Posts Tagged ‘CEOs’

Face it: IT is about revenue growth

Thursday, November 23rd, 2006

News in Information Age that is simultaneously encouraging and puzzling: according to the Economist Intelligence Unit (presumably, rather than the ‘Economics Intelligence Unit’ the article credits):

“…globalisation and increasing competition in markets worldwide is driving senior managers to demand a closer alignment of IT to business goals. The research indicates that 69% of senior IT and business executives expect the primary role of IT, traditionally cost efficiency, to be elevated to that of enabling revenue growth within three years.”

However, the report talks of a ‘fissure’ between CEOs and board directors, who are supposedly pushing for this transformation in the role of IT, and CIOs and IT managers who are apparently dragging their feet.

This strikes me as odd, given that the shift is inevitable and surely a golden opportunity for the IT function to secure the long sought-after guaranteed place at the top table. The evolution in the role of the CIO is about to go into fast-forward – let’s hope enough people are ready for it.

CFOs block IT effectiveness

Tuesday, October 31st, 2006

CIO Magazine has some eye-catching research that underlines how critical it is for CIOs to report to the CEO rather than the CFO. The impact can clearly be seen in various ways, from how much access the CIO has to other senior execs to how much time is spent on tactical rather than strategic IT issues.

Regulators, investors and customers are demanding that businesses become far more effective in how they utilise and control their IT investments. That is why IT governance will without doubt become one of the top boardroom issues of the next few years. However, until it becomes understood and accepted that the correct reporting line for the CIO is straight to the CEO, any moves towards proper IT governance will be seriously hindered.

Enron and IT Governance

Monday, June 26th, 2006

This promises to be an interesting event. Sherron Watkins, the celebrated Enron ‘whistle blower’, will be addressing an IT governance symposium in August in Orlando. Ms Watkins is obviously doing well on the lecture circuit, but it’s hard to begrudge that, and she seems an excellent person to talk on IT governance. Enron is the starkest illustration of how vital proper governance is to the running of an organisation and the potential dire consequences of taking this lightly. Let’s hope a few CEOs go along to hear her.

Flash drives – again!

Monday, April 24th, 2006

Coming on the heels of my most recent post about the security risk posed by USB storage devices, here’s a story to chill the bones. It seems that classified military information is leaking out of Afghanistan and being offered for sale on those wonderful flash drives that we love so much.

I spend most of my time trying to get businesses, and particularly mid-size businesses, to grasp the security nettle and put in place a proper ISMS. The military hasn’t been much of a priority for me because, apart from anything else, you would sort of hope they understood these things better than many. I guess not.

For any organisation, a fundamental part of the solution has to be an appropriate system of usernames, rights and privileges. To the greatest extent possible, you need to confine access to sensitive information to those people who really need it. Properly mapping out access rights and keeping them up to date is critical. For example, if someone leaves an organisation or moves within it their username must be withdrawn or access rights amended immediately, not three months later. Similarly, if someone needs particular access rights to do a project, those should be curtailed again as soon as the project is finished.

That might not prove popular, but it is part of the ‘soft skills’ requirements of modern IT managers to be able to sell their policies as well as implement them. They need to be able to explain persuasively why security is good for the employee as well as the organisation. (However, this article indicates that there is still a long way to go before the IT function develops the necessary people management skills. Note to the CEO – investing in this area is not a ‘nice to have’ item, it is an urgent requirement if you expect your IT to remain secure.)

It is also essential to have in place clear user agreements and acceptable use policies, (a) to ensure that employees understand what is expected of them and (b) to provide a basis for taking legal action against them if they flout this. These measures should include explicit instructions not to remove data without authorization and various other measures to safeguard the integrity of the system.

I have written in considerably more detail about these issues in various books. However, in light of the profusion of USB storage devices today, I am thinking of adding one more measure to my recommendations, based on an item I read somewhere recently. If you are still worried that best practice policies and procedures aren’t enough, seal up the USB ports on people’s machines with glue!

IT Governance Institute 2006 Status Report

Thursday, March 9th, 2006

Following on from the last post below, here is the proof. The IT Governance Institute is gearing up to release its 2006 Global Status Report, which was supposed to be available for free downloading from late February – presumably out any day now. It gave a sneak preview to ZDNet Asia, which revealed some striking variations in boardroom awareness of IT issues. Unsurprisingly, India scores highly – it has been interesting to note that many of the recently announced ISO 27001 certifications have been from Indian businesses – but Japan is weird: only 26 percent of respondents from there reported that IT is discussed regularly (or more often) by the board, compared to 63 percent of respondents worldwide – but Japan has the highest number of successful ISO 27001 certifications in the world, and ISO 27001 certification requires some strategic board input.

Generally, the ITGI is encouraged by progress since its last global survey in 2003. However, there remains a lot to do before most directors should sleep too easily at night:

‘The study also found that CEOs are responsible for governance over IT in only 24 percent of the organizations surveyed. As in 2003, CEOs and business executives are still hesitant to discuss IT governance. Shareholders should worry about this, because boards and CEOs are ultimately responsible for IT risk management and oversight over all major assets–including IT. Instead, the study found that CIOs are responsible for IT governance in 33 percent of organizations, and nobody is responsible in 6 percent of organizations.’

Computer virus comes of age

Thursday, February 2nd, 2006

The Financial Times reports that it was 20 years ago this month that the first computer virus was discovered. As a plain English overview of the IT security threat and how it has escalated this article is hard to beat. I recommend that every CIO and IT manager prints it off and gives a copy to his CEO.

Half of IT bosses ignoring the law

Thursday, May 5th, 2005

In an article yesterday, a National Computing Centre survey revealed that 44 percent of IT decision-makers admitted they were not fully aware of IT standards and legal requirements, with 22 percent claiming complete ignorance of the issue! Once you include the significant portion of people who will have claimed full awareness even though they don’t have it, you create the alarming picture that about half the people who are responsible for IT are not fully aware of the laws and regulations they’re supposed to be complying with.

A similar survey of CEOs and Chairmen, if it revealed that about half of them were not aware of their corporate governance obligations, would provoke outrage in the press and parliament. Considering the extent to which organizations are data-dependent these days, it’s about time that the board stepped up to its governance obligation where information security and IT governance are concerned – abdicating responsibility to the Head of IT is clearly not working as a strategy.

Most CEOs and CIOs don’t communicate with one another…

Monday, November 15th, 2004

…so is it surprising that IT projects so often fail to deliver business benefits and that IT security is so often a business blocker rather than an enabler?

CBR (Nov 04) published survey results showing that 70% of IT directors (across 15 European countries) see poor communication channels as the “source of IT misalignment” – and apparently only 20% of them feel that their departments provide their organisations with any competitive advantage!

62% of CIOs believe that changes in business objectives are communicated so slowly that the IT department can’t respond properly – not that surprising, when you consider that “in almost one out of three cases, IT teams are divorced from the seat of business strategy and are not represented on the board.”

Information and ICT are just too important to the competitiveness of businesses today for this to be a sensible approach – if CEOs don’t get it, their boards should be thinking about replacing them, sooner rather than later.