Posts Tagged ‘CIOs’

What it takes for CIOs to succeed

Friday, September 28th, 2007

ComputerWeekly reports some timely research on what it takes to succeed as a CIO, based on work by a visiting fellow at Cranfield School of Management. She has talked to CEOs who first climbed the IT ladder, and also to CEOs about what they look for in a CIO. Her ten findings all make excellent reading, and she is bang on target with her number one conclusion:

“CIOs should become business people

Learn about general management, demonstrate enthusiasm for business matters and acquire knowledge of your industry sector. CIOs should talk business language not technical jargon. Focus on driving revenues up rather than cutting costs. And, don’t forget you cannot network enough. My CEOs, when in the top IT job, typically spent over 50% of their time communicating with non-IT people both within and outside their organisations.”

The well-rounded CIO

Thursday, June 7th, 2007

Two items here nicely illustrate the fact that IT leaders need to understand the business, not the other way around. Michael Farnum gives some examples that demonstrate it takes maturity on the part of infosec and IT professionals to realise that the interests of the business legitimately come before those of the IT function. While I fully agree with this point, the question arises of how IT professionals can acquire the broader business experience to develop this point of view.

Some potential answers are implied in a report from the Society for Information Management Advanced Practices Council, which calls for measures to increase the leadership ability of the next generation of CIOs. Its proposals, including structured career development, job rotation and performance metrics, appear to be confined mainly to the IT function. However, the same approach would surely make an excellent basis for exposing IT pros to the other functions within the business. Why not rotate promising IT leaders around appropriate roles in sales, finance and manufacturing too? That would produce a quantum leap in the business knowledge of CIOs and make them far better able to act strategically for the business.

Infosec career guide

Tuesday, November 28th, 2006

ComputerWeekly has flagged up a new report from (ISC)² (the International Information Systems Security Certification Consortium) which contains various items of useful career information for security professionals, including job descriptions, likely salaries, career advice and listings of professionally recognised information security courses.

CW highlights the following fact: “More than 1.5 million people work in information security worldwide. The (ISC)² expects that number to reach more than 2 million by 2010, an annual growth rate of 7.8%.”

As both the guide and the organisation give prominence to IT governance, this should hopefully be a valuable tool in helping the next generation of CIOs prepare for the challenges of the boardroom.

Face it: IT is about revenue growth

Thursday, November 23rd, 2006

News in Information Age that is simultaneously encouraging and puzzling: according to the Economist Intelligence Unit (presumably, rather than the ‘Economics Intelligence Unit’ the article credits):

“…globalisation and increasing competition in markets worldwide is driving senior managers to demand a closer alignment of IT to business goals. The research indicates that 69% of senior IT and business executives expect the primary role of IT, traditionally cost efficiency, to be elevated to that of enabling revenue growth within three years.”

However, the report talks of a ‘fissure’ between CEOs and board directors, who are supposedly pushing for this transformation in the role of IT, and CIOs and IT managers who are apparently dragging their feet.

This strikes me as odd, given that the shift is inevitable and surely a golden opportunity for the IT function to secure the long sought-after guaranteed place at the top table. The evolution in the role of the CIO is about to go into fast-forward – let’s hope enough people are ready for it.

CFOs block IT effectiveness

Tuesday, October 31st, 2006

CIO Magazine has some eye-catching research that underlines how critical it is for CIOs to report to the CEO rather than the CFO. The impact can clearly be seen in various ways, from how much access the CIO has to other senior execs to how much time is spent on tactical rather than strategic IT issues.

Regulators, investors and customers are demanding that businesses become far more effective in how they utilise and control their IT investments. That is why IT governance will without doubt become one of the top boardroom issues of the next few years. However, until it becomes understood and accepted that the correct reporting line for the CIO is straight to the CEO, any moves towards proper IT governance will be seriously hindered.

Investors don’t get the message

Monday, July 24th, 2006

This research from Harvard and Carnegie Mellon universities shows that large companies have no clear stock price-related incentive to prevent privacy breaches. Despite clear evidence of vulnerabilities that could seriously harm their interests, investors fail to give major quoted companies more than a mild slap on the wrist if their IT security is shown to be so lacking that there is a major breach of one or more privacy laws. After an initial dip, share prices quickly return to normal.

