As Sue Hildreth wrote in Computerworld last year, "The reasons for implementing IT governance are as varied as the category is broad". Some organizations adopt new IT governance procedures because they need to comply with regulations like Sarbanes-Oxley in the US or, here in Australia, the Spam Act and Privacy Act. Others are trying to wring every extra bit of efficiency they can out of their enterprises and need to ensure that IT supports the most critical needs of the business. For yet others, IT governance means identifying what is best practice for their company and kick-starting it into action.
For Howard Nicholson, vice president of the Information Systems Audit and Control Association (ISACA), IT governance is also about these things, but he insists they all mean next to nothing unless your efforts are focused on delivering real value to the business.
"IT governance is not about technology per se, it's about the achievement of organizational success," Nicholson says. "You often hear executive management complaining about expensive, disconnected, multi-platform systems, but what needs to be asked is: how did they get there in the first place? It all comes down to IT investment decisions, and the processes and responsibilities governing those decisions."
If anyone should know, it is Nicholson. As vice president of ISACA, Nicholson is responsible for advising the more than 40,000 IT governance professionals from around the globe who make up the association's membership ranks.
"For many years boards of directors and executive managers have viewed IT as something that the IT department was responsible for, as an adjunct to the organization, but it never has been," says Nicholson, who in addition to his role at ISACA also works as a business analyst for the City of Salisbury, part of Adelaide in South Australia. "Things that happened in the recent past, like the Enron and WorldCom scandals, demonstrated what can happen if executive management take their eye off the ball in terms of financial integrity and poor corporate governance," he says.
"The same thing can and almost certainly will happen because of poor IT governance."
Based in Chicago, ISACA was founded in 1969 as a peer-to-peer knowledge exchange for issues surrounding IT governance, security and assurance, and now operates some 170 chapters worldwide. ISACA's initial constituents were drawn from the IT audit and compliance fields, but in recent years their ranks have swelled with the addition of a range of other IT professionals, including IT security specialists, IT governance experts and, as Nicholson puts it, "anybody who has an interest in ensuring that their IT is operating efficiently and effectively, and is aiding in the achievement of organizational objectives".
Today, in addition to publishing the Information Systems Control Journal, ISACA also administers several key international information systems auditing and control standards, most notably the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) accreditations.
ISACA's non-profit research and development offshoot, the IT Governance Institute (ITGI), develops and releases the majority of the association's publications. The best known among these is Control Objectives for Information Technologies, or COBIT, a global standard for IT management processes.
Of even greater interest to governance-minded IT executives, however, is ITGI's latest ongoing project, ValIT, a governance framework that builds on the existing COBIT methodology to help organizations realize better value from their IT-enabled investments. "ValIT is designed to be cumulative in nature; there's no designated endpoint to it," says Nicholson, who served as chair of ISACA's Membership Board for almost four years before being elected vice president in 2004. The next update of ValIT is scheduled to be released in February 2006 and will feature an in-depth study of the governance practices of international investment giant ING Group, as well as other research from the past several months.
However, one thing the latest version will not include, Nicholson says, is any backing down on ITGI's assertion that the key to effective IT governance is aligning IT investment with overall business priorities.
ValIT & Security
Nowhere are ValIT's principles more applicable than in the security realm, where the ability to make informed decisions - and assign accountability for those decisions - can be critical to the organization's survival. Nicholson, for one, is sceptical of companies that rely too heavily on outsiders to provide them with security assessments. "Organizations need to accept the responsibility and accountability for assessing their own security needs," he says.
"If you're the one responsible for managing IT within your organization, you're the one who understands the value of your information and how critical the data you hold is to your business needs, not to mention how vulnerable you are if any of that information is compromised. If organisations are overspending on security, it's often because they don't fully understand their business imperative or real value of the data they hold. In effect, they're spending $1000 to protect something that's only worth $100."
ISACA, in partnership with the American Society for Industrial Security (ASIS) and the Information Systems Security Association (ISSA), recently commissioned Booz Allen Hamilton to conduct a study into the convergence of physical and IT security issues. One of the things that the research revealed, Nicholson says, is that many enterprises tend to "over-concentrate" on certain aspects of security to the detriment of the organisation as a whole.
"There really needs to be a holistic view of security," Nicholson says. "It was quite common to find companies who had invested quite heavily in their network security but which had let their physical security lapse. Access from outside into the organisation's IT network was well controlled, but if you walked in wearing a suit and tie, or wearing a pair of overalls and carrying a toolkit, you could walk into a lot of organisations, find an unoccupied workstation that was still logged on to the network and compromise the network.
"You have to assess what your needs are, and you have to get alignment between those needs and what's already in place," Nicholson advises. "The premise that good IT governance will aid in achieving good security is hard to find fault with, but it still doesn't guarantee it. You have to sit down and really think about what you're doing. There's no quick fix."
Failure into Success
Nicholson feels compelled to preach the governance gospel in part because of all the negative associations heaped on the word thanks to corporate scandals like Enron and HIH. He not only acknowledges that corporate governance is on everyone's mind because of the high-profile collapse of several large organizations in Australia and overseas, but also claims the situation is no better with regard to IT governance.
"We're reading about corporate governance in the media because of financial failures like Enron, and we're hearing about IT governance because of the ongoing failure of a large percentage of IT projects," Nicholson says.
"IT projects do fail," Nicholson says. "And because projects will always fail, the idea is to pick out the ones that are going to fail early on and say: 'Hey, this doesn't have alignment with the overall business objectives, or with the current infrastructure or with the organizational architecture, so we'll cancel it now at the time of minimal expenditure'.
"The key messages that we're trying to get across through ValIT - like increasing the transparency of costs, risks and benefits - are all about increasing the potential to pick winners. IT governance is about being able to pick the right system, to pick the right infrastructure and increase the likelihood of success."