Shadow IT is an (in)famous phenomenon in today’s business environments. Business departments source, develop and maintain systems on their own to support their processes. Shadow IT supports critical business functions and is therefore accompanied by many risks, yet it can be neither prohibited nor suppressed. Because of these risks, there is an urgent need to manage it. As COBIT 5 is a powerful framework for managing enterprise IT, it is worth looking at the relationship between shadow IT and COBIT.
In this blog post I would like to focus on three different questions:
1. Which COBIT processes are affected when an organization has shadow IT?
2. Which COBIT processes are missing or lack maturity when business departments run their own IT?
3. How can someone start and run a shadow IT initiative?
The first question concerns overall IT maturity. In COBIT 5, several processes deal with the overall integrity and effectiveness of a company’s IT. Risk management, compliance management and enterprise architecture all require an integrated view of IT. The existence of shadow IT hinders this integrated view, so these important functions are disturbed.
Take risk management: processes such as EDM03 (Ensure Risk Optimisation) and APO12 (Manage Risk) call for a defined risk appetite and a risk-aware culture, and all relevant risk should be reported and managed accordingly. Shadow IT by its nature is not managed. In our studies, for example, we have never seen a shadow IT-related risk in any risk map, even though in more than 16% of all cases a shadow IT system was critical for processes with an accepted recovery time of less than one day (see Figure 1).
Regarding IT compliance management, the situation is similar: the current European GDPR requirements can be violated by shadow IT, as it may exceed the purpose of data processing that has been agreed with a customer. Furthermore, shadow IT is often unknown, so a company cannot report all systems holding personal data. Finally, shadow systems often lack technical controls, making it difficult to restrict data access and to prove that data records have actually been deleted.
In terms of the overall enterprise architecture, shadow IT can also be a roadblock to the successful management of a company’s system and technology landscape.
Because shadow IT systems are often not known across the company, the company’s architecture models, inventories and data definitions are incomplete, and processes such as APO01 (Manage the IT Management Framework) and APO03 (Manage Enterprise Architecture) may therefore be incomplete as well. Processes such as EDM04 (Ensure Resource Optimisation) are also bypassed, as architecture principles may not be followed.
The second question covers the individual quality of shadow IT systems. When assessing existing shadow IT instances, it is important to understand how well each one is currently managed. Again, COBIT 5 offers a good starting point for this task: several processes deal with individual IT services and can be used to assess the quality of each instance. As is to be expected, business departments lack professionalism in IT management topics and therefore omit important processes from the BAI and DSS process areas. Most often, tasks like cost management, service planning, testing and security are not considered. For example, DSS05.04 asks for user identity and logical access management, which typically does not exist in shadow IT systems. You can find some project examples in Figure 2 below.
Figure 2: Missing COBIT processes
Our third question deals with the justification and the set-up of a shadow IT initiative. As explained above, shadow IT interferes with the overall quality of IT management and lacks individual quality. Both aspects justify starting a shadow IT initiative, as these quality issues impose risks on the company. Moreover, MEA02 and MEA03 require assurance of internal control and of external compliance, which also includes searching for shadow IT. Likewise, when executing BAI10.05 (verifying the integrity of the configuration repository) and DSS04.04 (exercising and reviewing the continuity plan), an IT auditor can watch out for shadow IT.
A shadow IT initiative should aim for the identification and evaluation of all existing shadow IT instances as well as the definition of measures to mitigate existing risks. Mitigation, for example, can be achieved by transferring the responsibility for a shadow IT service to the IT department or setting up quality standards for the business department. In addition to the identification of existing shadow IT instances, such an initiative also gives insights into the deficits of a company’s current IT governance.
Shadow IT can be a critical topic. Therefore, it is recommended to watch out for some major success factors: just sending out questionnaires to collect a list of shadow IT instances is anything but promising. Identifying shadow IT through direct interviews is typically more successful but can be very time-consuming. Thus, it is recommended to undertake some pilot projects to create stories and experience within the organization. From there, business departments can identify and analyze their shadow IT in a self-assessment approach. This self-assessment should be embedded within an adaptive IT governance framework that assigns responsibilities between the business and IT departments on a flexible basis. The IT audit function should take the role of facilitator and bring the topic to the table to let it be solved by business and IT. After implementation, of course, IT audit needs to assure the quality of the self-assessment approach and the functioning of the adaptive IT governance.
