Infosecurity 2008 - IT governance critical to addressing information risk

Information and its conduits provide the lifeblood of the modern business, writes Alan Calder of IT Governance. They provide the key to competitive advantage, improved productivity, cost reductions and general organisational effectiveness. As a result, information and IT deserve far more board-level attention than they enjoy currently, and most organisations urgently need to adopt IT governance measures to achieve proper oversight.

Crucial to competitiveness

Information technology is a critical enabler for virtually any enterprise. Particularly in a knowledge-based economy, where barriers to entry are low and the speed of innovation is immense, businesses have to invest constantly in their technology and ensure its dependability. Organisations with ill-conceived or outdated systems are in deep strategic trouble or heading out of business.

Requirements of governance

This adds another level of complexity to the responsibilities of directors. The core principles of governance include setting strategic aims, providing strategic leadership, overseeing and monitoring management's performance, and reporting to shareholders on the stewardship of the business. As the Turnbull Report makes clear, it is vital that these principles apply to IT as much as finance. Ignorance is no excuse: the fact that only a minority of current directors have a firm grasp of technology is merely a challenge to be overcome, not an excuse for continued inaction.

Achieving compliance

Compliance is the watchword of the modern corporate age. As well as the revised Combined Code, UK plc boards frequently also have to comply with Sarbanes-Oxley and other US legislation, as well as national laws and regulations on everything from copyright to data protection. Unhelpfully, statutes and regulations overlap, are sometimes contradictory, and almost always lack implementation guidance or adequate precision. To achieve compliance, directors are expected to be proactive in identifying risks and exercising governance, while a failure to do so threatens serious financial and reputational damage.

Managing information risk

Constantly evolving viruses, worms and Trojans render many corporate systems vulnerable. Spam, phishing, organised crime and espionage are further threats at large every day. However, what surprises many is that most information security threats come from within the organisation itself. Whether it is fraud, intellectual property theft or straightforward incompetence, incidents increase in number each year, as does their average direct value.

However, if not aligned with the business, technology-driven defences can create problems in themselves. They can act as barriers to customer-responsive service, and their total cost of ownership often exceeds the total potential cost of the threat that they control. Strategic information risk is seldom prioritised according to strategic business needs, and there is virtually never meaningful, quantitative board-level data about the effectiveness or return on investment of the solutions deployed.

IT governance

The endless stories of security breaches and wasteful technology investments prove how seldom IT governance is employed. If businesses are to protect themselves and their customers, while also keeping the regulators at bay, there truly is no alternative. The sooner more directors become converts to the cause, the easier we will all be able to rest.
