Posts Tagged ‘CIOs’

Deepening the bench

Wednesday, January 4th, 2006

Computerworld says that security specialists will be in hot demand in 2006 – no, really?! Hardly surprising, given the relentless pace at which internet threats are developing. What’s interesting is how supply and demand are currently working – salaries offered to security specialists are lower than of late because of the large number of people who have gained certifications in the past couple of years. Inevitably, these highs and lows will smooth out over time, but in the short term it means that interviews for security posts are going to get tougher as more people vie for each post. That’s hard luck for candidates but good news for the IT governance cause (assuming that firms are sifting for the right qualities) – the better the quality of mid level recruit now, the deeper the bench of talent when it comes to selecting the next generation of CIOs who can genuinely champion IT governance in the boardroom.

CIOs in the boardroom

Thursday, October 20th, 2005

Recent research from Burson-Marsteller makes it clear that, in the developed world, still only a tiny minority of companies (less than 10%) have their CIO on the board while, in the developing world, companies are about ten times more likely to have done this.

That sounds like ‘sayonara’ to companies in the developed world – if we can’t get our heads around the simple notion that we have to harness IT (the letters, remember, stand for ‘information technology’) to help us compete in the information economy, then we’d better start learning some foreign languages and get our homes on the market while they still have some value in them…

Public sector IT governance!

Tuesday, April 26th, 2005

Today’s ‘Accounting Web’ newsletter contains this report from its editor:

“Steve Lamey has a big job on his hands as the CIO for the new HM Revenue & Customs organisation. He inherits a ramshackle electronic communications operation and faces issues surrounding the change in IT supplier from EDS to Capgemini.

HMRC is currently depending on systems which are not delivering business improvements for the department, nor improved customer interaction and satisfaction. Rather than being called to account for the current state of affairs, two senior civil servants responsible for e-business have been promoted.”

Anyone who thinks I’ve been unfair on the public sector in my new book, IT Governance: Guidelines for Directors, should take a look at the many stories just like this one.

Information security doesn’t count

Monday, January 24th, 2005

Boardrooms are full of people who understand numbers, and businesses are run by numbers. The questions that independent directors are really interested in asking the executives are usually: “how are the numbers looking?” The executives have a series of questions they ask senior people inside their organization, things like: “What’s our sales conversion rate looking like?” and “Are we on track to hit that cost-reduction target?” or “Why has the component failure rate crept up over 1.3%?” And, because all these measurements are important, people have answers; they also know that things that are not measured aren’t as important.

So, how do we get information security to matter in the board room? We try and frighten the directors, is usually how. Now, there’s nothing wrong with fear as a motivator (and we all know that there’s a lot to fear, whether it’s external threats or compliance requirements) but if information security is ever to have long term importance in the board room, it’s got to be something that has a set of meaningful numbers attached to it. And that’s hard, because not only is there no standard methodology, there aren’t even any commonly accepted methods of costing even the most common incidents, threats or solutions.

And this is not surprising. In an environment where fear is the driver, then most organizations will seize on any data they can use to support their pitch; for instance, the claim that spam is currently 80% of all e-mail and is growing at 20% per year is a pretty useless statistic – what will our e-mail system look like in three years’ time? And what does it matter if you have a properly configured spam filter? What is the real cost of filtering out spam? And does it matter more or less than the 100,000 viruses in the wild? What is the real cost of leaked information and what is the real incidence of this type of espionage? How many intrusions of what sort were blocked last week with what sort of benefit to the business? What metrics should be used to assess the deployment of an information security solution? Does anyone know the answers?

Until the information security industry can produce coherent, meaningful answers to these questions, CIOs, CSOs and CTOs will struggle to communicate meaningfully with their colleagues and businesses will struggle to really get to grips with the issues.

CCOs – do you need one?

Monday, December 6th, 2004

35% of Global 2000 companies now have a Chief Compliance Officer – and not all of these companies are in the financial sector. The weight of compliance legislation (particularly Sarbanes-Oxley, Corporate Governance codes around the world, Privacy regulations, etc.) and the workload faced by the audit committee and by the CFO are, between them, encouraging a number of major organisations to appoint a Chief Compliance Officer. The question is: is this role really going to make a difference, or is it simply going to create more confusion inside organisations?

The issue is that, today, compliance fundamentally depends on technology and has significant financial involvement – from reporting through to costs. Already, on balance, CEOs and CIOs are failing to communicate. The CCO will have to communicate with the CEO, the CIO, the CFO, the audit committee and the IT governance committee (if there is one) – and will need substantial legal expertise to boot. If the CCO can effectively co-ordinate all these business functions, then there is a possibility that compliance will actually be improved – if not, the CCO will simply add to bureaucracy and inefficiency, without any significant improvement in the information security posture of the organisation.

Most CEOs and CIOs don’t communicate with one another…

Monday, November 15th, 2004

…so is it surprising that IT projects so often fail to deliver business benefits and that IT security is so often a business blocker rather than an enabler?

CBR (Nov 04) published survey results showing that 70% of IT directors (across 15 European countries) see poor communication channels as the “source of IT misalignment” – and apparently only 20% of them feel that their departments provide their organisations with any competitive advantage!

62% of CIOs believe that changes in business objectives are communicated so slowly that the IT department can’t respond properly – not that surprising, when you consider that “in almost one out of three cases, IT teams are divorced from the seat of business strategy and are not represented on the board.”

Information and ICT are just too important to the competitiveness of businesses today for this to be a sensible approach – if CEOs don’t get it, their boards should be thinking about replacing them, sooner rather than later.