CIOs shouldn’t take this as a green light to reduce the cost of investment in protecting consumer privacy. The fact is that few institutional investors yet really understand the potentially very high direct and indirect costs of these breaches and so can’t yet make informed investment decisions.

As they become more knowledgeable (particularly with regulators becoming more determined around privacy), so the share price impact of a serious breach will become more dramatic and more prolonged. That, plus the possibility of SEC investigations and class-action suits, should be enough to keep CIOs and boards focused on their responsibilities around protecting personal information.

IT Governance Institute 2006 Status Report

Thursday, March 9th, 2006

Following on from the last post below, here is the proof. The IT Governance Institute is gearing up to release its 2006 Global Status Report, which was supposed to be available for free downloading from late February – presumably out any day now. It gave a sneak preview to ZDNet Asia, which revealed some striking variations in boardroom awareness of IT issues. Unsurprisingly, India scores highly – it has been interesting to note that many of the recently announced ISO 27001 certifications have been from Indian businesses – but Japan is weird: only 26 percent of respondents from there reported that IT is discussed regularly (or more often) by the board, compared to 63 percent of respondents worldwide – but Japan has the highest number of successful ISO 27001 certifications in the world, and ISO 27001 certification requires some strategic board input.

Generally, the ITGI is encouraged by progress since its last global survey in 2003. However, there remains a lot to do before most directors should sleep too easily at night:

‘The study also found that CEOs are responsible for governance over IT in only 24 percent of the organizations surveyed. As in 2003, CEOs and business executives are still hesitant to discuss IT governance. Shareholders should worry about this, because boards and CEOs are ultimately responsible for IT risk management and oversight over all major assets–including IT. Instead, the study found that CIOs are responsible for IT governance in 33 percent of organizations, and nobody is responsible in 6 percent of organizations.’

Computer virus comes of age

Thursday, February 2nd, 2006

The Financial Times reports that it was 20 years ago this month that the first computer virus was discovered. As a plain English overview of the IT security threat and how it has escalated this article is hard to beat. I recommend that every CIO and IT manager prints it off and gives a copy to his CEO.

Changing user behaviour

Wednesday, February 1st, 2006

IDC has done some polling amongst IT managers and established that one of their top worries remains getting staff to play ball and follow IT security policy. As I have written before, the most thoroughly conceived corporate ISMS can be completely undone if an employee can introduce a virus from home just by plugging in a USB memory stick.

The answer is obviously internal communications and training, but many businesses are still falling woefully short in these areas. Such initiatives simply can no longer be seen as optional extras, as any company to have suffered a serious IT breach can confirm.

Infosecurity training needs to have three components:

* Users need to be competent to use their computers and understand the requirements of their user agreements and the acceptable use policy. E-learning is an ideal way to deliver this cost-effectively.
* They need to recognize and know how to deal with information security threats. We publish a book called the Internet Highway Code that is specifically designed to meet this need and ideal for issuing to all staff members. To underline the importance of this issue, each employee should be required to sign a user agreement that includes reference to such guidance and confirms that they have read it.
* Users need to be kept aware of the changing risk environment so they can take adequate evasive action. An effective solution is to formalize a user alert service, whether internally or externally sourced, to ensure that staff hear about the latest threats and know how to respond.

CIOs and their teams need to impress upon their boards that these are core requirements for the business and need funding and senior endorsement.

Gartner says CIOs mean business

Wednesday, January 25th, 2006

I have talked frequently about the fact that CIOs have to change their perspective from worrying about the IT system to worrying about the business. Well, here comes the revolution: Gartner has surveyed 1,400 CIOs and found that this shift is expected to be one of the big developments of 2006. The problem will be that, while CIOs will be under pressure to become far more engaged with customers, finance and overall business efficiency, they don’t necessarily know how to talk business. Their CEOs will have to help them – which might even mean that the CEOs learn more about IT!