Posts Tagged ‘sarbanes-oxley’

The US Corporate Governance Model is Broken

Thursday, December 11th, 2008

The essential difference between the US and the UK models of corporate governance is that, in the UK, there is a clear understanding of how board rooms work combined with a flexible, principles-based approach while, in the US, corporate governance is essentially an expensive compliance activity that gives CEOs a level of autonomy that allows them, sooner or later, to wreck their companies - and the economy.

The usual situation, in a US-listed company, is that the CEO is also the Chairman of the Board; in the UK, this is highly unusual and, whenever it happens, there is a furore amongst investors and in the press.

The usual practice, in the UK, is that the board is chaired by an independent director, who is usually non-executive and who is genuinely independent - and it is recognised that, once a Chairman has been in situ for too long, he (or she) ceases to be independent. The CEO - however mighty, however well-rewarded - reports to the Chairman and, when the CEO fails in his role, the Chairman is responsible for ensuring that appropriate action is taken to ‘drop the pilot.’ The UK board is made up of a majority of independent directors and, in larger companies, there will usually be a recognised ‘senior director’ whose role it is to ensure that the Chairman doesn’t ‘go native’ and who would be expected to lead the board’s annual review of the Chairman’s performance.

US CEOs talk of themselves serving ‘at the pleasure of the board’; of course, this doesn’t really mean much as it is usually the CEO who chairs the board which, itself, is usually made up of ‘outside’ directors with whom the CEO has personal relationships. CEOs of US companies are therefore usually in place for far too long and, because there is no genuinely independent control over their compensation packages, are hugely overpaid. (I’m never that impressed by a CEO offering to take a $1 salary for a year - it would be so much more impressive if he also volunteered to return 50% or more of the previous year’s multi-million dollar over-compensation to the company.)

While the UK corporate governance model doesn’t always protect UK shareholders from incompetence or stupidity on the part of their boards, it does at least help UK companies avoid a situation where their CEOs turn up in Parliament with a begging bowl, having flown there on parallel private jet flights. One would have thought that any Chairman worth his or her salt would immediately have sacked a CEO who is so far removed from reality that, when asked the direct question on camera about whether they would immediately dispose of the private jet and return home by commercial airline, he couldn’t even come up with a plausible response.

And, while the world has clearly been living beyond its means for far too long, it’s also clear that the US cult of the CEO ego is right at the heart of the huge, ill-considered, crazy bets that their companies have taken - and as a result of which we all now face a long, hard few years.

The US now needs a corporate governance code that resembles the UK’s Combined Code; in the UK, in the meantime, we need to get on with improving our own performance. We also need institutional shareholders tough and determined enough to insist on board changes when their boards are destroying the investments for which they have a fiduciary responsibility.

IT Governance Training Passports

Sunday, March 16th, 2008

To help Human Resources and Training Managers get the most from their budgets, we have introduced our new IT Governance Training Passports. In a single purchase, these allow organisations to acquire any combination of IT training, tools and support services from the most comprehensive one-stop shop on the Web. Discounts are offered on all chosen items, whether used immediately or at a future date, making them ideal for public and private sector organisations needing to purchase training ahead of their annual budget deadlines.

Training Passports are offered in three grades: Bronze (£5,000 + VAT), Silver (£10,000 + VAT) and Gold (£15,000 + VAT). Through IT Governance’s Training Gateway, Training Passport holders can access the Web’s widest range of accredited, professional IT training, which is available across the UK, and receive discounts of up to 30 percent:

* On every classroom course, including Basel II, BCM & BS25999, CISA, Cisco, CISM, CISSP, EC Ethical Hacking, HDI, ISO20000, ISO27001, ITILv2, ITILv3, ITIL bridging, Microsoft, MoR, MSP, Prince2 and Sarbanes Oxley.
* On every distance or e-learning course.
* On every exam guide, subject manual or other training material.

All bookings are made through IT Governance’s friendly and efficient team of training consultants, who can advise on how to get the maximum benefit from a Training Passport. Furthermore, these consultants can advise of additional late-booking discounts that IT Governance is often able to negotiate with training suppliers.

These discounts and the variety of options available allow HR and Training Managers to get the maximum value from their existing budgets. As purchasers receive just a single invoice for multiple courses and products, rather than needing internal expenditure approvals for each, this also saves significant administrative time and effort.

Although Training Passports enable courses to be purchased in advance, they offer flexibility, since delegates’ details need only be finalised at a later stage once the ideal course and location have been chosen. They also assure organisations of the most up-to-date training, as each Passport remains valid for all courses and products offered by IT Governance until it has been fully used.

Data explosion calls for strengthened compliance measures

Tuesday, March 20th, 2007

ZDNet reports that new research from IDC is predicting a sixfold increase in the amount of digital information created over the next four years, which could have serious implications for compliance and IT departments.

