Make sure IT's risk factor is built into governance

As IT's stake in corporate governance grows, it's time to wise up to the risks involved, writes Julia Vowler

The Slammer worm attack two weeks ago has rammed home the lesson that the bottom line of the top-down management process of governance is risk.

But risk is a broad spectrum, and IT directors should be looking way beyond security issues alone. Indeed, they need to think right up to the ultimate risk a public company can face - investors losing confidence and market valuation suffering.

This is no exaggeration. One major UK company is completely refreshing all aspects of its corporate governance, including IT, specifically to help counter a recent downgrading by ratings agency Standard & Poor's.

Investors need to know they are putting their money into competently run companies where risks are understood and minimised, including those in IT.

This risk could be something bad happening - such as a virus attack bringing down e-mail systems - or something good not happening - such as being late to market because a supporting IT system was implemented late.

There is no doubt that IT's stake in corporate governance overall is growing. Fall-out from the US Sarbanes-Oxley Act, which is designed to boost investor confidence in external audits, could see IT directors having to rethink their entire consultancy portfolio in order to avoid any risk of conflict of interests with audit consultants.

But IT's governance role is growing in another sense, too. This organic growth occurs as businesses become both increasingly dependent on IT and increasingly global, quite possibly without realising the true level of risk such growth brings, which is a dangerous position to be in.

"We are all taking huge risks," warns one IT director, "and the risks are getting bigger as more and more IT becomes interconnected and globally deployed.

"Yet business managers are not responsible for ensuring that IT can support their vision - there are an awful lot of 'string-and-sellotape' projects. The board needs to say 'No business projects without an integrated IT project'," the IT director says.

"The trouble is, business has to move so fast - to reach new markets and so on - that if anyone in IT says 'what about method?' [to ensure a robust system] they are seen as negative."

Worse, both IT and business could simply treat governance as a mandatory trot through the motions. Security consultant Clifford May recalls being asked to draw up a shelf-full of security policies - "because our auditors say we need them" he was told - which stayed firmly on the shelf thereafter.

"Doing IT governance is not a project; it's a change in practice," says IT governance expert Gary Hardy.

It seems businesses need to grasp that IT governance is not a one-off exercise to produce shelfware, but rather that it changes the way IT is evaluated, measured, justified, prioritised and delivered - forever.

Do's and don'ts: one firm's experience from an IT governance programme

  • Keep IT with corporate governance. It needs to be part of the overall best practice of doing business, and recognised as such by business managers 
  • Governance should not be dictated from head office. Divisions and regions have different requirements and operate under different pressures, and must be allowed for 
  • Involve divisions in deciding what governance must cover and constitute - get direct and immediate buy-in from internal auditors via brainstorming 
  • Get an initial governance manual published fast, and allow time for feedback and review to refine the first version 
  • Publish on the corporate intranet for least cost, maximum speed and greatest availability 
  • Allow enough time to gather in all the input required from all the stakeholders 
  • Don't assume that you will need expensive consultancy to hold your hand throughout the exercise, but do use consultancy to start you off and to provide a framework that you can then work against.

How to set up IT governance in security

Security may only be one aspect of total IT governance, but it is the one that gets the most attention - every new worm outbreak or hacker penetration concentrates the corporate mind wonderfully on the subject. Yet, for all that, warns security expert Clifford May, fewer than a quarter of UK companies have adequate IT security, even though it isn't rocket science. What, then, are the precepts for sound IT security? Every security policy needs to cover four key areas:

  • Information assets - you, your people, paper and applications 
  • Confidentiality - industrial espionage is extremely common and easy 
  • Integrity - how do you know if your data has been changed? 
  • Availability - this is the biggest threat, and includes denial of service, staff sabotage and so on. Business continuity plans are often amazingly inadequate 
  • Don't spend money protecting things you don't need to - "the simpler the better", says May. But remember that "there is no point having strong security somewhere and weak security elsewhere" 
  • Security policies are often drafted by lawyers in legalese, so people don't read them. However, you do need a written policy. "One organisation I consulted had no security policy, said it didn't fit in with their culture - that's an expensive luxury!" says May.

    Gary Hardy and Clifford May were speaking at last month's IT Governance for IT Leaders conference
