Archive for October, 2006

CFOs block IT effectiveness

Tuesday, October 31st, 2006

CIO Magazine has some eye-catching research that underlines how critical it is for CIOs to report to the CEO rather than the CFO. The impact can clearly be seen in various ways, from how much access the CIO has to other senior execs to how much time is spent on tactical rather than strategic IT issues.

Regulators, investors and customers are demanding that businesses become far more effective in how they utilise and control their IT investments. That is why IT governance will without doubt become one of the top boardroom issues of the next few years. However, until it becomes understood and accepted that the correct reporting line for the CIO is straight to the CEO, any moves towards proper IT governance will be seriously hindered.

Insecure UK Companies

Thursday, October 26th, 2006

If UK companies are still struggling to get to grips with the Data Protection Act (1998), then just think how far they still have to go to get to grips with the rest of their data security requirements!

Rotten Apples

Tuesday, October 24th, 2006

I have written before about the need to prevent viruses entering a corporate system via employees’ thumb drives, and that the profusion of portable storage devices makes this a priority for businesses. Now SC Magazine reports that a number of Apple’s Video iPods have been discovered to be carrying the Windows virus RavMonE.exe. I see that Apple is not ISO27001-certified. Perhaps, if it were, this wouldn’t have happened.

Stupid security

Thursday, October 19th, 2006

Information security is about three things – confidentiality, integrity and availability. IT security people who think that it’s only about the first two of these have lost touch with where the money to pay their salaries comes from. For information security to be effective it has to be fair and reasonable in the eyes of most employees or it will never work. Communication and getting buy-in is as critical as having the right policies in the first place.

So, good on the people at Privacy International for their campaign to shame those organisations that overstep the mark by introducing truly mindless and overbearing security. They are doing nobody any favours and deserve a good pelting.

Getting started with IT Governance

Tuesday, October 17th, 2006

IT Governance, as Jason Cole points out, is more than project management, more than regulatory compliance, more than CobiT or ITIL or ISO 27001.

It’s also somewhat more than his article suggests. There are three books that tackle this subject, a Weill and Ross book (How Top Performers Manage IT for Superior Results) from Harvard Business Press, a compact and concise guide for Directors (IT Governance: Guidelines for Directors) and IT Governance Today: a Practitioner’s Handbook.

Even more usefully, there is a new framework that pulls together all components of IT governance (the Calder-Moir IT Governance Framework) and the related IT Governance Framework - Toolkit that is designed to help organizations of all sizes make a start with tackling IT governance at their own pace and in their own way - and at a cost somewhat less than is likely to be extracted by a substantial consultancy provider.

With all these resources so easily available, there’s no need for anyone to wonder what IT governance actually is, or to work out how to get started with realising the real business benefits of implementing an IT governance framework.

Take up of ISO 27001 Accelerates

Monday, October 16th, 2006

This article, about the accelerating take up of ISO 27001 in the UAE, reflects our own experience with our own consultancy clients - for the 3 to 4 local organizations that have either achieved - or are on the threshold of - ISO 27001 certification, there are another eight who have a project under way, and twelve more who are considering it.

In other words, the nearly 3,000 organizations worldwide who are so far certified to the standard are just the tip of the iceberg. When people talk about ISO 27001 as the ‘new ISO 9000’, it is the inevitable steep upturn in certifications - and the consequent recognition that certification will become a basic cost of doing business - to which they refer.

Olympic hurdles

Friday, October 13th, 2006

Following the apparent derailment at Connecting for Health, let’s hope that another prestigious national project fares rather better with its systems delivery. The Olympic Delivery Authority is said to be close to selecting an information systems supplier, with Accenture amongst the contenders (better luck this time). I hope that the ODA will research the NHS experience as a case study in how not to do things, and ensure that proper IT governance processes are put in place and adhered to.

If Health Service IT systems run two years late, we give a weary shrug and sort of expect it. If the Olympic systems aren’t ready on time, it will be national humiliation on a global stage. IT governance is about managing that sort of risk.

New IT Governance Toolkit

Wednesday, October 11th, 2006

Getting the best out of Information Technology is rightly spoken of as one of the most pressing responsibilities facing boards in the next five years. However, few organisations currently have the knowledge or skills to develop an appropriate IT governance response – instead, they often become unnecessarily reliant on (costly) outside advice.

Therefore, to help companies and their boards tackle this challenge, we have launched an IT Governance Framework Toolkit, which provides everything a business needs to create a best practice IT Governance regime. Companies will be able to manage the entire process in-house and at less cost than a single day’s consultancy.

The Toolkit, which simplifies and accelerates the development of an IT Governance framework, has been created jointly by Steve Moir - a highly experienced IT governance consultant – and me, drawing upon my books ‘IT Governance: Guidelines for Directors’ and ‘IT Governance Today: a Practitioner’s Handbook’.

On a single CD-ROM, the Toolkit provides the full means to understand, organise, adopt and monitor IT Governance practice. Its 98 separate documents include templates, guidelines, checklists, questionnaires, slide presentations, assessments and planning tools, all of which have been specifically designed for the purpose. In addition, each Toolkit includes electronic copies of both of the above books, which offer plain-English guidance on all key aspects of the process.

The toolkit is priced at only £995.00/$1,810.90/€1,442.75, which includes a full online support service covering all aspects of the implementation process. To learn more or place an order click here.

Connecting for Health leaves Accenture poorly

Wednesday, October 11th, 2006

Accenture has decided to walk away from its £2 billion contract to help modernise the National Health Service’s IT systems. A termination deal has been worked out in which it will pay only £63 million to its government client, Connecting for Health – a lot of money, but presumably better than it could have been.

But what a shocking indictment of the IT governance within this flagship project: one of the world’s top IT consultancies prefers to cut its losses despite such major cost to itself, while the project itself is already running two years late. I imagine that CSC, which is taking on Accenture’s role, will be looking for major assurances that the project goalposts will stay fixed henceforth.