This article was originally published on the ISACA Now blog on 22 April 2020.
A network patch management tool to be procured is often seen mainly as an expense by the finance department and, therefore, queried subjectively or even rejected. Arguably, this is a counterintuitive posture toward a strategic procurement made under the risk treatment plan to mitigate what can be considered one of the most significant risk scenarios facing the organization. The loss to the organization can be substantial if this negative posture gains currency and prevails.
In this context, the lack of proper IT governance may yield 2 differing pitches for the same purchase:
“We need to purchase a tool that scans our network for threats, quickly identifies vulnerabilities and proposes mitigation steps.”
Or:
“We want to allow your IT department to do what it thinks is needed, based on the guidance of your board of directors (BoD), where we as a company are moving toward, and how the IT department can enable this journey.”
Which statement do you think gets the C-suite executives to sit down and listen?
Well, the research seems to suggest that, on most occasions, the latter gets executives’ attention. This brings us to the symptoms of poor IT governance, which are easily discernible. They are manifested as follows:
- Executive management distancing themselves or not taking responsibility for IT issues or investments
- IT as a topic being absent from the BoD agenda
- IT professionals complaining about why approvals for critical IT asset purchases are not given
- High IT staff turnover and significant gaps in IT training budgets or competency requirements
- IT personnel not being sure about the business objectives or what the business wants to achieve—to put it succinctly, “void of understanding of business strategy.” This symptom is the most notable.
Therefore, an integral element of the value of good IT governance is the absence of these symptoms.
The overarching principle that encapsulates the value of IT governance most simply is alignment: the ability to align IT objectives with strategic business goals. Once this is achieved, it is easier for the C-suite to understand and appreciate the process accordingly. The value of IT governance is not well understood because it is often complicated by varying and imprecise definitions, difficulties encountered in implementation and miscommunication during the process.
I will define IT governance as the overarching directive borne out of leadership to steer the critical alignment between IT assets and business strategy. The formula below summarizes this:
Leadership * (Framework + Directive + Value Optimization) = IT Governance
The important question is, how did we arrive at this formula? COBIT® 2019 outlines 40 processes—35 processes for management and 5 processes for governance. The 5 governance processes, labeled Evaluate, Direct and Monitor (EDM) EDM01–EDM05, are shown in figure 1.
Figure 1—IT Governance Formula Derived From COBIT 2019
Certified in the Governance of Enterprise IT® (CGEIT®) ideally covers all 5 of these governance topics, as described in the CGEIT Review Manual 7th Edition. However, what is noteworthy is that the CGEIT community is composed mostly of IT professionals. Therefore, although the content is invaluable, we need a mechanism to get it into the board room, where we have executive managers, board members, lawyers, accountants and C-suite executives. Accordingly, I have added leadership as an area of focus for us, as IT professionals, to use our leadership skills to create condensed versions of IT governance and management topics and target them at the BoD and C-suite executives as short learning exercises.
The reason I highlighted leadership is that leadership has a profound effect on IT governance. In this context, regardless of your role and title in a company, getting your executives to see the value of IT governance requires you to speak their language. Richard L. Routh, in The Power of Role, provides an excellent breakdown of C-suite roles and their focus and expectations. He asserts that if you understand the role, you will have more influence and more significant political clout in the corporate world. This also applies to explaining or proposing IT governance.1
Governments, like businesses, are seldom devoid of bureaucratic and governance mechanisms, all of which came from various periods of misallocation or were enforced by external pressure to ensure transparency and accountability. However, information and communications technology (ICT) is hardly considered in the same light as requiring rigorous mechanisms for governance and management. This is true for 1 reason only: we have not yet experienced a local or worldwide catastrophe that requires a bucking of the trend and forces the accounting arm of businesses, governments and international standards bodies to unilaterally enforce IT governance. Yet this is not to say that some entities have not begun to accept international guidelines and rules and have not seen tremendous benefits from IT governance. We all know that the shift to the International Financial Reporting Standards (IFRS) and the US Sarbanes-Oxley Act of 2002 were triggered by scandals at Enron and other corporations. Why wait for major incidents to trigger the adoption of good practices? IT governance is a necessity. Our job as IT professionals is to explain this to the right people, at the right time and in the right way.
Sunil Sheen, CRISC, CGEIT, AWS Solutions Architect, PMP
Sheen has more than 15 years of experience as an IT professional or specialist and has worked throughout the CARICOM and the wider Caribbean region. He is currently the contract manager for the CARCIP Broadband Project in St. Vincent and the Grenadines, with responsibility for the implementation of a Government-Wide Area Network within St. Vincent and the Grenadines. His role includes financial compliance, service level management and contract administration. Throughout his career, he has worked for a cross section of industries including oil and gas, local and central governments, and securities and exchange commissions, encompassing various technical roles such as solutions architect, systems developer and database administrator. He also proffers professional services as an IT management consultant for indigenous commercial banks, credit unions and social security services, with a focus on IT risk management and the alignment of IT with the business strategy to maximize performance, profitability and productivity. In his current role as a consultant, his portfolio incorporates the formulation of IT governance, risk management, business continuity, and information security policies and procedures. Over the last 3 years, he has given active consideration and focal attention to the COBIT framework, and now considers it his “Swiss Army Knife” for enterprise governance of information and technology (EGIT) and has seen greater success in this domain. Sheen can be reached at linkedin.com/in/sunil-sheen-14741134.
Endnotes
1 Routh, R. L.; The Power of Role, Lulu.com, USA, 2007