Managing projects for the best possible outcome is a bit art and a bit science. From a high-level view, stakeholder management includes: identifying the people that could impact a project, understanding the expectations of the stakeholders and their impact on a project, and developing strategies for effectively engaging the decision-making project stakeholders.
OK, so that’s good. But, in looking at effectively engaging the decision-makers, what kind of strategies do you use for bringing them into the process and getting their buy-in? Do you and the stakeholders all agree on the project goal? Are you heading in the same direction, with the same destination? Ideally, yes. Otherwise, your job engaging those stakeholders just got a lot harder.
When faced with a challenging stakeholder, you might tend to want to push this individual in the direction you want them to go. That direction should be the direction (and goal) in which most of the stakeholders agree. But, how often do you start pushing, only to realize the stakeholder is resisting and pushing back?
OK, now what? Maybe pulling this person along is a better idea? But, that also will likely result in resistance. Maybe you’re strong enough to overcome the stakeholder’s resistance, but is winning that battle going to win you the war (a successful project conclusion)? Maybe, maybe not. Some might choose to take that chance, but there might just be a better way.
Perhaps you should engage those challenging stakeholders who can influence the outcome and success of the project. At a minimum, you really need to engage all the influential stakeholders in a conversation about the project goal. This can be done either one-on-one or in a group. Ultimately, you need to discover why the challenger has a different goal than other stakeholders.
What’s wrong with the goal in which most stakeholders agree? Engaging in a dialogue about the pros and cons of the varying goals can help you (and the stakeholders) understand the problem space better and help all of you develop a better solution for the project — with a unified project goal being the ideal result.
So, what are you really doing here anyway? You’ve decided not to push the stakeholder down the road. You’ve decided that pulling the stakeholder down the road isn’t any better. So, perhaps you decide to just walk with them side-by-side on this journey and help this stakeholder along as needed. Perhaps you need to nudge or coax them a little bit here or there, but nothing to cause the stakeholder to become defensive.
And while you’re walking together during this project, you’re probably building trust with your stakeholders. I would call that stakeholder “relationship development,” not “management”. The golden rule here is: while you’re managing the process, make sure you don’t manage the stakeholder.
My guess is your stakeholder did not hire you to manage him or her. This individual wants you to solve a problem, and needs your help. Build a trusting relationship with your stakeholders, and you’ll find much greater project success.
About the author: Ken Russman is a senior project manager with TalaTek, who holds PMP and CISSP certifications and has 20 years of experience in managing projects, strategic planning, and policies and procedures development.
We are in 2019, and have all witnessed the effects of disruptive start-up companies, the growth and stability of the cloud market, the emergence of CI/CD practices and the simple need for agility. Inversely, there are organizations where none of what I mentioned is happening.
There are times when companies become good at what they do, and they become comfortable. With that comfort comes something that leaders and employees may choose to ignore. What is that? Well, to put it mildly, that thing would be the need for change. A provocative question to ask yourself would be: If I am doing my job properly and getting good results, do I need to change? Some may argue, “No,” and some may argue, “Yes.” From an IT point of view, the question becomes even more complex. This is especially the case when IT has taken on a supportive operational role within an organization and, by doing so, becomes expert at what it does, but finds that innovation is lost and resistance to change grows larger.
Enter the competitive threats. While your business was doing things right, the disruptor (which can be an existing competitor) was building solutions to solve customer issues, creating new products and services, and defining new ways of doing business to go to market. The result can be dramatic; your business suddenly gets a nudge, you have questions being asked by stakeholders, who all want to know:
- How does this impact us?
- What is next on our plate?
- What are we going to do now?
- Are we agile enough to deliver a solution in a short space of time?
At this point, all eyes turn to one of the major business enablers – none other than the IT department. Suddenly, IT goes from doing things right to not being agile enough to support strategy and innovation.
The need for agility in a rapid, flexible, durable and secure manner can best be delivered by cloud services. Layers of bureaucratic decision-making, hours of provisioning and other complexities can be addressed with IaaS, PaaS and SaaS solutions, which support CI/CD pipelines. From a security point of view, a lot of effort is put into cloud security, with the provider getting its platform certified against world-recognized standards such as ISO 27001, PCI-DSS and HIPAA.
What that means for businesses is that, combined with the shared security model of the cloud, they will be able to securely and effectively safeguard data while meeting regulatory compliance and internal enterprise security requirements. Enterprise architecture and GEIT (governance of enterprise IT) are the solutions that can be introduced or remodeled within your enterprise to create both the systems and the processes to deal with this type of scenario.
Billy Beane was one of the first general managers in the history of Major League Baseball to use data to build out a successful team with a fraction of the budget relative to his peers. Like many IT leaders, he had to do more with less.
Now, imagine that you’re responsible for managing a Periodic Table’s worth of processes central to a successful IT shop.
You’re overworked, underfunded, and the business doesn’t understand why it should dedicate resources to supporting yet another acronym from the DRP, MDM, or COBIT-letter salad. Where do you go from here?
First, you need to think like Billy Beane. Think hard about your most important KPI. Now, reverse-engineer the drivers that factor into it.
Source: Info-Tech Research Group
For Billy, his KPI was on-base percentage. For IT leaders, your KPI should be stakeholder satisfaction because IT exists to support the business’s capabilities and revenue streams.
At Info-Tech Research Group, we’ve collected data from the thousands of stakeholders with whom our IT leaders work. Our goal was to mine this data until we uncovered the top drivers of stakeholder satisfaction. To this end, we ran a multiple linear regression, and there were two key take-home messages from these results – notably, one of them is more important than the other:
Source: Info-Tech Research Group
1) Your ability to prioritize stakeholder projects is, for obvious reasons, very important. Boiling the ocean is not an option.