The report, entitled ‘The Expanding Digital Universe’, says that much of the data created through new tools and applications will be subject to compliance rules such as Sarbanes-Oxley, Basel II and other legislation. IDC warns that companies will have to improve their IT infrastructure to make sure that their compliance strategies can cope with this rising tide of data.

What is just as important, I would argue, is to have in place the compliance processes that can satisfy this web of regulatory demands. An ISMS built according to ISO 27001 provides just the tool to achieve this, which explains why certification is being pursued by more and more companies.

SOX webinar

Monday, January 16th, 2006

ISO 27001 is of course an ideal solution for businesses that need to ensure they comply with Sarbanes Oxley IT control requirements. I’ll be doing a webinar on 25 January in collaboration with Compliance Online to discuss precisely how the standard draws together CobiT, ITIL and ISO 17799 to create the necessary multi-layered solution. Topics to be covered will include:

* Current and future governance and compliance requirements
* The role of enterprise risk management
* Linkages and similarities between state, national and international regulations
* Why the traditional approach to regulatory compliance no longer works
* Business risks arising from legal contradictions, overlaps and loopholes
* Scale and impact on corporate brand, market position and share value of regulatory failure
* Key governance requirements of directors
* Role of best practice frameworks
* Linkage between compliance requirements and best practice frameworks
* Background and history of CobiT, ITIL and ISO 17799 - similarities and differences
* Importance of the CobiT/ITIL/ISO17799 joint framework
* Benefits of deploying this best practice framework
* Critical success factors in deploying this framework

For more information or to make a booking, click here.

Remedying data theft

Monday, April 25th, 2005

Recent months have seen a series of widely publicized personal data thefts from companies that ought to have known better - and, in parallel, a series of US legislative proposals for bills that would have the characteristics of both California’s SB1386 and the Sarbanes Oxley Act. Of course, those organizations who lost data - and those who, but for the grace of [insert], go there - don’t think that more legislation of this sort is called for.

The choice, though, is quite easy: improve security voluntarily, so that people feel their privacy is properly protected, or be forced to do so - the outcome is not in doubt, just the pain and expense of getting there has still to be determined.

My expectation is that, just as with financial corporate governance, organizations will have to be forced to take proper steps to really protect personal data. A pity, because the total cost of that route is invariably greater than if it is tackled voluntarily.

Sarbanes Oxley culprits

Tuesday, January 25th, 2005

According to Compliance Week, 582 companies have - under Sarbanes Oxley’s section 404 - so far disclosed material weaknesses or significant deficiencies in internal controls in respect of last year.

Wow!

Considering the amount of time that all companies have had - and the number who have not had to make disclosures - this is a disturbing number. Remember, these are meant to be serious internal control weaknesses, so it’s unlikely that anyone is making disclosures just to cover their backs - Moody’s is one ratings agency that talks of reconsidering a company’s rating if there are disclosures. In fact, a Moody’s analyst pointed out that the disclosures called into question the management’s competence to run their business.

Apart from all the inevitable questions there must be about what the directors are actually paid for, and how come they aren’t all fired, there is a more fundamental question: if it took Sarbanes Oxley to flush out all these internal control weaknesses, what would be happening without it?

There is, apparently, a growing complaint movement from boards and directors about the requirements of Sarbanes - but it seems to me that Sarbanes didn’t come a moment too soon.

CCOs - do you need one?

Monday, December 6th, 2004

35% of Global 2000 companies now have a Chief Compliance Officer - and not all of these companies are in the financial sector. The weight of compliance legislation (particularly Sarbanes Oxley, Corporate Governance codes around the world, Privacy regulations, etc) and the workload faced by the audit committee and by the CFO are, between them, encouraging a number of major organisations to appoint a Chief Compliance Officer. The question is: is this role really going to make a difference, or is it simply going to create more confusion inside organisations?

The issue is that, today, compliance fundamentally depends on technology and has significant financial involvement - from reporting through to costs. Already, on balance, CEOs and CIOs are failing to communicate. The CCO will have to communicate with the CEO, the CIO, the CFO, the audit committee and the IT governance committee (if there is one) - and will need substantial legal expertise to boot. If the CCO can effectively co-ordinate all these business functions, then there is a possibility that compliance will actually be improved - if not, the CCO will simply add to bureaucracy and inefficiency, without any significant improvement in the information security posture of the organisation.

IT Governance

Tuesday, November 2nd, 2004

The rapidly changing world of corporate governance (driven particularly by the UK’s Combined Code and the US Sarbanes Oxley Act) makes it essential for listed companies to implement IT governance structures - common sense would argue that, if a substantial part of your shareholder value is tied up in intangible assets and if your business model in any way depends on your investment in IT, you would see IT governance as a ‘sine qua non’ - I recently did a presentation on all this in Oxford, UK. I would welcome views on how corporate governance, IT and information security are currently interacting.