Governance, risk and compliance professionals shared ideas and gathered insights on how their roles are evolving in light of enterprises’ digital transformation efforts, evolving trends in innovation, and growing regulatory and security risks at the recent sold-out 2018 GRC Conference in Nashville, Tennessee, USA.
The conference, organized by The Institute of Internal Auditors (IIA) and ISACA, took place 13-15 August. Key takeaways from the conference include:
It’s time to challenge conventions
Keynote speaker Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, told a packed opening session audience that organizations seldom take the time to question the underlying reasons why existing practices and procedures were put in place, stifling opportunities for innovation.
Williams said enterprises are often “paralyzed by possibility” with an abundance of incremental ideas for improvement, but tend to lack the unconventional, bold strategy options capable of delivering a major impact. Eventually, he said, organizations that lack a forward-looking openness to change will be overtaken by competitors.
Artificial intelligence brings great potential – and risks
While artificial intelligence and machine learning are gaining traction – and generating plenty of buzz along the way – organizations face difficult decisions in knowing where and when to introduce AI. In a session on the ethical considerations related to AI, co-presenters Kirsten Lloyd and Josh Elliot highlighted an extensive list of powerfully compelling uses for AI, such as advancing new medical treatments, preventing cyberattacks, improving energy efficiency and increasing crop yields. They also encouraged organizations to create an ethical review board and the position of chief ethics officer to deal with the related risks.
ISACA board Chair and closing day keynote presenter Rob Clyde implored the audience to focus on safeguards to prevent unintentional harm from AI projects and services.
Audit and governance professionals must actively address cyber risk
The volume and complexity of today’s cyber threats demand that GRC professionals and internal auditors support their colleagues in cybersecurity roles and provide assurance that the organization is prepared to navigate those threats.
In a session on advancing IT audit capabilities in cybersecurity, co-presenters David Dunn and Jon Coughlin noted that the traditional belief that a good internal auditor can audit anything is being challenged by the growing cyber threat landscape, and that standard controls might be insufficient. Internal audit functions must deepen their skills across a range of cybersecurity frameworks.
In the conference’s final keynote, Deloitte Managing Director Theresa Grafenstine called cyber risk a top priority for GRC professionals. When organizations fail to adequately address the risk, said the former Inspector General for the US House of Representatives, it is generally due to a lack of knowledge and resources, rather than not recognizing its importance.
Compliance must become more adaptive
A combination of new regulatory requirements, such as the General Data Protection Regulation (GDPR), and a flurry of emerging technologies being deployed to enable digital transformation call for the recalibration of compliance policies and procedures.
Session presenter Ralph Villanueva encouraged compliance professionals to understand – rather than memorize – the intent of frameworks they are implementing to have a more strategic understanding of how those frameworks best align with enterprise goals. He said compliance professionals also must anticipate how emerging technologies might impact the organization’s compliance protocols going forward.
Security measurement must be improved
While more organizations are recognizing the importance of areas such as risk management and information and cyber security, it can be difficult to quantify the effectiveness of the related investments – a major concern for the C-Suite. Session presenter Brian Contos said organizations need to develop more sophisticated security metrics beyond performing vulnerability scans and patching. Contos addressed several platforms capable of removing guesswork and assumptions from the security equation, while potentially freeing up resources by phasing out outdated tools that no longer serve their intended purpose.
The next GRC Conference will take place 12-14 August 2019 in Fort Lauderdale, Florida.
Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted. You are going to own this.
At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!
You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).
Many GRC professionals live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. So why don’t they? They claim no resources, or budget, or time. We’ve heard it all.
Why aren’t they listening? I argue that we don’t leverage persuasion and build the skills to persuade.
The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.
Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:
- Rapport is critical. If they don’t like you, send in someone else they do. We can’t persuade someone who doesn’t like us.
- Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues may not really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
- Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive.
- Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks utilize “let’s grab a coffee” or similar approach to get things done.
- In person is always better. Smile a lot and use your colleagues’ names when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
- Use how, not why, when requesting support. To most people, “why?” feels like an accusation. Don’t believe me? Think about how you feel when your boss or your spouse ask “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
- Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.
