Communicating the Value of IT Governance

Author: Sunil Sheen, CRISC, CGEIT, AWS Solutions Architect, PMP
Date Published: 22 April 2020

A network patch management tool to be procured is often seen mainly as an expense by the finance department, and therefore queried subjectively or even rejected. This can arguably be interpreted as a counterintuitive posture toward a strategic procurement under the Risk Treatment Plan, one that should itself be mitigated, and it can be considered one of the most significant risks facing the organization. The loss to the organization can be substantial if this negative posture gains currency and prevails.

In this context, the lack of proper IT governance may yield two differing quotes, respectively:

“We need to purchase a tool that scans our network for threats, quickly identifies vulnerabilities, and proposes mitigation steps.”

Or:

“We want to allow your IT department to do what it thinks is needed, based on the guidance of your Board of Directors (BoD), on where we as a company are moving toward, and on how the IT department can enable this journey.”

Which statement do you think gets the C-suite executive to sit down and listen?

Well, the research seems to suggest that, on most occasions, the latter one gets their attention. This brings us to the symptoms of poor IT governance, which are easily discernible. They manifest as follows:

  1. Executive management distancing themselves or not taking responsibility for IT issues or investments
  2. IT as a topic is absent from the BoD agenda
  3. IT professionals complaining about why approvals for critical IT asset purchases are not given
  4. High IT staff turnover and significant gaps in IT training budgets or competency requirements
  5. Most notably, IT personnel not being sure about the business objectives or what the business wants to achieve – to put it succinctly, a “void understanding of business strategy.”

Therefore, an integral element of the value of good IT governance is the absence of these symptoms.

The overarching principle that most simply encapsulates the value of IT governance is alignment: the ability to align IT objectives with strategic business goals. Once this is achieved, it is easier for the C-suite to understand and appreciate the process accordingly. The value of IT governance is not well understood because it is often complicated by varying and imprecise definitions, difficulties encountered in implementation, and miscommunication during the process.

I will define IT governance as the overarching directive, borne out of leadership, that steers the critical alignment between IT assets and business strategy. The formula below summarizes this:

Leadership * (Framework + Directive + Value Optimization) = IT Governance

The important question is, how did we evolve to this formula? COBIT 2019 demarcates 40 processes: 35 processes for management and five processes for governance. The five governance processes, labeled Evaluate, Direct and Monitor (EDM) and numbered EDM01 to EDM05, are shown in the diagram below.

Figure 1 - IT Governance Formula derived from COBIT 2019

CGEIT ideally covers all five of these governance topics as of the CGEIT Review Manual, 7th edition. However, what is noteworthy is that the CGEIT community is composed mostly of IT professionals. Therefore, although the content is invaluable, we need a mechanism to get it into the board room, where we have executive managers, board members, lawyers, accountants and C-suite executives. Accordingly, I have added leadership as an area of focus for us, as IT professionals, to use our leadership skills to create condensed versions of IT governance and management topics and to present them as a short learning exercise to the BoD and C-suite executives.

The reason I highlighted leadership is that leadership has a profound effect on IT governance. In this context, regardless of your role and title in a company, getting your executives to see the value of IT governance requires you to speak their language. Richard L. Routh, in The Power of Role, provided an excellent breakdown of C-suite roles and their focus and expectations. He asserts that if you understand the role, you will have considerably more influence and more significant political clout in the corporate world. This also applies to explaining or proposing IT governance.

Governments, like businesses, are seldom devoid of bureaucratic and governance mechanisms, all of which emerged from various periods of misallocation or were enforced by external pressure to ensure transparency and accountability. However, ICT is hardly considered in the same light as requiring rigorous mechanisms for governance and management. This is true for one reason only: we have not yet experienced a local or worldwide catastrophe that forces a reversal of the trend and compels the accounting arm of businesses, governments and international standards bodies to unilaterally enforce IT governance. However, this is not to say that some entities have not begun to accept international guidelines and rules, and have not seen tremendous benefits from IT governance. We all know that the shift to the International Financial Reporting Standards and Sarbanes-Oxley was triggered by scandals at Enron and other corporations. Why wait for major incidents to trigger the adoption of good practices? IT governance is a necessity. Our job as IT professionals is to explain this to the right people, at the right time, and in the right way.