Posts Tagged ‘Compliance’

Basel II - Really, What Was The Point?

Friday, February 27th, 2009

I find that I wrote this, a couple of years ago, in IT Governance - Guidelines for Directors: “Basel 2 seeks to achieve its goal of strengthening the international financial system through three pillars. Pillar 1 aims to align a bank’s minimum capital requirements more closely to its actual risk of economic loss, aiming to establish an explicit capital charge for a ‘bank’s exposures to the risk of losses caused by failures in systems, processes, or staff or that are caused by external events’.[1] Those banks whose approaches to measuring, managing and controlling their operational risk exposures are appropriate to the risk area will have lower capital requirements. While Pillar 2 allows for supervisory review of banks’ risk management processes, Pillar 3 explicitly sets out to enhance transparency in banks’ public reporting in order to ‘leverage the ability of market discipline to motivate prudent management’.”


So, what on earth was the point of Basel II?

It rather looks to me as though:

  • Pillar 1 was a bust, or we wouldn’t have had Northern Rock, RBS, HBOS, Citi, etc;
  • Pillar 2 – well, the supervisory reviews of banks’ risk management processes clearly haven’t been that hot, or someone might have spotted that lending someone 125% of the already inflated value of their property, on repayment terms that in some cases exceeded their monthly gross earnings, wasn’t exactly a demonstration of effective risk management – or that the creation of opaque, deliberately over-complex CDOs and other instruments wasn’t an attempt at clarity (to say nothing of the cynical appointment to the regulatory authority’s board of someone responsible for firing one of the few risk managers who actually appears to have been doing their job in drawing attention to the bank’s failure to manage risk effectively) – and, as for
  • Pillar 3 – well, I guess ‘Sir’ Fred Goodwin’s £650k annual pension (after early retirement!) is a good example of market discipline motivating prudent management, isn’t it? And I bet that no-one would even consider removing the knighthoods that this collection of pretend bankers were awarded, will they?

So, maybe Basel II was really just an excuse for a lot of central bankers to get together for dinner on a regular basis?



[1] BIS Press Release, 26 June 2004

Governance, risk management and compliance in 2009

Friday, January 2nd, 2009

As I see it, those organisations that survived 2008 are only going to get through 2009 if they manage cash really carefully. Cash management is only useful if it takes into account the full range of possible risks faced by the organisation. Simply hanging onto cash, not paying creditors and avoiding all expense and investment, is not the same as managing cash - because, even in a recession, there are business opportunities and growth prospects and those organisations that manage their cash effectively are able to prepare themselves to handle the range of possibilities - both on the upside and the downside.

Effective risk management tends only to happen in well-governed organisations; where risk management has failed (such as in our banks, the Big Three auto manufacturers and so on) it doesn’t take long to spot that their governance framework must also have been ineffective - not least if the organisation has had to beg for a support package from central Government.

I think that governance and risk management are going to be key themes in 2009 for the world’s better organisations; for all the rest, those for whom governance is just about box-ticking, 2009 will bring much more box-ticking, because regulatory authorities are not going to allow a repetition of 2008’s ‘perfect storm’, which means that compliance requirements are going to increase.

Of course, box-ticked governance will still be the poor relation of more constructive, fully engaged governance and risk management models that boards - under the guidance of an independent Chairman - deploy to manage the risks faced by the organisation in the difficult economic climate we all face this year.

I kind of hope that those organisations that eschew proper governance will go bust quickly, and get out of the way of the rest of us.

The US Corporate Governance Model is Broken

Thursday, December 11th, 2008

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later, to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent - and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO - however mighty, however well-rewarded - reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’ The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ‘senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year - it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken - and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.

Data loss – a call for Best Practice

Monday, April 14th, 2008

It is hard to get away from media stories about accidental losses of personal or confidential data - Government laptops stolen from a car, secret council files found in a skip, and so on. The latest strand to this story is the revelation last night on the excellent Donal MacIntyre programme (BBC Radio 5 Live on Sunday 13 April) that a council childcare worker recently lost confidential information about a child under his protection after popping into a bar for a drink. Download the programme podcast here.

Recently I’ve come across a different but equally worrying trend – the deliberate bypassing of formal security procedures by employees in companies with established security regimes. Our research found that a staggering 68 percent of employees admitted to breaching security controls in order to do their jobs. Are these people mad, bad or worse? Actually, the chances are that they are basically conscientious employees just trying to get their work done under trying circumstances. The greater culprit here is likely to be well-intentioned but misguided managers, who are putting in place unduly frustrating policies that strike the wrong balance between the security and availability of information.

Clearly, this points to a serious disconnect between the people who specify and police internal security systems, and the employees at the coalface who interface with them in their daily lives. If we are ever to make meaningful progress in the battle against identity theft and online fraud, there is a vital battle to be fought for the hearts and minds of staff.

Tomorrow we will publish a timely new insight into the state of data breaches worldwide and what organisations need to do about them. Data Breaches: Trends, Costs and Best Practices assesses the true state of today’s data breach environment; recognises the real, damaging trends that affect organisations and individuals; and identifies current and emerging best practices in controlling the risks and costs arising from inadequate data security. The report is aimed at executives, information security managers, risk managers, auditors, compliance managers, stakeholders and data controllers worldwide, i.e. it is for precisely the people who may be putting in place the policies that their employees are currently working around. If you or your organisation would benefit from reading this – and there are clearly many – you can find out more and purchase a copy here.

Civil lawsuits start over lax data security approach

Tuesday, February 19th, 2008

The Realtime IT Compliance blog carried a significant post the other day - the first signs of US civil lawsuits against companies losing customer data.