This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.
Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.
I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.
Enterprises are becoming increasingly digital. Consider a bank that refers to itself as an information technology firm that happens to process financial transactions. Or, perhaps a manufacturer that likewise refers to itself as a technology company. The management of data is critical to all enterprises.
A breach can cause enormous harm outside of the core business of the enterprise. Target had a significant data breach that caused the company material damage. Technology firms are obviously at risk. Witness the recent breach at Equifax – the repercussions of that event are still being measured.
The short story is that no matter what business you’re in, data must be cared for!
The Getting Started with Data Governance using COBIT 5 paper looks at these issues from the perspective of using enablers to put goals and internal controls in place that will assist in the good shepherding of data. The paper extends the application of the COBIT 5 framework to the practice of data governance. The practice of data governance is described, and then elements of COBIT 5: Enabling Information are explored. Specific examples are provided against each of the COBIT 5 enablers.
Data maintenance and management are becoming ever more complicated. Data environments (e.g., the cloud) change rapidly, and so do internal enterprise data requirements. COBIT 5 provides definitions, good practices and modeling to assist practitioners in dealing with the critical role of data within the enterprise. Strong management provides the underpinning of good data governance.
Corporate governance and IT governance are credited with putting frameworks and standards in place to assist enterprises in using their resources effectively and efficiently to create and deliver value to their stakeholders. Data governance uses the same concepts, but applies them more narrowly to the protection and use of data. Enterprises must still define their needs for data and what resources will be available to accomplish those goals.
Once the right resources are in place, there needs to be performance measurement mechanisms put in place to ensure that the newly created, or altered, processes are functioning as needed. Reporting on the performance of data governance processes completes the data governance cycle. The governing body can then make additional, or new, directives to accomplish the enterprise’s data governance needs.
CMMI Institute became a subsidiary of ISACA in 2016, and the organizations focused attention on the synergies between the current offerings in their combined suite of products. The first joint project was to map COBIT 5, with its enterprise-wide IT governance focus, to the CMMI’s Development reference model for software development and delivery.
Employing a similar approach, ISACA and CMMI Institute engaged in mapping COBIT 5 to the Data Management Maturity (DMM) Model. The DMM is a reference model of fundamental data management best practices. It focuses on management of data as an enterprise asset, emphasizing the ownership and activities of business line staff over the data they create and manage. Data governance is a very important element of the DMM; 104 of the model’s 414 functional practices address approvals, decisions, and collaborative efforts concerning enterprise data. Since data governance is an important component of overall IT governance for an organization, one can view the DMM as extending the scope of COBIT to focus in detail on the data layer.
The COBIT 5/DMM Practices Pathway Tool, built in Excel for ease in navigation and end-user modification, is available for download on ISACA’s website. It is designed to be applied bi-directionally. Users of COBIT 5 can search for aligned practices in the DMM, and users of the DMM can search for aligned practices found in COBIT 5.
For instance, if starting from the DMM’s Data Quality category, the user can select a statement identifier from the DMM and retrieve COBIT-specific guidance. Conversely, if starting from the COBIT 5 Build, Acquire, and Implement domain, the user can select a specific practice and retrieve DMM-specific guidance.
Editor’s note: For more information on this topic, view an archived version of the “Leveraging COBIT 5 and DMM” webinar, which addresses scope and conceptual affinities between COBIT 5 and the DMM; how we approached creating this mapping tool; and a demonstration of how it can be applied from either the COBIT 5 or the DMM perspective.
The world has seen a surge of attention regarding cyber activity, and it has not been in a positive light.
Many organizations have experienced the threat that accompanies the adverse intentions behind these activities, especially organizations that have not prioritized cyber risk or made it part of their risk management agenda. Being exposed to cyber threats is no longer something that only affects big multinationals with massive data centers. Cyber threats apply to any organization that operates on, and is connected to, the Internet. A cyber breach, which almost always has an adverse impact on an organization, is no longer a matter of if; it is a matter of when.
