Posts Tagged ‘IT Governance’

Governance, risk management and compliance in 2009

Friday, January 2nd, 2009

As I see it, those organisations that survived 2008 are only going to get through 2009 if they manage cash really carefully. Cash management is only useful if it takes into account the full range of possible risks faced by the organisation. Simply hanging onto cash, not paying creditors and avoiding all expense and investment, is not the same as managing cash - because, even in a recession, there are business opportunities and growth prospects and those organisations that manage their cash effectively are able to prepare themselves to handle the range of possibilities - both on the upside and the downside.

Effective risk management tends only to happen in well-governed organisations; where risk management has failed (such as in our banks, the Big Three auto manufacturers and so on) it doesn’t take long to spot that their governance framework must also have been ineffective - not least if the organisation has had to beg for a support package from central Government.

I think that governance and risk management are going to be key themes in 2009 for the world’s better organisations; for all the rest, those for whom governance is just about box-ticking, 2009 will bring much more box-ticking, because regulatory authorities are not going to allow a repetition of 2008’s ‘perfect storm’, which means that compliance requirements are going to increase.

Of course, box-ticked governance will still be the poor relation of more constructive, fully engaged governance and risk management models that boards - under the guidance of an independent Chairman - deploy to manage the risks faced by the organisation in the difficult economic climate we all face this year.

I kind of hope that those organisations that eschew proper governance will go bust quickly, and get out of the way of the rest of us.

Green IT in 2009

Friday, January 2nd, 2009

The Top Ten Predictions for Green IT in 2009 are based on Gartner’s view that the combination of economic meltdown and Obama’s commitment to eco-friendly policies will drive a significant increase in Green IT activities and investment in 2009. Our recent Best Practice Report (Green IT: Reality, Benefits and Best Practices) focused on the economic benefits that corporations can derive from embracing Green IT - not just in terms of customer take-up (and, frankly, I suspect that a ‘green label’ won’t attract much of a price premium in recessionary economies - watch organic farmers, for instance, reduce their organic output to match the reduced budgets of their customers) but, far more importantly, in terms of cost reduction. Green IT in 2009 will be interesting to boards of directors because of the opportunity for significant reductions in power and utility costs.

ISO38500 winning recognition

Monday, December 15th, 2008

Some evidence is emerging that ISO/IEC 38500, the best practice standard for IT governance, is catching on. We’ve certainly seen steady demand for copies of the ISO38500 standard itself, as well as for the ISO38500 Pocket Guide and, more importantly, the ISO38500 IT Governance Framework Toolkit.

Regarding Liken’s survey, Rowlands says, “We were impressed by the strength of support for ISO/IEC 38500. Against the unfolding economic panorama, could it be that this is a more suitable measure of corporate IT governance and a catalyst for sound asset management?

“Cost savings and efficient usage seem now to be the primary drivers as organisations place a greater emphasis on controlling software and hardware usage rather than managing inventory and licensing.”

“ISO38500 is a catch-all IT governance standard and it’s much more attainable for a lot of businesses and it will give the directors of those businesses a sense that they are doing things the right way.”

In a nutshell, ISO38500 provides practical, straightforward guidance for directors on how they should go about ensuring that their IT operations are doing the right things - and doing the right things, cost-effectively, is going to be critical for every organisation that wants to survive the tough economic conditions we are currently experiencing.

IT Governance Training Passports

Sunday, March 16th, 2008

To help Human Resources and Training Managers get the most from their budgets we have introduced our new IT Governance Training Passports. In a single purchase, these allow organisations to acquire any combination of IT training, tools and support services from the most comprehensive one-stop shop on the Web. Discounts are offered on all chosen items, whether used immediately or at a future date, making them ideal for public and private sector organisations needing to purchase training ahead of their annual budget deadlines.

Training Passports are offered in three grades: Bronze (£5,000 + VAT), Silver (£10,000 + VAT) and Gold (£15,000 + VAT). Through IT Governance’s Training Gateway, Training Passport holders can access the Web’s widest range of accredited, professional IT training, which is available across the UK, and receive discounts of up to 30 percent:

* On every classroom course, including Basel II, BCM & BS25999, CISA, Cisco, CISM, CISSP, EC Ethical Hacking, HDI, ISO20000, ISO27001, ITILv2, ITILv3, ITIL bridging, Microsoft, MoR, MSP, Prince2 and Sarbanes Oxley.
* On every distance or e-learning course.
* On every exam guide, subject manual or other training material.

All bookings are made through IT Governance’s friendly and efficient team of training consultants, who can advise on how to get the maximum benefit from a Training Passport. Furthermore, these consultants can advise on additional late-booking discounts that IT Governance is often able to negotiate with training suppliers.

These discounts and the variety of options available allow HR and Training Managers to get the maximum value from their existing budgets. As purchasers receive just a single invoice for multiple courses and products, rather than needing internal expenditure approvals for each, this also saves significant administrative time and effort.

Although Training Passports enable courses to be purchased in advance, they offer flexibility, since delegates’ details need only be finalised at a later stage once the ideal course and location have been chosen. They also assure organisations of the most up-to-date training, as each Passport remains valid for all courses and products offered by IT Governance until it has been fully used.

Civil lawsuits start over lax data security approach

Tuesday, February 19th, 2008

The Realtime IT Compliance blog carried a significant post the other day - the first signs of US civil lawsuits against companies losing customer data.

In this case, it is a $54 million claim against Best Buy for losing a customer’s laptop, but watch this space for similar lawsuits for other forms of data loss and leakage - this is just the beginning.

Organisations taking a lax approach to data security are about to find out just how costly this can be for them. Such cases attract plenty of headlines, so sloppy businesses will have to start making much greater provisions for brand and reputational damage. We like to think that mature executive teams can be self-policing when it comes to looking after their customers, but too often it takes a potentially ruinous fine to focus their minds on the issue.

The alternative is to protect your customers and your own interests by adopting a best practice Information Security Management System. ISO27001 is the answer but remains an alien concept to many directors - perhaps a few courtroom pay days are just what we need.

House of Lords re-opens inquiry

Tuesday, February 12th, 2008

I read in ComputerWeekly that the House of Lords Science & Technology Committee is to re-open its inquiry into e-crime and the security of personal data, apparently due to the Government’s “vacuous, idle and irrelevant” response to its initial recommendations.

I am dismayed that, after what was a well-considered report, so little has been done by this Government. It is at least a little heartening that their Lordships are not mincing their words about their disapproval. Perhaps this time we may see a little more action as a result - I wonder. Time will tell, but one would think that the spate of data loss disasters, most notably the HMRC lost discs fiasco, would give the Government ample incentive to finally stop sitting on its hands.

As I wrote at the time of the Committee’s first report, ISO27001 needs to lie at the heart of the Government’s response to this challenge. It is high time that our political leaders put their money where their mouths are and made the Standard compulsory across all departments.

Granger goes, but who takes over?

Saturday, February 9th, 2008

I have written before about the uncertain leadership and consequent weak governance at the top of the NHS IT reform programme. Yesterday, we heard that director general Richard Granger has indeed finally left his role. But as to who takes over, we learn the following:

“There will be no direct replacement for Granger, but the DoH [Department of Health] will begin the process of filling two new positions over the next two weeks.”

What an extraordinary state of affairs, particularly given that Granger’s departure had been so well telegraphed. It beggars belief that in what is supposedly a cornerstone of the government’s reform programme, the issue of leadership comes as such an apparent afterthought.

Only 12 percent of companies have adequate IT governance

Friday, February 8th, 2008

We have seen a lot of media interest this week in the poll we recently did on the issue of IT governance, which underlined how few boards currently have their arms around this important responsibility. Some of the articles to appear so far include ComputerWeekly, CIO and IT Week. The media obviously understands the importance of this issue - now we just need board directors to catch on too.

Our key finding was that only 12 percent of businesses take IT governance seriously enough to exercise oversight via a properly constituted board committee. How on earth can this be, when even the most technophobic director will concede that IT is the engine powering most businesses today? If you have an audit committee to manage your financial governance, how can you fail to have an IT governance committee too?

Just as with an audit committee, an IT committee needs a mix of independent and executive directors, and must provide the focus for the board’s deliberations on technology. Especially when so few directors are technologically qualified, this is something that every mid to large size organisation should have. It is high time that investors and regulators start applying pressure for these measures to be adopted, because firms clearly aren’t doing it themselves.

For those who are ready to step up to the plate, our popular book ‘IT Governance: Guidelines for Directors’ is perhaps a good starting point.

Information classification schemes

Tuesday, January 22nd, 2008

Also from ComputerWeekly: Chief Information Officers need to take a leading role in setting up formal information classification schemes, to stop organisations over-engineering them in order to comply with security regulations, according to a report from the Information Security Forum.

Well, yes – classifying information correctly is a cornerstone of effective information security management. A simple scheme that assumes the bulk of information should be available to all employees, with only specific types of information restricted on a need-to-know basis, is the most practical approach available. It’s all discussed at length in my book, International IT Governance.
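To make the "simple scheme" concrete, here is an added example (not code from the original post, nor from IT Governance Ltd or the Information Security Forum) of a two-tier classification with the access decision it implies: every employee may read anything labelled INTERNAL by default, and only documents explicitly labelled RESTRICTED carry a need-to-know list of groups. It also includes the two checks a practitioner would want when such a scheme is rolled out: a lint for inconsistently labelled documents, and a rough measure of how much of the corpus has ended up in the restricted tier, which is the over-engineering signal the ISF report warns about. The label names, group names, users and documents are all constructed for illustration.

```python
"""Two-tier information classification with need-to-know enforcement.

Added example, not code from the original post or from IT Governance Ltd.
Everything is readable by all employees by default; only documents
explicitly labelled RESTRICTED carry a need-to-know list of groups.
Label names, group names and the sample corpus are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Label(Enum):
    INTERNAL = "internal"      # default tier: any employee may read
    RESTRICTED = "restricted"  # exception tier: only the listed need-to-know groups


@dataclass(frozen=True)
class Document:
    name: str
    label: Label = Label.INTERNAL
    need_to_know: frozenset = frozenset()  # groups allowed when RESTRICTED


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    is_employee: bool = True


def can_read(user: User, doc: Document) -> bool:
    """Access decision: employees read INTERNAL; RESTRICTED needs a shared group."""
    if not user.is_employee:
        return False                      # nothing in the scheme is open to outsiders
    if doc.label is Label.INTERNAL:
        return True                       # the default-open tier
    return bool(user.groups & doc.need_to_know)


def labelling_problems(doc: Document) -> list:
    """Lint one document's labelling; returns problem strings (empty if clean)."""
    problems = []
    if doc.label is Label.RESTRICTED and not doc.need_to_know:
        problems.append("RESTRICTED with no need-to-know group: nobody can read it")
    if doc.label is Label.INTERNAL and doc.need_to_know:
        problems.append("INTERNAL with need-to-know groups: the groups are ignored")
    return problems


def restricted_share(docs) -> float:
    """Fraction of documents in the RESTRICTED tier (a rough over-engineering signal)."""
    docs = list(docs)
    if not docs:
        return 0.0
    return sum(d.label is Label.RESTRICTED for d in docs) / len(docs)


# Constructed sample corpus and users (not taken from the post).
DOCS = [
    Document("canteen-menu.pdf"),
    Document("staff-handbook.pdf"),
    Document("product-roadmap.pptx"),
    Document("payroll-2008.xlsx", Label.RESTRICTED, frozenset({"hr", "finance"})),
    Document("merger-term-sheet.docx", Label.RESTRICTED, frozenset({"board"})),
    Document("orphaned-secret.txt", Label.RESTRICTED),  # misconfigured: no groups
]

ALICE = User("alice", frozenset({"engineering"}))
BOB = User("bob", frozenset({"finance"}))
CONTRACTOR = User("eve", frozenset({"engineering"}), is_employee=False)


def readable_by(user: User, docs=DOCS) -> list:
    """Names of the documents the user may read, in corpus order."""
    return [d.name for d in docs if can_read(user, d)]


if __name__ == "__main__":
    for u in (ALICE, BOB, CONTRACTOR):
        print(f"{u.name}: {readable_by(u)}")
    for d in DOCS:
        for p in labelling_problems(d):
            print(f"{d.name}: {p}")
    print(f"restricted share: {restricted_share(DOCS):.2f}")
```

The design choice worth noting is that the default is open and the exceptions are explicit: a document only becomes hard to reach when someone has consciously labelled it RESTRICTED and named who needs it. The lint catches the common failure of a restricted document with no audience, and the share metric gives a CIO a single number to watch when a scheme starts drifting towards classifying everything.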

NHS IT leadership

Tuesday, January 22nd, 2008

Confusion apparently surrounds the future of the job running the NHS’s £12.4bn flagship IT programme, and the timetable for the departure of director-general Richard Granger.

Wouldn’t it be nice if there were proper leadership of the NHS? But, as the NHS is increasingly run from 10 Downing Street, indecision and interference will only get worse. And there’s every chance that the CfH programme will, without proper leadership, lose its way, and we’ll see any improvements that have actually been achieved wither away.