The rapid pace of technology innovation and adoption has transitioned tech decisions outside of the IT department’s domain, according to a Tuesday report from Deloitte. Technology decisions are no longer the sole responsibility of the CIO, the report noted: Today, 87% of executive leaders are either leading technology changes, or taking an active involvement.

The report surveyed 500 executives in the mid-market and private segments. It found that greater C-suite involvement in tech has led to greater spending: 57% of executives reported spending more on technology this year than last year. These companies also reported using the savings from the December 2017 passage of US tax reform legislation to invest in emerging technologies (42%) and hire new talent to expand digital capabilities (37%).

Despite these investments, one-third of executives reported having little to no formal IT governance processes in place, the report found–a major problem, as all new tech ventures come with opportunities and risks that must be evaluated.

SEE: Security awareness and training policy (Tech Pro Research)

Companies cite a lack of resources (26%), cost (21%), and a lack of C-suite understanding of the importance of IT governance (19%) as the top factors preventing them from creating such policies, according to the report. This will become a larger issue, as privacy and ethical concerns will only increase with the rate of technological change, it noted.

“Technological disruption brings with it both risks and opportunities, none of which can be properly addressed without rigorous IT governance practices,” Doug Beaudoin, principal of Deloitte Consulting LLP and a Deloitte Private consulting leader, said in a press release. “Given technology’s proliferation across business operations, it is crucial for the C-suite and boards to have an active role in IT as it relates to overall governance.”

Company leaders are concerned about gaps in IT management oversight and governance that may create new vulnerabilities, the report found. Some 52% of those surveyed ranked cybersecurity risk and governance as top issues of relevance for the board and C-suite. And 50% ranked IT governance processes and principles among the top three areas of concern for their business.

Here are six factors organizations should address in a governance policy to mitigate IT-related risks, according to the report:

1. Provide perspective on changes in IT governance and spell out responsibilities for cost control, risk management, etc.

2. Handle employee-introduced risk, as this concern has consistently grown over past three years.

3. Manage relationships with partners and vendors reacting to the threat environment.

4. Create a resiliency plan that includes the technical elements of incident response such as logs to document and analyze the response to each attack, and provide proactive communications to stakeholders in the event of an attack.

5. Enhance IT governance processes by setting up plans for cross-functional coordination well in advance of a potential threat.

6. Consider a zero-trust model which creates safeguards by requiring authentication and validation for access at every stage of a business process rather than assigning access to entire systems based on a perceived degree of trust.

The big takeaways for tech leaders:

  • 87% of executive leaders are either leading technology changes, or taking an active involvement. — Deloitte, 2018
  • One-third of executives reported having little to no formal IT governance processes in place. — Deloitte, 2018