As IT's stake in corporate governance grows, it's time to wise
up to the risks involved, writes Julia Vowler
The Slammer virus attack two weeks ago has rammed home the lesson
that the bottom line of the top-down management process of
governance is risk.
But risk is a broad spectrum, and IT directors should be looking
way beyond security issues alone. Indeed, they need to think right
up to the ultimate risk a public company can face - investors
losing confidence and market valuation suffering.
This is no exaggeration. One major UK company is completely
refreshing all aspects of its corporate governance, including IT,
specifically to help counter a recent downgrading by ratings agency
Standard & Poor's.
Investors need to know they are putting their money into
competently run companies where risks are understood and minimised,
including those in IT.
This risk could be something bad happening - such as a virus attack
bringing down e-mail systems - or something good not happening -
such as being late to market because a supporting IT system was
implemented late.
There is no doubt that IT's stake in corporate governance overall
is growing. Fall-out from the US Sarbanes-Oxley Act, which is
designed to boost investor confidence in external audits, could see
IT directors having to rethink their entire consultancy portfolio
in order to avoid any risk of conflict of interests with audit
consultants.
But its governance role is increasing in another sense, too. This
organic growth occurs as businesses become both increasingly
dependent on IT and increasingly global, perhaps dangerously so,
without realising the true level of risk such growth brings.
"We are all taking huge risks," warns one IT director, "and the
risks are getting bigger as more and more IT becomes interconnected
and globally deployed.
"Yet business managers are not responsible for ensuring that IT can
support their vision - there are an awful lot of
'string-and-sellotape' projects. The board needs to say 'No
business projects without an integrated IT project'," the IT
director says.
"The trouble is, business has to move so fast - to reach new
markets and so on - that if anyone in IT says 'what about method?'
[to ensure a robust system] they are seen as negative."
Worse, both IT and business could simply treat governance as a
mandatory trot through the motions. Security consultant Clifford
May recalls being asked to draw up a shelf-full of security
policies - "because our auditors say we need them" he was told -
which stayed firmly on the shelf thereafter.
"Doing IT governance is not a project; it's a change in practice,"
says IT governance expert Gary Hardy.
It seems businesses need to grasp that IT governance is not a
one-off exercise to produce shelfware, but rather that it changes
the way IT is evaluated, measured, justified, prioritised and
delivered - forever.
Do's and don'ts: one firm's experience from an IT governance programme
- Keep IT with corporate governance. It needs to be part of the
overall best practice of doing business, and recognised as such by
business managers
- Governance should not be dictated from head office. Divisions
and regions have different requirements and operate under different
pressures, and must be allowed for
- Involve divisions in deciding what governance must cover and
constitute - get direct and immediate buy-in from internal auditors
via brainstorming
- Get an initial governance manual published fast, and allow time
for feedback and review to refine the first version
- Publish on the corporate intranet for least cost, maximum speed
and greatest availability
- Allow enough time to gather in all the input required from all
the stakeholders
- Don't assume that you will need expensive consultancy to hold
your hand throughout the exercise, but do use consultancy to start
you off and to provide a framework that you can then work
against.
How to set up IT governance in security
Security may only be one aspect of total IT governance, but it's
the one that gets the most attention - every new viral attack or
hacker penetration concentrates the corporate mind wonderfully on
the subject. Yet, for all that, warns security expert Clifford
May, fewer than a quarter of UK companies have adequate IT
security, even though it isn't rocket science. What, then, are the
precepts for sound IT security? Every security policy needs to
cover four key areas:
- Information assets - you, your people, paper and applications
- Confidentiality - industrial espionage is extremely common and easy
- Integrity - how do you know if your data has been changed?
- Availability - this is the biggest threat, and includes denial of service, staff sabotage and so on. Business continuity plans are often amazingly inadequate
- Don't spend money protecting things you don't need to - "the simpler the better", says May. But remember that "there is no point having strong security somewhere and weak security elsewhere"
- Security policies are often drafted by lawyers in legalese, so people don't read them. However, you do need a written policy. "One organisation I consulted had no security policy, said it didn't fit in with their culture - that's an expensive luxury!" says May.
Gary Hardy and Clifford May were speaking at last month's IT Governance for IT Leaders conference