The question that organizational leadership should be asking is how prepared they are, from a risk management perspective, to deal with the risks that come with the use of information and technology. Is this a prominent, standing agenda item at board and executive committee meetings? If the answer to either of these questions is not affirmative, then the organization is more exposed to the risk of a cyberattack, and to the risk of not being able to recover operations as quickly as required for business to carry on as usual.
To ensure the continuity of business, the board should ensure that the organization’s risk management framework addresses cyber risks. Cyber risks must be identified, quantified in relation to the organization’s environment, and appropriate actions taken to minimize the impact of cyber-related incidents. The leadership of the organization should ensure that business continuity plans and arrangements are in place for incidents that may result from a cyberattack.
It is no longer the responsibility of only the operational staff in the IT department to deal with cyber risks. Cyber threats are too great to not afford them the level of attention they require at board and senior leadership levels.
Cyber security, risk management and business continuity planning must be standing items on the board and executive committee’s agendas. This will ensure that appropriate attention is given to areas where gaps may exist. This way, commitment will be afforded to enable the implementation of the required processes and solutions to address identified gaps and minimize risk exposure, as well as the impact that risk poses to the business.
Editor’s note: See more commentary on this topic from Emily, as well as from several other leading industry experts, at www.isaca.org/tech-governance-impact.
Directors and executives want to believe their companies are adequately protected against cyber threats. ISACA’s recent survey of leadership teams reinforces the notion that most corporate leadership teams recognize cyber risk is a material threat to their businesses. As the research points out, 55% of respondents agree that their organization’s leadership team or board is doing everything it can to safeguard the organization’s digital assets. But, does this perception represent reality?
In a recent study conducted earlier this year by NYSE Governance Services and Diligent, 381 directors of public companies were surveyed regarding their secure communication practices and their level of awareness of how those practices might impact the company’s level of cyber risk. The results were sobering – and indicate a disconnect between what directors and executives believe about cyber security and the cyber risk created by their own communication practices.
To illustrate this point, consider that 92% of respondents use personal email accounts – including unsecured systems like Yahoo! Mail, Gmail, and AOL – at least occasionally to conduct board business. While 74% reported using secure board communication software to receive and transmit sensitive documents, 54% regularly download these documents onto personal devices or drives. Even when companies use secure board communication software, only 8% ask the IT, IS or data security team to sanction directors’ communication methods. Worse still, 62% indicated their company doesn’t require directors to participate in any cyber security training, and in ISACA’s new research, only 15% of respondents expect their organizations will fund an increase in cyber security training for board members in the next year.
Why does this matter? The job of a director requires access to extremely sensitive company data. Yet, directors don’t often receive direct oversight from the IT or data security team. Hackers have clearly figured this out. Consider this report on China’s APT 10 hacking group, which specifically targets corporate directors as an easy entry point to high-value information. Even someone as sophisticated as former Secretary of State Colin Powell, a director of Salesforce, was successfully hacked when a slide deck for an upcoming Salesforce board meeting was stolen from a personal email account. The data from the slide deck was leaked to the Wall Street Journal in advance of the board meeting, negatively impacting both Salesforce’s business strategy and its share price.
Meanwhile, a number of new regulations are cracking down on corporate negligence on cyber security and data privacy, and are holding directors and executives responsible for breaches. In March 2017, new regulations took effect at the New York State Department of Financial Services that require a board member (or senior officer) to personally certify that the company has an adequate cyber security program in place, and that the program is regularly tested and reviewed. While this regulation is at the state level, it applies to any financial services firm that conducts business in New York, and, through its third-party service provider requirements, reaches the vendors serving those firms. Another case in point is the EU’s new General Data Protection Regulation (GDPR) – set to take full effect in May 2018. This regulation includes administrative fines as high as 4% of annual worldwide turnover in the event of a major breach; criminal sanctions for responsible directors or executives, where they exist, come from member-state law rather than from the GDPR text itself. GDPR doesn’t just apply to EU companies; any company that stores, processes, or accesses the personal data of individuals in the EU is subject to it.
Both of these regulations reinforce the idea that directors and top executives hold the ultimate responsibility for overseeing cyber security and risk management for their organizations. Not only must they be aware of the cyber security programs and risk profile of their companies, they must also set the right tone for the rest of the company’s employees – demonstrating by their adherence to secure communication policies and practices that cyber security is important enough to warrant the regular time and attention of the company’s leaders.
