When my book on IT Governance was first published two and a half years ago, it stood on its own. IT Governance Ltd and www.itgovernance.co.uk were equally unique. There has, since then, been a proliferation of articles, companies and websites professing to be about IT Governance. When you scratch the surface of most of them, you find they are selling a specific product or service that may (or may not) have a governance role; they are not providing services to help organisations develop, implement or improve their IT governance postures. I might have been partly to blame, I guess, as my book was largely about achieving BS 7799; at the time, I thought (and still do) that information security was the most pressing IT governance issue. However, the agenda is changing and I will be extending coverage of the broader IT Governance issues in the third edition (an up-to-the-minute combined hard copy/online version), due out next year.
Using the concept of “IT Governance” to peddle software or other “solutions” does our clients no favours: legal compliance software is no more an IT Governance solution than an anti-virus package is an information security management system. When a client purchases something that deals with one part only of a whole spectrum of issues – but believes that it is the entire solution – they are blinded to other threats and vulnerabilities – some of which may have the potential to do more damage than the one they have just patched. Vendor transparency is, I believe, essential for providers of governance solutions; we must be able to say clearly: “We do this, and this – but not that or that – although we will refer you to others who can fill the gaps…” That way, we can each build long-lasting client relationships – not least because we will have helped ensure that our clients are around for the long term!