In this case, it is a $54 million claim against Best Buy for losing a customer’s laptop, but watch this space for similar lawsuits for other forms of data loss and leakage - this is just the beginning.

Organisations taking a lax approach to data security are about to find out just how costly this can be for them. Such cases attract plenty of headlines, so sloppy businesses will have to start making much greater provisions for brand and reputational damage. We like to think that mature executive teams can be self-policing when it comes to looking after their customers, but too often it takes a potentially ruinous fine to focus their minds on the issue.

The alternative is to protect your customers and your own interests by adopting a best practice Information Security Management System. ISO27001 is the answer but remains an alien concept to many directors - perhaps a few courtroom pay days are just what we need.

Only 12 percent of companies have adequate IT governance

Friday, February 8th, 2008

We have seen a lot of media interest this week in the poll we recently did on the issue of IT governance, which underlined how few boards currently have their arms around this important responsibility. Some of the articles to appear so far include ComputerWeekly, CIO and IT Week. The media obviously understands the importance of this issue - now we just need board directors to catch on too.

Our key finding was that only 12 percent of businesses take IT governance seriously enough to exercise oversight via a properly constituted board committee. How on earth can this be, when even the most technophobic director will concede that IT is the engine powering most businesses today? If you have an audit committee to manage your financial governance, how can you fail to have an IT governance committee too?

Just as with an audit committee, an IT committee needs a mix of independent and executive directors, and must provide the focus for the board’s deliberations on technology. Especially when so few directors are technologically qualified, this is something that every mid to large size organisation should have. It is high time that investors and regulators start applying pressure for these measures to be adopted, because firms clearly aren’t doing it themselves.

For those who are ready to step up to the plate, our popular book ‘IT Governance: Guidelines for Directors’ is perhaps a good starting point.

Top tips for getting 27001 certificated

Friday, October 5th, 2007

Part of our business is advising companies that wish to become ISO27001 certificated and we are delighted that two clients recently passed their independent audits with flying colours. Gemserv is an independent consultancy in the energy sector while Easynet is a network management and hosting company owned by BSkyB. In each case we worked with them to scope and set the critical path for their compliance project, provide the necessary training for their in-house project team and then act as on-call coach throughout their risk assessment, risk treatment and pre-audit phases.

From working with various firms we have identified several factors that determine how quickly they will succeed in achieving ISO27001 compliance. To any organisation about to embark on this process we make the following strong recommendations:

1. Get senior management buy-in from the outset - if you don’t, you won’t get the money, time and resources you need and will find it harder to get other colleagues to play their part.
2. Establish a project board, including a senior sponsor and a well qualified project manager, and a motivated project team to run the process day-to-day.
3. Choose and use a good project management methodology - the compliance process reaches right through the organisation and has many interlocking parts; if you don’t keep a tight grip it can quickly slip out of your control.
4. Communicate and train at every level - not only does your project team need to be given the skills and knowledge for their task, but all your other colleagues need to understand what is being delivered and why. If not, your work may quickly unravel.
5. Lastly, recognize that there is no end point to the project - becoming certificated is just the start; you have to make the information security management system an ongoing part of your business and broadcast this message consistently from the start.

Data explosion calls for strengthened compliance measures

Tuesday, March 20th, 2007

ZDNet reports that new research from IDC is predicting a sixfold increase in the amount of digital information created over the next four years, which could have serious implications for compliance and IT departments.

The report, entitled ‘The Expanding Digital Universe’, says that much of the data created through new tools and applications will be subject to compliance rules such as Sarbanes-Oxley, Basel II and other legislation. IDC warns that companies will have to improve their IT infrastructure to make sure that their compliance strategies can cope with this rising tide of data.

What is just as important, I would argue, is to have in place the compliance processes that can satisfy this web of regulatory demands. An ISMS built according to ISO 27001 provides just the tool to achieve this, which explains why certification is being pursued by more and more companies.

Disaster planning still lags behind

Wednesday, December 13th, 2006

The British Standards Institution has found a significant improvement in companies’ business continuity planning in the past 12 months. However, of the 100 FTSE-250 firms interviewed, “Only 45% … had comprehensive plans in place for a supply chain failure, and 21% of companies said they required all suppliers to have business continuity plans in place.”

Nobody should kid themselves that this can remain the case: any company is potentially vulnerable to a continuity failure if a supplier lets them down. For that reason, expect to see suppliers increasingly called upon to prove that they have measures in place to ensure their dependability. This will be one of the main drivers for the growth of ISO 27001 certification in the next five years. Companies that have it will prosper; companies that don’t will get left behind.

Getting started with IT Governance

Tuesday, October 17th, 2006

IT Governance, as Jason Cole points out, is more than project management, more than regulatory compliance, more than CobiT or ITIL or ISO 27001.

It’s also somewhat more than his article suggests. There are three books that tackle this subject: a Weill and Ross book (How Top Performers Manage IT for Superior Results) from Harvard Business Press, a compact and concise guide for Directors (IT Governance: Guidelines for Directors) and IT Governance Today: a Practitioner’s Handbook.

Even more usefully, there is a new framework that pulls together all components of IT governance (the Calder-Moir IT Governance Framework) and the related IT Governance Framework - Toolkit that is designed to help organizations of all sizes make a start with tackling IT governance at their own pace and in their own way - and at a cost somewhat less than is likely to be extracted by a substantial consultancy provider.

With all these resources so easily available, there’s no need for anyone to wonder what IT governance actually is, or to work out how to get started with realising the real business benefits of implementing an IT governance framework.