In the wake of this year's accounting and financial reporting scandals at Enron, Xerox and WorldCom, governance is in danger of becoming one of the most overused words in the business lexicon. Allegations about how much or how little the directors knew of what was really going on will be debated for a long time to come. But governance is all about accountability and responsibility. It is about the increasing necessity for directors and senior management to be accountable for corporate actions carried out in their name.
In the case of financial issues, for instance, board members may seek to hide behind the cloak of financial and accounting ignorance, citing their reliance on finance professionals and auditors. No one would disagree that individual directors cannot be expected to have expertise in all business disciplines that are relevant to the successful management and growth of today's businesses. They may not know the answers to all the questions but they must at least know the relevant questions to ask. If they are unable to make sense of the answers they must seek counsel from those who do.
Information risk management is one area where directors have a blind spot. Information is the lifeblood of most businesses. Any threat to the security, integrity or availability of that information poses a very real threat to the business, and can result in significant losses, both of cash and of reputation. The threats and vulnerabilities themselves are not new, although the potential impact of failures is now significantly greater because of the absolute dependence of most businesses on the 24x7 availability of systems and on reliable, up-to-date information.
There is no shortage of statistics that prove the existence of the problem. Similarly there is no shortage of anecdotal evidence of business losses and embarrassment caused by security failures. Yet, as one recent statistic reveals, most companies spend less on security than they do on coffee. What, then, does it take to make boards take notice? How can they be encouraged to take their information security governance responsibilities seriously? Perhaps it might take a catastrophic failure of information security on the same scale as the Enron financial debacle to work the same trick with security governance?
Is such a failure possible? Could an incident relating to poor or absent security really lead to the demise of a company? Given today's total reliance on information and technology, maybe it could. Main board directors should be reluctant to gamble the company's future on anything less than a robust approach to information security. Although not a business-threatening issue, the recent problems with the launch of the Nectar loyalty card and the difficulties of accessing the member registration Web site indirectly caused embarrassment to the sponsoring companies.
Some directors may argue that the security problem has been outsourced along with the IT provision. Such outsourcing does not reduce the responsibility for governance. The day-to-day management of security may indeed be outsourced but the responsibility for its proper operation remains with the board. This implies the need for a formal assurance function to assist the board with its security governance responsibilities. This may be provided through a properly staffed and skilled internal audit function, perhaps reporting through the audit committee. Similarly the reporting lines of the chief security officer need to be constructed to ensure proper accountability to the business as well as to IT management.
The board's responsibility for security goes well beyond the signature of the chief executive on the company's information security policy. This responsibility needs to be active and informed. The board must seek regular assurances on systems and information security. It may need some education and ongoing help.
The advice recently issued by the IT Governance Institute in its Information Security Governance: Guidance for Boards of Directors and Executive Management is a good place to start. This useful booklet is obtainable as a free download from the institute's Web site, and it provides focused guidance, including the sort of questions to which directors should be seeking answers:
- What are our top three critical information assets and how are they protected?
- What would be the consequences of a significant security incident in terms of lost revenues, customers or investor confidence?
- When was the last security risk assessment and what were the findings?
- How many security incidents did we suffer last year and what was the cost?
- What crisis management plans do we have to deal with a significant issue?
The growing dependence on information systems, together with the risks, benefits and opportunities it brings, has made IT governance and security a critical success factor for all businesses. Boards must now rise to this challenge, ensure that they are properly and regularly informed, and be prepared to take the appropriate actions to safeguard their companies' futures.
Paul Williams is an independent consultant, trainer and writer specialising in governance, project risk and due diligence. He has served as president of the IT Governance Institute and chairman of the IT faculty of the Institute of Chartered Accountants in England and Wales.