Archive for December, 2005

‘Bug dampens Firefox spark’

Friday, December 16th, 2005

Apparently, Firefox has a bug.

It’s not the first. It won’t be the last.

Contingency planning is a governance responsibility

Friday, December 16th, 2005

Buncefield, as Grainne Gilmore makes clear in a Times article today, is a wake-up call for all those businesses – large and small – that don’t already have fully thought-through and tested business continuity, disaster recovery and contingency plans.

Directors and top management are responsible for the survival of their businesses. Identifying and planning to deal with the full range of potential risks is a fundamental part of that responsibility.

It’s too late to start preparing when disaster strikes – today, when nothing looks as though it’s about to happen, is the best time to start. And our business continuity web page is the best place to make that start.

Don’t ‘align’ – Integrate!

Friday, December 9th, 2005

‘The goal of aligning the use of IT systems more effectively with the ambitions and desires of ‘the business’ is now firmly established as a major priority in many organisations.’ This opening paragraph of Tony Lock’s article today on IT Service Management goes on to say that an early desire to work out how IT budgets were being spent has evolved into ‘an attempt where possible to align IT resource usage with goals set by the business itself’.

‘Where possible?’

While I’m delighted that ‘IT alignment’ is increasingly on board agendas, we really do have a long way still to go – conceptually, as well as in practice. There is still a widely-held and deep-seated view, primarily amongst the IT community, that the IT organization is a separate organization from ‘the business’ (what I call the ‘two empires model’) and that, for instance, IT resource usage goals should be primarily set by the IT people.

This, of course, is nonsense. Shareholders appoint directors to be responsible for the whole of the business, and they expect (by law and by custom) their appointed directors to act in the interests of all the shareholders and across all aspects of the business. The board is responsible for governing IT and all responsible boards will ensure that their IT functions are integrated into the business, and that IT resource usage goals and priorities are exclusively set by the business – the business, after all, is the reason why the support functions exist.

Boards, and IT leaders, need – as I argued in IT Governance: Guidelines for Directors – to engineer a significant shift in the governance of their enterprises so that IT starts delivering on business priorities. The level of IT investment, and the sheer cost of the long-term and ongoing IT failure to genuinely enable the business, mean that, sooner or later, business managers are going to cut down the IT organization.

For IT leaders, therefore, the long term choice is between integration into the business, as a key strategic contributor, and subordination to the business, as a basic utility. Integration is the best outcome for everyone; subordination, on the other hand, would be better for the shareholders than continuing the current, common, two empires model.

Information security as a business enabler

Thursday, December 8th, 2005

Information security is supposed to be a business enabler. Information security is supposed to be a business issue, not a technology one.

What this means is that, by ensuring the availability, confidentiality and integrity of information, organizations should be able to improve their effectiveness and enable themselves to use today’s electronic and communications media more competitively.

So far, so clear.

We all know that the electronic world is full of dishonest and nasty people, people whose idea of fun is creating and despatching worms, Trojans, viruses and assorted adware and spyware; we know that stealing data has become more than just a cottage industry; and we know that organizations must take steps to combat today’s mutating threats by implementing multi-layered vulnerability protection strategies.

In responding to the threats, many organizations have lost sight of the idea of ‘enablement’. Defences have been erected and are continuously ratcheted up in response to new threats, and as new technology becomes available.

But nobody bothers talking to the users, the people who are meant to be ‘enabled’ through the use of technology, the people at the business coalface, who are dealing every day with the changing competitive pressures and opportunities of commercial survival in the 21st Century. If they did, they would discover that users are becoming more and more inventive at finding ways of bypassing these controls – while it seems barmy to have to go home, use your personal computer to surf the net to find the information that you want, download it to a USB stick, take your USB stick to work and then upload the information to your computer, this is what more and more people are doing – because it’s the only way left for them to get the information they need to actually do their jobs!

Of course, the organization is just as exposed to what may be residing on the site from which that determined employee downloaded the data – but they’re unlikely to have appropriate defences in place. Sooner or later, they’ll make the necessary investment to close off this loophole – and the workers will have to come up with a new way to get round the technology in order to get on with their jobs.

There is an alternative, far less expensive, far more business-focused, option: businesses could decide that business management – not the IT department – should determine what controls are appropriate – and the good news is that the number of organizations who take that approach is growing (just look at the growing number of BS7799 certified organizations) and, sooner or later, those that stick with the technology-age version of ostrich behaviour will go out of business.

It’s quite frustrating waiting for that to happen, though!

IT governance is mission critical

Thursday, December 1st, 2005

As the vital importance of IT governance to the Information Age becomes better understood, it’s not surprising that newspapers are starting to give it serious coverage. This excellent article from the Sydney Morning Herald illustrates that effective control of the IT function is absolutely mission critical. It talks about the financial nightmare that the Australian Customs Service’s new integrated cargo system has become as a result of poor oversight and executive control – or what is usually known as ‘governance’. Given that London has its own vast development programme underway to host the 2012 Olympics, this article should make sobering reading for the UK’s new Olympic Delivery Authority. Increasingly, IT governance will become a hot topic for our own national newspapers – let’s hope it will be in a positive light.