the near or long term, such as mergers or acquisitions, initial public offerings, divestitures or business expansions?

    What metrics are used to measure the quality of work being performed by IT?

    How effective and timely are the quantifiable metrics and/or key performance indicators IT shares with the business regarding IT's ongoing performance?

    Is there a process in place to monitor the effectiveness of IT performance measurement/management activities?

    How are customer SLAs monitored, managed and continuously improved?

    Two-Year Comparison Overall Results, Defining IT Strategy and Organization*

    2013 | 2011
    Defining metrics and measurements for monitoring IT performance | Communication of strategy and governance
    Reporting IT activities and performance | Defining metrics and measurements for monitoring IT performance
    Negotiating, managing and monitoring information quality | Monitoring and achieving legal/regulatory compliance
    Negotiating, managing and monitoring customer SLAs | Developing and maintaining enterprise information architecture
    Developing and maintaining enterprise information architecture | Performing and maintaining the IT risk assessment

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trends

    While defining metrics and measurements for monitoring IT performance has ranked as a top priority area in both studies, there are more performance management-related areas that rank as priorities in the 2013 findings.

    Of note, legal and regulatory compliance, which was among the top priorities for IT functions in 2011, falls near the bottom of the 2013 priority list in this category.

  • 15 2013 IT Priorities Survey

    RESPONSES FROM IT EXECUTIVES

    The results from IT executives generally mirror the study's overall response in this category.

    IT Executive Results, Defining IT Strategy and Organization

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Reporting IT activities and performance | 3.5
    2 | Defining metrics and measurements for monitoring IT performance | 3.4
    3 | Negotiating, managing and monitoring information quality | 3.5
    4 | Negotiating, managing and monitoring customer SLAs | 3.6
    5 (tie) | Developing and maintaining enterprise information architecture | 3.4
    5 (tie) | Managing and monitoring policy exceptions | 3.5

    Two-Year Comparison IT Executive Results, Defining IT Strategy and Organization*

    2013 | 2011
    Reporting IT activities and performance | Defining metrics and measurements for monitoring IT performance
    Defining metrics and measurements for monitoring IT performance | Communication of strategy and governance
    Negotiating, managing and monitoring information quality | Performing and maintaining the IT risk assessment
    Negotiating, managing and monitoring customer SLAs | Developing and maintaining enterprise information architecture
    Developing and maintaining enterprise information architecture | Negotiating, managing and monitoring customer SLAs
    Managing and monitoring policy exceptions | Negotiating, managing and monitoring information quality

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Areas related to performance management, topped by reporting IT activities and performance, have risen as key priorities for IT executives since the last survey.

  • 16 2013 IT Priorities Survey

    IT Process Capabilities: Managing IT Infrastructure

    Key Finding 2013

    Planning related to platform and network performance, along with storage management and planning, stand out as top concerns.

    Overall Results, Managing IT Infrastructure

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Platform performance planning | 2.8
    2 | Storage management and planning | 2.8
    3 | Network performance planning | 2.8
    4 | Managing and maintaining job processing | 3.2
    5 | IT infrastructure change management | 3.3

    Respondents were asked to assess, on a scale of one to five, their competency in nine areas of process capabilities relating to managing IT infrastructure, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of managing IT infrastructure under consideration, see page 17.) Figure 4 depicts a comparison of Need to Improve versus Competency ratings in a Managing IT Infrastructure landscape.

    Data management qualifies as an overarching need among most companies as they collect, store and transmit vast and rapidly growing amounts of data. Executive teams and boards of directors want assurance that sensitive information not only is secure, but also is stored in a cost-efficient and effective manner, thus maximizing the organization's investment in the data and storage capabilities. In addition, these capabilities must be compliant with e-discovery and records management requirements. In response, IT executives and professionals indicate their functions are addressing a number of issues associated with platform performance and storage management, including what information can be collected and maintained, how the information should be stored, how and where information can be transmitted, and what required actions should be initiated in the event of a security breach and/or a break in continuity.

    It is noteworthy that each of the three top priorities respondents identified involves planning activities. These rankings suggest IT functions are striving to become more agile. While it remains absolutely necessary today to achieve effective platform performance, storage management and network performance, this achievement alone is not sufficient. IT functions also appear intent on strengthening these planning capabilities so that they are flexible and agile enough to support rapidly changing business needs in the future.

  • 17 2013 IT Priorities Survey

    Figure 4: Managing IT Infrastructure Perceptual Map

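    [Perceptual map: horizontal axis is Need to Improve (lower to higher); vertical axis is Level of Competency (lower to higher). Plotted points are numbered 1 through 9 and correspond to the areas listed in the accompanying table.]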

    Number | Areas Evaluated by Respondents | Number | Areas Evaluated by Respondents
    1 | Platform performance planning | 6 | Database change management
    2 | Storage management and planning | 7 | Managing and administering backup and recovery
    3 | Network performance planning | 8 | Operating system change management
    4 | Managing and maintaining job processing | 9 | Managing data center environmental controls
    5 | IT infrastructure change management | |

  • 18 2013 IT Priorities Survey

    Key Questions to Consider:

    How is your IT function working to ensure that platform performance, storage management and network performance capabilities are agile enough to support sudden business shifts quickly and effectively in response to new threats and new opportunities?

    To what extent does this work extend to vendors responsible for handling and storing corporate data?

    Do current storage management capabilities support and align with the ways in which the IT function classifies, manages and protects organizational data?

    Has your organization conducted a risk assessment that identifies the nature of information collected, where it is stored, and how and where it is transmitted?

    Has your company established data protection policies that are monitored and enforced throughout the organization?

    How is the IT department addressing the business's expectations of increasingly faster and increasingly reliable network performance?

    Two-Year Comparison Overall Results, Managing IT Infrastructure*

    2013 | 2011
    Platform performance planning | Storage management and planning
    Storage management and planning | Network performance planning
    Network performance planning | Database change management
    Managing and maintaining job processing | Platform performance planning
    IT infrastructure change management | IT infrastructure change management
     | Operating system change management

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Results are relatively consistent between the two surveys, though managing and maintaining job processing rose to the top five list of priorities in this year's study.

  • 19 2013 IT Priorities Survey

    RESPONSES FROM IT EXECUTIVES

    The results from IT executives generally mirror the study's overall response in this category, with one exception: CIOs and other senior IT leaders rank database change management as a slightly higher improvement need compared to all respondents.

    IT Executive Results, Managing IT Infrastructure

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Platform performance planning | 3.3
    2 | Storage management and planning | 3.4
    3 | Network performance planning | 3.4
    4 | Database change management | 3.7
    5 | Managing and maintaining job processing | 3.8

    Two-Year Comparison IT Executive Results, Managing IT Infrastructure*

    2013 | 2011
    Platform performance planning | IT infrastructure change management
    Storage management and planning | Database change management
    Network performance planning | Managing and administering backup and recovery
    Database change management | Network performance planning
    Managing and maintaining job processing | Managing and maintaining job processing
     | Managing data center environmental controls
     | Operating system change management
     | Storage management and planning

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Platform performance planning is elevated to the top of the priority list for IT executives in 2013 (this area ranked ninth in the previous survey), while IT infrastructure change management dropped out of the top five priorities.

  • 20 2013 IT Priorities Survey

    IT Process Capabilities: Managing IT Assets

    Key Findings 2013

    Monitoring and accounting for IT assets has grown more complex due to smart-device proliferation, "bring your own device" policies, growing workforce mobility and the IT function's reliance on external partners.

    Survey respondents ranked monitoring IT assets, accounting for IT assets and monitoring external SLAs as their top priorities.

    Overall Results, Managing IT Assets

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Monitoring IT assets | 3.1
    2 | Accounting for IT asset management | 3.1
    3 | Monitoring external SLAs | 3.2
    4 | Monitoring and reviewing contracts/billings | 3.3
    5 | Managing hardware maintenance agreements | 3.1

    Respondents were asked to assess, on a scale of one to five, their competency in 14 areas of process capabilities relating to managing IT assets, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of managing IT assets under consideration, see page 21.) Figure 5 depicts a comparison of Need to Improve versus Competency ratings in a Managing IT Assets landscape.

    The findings suggest IT functions are searching for ways to address a brave new world of asset management. No longer tethered to desks or on-site servers, more and smaller IT assets zip around the world in the briefcases, backpacks and pockets of increasingly mobile employees. The days of assigning bulky desktops are long gone; today, employees access organizational data and applications through tablets, smartphones, netbooks and other mobile devices. Moreover, employees are accessing enterprise networks through their own devices thanks to a growing number of organizations with "bring your own device" (BYOD) policies.

    Given the growing complexity of IT asset management, it is understandable to see monitoring IT assets, accounting for IT asset management and managing IT asset retirement (as a result of employees leaving the company and/or the company's adoption of next-generation devices) as top priorities in the results.

  • 21 2013 IT Priorities Survey

    IT professionals and IT executives, in particular, also indicated they want to improve asset management activities dependent on external relationships, as noted in higher-ranked Need to Improve areas such as monitoring external SLAs, monitoring and reviewing contracts/billings, and managing software licensing and compliance.

    Given the growing reliance on cloud computing and external vendor support as well as the proliferation of smart devices among an increasingly mobile workforce, it is clear that the challenge of achieving effective IT asset management is intensifying.

    Figure 5: Managing IT Assets Perceptual Map

    Number | Areas Evaluated by Respondents | Number | Areas Evaluated by Respondents
    1 | Monitoring IT assets | 8 | Managing software licensing and compliance
    2 | Accounting for IT asset management | 9 | Managing contract analysis and renewal
    3 | Monitoring external SLAs | 10 | Determining outsourcing strategy and approach
    4 | Monitoring and reviewing contracts/billings | 11 | Managing audit process (SAS 70, SSAE 16, others)
    5 | Managing hardware maintenance agreements | 12 | Software deployment
    6 | Managing IT asset retirement - employee/contractor termination | 13 | Negotiating and establishing agreements
    7 | Managing IT asset retirement - IT asset refresh | 14 | Hardware deployment

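    [Perceptual map: horizontal axis is Need to Improve (lower to higher); vertical axis is Level of Competency (lower to higher). Plotted points are numbered 1 through 14 and correspond to the areas listed in the accompanying table.]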

  • 22 2013 IT Priorities Survey

    Key Questions to Consider

    What processes does the IT organization have in place to monitor IT assets in a risk-savvy manner?

    What is the IT function's role in accounting for IT asset management and how can it collaborate with the finance and accounting function to strengthen the accuracy and efficiency of this activity?

    Are there defined standards for entering into an SLA, and is there an audit process in place to monitor external parties operating under an SLA?

    How effective is the IT function in monitoring external SLAs, contracts, and billing and software licenses?

    What are the greatest risks to IT asset management in your organization, and how are these risks managed?

    Does the company's and the IT function's outsourcing strategy align with and support IT asset management needs?

    Two-Year Comparison Overall Results, Managing IT Assets*

    2013 | 2011
    Monitoring IT assets | Monitoring external SLAs
    Accounting for IT asset management | Determining outsourcing strategy and approach
    Monitoring external SLAs | Accounting for IT asset management
    Monitoring and reviewing contracts/billings | Managing IT asset retirement - employee/contractor termination
    Managing hardware maintenance agreements | Managing IT asset retirement - IT asset refresh

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Monitoring IT assets ranks as the top priority this year, compared to sixth (not shown) in 2011, not a surprise considering the proliferation of new devices (smartphones, tablets, etc.) being used today by company employees.

  • 23 2013 IT Priorities Survey

    RESPONSES FROM IT EXECUTIVES

    CIOs and other IT executives rank the importance of improving two externally focused areas (determining outsourcing strategy and approach, and managing software licensing and compliance) higher than the overall survey group. This suggests IT executives are a) interested in ensuring that an outsourcing strategy limits IT asset management risks as much as possible, and b) concerned about the magnitude of risk related to software licensing issues.

    IT Executive Results, Managing IT Assets

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Monitoring IT assets | 3.5
    2 | Monitoring and reviewing contracts/billings | 3.7
    3 | Accounting for IT asset management | 3.4
    4 (tie) | Monitoring external SLAs | 3.5
    4 (tie) | Determining outsourcing strategy and approach | 3.6
    4 (tie) | Managing software licensing and compliance | 3.6

    Two-Year Comparison IT Executive Results, Managing IT Assets*

    2013 | 2011
    Monitoring IT assets | Monitoring external SLAs
    Monitoring and reviewing contracts/billings | Accounting for IT asset management
    Accounting for IT asset management | Determining outsourcing strategy and approach
    Monitoring external SLAs | Managing IT asset retirement - employee/contractor termination
    Determining outsourcing strategy and approach | Negotiating and establishing agreements
    Managing software licensing and compliance |

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Similar to the overall results, monitoring IT assets has jumped to the top of the priority list for IT executives.

  • 24 2013 IT Priorities Survey

    IT Process Capabilities: Ensuring Continuity

    Key Finding 2013

    Three top-of-mind priorities in this category are developing and maintaining business resumption plans, developing and maintaining IT disaster and recovery plans, and developing and maintaining crisis management plans.

    Overall Results, Ensuring Continuity

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Developing and maintaining business resumption plans | 3.1
    2 (tie) | Developing and maintaining IT disaster and recovery plans | 3.2
    2 (tie) | Developing and maintaining crisis management plans | 3.2
    4 | Developing and maintaining risk assessment/business impact analysis | 3.4
    5 (tie) | Ensuring executive management support and sponsorship | 3.4
    5 (tie) | Ensuring business alignment | 3.4

    Respondents were asked to assess, on a scale of one to five, their competency in seven areas of process capabilities relating to ensuring continuity, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the areas of ensuring continuity under consideration, see page 25.) Figure 6 depicts a comparison of Need to Improve versus Competency ratings in an Ensuring Continuity landscape.

    In recent months, as Hurricane Sandy and numerous high-profile information security breaches have demonstrated, business continuity in the face of expanding disruption threats has become a growing executive and board-level concern. The growing use of social media and mobile commerce, along with increased privacy legislation, are driving these concerns, as well. Additionally, organizations are revisiting the location of backup facilities and potentially placing them in different geographies where natural disaster risk is lessened. It is clear that the growing reliance on technology systems and applications requires IT to play a central role in corporate business continuity management (BCM) and disaster recovery efforts.2

    2 For more information, read Protiviti's Guide to Business Continuity Management, available at www.protiviti.com.

  • 25 2013 IT Priorities Survey

    The top priorities identified by respondents (developing and maintaining business resumption plans, developing and maintaining IT disaster and recovery plans, and developing and maintaining crisis management plans) suggest more companies and their IT functions are integrating IT disaster recovery capabilities with crisis management activities and business resumption plans to strengthen the organization's overall BCM capability.

    Figure 6: Ensuring Continuity Perceptual Map

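    [Perceptual map: horizontal axis is Need to Improve (lower to higher); vertical axis is Level of Competency (lower to higher). Plotted points are numbered 1 through 7 and correspond to the areas listed in the accompanying table.]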

    Number | Areas Evaluated by Respondents | Number | Areas Evaluated by Respondents
    1 | Developing and maintaining business resumption plans | 5 | Ensuring executive management support and sponsorship
    2 | Developing and maintaining IT disaster and recovery plans | 6 | Ensuring business alignment
    3 | Developing and maintaining crisis management plans | 7 | Designing and maintaining business continuity strategies
    4 | Developing and maintaining risk assessment/business impact analysis | |

  • 26 2013 IT Priorities Survey

    Key Questions to Consider:

    Has your company developed a crisis management and communications plan or strategy? Are there processes in place to update and audit these plans regularly?

    To what degree are BCM and disaster recovery capabilities and activities supported at the executive management and board level?

    Does your company have a formal overarching BCM strategy and continuity plan in place (and do these contain IT considerations among the key priorities)?

    Has your company undertaken a pandemic risk management assessment?

    How frequently does your organization test the plans that are in place? How are the results of these tests reviewed, analyzed and acted upon?

    How often is the information reviewed in all BCM-related plans and what is the process used to maintain, review and update them?

    Two-Year Comparison Overall Results, Ensuring Continuity*

    2013 | 2011
    Developing and maintaining business resumption plans | Developing and maintaining risk assessment/business impact analysis
    Developing and maintaining IT disaster and recovery plans | Developing and maintaining crisis management plans
    Developing and maintaining crisis management plans | Designing and maintaining business continuity strategies
    Developing and maintaining risk assessment/business impact analysis | Ensuring business alignment
    Ensuring executive management support and sponsorship | Developing and maintaining business resumption plans
    Ensuring business alignment |

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Year-over-year results are relatively consistent, though business resumption plans moved to the top of the priority list in the 2013 results.

  • 27 2013 IT Priorities Survey

    RESPONSES FROM IT EXECUTIVES

    IT executives identified the same top three Need to Improve areas within the Ensuring Continuity category that all survey respondents selected. Of note, half of the IT executive-level respondents cited the top two areas (developing and maintaining business resumption plans, and developing and maintaining IT disaster and recovery plans) as areas for improvement.

    IT Executive Results, Ensuring Continuity

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Developing and maintaining business resumption plans | 3.3
    2 | Developing and maintaining IT disaster and recovery plans | 3.5
    3 | Developing and maintaining crisis management plans | 3.5
    4 | Ensuring executive management support and sponsorship | 3.7
    5 (tie) | Ensuring business alignment | 3.7
    5 (tie) | Designing and maintaining business continuity strategies | 3.6
    5 (tie) | Developing and maintaining risk assessment/business impact analysis | 3.6

    Two-Year Comparison IT Executive Results, Ensuring Continuity*

    2013 | 2011
    Developing and maintaining business resumption plans | Developing and maintaining crisis management plans
    Developing and maintaining IT disaster and recovery plans | Ensuring business alignment
    Developing and maintaining crisis management plans | Designing and maintaining business continuity strategies
    Ensuring executive management support and sponsorship | Developing and maintaining business resumption plans
    Ensuring business alignment | Developing and maintaining risk assessment/business impact analysis
    Designing and maintaining business continuity strategies |
    Developing and maintaining risk assessment/business impact analysis |

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Year-over-year results are relatively consistent, but developing and maintaining business resumption plans moved to the top of the priority list for IT executives in the 2013 results.

  • 28 2013 IT Priorities Survey

    Organizational Capabilities

    Key Finding 2013

    Six Sigma, dealing with confrontation, coaching/mentoring, leadership (in outside organizations) and negotiation are top priorities for IT executives and professionals as they look to enhance performance and operational efficiencies as well as collaboration with other organizational functions.

    Overall Results, Organizational Capabilities

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Six Sigma | 2.7
    2 | Dealing with confrontation | 3.4
    3 (tie) | Coaching/mentoring | 3.6
    3 (tie) | Leadership (in outside organizations, groups, etc.) | 3.4
    5 | Negotiation | 3.4

    Respondents were asked to assess, on a scale of one to five, their competency in 12 areas of organizational capabilities, with one being the lowest level of competency and five being the highest. They were then asked to indicate whether they believe their level of knowledge is adequate or requires improvement, taking into account the circumstances of their organization and industry. (For the organizational capabilities under consideration, see page 29.) Figure 7 depicts a comparison of Need to Improve versus Competency ratings in an Organizational Capabilities landscape.

    The IT challenges identified throughout this survey indicate that workloads of IT executives and professionals have become crowded with improvement priorities. These priorities are less a matter of "or" ("Should we focus on improving social media security or mobile commerce integration?") than they are a matter of "and" ("How can we improve social media security and mobile commerce integration and smart device integration and data classification and BCM and ...?"). To address their expanding responsibilities and improvement efforts, IT professionals and executives are applying a combination of process-improvement methodology and interpersonal skills.

    The relatively low competency rating for Six Sigma (the highest ranking Need to Improve area) compared to other areas in this survey category indicates that IT leaders and professionals also see ample room for improvement with regard to making IT functions and processes more efficient and productive, particularly as IT organizations continue to deal with slimmed-down staff levels after the financial challenges of the past few years.

  • 29 2013 IT Priorities Survey

    Also, survey respondents point to dealing with confrontation, coaching/mentoring, leadership (in outside organizations) and negotiation as top Need to Improve areas that can help them partner more effectively with other parties inside and outside the IT department.

    The need for greater efficiency and productivity both within IT and the larger business (where IT plays a key enabling role) is unlikely to subside any time soon. IT professionals appear to recognize that improvements in interpersonal skills, such as leadership and negotiation, will help them address cultural issues that require attention while managing change.

    Figure 7: Organizational Capabilities Perceptual Map

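    [Perceptual map: horizontal axis is Need to Improve (lower to higher); vertical axis is Level of Competency (lower to higher). Plotted points are numbered 1 through 12 and correspond to the areas listed in the accompanying table.]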

    Number | Areas Evaluated by Respondents | Number | Areas Evaluated by Respondents
    1 | Six Sigma | 7 | Developing outside contacts/networking
    2 | Dealing with confrontation | 8 | Leveraging outside expertise
    3 | Coaching/mentoring | 9 | Working effectively with C-level/senior executives
    4 | Leadership (in outside organizations, groups, etc.) | 10 | Working effectively with business-unit executives
    5 | Negotiation | 11 | Working effectively with outside parties
    6 | Leadership (within your organization) | 12 | Working effectively with regulators

  • 30 2013 IT Priorities Survey

    Key Questions to Consider:

    Can a better understanding and improvement in capability around Six Sigma concepts help the IT function add more value and improve its effectiveness?

    How are efficiency gains being tracked and reported?

    Are there formal training and development processes in place to help IT professionals improve their ability to deal with confrontation and enhance negotiation skills and related attributes?

    What sort of leadership training and development opportunities are available to rising IT professionals?

    What is the quality of the coaching/mentoring offerings to which IT managers have access?

    To what extent are IT professionals encouraged and supported in efforts to demonstrate leadership in external industry and business groups?

    Two-Year Comparison Overall Results, Organizational Capabilities*

    2013 | 2011
    Six Sigma | Six Sigma
    Dealing with confrontation | Dealing with confrontation
    Coaching/mentoring | Working effectively with C-level executives
    Leadership (in outside organizations, groups, etc.) | Developing rapport with senior executives
    Negotiation | Leadership (within your organization)

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Several new entries in the top priorities for 2013 suggest a stronger focus on coaching and mentoring other employees, as well as demonstrating leadership outside the company in professional groups.

  • 31 2013 IT Priorities Survey

    RESPONSES FROM IT EXECUTIVES

    While IT executives also identify Six Sigma as the top Need to Improve organizational capability, they differ from overall survey respondents in two respects. First, IT executives view leading internally as well as leadership in outside organizations as higher improvement priorities than the overall survey group. Second, IT executives rank developing outside contacts/networking higher compared to the overall response. All respondents, however, place nearly identical importance on improving the coaching/mentoring opportunities available to IT professionals, suggesting that executives and professionals throughout the IT functional hierarchy see value in this type of development approach.

    IT Executive Results, Organizational Capabilities

    Need to Improve Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
    1 | Six Sigma | 3.0
    2 | Leadership (in outside organizations, groups, etc.) | 3.5
    3 | Leadership (within your organization) | 3.8
    4 | Negotiation | 3.8
    5 (tie) | Coaching/mentoring | 3.8
    5 (tie) | Developing outside contacts/networking | 3.7

    Two-Year Comparison IT Executive Results, Organizational Capabilities*

    2013 | 2011
    Six Sigma | Change management
    Leadership (in outside organizations, groups, etc.) | Coaching/mentoring
    Leadership (within your organization) | Developing outside contacts/networking
    Negotiation | Developing rapport with senior executives
    Coaching/mentoring | Developing rapport with business-unit executives
    Developing outside contacts/networking |

    * Certain competencies and skill areas in this category were not included in both years of the survey.

    Notable Trend

    Six Sigma, which ranked sixth on the list of priorities in the 2011 results, jumped to the top of the list in the 2013 study, suggesting IT leaders are focusing sharply on gaining greater efficiencies and productivity in their operations.

  • 32 2013 IT Priorities Survey

    Survey Demographics

    Close to 200 IT executives and professionals participated in the survey, which was conducted online in the third and fourth quarters of 2012. All demographic information was provided voluntarily and not all participants provided data for every demographic question.

    Position

    Chief Information Officer 4%

    IT VP/Director 15%

    IT Manager 21%

    Chief Financial Officer 2%

    Chief Security Officer 1%

    Chief Information Security Officer 3%

    Chief Privacy Officer 1%

    Chief Technology Officer 2%

    IT Audit VP/Director 7%

    IT Audit Manager 28%

    Other 16%

    Industry

    Financial Services 18%

    Manufacturing 12%

    Healthcare 11%

    Insurance 7%

    Government/Education/Not-for-profit 5%

    Consumer Products 4%

    Energy 4%

    Retail 4%

    Technology 4%

    Telecommunications 4%

    Utilities 4%

    Distribution 3%

    Hospitality 3%

    Media 3%

    Professional Services 3%

    Communications 2%

    Life Sciences/Biotechnology 2%

    Services 2%

    Real Estate 1%

    Other 4%

  • 33 2013 IT Priorities Survey

    Size of Organization (by Gross Annual Revenue)

    $20 billion+ 16%

    $10 billion - $19.99 billion 11%

    $5 billion - $9.99 billion 18%

    $1 billion - $4.99 billion 26%

    $500 million - $999.99 million 10%

    $100 million - $499.99 million 11%

    Less than $100 million 8%

    Type of Organization

    Public 57%

    Private 29%

    Government 2%

    Not-for-profit 10%

    Other 2%

    Organization Headquarters

    North America 78%

    Asia-Pacific 8%

    Europe 7%

    Middle East 6%

    Other 1%

  • 34 2013 IT Priorities Survey

    About Protiviti

    Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

    Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

    About Our IT Consulting Services

    Technological advances and disruptions continue at a breakneck pace. Economic challenges, changing expectations, and a host of other factors translate to varying business conditions and ever-shifting and conflicting priorities: saving costs, improving agility, managing risk, providing faster service. In this environment, you need a trusted adviser, one with not only relevant insights, but also a combination of strategic vision, proven expertise and practical experience to help implement needed improvements.

    Protiviti's IT Consulting practice helps executives align investments in IT with the strategic priorities of the business. Our professionals partner with CIOs and business leaders to strategize, plan, design and implement enterprise business technology solutions that optimize the value of IT investments while mitigating key risks.

  • 35 2013 IT Priorities Survey

    Kurt Underwood Global Leader IT Consulting +1.503.889.7771 [email protected]

    Protiviti IT Consulting Practice

    Managing the Business of IT

    Solution Segments Service Offerings Contact

    Strategy and Alignment We maximize the value of IT by helping you develop an IT strategic plan that is fully aligned with the strategic goals of the business.

    IT Strategic Planning; IT Architecture Design and Implementation; Enterprise Data Architecture; Social Media Strategy

    Michael [email protected]

    IT Operations Improvement We help you improve and implement processes and systems to resolve causes of failure, drive higher performance, achieve consistency and compliance, and increase business resilience.

    Asset Lifecycle Management; Business Continuity Management and Disaster Recovery; IT Service and Change Management; Data Quality Management; IT Process Assessment and Design

    Michael [email protected]

    IT Governance and Risk Management We help companies define the requirements of their IT organizations, determine the associated delivery cost, and understand the alignment of these requirements with business needs. We help you design an IT department that will be able to measure its performance continuously and demonstrate its effectiveness to the wider organization.

    IT Governance; IT Risk Management; IT Compliance; IT Benchmarking; IT Due Diligence; Data Governance/Structures; Spreadsheet Risk Management

    Jonathan [email protected]

    IT Portfolio and Program Management We help you ensure your portfolio of IT projects, applications and infrastructure is providing cost-effective benefits to the organization, and we enable your organization to successfully and efficiently execute complex programs and projects while mitigating your risks.

    IT Program and Project Management Office

    Application Portfolio Optimization

    Tom [email protected]

  • 36 2013 IT Priorities Survey

    Managing IT Security and Privacy

    Solution Segments Service Offerings Contact

    Security Program and Strategy Management We assist you in defining security policies that align with your business goals and making them operational with a robust architecture, relevant deployment procedures and meaningful controls. Further, we make the program sustainable through creative, high-impact awareness and training solutions.

    Security Policy and Program; Security Strategy and Architecture; Incident Response; Awareness and Training; Social Media Design and Implementation; Security Operations Center and Implementation Services

    Cal Slemp +1.203.905.2926 [email protected]

    Identity and Access Management We have extensive experience in a broad variety of identity environments, from highly trusted and proofed systems to those allowing unsubstantiated credentials. We help you define a strategy, establish policies, certify environments (and tools), federate partners, select products, and deploy the system.

    Access Management Policy and Standards

    IAM Design and Implementation

    Cal Slemp +1.203.905.2926 [email protected]

    Data Security and Privacy Management We provide a full spectrum of assessment, transformation and management services to help organizations identify and address privacy exposures before they become problems. We help companies identify the information they need to treat as private. We create the processes and metrics needed to meet both business and regulatory requirements.

    Data Governance; Data Classification; Data Security Encryption and Storage Strategy and Implementation; Privacy Management and Implementation; PCI Planning, Readiness and Compliance; HITRUST Planning, Readiness and Compliance; Other Security and Privacy compliance; Vendor Management/Due Diligence

    Cal Slemp +1.203.905.2926 [email protected]

    Vulnerability and Penetration Testing We use the latest tools and techniques to simulate the various approaches that might be used for unauthorized access to your enterprise. Our objective is to help you proactively protect your people and your information assets by leveraging our knowledge of constantly changing exploits.

    Infrastructure Assessment; Application Assessment; Network Assessment; Database Assessment

    Cal Slemp +1.203.905.2926 [email protected]

  • 37 2013 IT Priorities Survey

    Managing Applications and Data

    Solution Segments Service Offerings Contact

    ERP Solutions We assist you with selecting ERP and GRC applications, improving application security and the control environment, and managing the risks associated with complex software implementations. Our relationships with Oracle, SAP and other solution providers give us additional perspective on the nuances of these technologies. We help you avoid costs associated with project delays, mitigate the risks of costly re-implementations, and reduce the total cost of ongoing compliance activities.

    Application Security and Segregation of Duties; Application/Configurable Controls Design and Enhancement; ERP Project Management; ERP Selection; GRC Implementation; Implementation Risk Management; Design and Implementation Support; SAP Assessments (proprietary tools for detailed and efficient controls, integrity and security reviews for SAP ERP systems)

    Carol [email protected]

    eDiscovery and Records Management We help organizations institute a systematic and disciplined approach to evaluate and improve their e-discovery capabilities. We provide a full spectrum of services for both event-driven and process-driven environments around the world.

    eDiscovery; Computer Forensics; Records and Information Management

    Frank [email protected]

    Risk Technologies Our Risk Technology Solutions team is dedicated to the design, development, delivery and support of our GRC software solution, the Protiviti Governance Portal, as well as various risk, controls and security assessment tools. We integrate extensive real-world experience with leading-edge technology, giving you comprehensive, efficient and sustainable solutions.

    Protiviti Governance Portal; Assessment Tools

    Scott [email protected]

  • 38 2013 IT Priorities Survey

    Solution Segments Service Offerings Contact

    Software Services We help our clients limit project risk while maximizing the value of software development and implementation, whether for specific stages in the process or the end-to-end solution.

    Custom Software Development; QA Testing; Strategic Assessment and Advisory Services; SharePoint Business Consulting and On-Call Support

    Scott [email protected]

    Business Intelligence We help improve strategic decision-making and operational and financial reporting through the use of available and new data resources. We blend business acumen with IT skills to deliver uniquely efficient solutions across an organization's functional areas and initiatives. We help our clients to establish the strategic and operational information needed to make informed decisions and determine the KPIs that drive business outcomes. We help business units focus on the analysis and integrity of information rather than the mechanical steps needed to produce various reports.

    Data Warehouse; Enterprise Reporting Infrastructure; Master Data Management; Functional Data Marts

    Matt [email protected]

  • 39 2013 IT Priorities Survey

    Other Thought Leadership From Protiviti

    Visit www.protiviti.com to obtain copies of these and other thought leadership materials from Protiviti.

    The Global Privacy and Information Security Landscape: Frequently Asked Questions

    Spreadsheet Risk Management: Frequently Asked Questions

    HIPAA Security - Prepare Now or Wait and See?

    Key Questions Regarding Integrated GRC

    Powerful Insights (Protiviti's podcast series)

    Social Media Use in Companies - Managing the Risks Effectively

    The Importance of Strong IT Governance During a Financial Crisis

    Understanding SAP Security Architecture and Redesign

    Regulatory Intelligence: Leveraging Technology to Maintain Compliance Efficiently and Effectively

    Controls Intelligence: An Examination of How Robust Controls Analytics Can Improve Business Processes and Streamline Compliance

    IT Points of View:

    Social Media and Internet Policy and Procedure Failure - What's Next?

    Managing Privileged Access to Systems and Data

    Implementing GRC Software

    IT Strategic Alignment Benchmarking

    Making the Business Case for Automated Controls

    Managing Spreadsheet Risk

    Skyrocketing Costs and the Impact of E-Discovery

    Social Networking and the New Human Security Perimeter

    Taking the Initiative - The Role of IT Governance

    Virtualization - Maximizing Benefits While Maintaining Control

    Embedding Sound Risk Management Practices into an Organization

    IT Change Effective Portfolio Management During Times of Cost Reduction

    Managing Risk as Part of ERP Implementations

    Payment Card Industry Data Security Standard (PCI DSS)

    Application Portfolio Management: Rapid Analysis for Cost-Saving Opportunities

    2012 IT Audit Benchmarking Survey

  • ASIA-PACIFIC

    AUSTRALIA

    Brisbane Canberra Melbourne Perth Sydney

    CHINA

    Beijing Hong Kong Shanghai Shenzhen

    INDIA

    Bangalore Mumbai New Delhi

    INDONESIA

    Jakarta**

    JAPAN

    Osaka Tokyo

    SINGAPORE

    Singapore

    SOUTH KOREA

    Seoul

    * Protiviti Member Firm ** Protiviti Alliance Member

    THE AMERICAS

    UNITED STATES

    Alexandria Atlanta Baltimore Boston Charlotte Chicago Cincinnati Cleveland Dallas Denver Fort Lauderdale Houston

    Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

    Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. Woodbridge

    ARGENTINA

    Buenos Aires*

    BRAZIL

    Rio de Janeiro* São Paulo*

    CANADA

    Kitchener-Waterloo Toronto

    CHILE

    Santiago*

    MEXICO

    Mexico City* Monterrey*

    PERU

    Lima*

    VENEZUELA

    Caracas*

    © 2013 Protiviti Inc. An Equal Opportunity Employer. PRO-0213-101044 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

    EUROPE

    FRANCE

    Paris

    GERMANY

    Frankfurt Munich

    ITALY

    Milan Rome Turin

    THE NETHERLANDS

    Amsterdam

    UNITED KINGDOM

    London

    MIDDLE EAST

    BAHRAIN

    Manama*

    KUWAIT

    Kuwait City*

    OMAN

    Muscat*

    UNITED ARAB EMIRATES

    Abu Dhabi* Dubai*