In Retrospect: 33 Years of COBIT

Author: ISACA
Date Published: 20 March 2019

It was late 1995 when Erik Guldentops, my then boss at SWIFT, relentlessly insisted that his auditor team “think about the concept ‘control objective’ and how they would define it in simple words.” Guldentops never feared giving those around him a good challenge. Little did I know that this first contact with COBIT, because that was what it ultimately would become, would be followed by many more.

From the beginning, structure, oversight and broad coverage were the key strengths of COBIT. These same strengths are what we have used to continue to build the later versions. COBIT collaborators have broadened the target audience beyond the IT audit community by providing guidance for boards and senior management, risk managers, financial managers dealing with IT, business managers, regulators, and more. As a part of the COBIT team, we have extended the guidance beyond the “controls” with management practices, performance management instruments, and more specific and detailed guidance. That being said, COBIT is still very much based on the original premises and ideas. Perhaps we could consider COBIT analogous to a well-known brand of German premium sports cars—the models change gradually over the years and gradually most components are changed or renewed, but you can always recognize the basic design and the brand. That is COBIT too.

My next experience with COBIT was when I worked for Eddy Schuermans—apparently I made it a habit of working for COBIT pioneers—who assigned me the task of teaching COBIT in Eastern Europe. Schuermans said, “You know COBIT, [so now] you go and teach it to the National Bank somewhere in Eastern Europe.” It is well known that teaching a subject is the best way to master it, so I carefully prepared a 3-day workshop just to find out that once I arrived onsite, every sentence I spoke needed to be translated by an interpreter who knew nearly nothing about COBIT, IT or anything related. Now, you may wonder why this is relevant. It is relevant because we have seen from the start of COBIT, and we still see today, a high level of interest and adoption of COBIT in the emerging and evolving economies. By learning to implement COBIT, these same emerging and evolving economies are sometimes more advanced in governing enterprise IT than many places in established and developed economies. This shows another great advantage of using COBIT.

There are plenty of articles describing the evolution of COBIT and all the details that have changed between versions, so I will only list the essentials that have impacted the evolution of COBIT. These essentials include the following evolutions:

  • COBIT has moved from an auditor’s tool to a governance and management framework for the general public.
  • COBIT has moved from providing high-level guidance on controls to delivering much more detailed guidance on many IT-related areas.
  • COBIT has moved from a focus on control for safeguarding of assets to a broader and more appealing focus on ensuring information and technology generate value for the enterprise.
  • COBIT has moved from providing guidance on how to control a “glass house with a mainframe inside” to the current IT paradigms—cloud, Agile, DevOps, cyber, etc.

All these evolutions were introduced gradually over the consecutive versions, never creating an earthquake. This allowed COBIT to maintain the structured nature of the framework and its underlying principles.

The success of COBIT is largely attributable to all the people—staff and volunteers—who have led the development over many years, and to all the individuals who contributed as reviewers or in the development workshops we organized for the bulk development efforts. Those meetings brought together dozens of experts who assembled valuable, quality, good-practice content.

It is impossible to name all COBIT contributors—most of them are listed in the books—but a few words of appreciation for 2 of the key drivers for COBIT who passed away last year and whom we miss dearly must be shared. We must honor John Lainhart, who was one of the original members of the first COBIT team and who continued pushing COBIT forward through his efforts toward COBIT 2019 last year. We must also honor Robert E Stroud, who also put an incredible amount of energy into COBIT and supported all of our group’s work in all the roles he later assumed at ISACA. Thank you, John and Rob.

Returning to the German premium sports car analogy, one thing about COBIT does not really compare with these cars—the price. COBIT is affordable, thanks to the generous investments ISACA has made for the benefit of the user community. It is one of the milestone products of ISACA, so let us keep it like that for many more years and let us keep growing COBIT and its user community.

To learn more about COBIT 2019 and ISACA’s 50th Anniversary, visit the COBIT 2019 page of the ISACA website and the ISACA 50 website.

Dirk Steuperaert, CISA, CRISC, CGEIT, is an IT and risk governance consultant at IT In Balance, Belgium, and a coach and well-appreciated trainer in IT risk management, IT governance and all COBIT 2019-related matters. Steuperaert’s current mission is to use his experience as project leader and one of the key authors of all main COBIT 2019 publications to teach all those who can benefit from COBIT 2019 and to help them apply it in practice in a very pragmatic way.