Archive for September, 2005

Firefox is buggier?

Wednesday, September 28th, 2005

Did I read, somewhere in the recent Symantec threat analysis report, that Firefox was reported to have had more vulnerabilities in the first six months of this year than Internet Explorer did?

Why am I not surprised?

Governance and business recovery

Monday, September 26th, 2005

Anyone contrasting the different levels of preparedness of city and state authorities to deal with hurricanes Katrina and Rita can’t have failed to notice that, for instance, Galveston in Texas was somewhat better prepared to handle the imminent disaster than was New Orleans. Sure, the experience of Katrina in New Orleans galvanised everyone from the White House down, but there’s no way that Galveston’s level of continuity and disaster recovery planning could have been put in place in the interval between Katrina’s strike and Rita’s emergence.

This is a good context within which to ask the question: “Is business recovery planning a key governance responsibility?”

Governance is, in a sense, about the preservation and stewardship of an organization. Boards of directors are supposed to be uninvolved in the day-to-day struggle to turn an honest penny and, therefore, to be in the ideal position to take a strategic view of the risks faced by the organization. And continuity risks – which range from ‘Acts of Nature’ through terrorist attacks to IT system failure – have to fall within the range of issues to be considered. Most continuity risks are characterised by a combination of relative unlikelihood and possibly catastrophic impact.

In my book, that makes business continuity planning (here is a collection of resources) a key board responsibility. The sad truth is that very few boards address it properly and that, consequently, most organizations that experience a continuity-threatening event don’t survive – they might struggle on for a year or so, but they ultimately fail. Continuity planning is key to the long-term survival of all organizations – both big and small.

Galveston treated it as a critical governance responsibility and made appropriate contingency plans far in advance – so should you.

WorldCom and IT governance

Thursday, September 22nd, 2005

Final settlement of the WorldCom case, which involved eleven outside directors contributing rather more than they received as compensation for their stewardship of the company and guardianship of the interests of their shareholders, was announced today. The directors’ settlement, announced back in March, involved them paying, between them, a total of $20.25 million from their own pockets – and this is in addition to the amounts paid out to the creditors and shareholders under the board’s Directors’ and Officers’ insurance policy.

What does this mean for corporate governance generally, and for IT governance specifically? Well, it clearly establishes the outside directors of a company as a legitimate, attractive target for aggrieved creditors and shareholders when a company goes bankrupt. Given the increasing extent to which organizations are dependent on IT – and the extent to which a significant IT failure can now impact the long-term competitiveness and viability of any organization – it’s not going to be long before the expectation of transparency around general corporate governance extends to IT governance.

Sure, SOX has already transformed the early awareness of the need for proper IT governance, first created by the Turnbull report in the UK, into a far more significant board issue. Let’s hope it doesn’t take a significant IT failure, leading to a corporate collapse, before boards really get to grips with their responsibilities. Reality suggests otherwise, though.

It’s been a long summer

Tuesday, September 20th, 2005

It’s been a long summer, and blogging has had to take a back seat to managing the fast growth of our business, IT Governance Ltd. Sales of books and tools through www.itgovernance.co.uk have continued to increase substantially month on month. We’ve expanded our product range, adding a TSO (The Stationery Office) distributorship as well as books from van Haren. As a result of these two agreements, we now have an outstanding collection of ITIL, BS15000 and related titles available through the website. We also now offer, amongst our project governance titles, the new Prince2 books and supporting tools. An inexpensive Pocket Guide to IT Governance, dealing with CobiT principles, is the first, we hope, of a number of CobiT titles.

Excitingly, we are also now able to offer electronic versions of the two information security standards, and we are in the final stages of negotiations to add several significant information security management products to the site as well.

This all means that we’re having to take on additional office space and recruit more back-office people to support our web sales and marketing activity, as well as to drive forward our publishing business.

We continue to observe information security stupidity and are increasingly fascinated that this form of stupidity seems to become more successful the larger the company. It seems to turn Darwin on his head: the least useful approaches are the ones that appear to win out. When business slows down, it’ll be worth thinking about.