Posts Tagged ‘IT Governance’

Piecemeal IT governance

Monday, March 27th, 2006

Following the launch of our end-to-end IT Governance Framework, here’s a news item that underlines why it is necessary. Mercury Interactive, which develops governance packages, has done research that shows that only 2 percent of businesses are rolling out IT governance across the organisation. OK – good statistic, and doubtless the budgetary constraints that Mercury complains of are factors here. However, I don’t agree that the answer is necessarily just to shovel more of the IT budget into the open pockets of ‘catch-all’ vendors.

The reality is that IT governance is too complex and multifaceted for one or even a couple of smart vendors to be able to solve, no matter how much cash you give them. Instead, companies should look to understand how the various best practice tools already out there can be made to work more in sync with each other and with corporate strategy. That is what our IT Governance Framework is there for – and it’s free.

Joining the dots in IT governance

Thursday, March 16th, 2006

IT governance is a broad topic involving multiple disciplines, including information technology, risk management, project management, strategy, intellectual property, business design and compliance. Pity the poor IT governance professional trying to draw together the various responsibilities and tools relating to each area. Up to this point no single tool has provided a full picture of IT governance. In fact, collectively, existing tools have often given a confusing impression that actually hinders the purpose of IT governance: to equip boards with information and levers for directing, evaluating and monitoring how well IT supports their core businesses.

To address this problem we have just launched a new IT Governance Framework. It isn’t yet another tool – there are more than enough of those. Instead, it sets out an end-to-end process for integrating the IT governance roles and tools that apply to an organisation’s boardroom, executive and IT department functions. To our knowledge this is the first framework of its type in the world and should significantly help IT governance practitioners communicate to their colleagues what has to be done. Being generous souls we are making this available free of charge.

The IT Governance Framework is based upon our popular management book ‘IT Governance Today – A Practitioner’s Handbook’. It provides the basis for the forthcoming IT Governance Toolkit, which will provide a comprehensive suite of policies, procedures and task sheets to enable organisations to implement a comprehensive IT governance system that genuinely aligns IT with corporate strategy. We plan to release this in Q2 2006 so watch this space.

IT Governance Institute 2006 Status Report

Thursday, March 9th, 2006

Following on from the last post below, here is the proof. The IT Governance Institute is gearing up to release its 2006 Global Status Report, which was supposed to be available for free downloading from late February – presumably out any day now. It gave a sneak preview to ZDNet Asia, which revealed some striking variations in boardroom awareness of IT issues. Unsurprisingly, India scores highly – it has been interesting to note that many of the recently announced ISO 27001 certifications have been from Indian businesses. Japan, however, is an anomaly: only 26 percent of respondents from there reported that IT is discussed regularly (or more often) by the board, compared to 63 percent of respondents worldwide, yet Japan has the highest number of successful ISO 27001 certifications in the world, and ISO 27001 certification requires some strategic board input.

Generally, the ITGI is encouraged by progress since its last global survey in 2003. However, there remains a lot to do before most directors should sleep too easily at night:

‘The study also found that CEOs are responsible for governance over IT in only 24 percent of the organizations surveyed. As in 2003, CEOs and business executives are still hesitant to discuss IT governance. Shareholders should worry about this, because boards and CEOs are ultimately responsible for IT risk management and oversight over all major assets–including IT. Instead, the study found that CIOs are responsible for IT governance in 33 percent of organizations, and nobody is responsible in 6 percent of organizations.’

What is IT governance anyway?

Tuesday, January 24th, 2006

What is IT governance? What does it include or exclude? Who is responsible for it? These questions are frequently asked in the Blogosphere and elsewhere. Right now it’s the subject of some interesting discussion at Andrew Clifford’s IT Toolbox blog, which includes a good post by Andrew and some quality observations from others. However, the answers are less elusive than some debate suggests.

IT governance does have a formal definition: “IT governance is a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: Guidelines for Directors, p20.)

Because it deals with all aspects of governance of IT, it includes system governance. Andrew is absolutely correct in identifying that there are significant systems issues – and I would argue that these issues exist primarily because of an absence of IT governance, in the sense that the organizational governance framework has failed to consider what information and, therefore, what systems requirements the organization will have.

IT governance should be owned by the board. It’s not an IT management responsibility any more than financial governance is a financial functional responsibility. Governance is the board’s job. The board is quite capable of governing IT, if it would only put its mind to it. There are a number of respectable IT governance frameworks that reflect this fundamental principle, including CobiT, the Australian Standard AS 8015:2005 and the IT Governance framework identified in ‘IT Governance Today: a Practitioner’s Handbook’.

Security convergence

Monday, January 9th, 2006

Just when you thought the IT security plate was sufficiently full, here’s the next big thing to digest: security convergence.