This all begs the question … why are corporate leaders so bullish on their level of cyber security? Perhaps one culprit is the approach we generally take to raising cyber security issues in our boardrooms. Most board discussions on cyber risk include a “briefing” by the CSO/IT security team on what the company is doing to secure customer data and internal systems. Rarely do these briefings include a review of director communication methods, raising directors’ awareness of their own cyber risk, and training on how to handle sensitive data.
It’s time for us to help directors understand their real level of cyber risk and provide them with the secure tools, training and support to keep their communication – and our companies’ data – safe. An easy first step is to provide this article to your directors and add some time on the next board meeting agenda to discuss it. Get directors’ concerns out in the open. Only by candidly reviewing what’s happening now – and what should be happening – can any change be implemented.
There is little doubt that better governance of technology leads to better business outcomes. More than 9 in 10 respondents in ISACA’s new Better Tech Governance is Better for Business research affirmed that reality.
But how can organizations ensure that they’re leveraging technology successfully, beginning with effective oversight from the board of directors?
The majority of ISACA’s survey respondents identified ensuring alignment between IT and stakeholder needs and establishing a clearer connection between business goals and IT goals as leading priorities that should drive organizations’ governance of technology.
That starts with a firm commitment to strong governance at the board level. This approach is an absolute necessity for all enterprises that intend to compete – and survive – in today’s technology-driven business landscape.
It can be challenging, however, for organizations to bring in board directors with the level of technology savvy needed to make sure that the right issues are being addressed and the right questions are being asked when it comes to making technology-related investments, and addressing key business imperatives such as cyber security, risk management and digital transformation.
Finding at least one board member with technology expertise can be a real difference-maker for the organization. This will naturally become easier over time, as digital natives grow into leadership positions, but can be a real challenge for now. Organizations should aggressively leverage their networks and tap into industry professional associations to find prospective board directors with much sought-after technology backgrounds.
What organizations must not do is bring aboard a “token geek” – that is, a person who is well-versed in technology but otherwise thoroughly unqualified to serve as a board director. Companies that have tried going this route end up with somebody who is ill-suited to be a board director and needs to be educated around the majority of discussions, detracting from the board’s overall efficiency and leadership capabilities.
A better option, provided an organization is struggling to secure quality board directors who are tech-savvy, is to work with outside experts who can bring that level of expertise to the board room. Organizations seeking technology consultants with instant credibility often turn to large, global firms that regularly provide this type of guidance to boards of directors.
An encouraging trend in enterprise governance of technology has been the evolution of CIOs and CISOs. In recent years, these leaders have elevated beyond technology honchos to become true business leaders, as well as excellent resources for boards of directors. The CIO or CISO should regularly be updating the board of directors about front-burner technology threats and opportunities that require board oversight. With the explosion of cyber security and emerging technology risks in recent years, the relationship between the CIO or CISO and the board of directors is one that organizations have to get right, or the consequences can be dire.
Aside from the board’s composition, organizations striving toward that critical connection between business goals and IT goals can benefit from governance frameworks such as COBIT. ISACA research participants identified risk management, cyber security and business and IT integration as the top three areas that benefit from a governance framework.
Effectively leveraging technology is the common denominator in today’s global economy. Beginning at the board level, organizations must determine their path to strong governance and prepare for the flurry of technology-centered challenges and opportunities that will only accelerate in the years to come.
Working in healthcare technology is about as exciting as IT gets. Between the rapid evolution in healthcare technology and the increase in cyber threats, there has never been a sector with a greater need to balance effective governance with lean but agile delivery of new technologies.
You might have noticed that most of us now carry or wear devices capable of accurately measuring our physical activity, heart rate, blood oxygen levels and more. Most of us wear these for fun or to help promote a healthier lifestyle. However, have you ever stopped to consider the consequences if critical technologies in clinical environments were not functioning or became unavailable when they were needed?
Just how much care has to go into designing, developing and delivering a modern pacemaker? How robust does a pharmacy software system need to be to help ensure that nobody is given the wrong prescription due to the technology?
