Information and its conduits provide the lifeblood of the modern
business, writes Alan Calder of IT Governance. They provide the key to competitive advantage,
improved productivity, cost reductions and general organisational
effectiveness. As a result, information and IT deserve far more
board-level attention than they enjoy currently, and most
organisations urgently need to adopt IT governance measures to
achieve proper oversight.
Crucial to competitiveness
Information technology is a critical enabler for virtually any
enterprise. Particularly in a knowledge-based economy, where
barriers to entry are low and the speed of innovation is immense,
businesses have to invest constantly in their technology and ensure
its dependability. Organisations with ill-conceived or outdated
systems are in deep strategic trouble or heading out of
business.
Requirements of governance
This adds another level of complexity to the responsibilities of
directors. The core principles of governance include setting
strategic aims, providing strategic leadership, overseeing and
monitoring management's performance, and reporting to shareholders
on the stewardship of the business. As the
Turnbull Report makes
clear, it is vital that these principles apply to IT as much as
finance. Ignorance is no excuse: the fact that only a minority of
current directors have a firm grasp of technology is merely a
challenge to be overcome, not an excuse for continued inaction.
Achieving compliance
Compliance is the watchword of the modern corporate age. As well
as the revised Combined Code, UK plc boards frequently also have to comply with
Sarbanes-Oxley and other US legislation, as well as national
laws and regulations on everything from copyright to data
protection. Unhelpfully, statutes and regulations overlap, are
sometimes contradictory, and almost always lack implementation
guidance or adequate precision. To achieve compliance, directors
are expected to be proactive in identifying risks and exercising
governance, while a failure to do so threatens serious financial
and reputational damage.
Managing information risk
Constantly evolving viruses, worms and Trojans render many
corporate systems vulnerable. Spam, phishing, organised crime and
espionage are further threats at large every day. However, what
surprises many is that most information security threats come from
within the organisation itself. Whether it is fraud, intellectual
property theft or straightforward incompetence, incidents increase
in number each year, as does their average direct value.
However, if not aligned with the business, technology-driven
defences can create problems in themselves. They can act as
barriers to customer-responsive service, and their total cost of
ownership often exceeds the total potential cost of the threat that
they control. Strategic information risk is seldom prioritised
according to strategic business needs, and there is virtually never
meaningful, quantitative board-level data about the effectiveness
or return on investment of the solutions deployed.
IT governance
The endless stories of security breaches and wasteful technology
investments prove how seldom IT governance is employed. If
businesses are to protect themselves and their customers, while
also keeping the regulators at bay, there truly is no alternative.
The sooner that more directors become converts to the cause, the
easier we will all be able to rest.
Infosec Europe 2008: Computer Weekly Infosec Europe showguide and preview