Given the rising tide of internet crime and international terrorist activity, companies are beginning to think about how to bring together the separate strands of IT security and physical security. I’ve written before about the importance of taking a holistic approach to information security (including in my books about implementing information security management systems) and a very thorough article here at CSO Online reflects the experience of several major US organisations.

Of course, not every company has the scale or nature to require a Chief Security Officer on the board. However, it IS in the interests of every company to have a coherent approach to ensuring overall security and business continuity. Becoming ISO 27001-compliant is the starting point for any business serious about managing IT security risks, but there are undoubtedly lessons in this article for SMBs as well as multinationals.

Expect to hear a lot more about this topic in 2006.

Deepening the bench

Wednesday, January 4th, 2006

Computerworld says that security specialists will be in hot demand in 2006 – no, really?! Hardly surprising, given the relentless pace at which internet threats are developing. What’s interesting is how supply and demand are currently working – salaries offered to security specialists are lower than of late because of the large number of people who have gained certifications in the past couple of years. Inevitably, these highs and lows will smooth out over time, but in the short term it means that interviews for security posts are going to get tougher as more people vie for each post. That’s hard luck for candidates but good news for the IT governance cause (assuming that firms are sifting for the right qualities) – the better the quality of mid level recruit now, the deeper the bench of talent when it comes to selecting the next generation of CIOs who can genuinely champion IT governance in the boardroom.

Don’t ‘align’ – Integrate!

Friday, December 9th, 2005

‘The goal of aligning the use of IT systems more effectively with the ambitions and desires of ‘the business’ is now firmly established as a major priority in many organisations.’ This opening paragraph of Tony Lock’s article today on IT Service Management goes on to say that an early desire to work out how IT budgets were being spent has evolved into ‘an attempt where possible to align IT resource usage with goals set by the business itself’.

‘Where possible?’

While I’m delighted that ‘IT alignment’ is increasingly on board agendas, we really do have a long way still to go – conceptually, as well as in practice. There is still a widely-held and deep-seated view, primarily amongst the IT community, that the IT organization is a separate organization from ‘the business’ (what I call the ‘two empires model’) and that, for instance, IT resource usage goals should be primarily set by the IT people.

This, of course, is nonsense. Shareholders appoint directors to be responsible for the whole of the business, and they expect (by law and by custom) their appointed directors to act in the interests of all the shareholders and across all aspects of the business. The board is responsible for governing IT and all responsible boards will ensure that their IT functions are integrated into the business, and that IT resource usage goals and priorities are exclusively set by the business – the business, after all, is the reason why the support functions exist.

Boards, and IT leaders, need – as I argued in IT Governance: Guidelines for Directors – to engineer a significant shift in the governance of their enterprises so that IT starts delivering on business priorities. The level of IT investment, and the sheer cost of the long-term and ongoing IT failure to genuinely enable the business means that, sooner or later, business managers are going to cut down the IT organization.

For IT leaders, therefore, the long term choice is between integration into the business, as a key strategic contributor, and subordination to the business, as a basic utility. Integration is the best outcome for everyone; subordination, on the other hand, would be better for the shareholders than continuing the current, common, two empires model.

IT governance is mission critical

Thursday, December 1st, 2005

As the vital importance of IT governance to the Information Age becomes better understood, it’s not surprising that newspapers are starting to give it serious coverage. This excellent article from the Sydney Morning Herald illustrates that effective control of the IT function is absolutely mission critical. It talks about the financial nightmare that the Australian Customs Service’s new integrated cargo system has become as a result of poor oversight and executive control – or what is usually known as ‘governance’. Given that London has its own vast development programme underway to host the 2012 Olympics, this article should make sobering reading for the UK’s new Olympic Delivery Authority. Increasingly, IT governance will become a hot topic for our own national newspapers – let’s hope it will be in a positive light.

Aligning Cobit, ITIL and ISO 17799

Tuesday, November 15th, 2005

The recently launched ‘Aligning Cobit, ITIL and ISO 17799 for Business Benefit’ is a welcome step toward making IT governance more usable for most organizations. There has long been confusion over which of these three frameworks is really an IT governance framework; for an equal length of time, the answer has been that each is a component of such a framework, as I proposed in IT Governance Today: a Practitioner’s Handbook earlier this year.

While I’m delighted at this progress, there is (as I’ve already argued) further still to go in integrating and simplifying IT governance frameworks, and I will be taking this further in the 2nd edition of the Practitioner’s Handbook when it is published early next year.

The IP security debate

Tuesday, November 15th, 2005

Spotted an interesting article at SC Magazine talking about concerns over the security of VoIP. If ever a story pointed, unwittingly, at the fact that good information security is a business-enabler, this is it! Technology helps businesses perform better, more efficiently, and more profitably.

New technology also creates opportunities for new attacks. Effective information security – a key leg of IT governance – enables this new technology to mostly bring benefits, rather than problems.

It would be useful if rather more executives focused on the critical role that information security and IT governance can play in helping their businesses advance to success.