Managing information technology in clinical environments is somewhat different from other environments because the consequences of errors can be much greater. It may seem overly dramatic to state that people sometimes die when clinical technology does not function as it should or when it should, but that is the reality. It is a statistical fact measured by various regulatory agencies around the world.
Just what are the potential consequences if a hospital has its vital systems taken down by ransomware or any other form of cyber attack?
To find out how different the governance of enterprise information technology (GEIT) in clinical environments can be, ISACA recently commissioned a new paper on clinical GEIT. It aims to provide ISACA members with a concise introduction to this topic.
What can you expect to learn if you read this new ISACA paper? GEIT for Health Care aims to provide an overview of the principles behind the key regulations and standards that the management of a clinical environment often has to consider. After all, clinical environments can be dealing with life-critical equipment, highly sensitive medical information and even financial transactions. That means these environments can find their governance needing to efficiently comply with clinical, financial and privacy regulations, sometimes within a single system.
For example, remember that pharmacy system? It could easily be required to manage the prescription of life-critical drugs, the personal details of the people they are prescribed to and the financial information required to take payments.
All clinical technologies are expected to be fit for their intended purpose. The paper includes a summary of the principles of Good Clinical Practice (GCP) – the rules that help to ensure processes and technologies are appropriate. It also looks at how the use of electronic signatures is regulated, as well as efficiency tips on how some organizations manage their governance model.
How do small clinical environments cope? Well, they mostly buy in commoditized technologies that are designed to meet the required standards. The more a clinical environment develops, designs and utilizes technology innovatively, the greater the amount of due diligence required to ensure those technologies are fit for purpose.
The ISACA paper can also be useful for people working in other highly regulated environments. It provides some valuable insight for all ISACA members into just how complex and sensitive some IT environments can be. The clinical GEIT publication also sets out to demonstrate how a controlled and efficient approach, using policies and procedures, is a fundamental requirement to effective compliance in highly regulated environments.
Many people fear the complexity of environments where large amounts of regulation exist. The reality is that by applying a structured but efficient governance model, regulatory standards can be met with far more efficiency than you might think. After all, the controls we use for safe financial processing and those we use for managing human health are more closely related than you might think.
If you want to find out the basics of how to manage the governance of enterprise information technology in clinical environments, this new ISACA guidance is well worth a read (and I’d say that even if I weren’t the author).
Despite the prominence of larger companies, the growth of small businesses and entrepreneurs also is critical to a society’s development. Entrepreneurship can drive the growth of new businesses, provide solutions for various market niches, foster innovation and generate job creation. The entrepreneurial activities of today can impact the Fortune 500 of tomorrow.
Small businesses or start-ups serve as the beginning point for many who are seeking to navigate the complexities of modern enterprise. One of the things that may be overlooked at the beginning is the implications of IT governance and security for an enterprise's future health. Regardless of the sector, both factors have important roles to play in continued success. Below are some standard considerations for both areas.
General security perspectives needing consideration:
- What industry/market sector is being entered? It helps to understand the product/service to be developed.
- What are the sector’s regulations? It is critical to understand compliance and mandatory obligations.
- What are the risks? Understanding existing constraints and future possibilities provides essential context.
- What is the overall strategy and security strategy? Understand and build the risk appetite at the start.
General IT perspectives needing consideration:
- What existing technologies can we leverage at this time? Cloud; small, in-house data centers; and outsourcing options—all are considerations.
- What type of information is needed from customers? Basic information required to create mailing lists, personally identifiable information (PII) and/or payment information may be required.
- How can IT work with and support the business plan/strategy? Ensure the correct investment is made based on business requirements.
- How does IT grow with the business? Explore digital avenues that can enhance the customer experience and increase the customer base.
There is a certain excitement for an entrepreneur entering into the market–the joys of prospects unknown and the hope of building a satisfied, stable customer base. However, cash flow can be a major challenge, so many things can be overlooked in order to get the business off the ground. This can result in problems down the road, such as regulatory fines, data breaches and compliance issues, just to name a few.
The alignment of the entrepreneurial vision, security and IT can provide a strong foundation to build out the enterprise. GEIT principles can be helpful in the smallest of enterprises since they can be tailored as business expands and provide the necessary checks and balances to mitigate risk. A little time at the start can be helpful in the long run to face the digital disruption roller coaster of the future.