February 29th, 2012
Among the questions that I wanted to ask CIOs for my CIOs at Work book, one was fairly obvious: I wanted to know what gave them nightmares, what kept them awake at night. I could easily imagine every CIO giving me a list of ten or twenty; indeed, you could easily get the impression that CIOs worry about everything.
They worry (understandably) about the alignment of their IT activities to the business strategy that they hear about from the CEO and the Board. They worry about whether the hardware and software they’ve invested in will be adequate for carrying out today’s job, scalable enough to accomplish next year’s job, and whether it will last long enough to avoid being classified as obsolete legacy junk within a year. They worry whether they’re hiring the right kind of people, and they worry about whether their IT shop is the kind of place where the “best and the brightest” would want to work. The list goes on and on …
But if there’s one thing at the top of every CIO’s “worry list,” you know what it’s going to be: security. I can’t recall a single CIO that I interviewed who had something else at the top of their list, though some were more confident than others that they were doing a good job in the security area. Most were proud of the efforts they were making, and proud of the security-related skills of their IT professionals; and many shrugged, as if to say that security was like death and taxes: something that would never go away, and that you just had to cope with.
One theme was almost universal in the security-related comments I heard from CIOs; but there were two other themes that I think are almost as important, but which remained largely unspoken. The three items are as follows:
1. Attackers are becoming increasingly sophisticated, well-equipped, and well-financed. As the CIO of one prominent company said to me, “It’s humbling to realize that an entire country is doing its best to bring your systems down.” Others have the scars to show that attackers view them as “symbolic” of something their religion, their culture, or their government strongly dislikes or condemns; if you’re the CIO of Goldman Sachs, or the Federal Reserve, or the New York Stock Exchange, you’re likely to feel that you’re defending the epitome of Western capitalism. If you’re the CIO of the organization that runs the Scholastic Aptitude Tests (SAT’s), which I first took more than 50 years ago, you might well have nightmares about gazillions of geeky students trying to hack into your system. Electric utilities, airlines, auto companies, oil companies, and high-tech firms ranging from IBM to Microsoft to Apple, all have good reason to worry. I could argue that the only people who don’t have to worry are the folks running the mom-and-pop deli on my street corner … but even they have a web site, and a Twitter account, and a computerized cash register.
2. Security breaches are frequently caused by “insiders” — and today, just about every insider has access to the organization’s IT assets. Once upon a time, we could hide the corporate mainframe in a thick-walled subterranean room, and we could keep a (short) list of the people who had access to the hardware, the software, and the data. Now it’s just about everyone, including our customers, our partners, our sub-contractors, and our vendors in addition to our employees. There are obvious security threats associated with the desktops, laptops, and mobile devices that all of these folks have in the office, at home, and in their pockets — but it’s the human element I’m more concerned about here. Even when we only had a small number of IT people with access to our technology, we had to worry about sloppy behavior that disregarded or flouted security protocols; we had to worry about disgruntled employees, and we had to wonder whether any of our employees might become just a little too tempted by the prospects of fame, fortune, or access to secrets. Now we have to worry about everyone. The odds of one “rotten apple” in a group of a hundred may not be too bad; but when we’ve got 100,000 employees, it’s a different game altogether.
3. The “culture” of today’s worker is different than it was a generation or two ago. I have to be careful here, because I’m not a trained sociologist, and I don’t have any reputable studies to prove or disprove my point. I’m not trying to suggest that everyone is a crook, or that there are no standards of ethical behavior in today’s workplace; indeed, we may have a situation where the “mean,” or “average,” human behavior has remained about the same, but the “standard deviation” has increased substantially. Whatever it is, we now have a work environment where companies routinely outsource jobs and terminate employees by the thousands; what impact is that likely to have on employee loyalty? We have a popular culture where convicted felons — including executives, politicians, and movie stars — serve a minimal prison sentence and then get signed up as a celebrity talk-show host; what impact is that likely to have? And, at least in many of the “advanced” Western countries, we have a social culture where many young adults feel they are “entitled” to the benefits of large salaries and extravagant life-styles, even if those are not readily available through the normal patterns of hard work. The “Occupy Wall Street” protesters may not have articulated their message in quite this way, but if you’re one of the technology-equipped 99% working-class folks, and see your 1% boss making 100 times your own salary, one of your reactions may well be, “How come he/she makes so much, and I make so little? Maybe I can break a few rules, using the high-power computer gadgets they gave me, and scoop up a little of the corporate fortunes for myself.”
All in all, it’s enough to give anyone nightmares!