2) Critically, however, your ability to communicate, understand, and execute on stakeholder needs carries even more weight than other more expensive drivers. The return on your investment in relationships is far greater than the ROI in innovation, infrastructure, and applications because working on relationships is cheap and effective.
Moral of the story? Maintaining good relationships with stakeholders yields greater dividends relative to investing in a new shiny toy. You can immediately improve relationships for free, which will cost you less than investing in the more expensive drivers of stakeholder satisfaction, like infrastructure or applications. The trick, though, is, you need to use your own data. Remember, the results above are averages across thousands of stakeholders.
Now, back to managing that Periodic Table of core processes. Once you’ve figured out which processes tie into your stakeholder’s top priorities, you must hone your focus on the five or six processes (e.g., DRP or Service Desk) that relate to those priorities. Ask your leadership team in IT how important and effective they perceive these processes to be, and suss out the areas you all agree are important to the business but are also areas in which you are not effective.
Source: Info-Tech Research Group
There are two major benefits to this alignment exercise between stakeholders and across your IT leadership team:
1) You will no longer be as overworked, and the business won’t be stuck supporting yet another acronym from the COBIT-letter salad or paying for yet another new toy that the business doesn’t really need.
2) Your IT shop will climb the maturity tower (see below) and make technology a better business partner.
Yogi Berra, ex-catcher for the New York Yankees, once said, "If you don't know where you are going, you might wind up someplace else."
His words resonate today. Use your own data to help prioritize stakeholder projects and benchmark the quality of business relationships to move the needle on the one-metric-to-rule-them-all, stakeholder satisfaction. As Billy Beane figured out all those years ago, it’ll help you accomplish more with less.
I love COBIT. Why? To begin with, COBIT is useful and usable. Secondly, the newly updated framework combines community knowledge and flexibility.
The What Is COBIT and What Is It Not section from COBIT 2019 Framework: Introduction and Methodology is very clear, and demonstrates how useful and usable the updated version of COBIT will be.
COBIT users know that COBIT in its last two versions utilized the components (formerly enablers) to plan, build and maintain a governance system. They were and are principles, policies and procedures, processes, organizational structures, information flows, culture and behaviors, skills, and infrastructure.
We can find these components in all organizations, and work with them to fix some problems or weaknesses in order to improve the current and future maturity of their governance system and, thus, create value for relevant stakeholders. These “magic resources” that create an appropriate solution are the first element to confirm that COBIT is usable and useful.
New design factors are the second element, and the new Design Guide was published this week. They should be considered by the enterprise to build a best-fit governance system. Not all organizations need the same solution with the same kind and quantity of resources. It is all about the best combination of needed resources to achieve expected or required benefits with a good balance or acceptable level of risk.
Not all organizations have the same strategy, goals, risk profile, or I&T-related issues and threats. Compliance requirements, enterprise size, the role of IT, the technology adoption strategy, the sourcing model and the implementation methods for IT are further factors that we must complete when designing the governance system.
Design factors influence in different ways the tailoring of the governance system of an enterprise. COBIT 2019 distinguishes three different types of impact, illustrated below.
The new COBIT 2019 Framework: Governance and Management Objectives publication is free for members and non-members. I believe this is a remarkable step to increase the number of COBIT followers and professional community engagement. How many students and professionals will benefit from these complimentary publications? How many of them will be influenced by COBIT 2019 and decide to initiate an IT career or improve it through a certification?
Will these new followers influence COBIT’s future design? I am sure of it.
Editor’s note: For more information about COBIT 2019 guidance, products and training, visit www.isaca.org/cobit, or view a webinar on the COBIT framework here or the Design Guide and Implementation Guide here.
One of the biggest challenges for modern businesses isn’t being able to collect data, but finding a way to organize it systematically and using the data that piles up. Learning how to interpret random data points and unstructured information often proves to be more than some companies can handle, but it doesn’t have to be.
Finding value in a heap of unstructured data
“Increasing the volume of quality content being fed into big data analytics tools dramatically increases the value of the output – whether it’s improved decision-making or better product design, risk reduction, and enhanced customer experience,” Scott Mackey writes for Adlib Software, a global leader in files analytics and data enrichment solutions. “To realize these benefits, however, organizations must develop the capability to process massive storehouses of unstructured data into a format that big data analytics tools can work with.”
Unstructured data, also known as “dark data,” poses a potential risk on multiple fronts. For starters, it represents a huge missed opportunity in terms of information that could be used to benefit the company’s bottom line.
But the issue goes much deeper than that. In an age when data needs to be encrypted and properly stored, unstructured data is often extremely vulnerable to getting hacked or stolen.
“When data isn’t used, there is a tendency for people to forget its content, purpose or even its existence,” data expert John Spacey explains. “There is a further tendency for such data to go unmanaged and be more vulnerable to security risks, such as unauthorized access that may leak trade secrets and other proprietary knowledge.”
Unstructured data is also resource-intensive and expensive to maintain. It can divert attention from the structured data that the firm needs to stay focused on.
The question is, how do you find value in something that appears so useless? In order to identify the true value in unstructured data, you need a plan of attack. The following tips should help you achieve some positive movement in this endeavor.
1. Get everyone on the same page.
The first step is to ensure everyone is on the same page. Specifically, gatekeepers and decision-makers within the firm must see the importance of tapping into unstructured data so it can be used for practical purposes.
2. Figure out where unstructured data is coming from.
Where is your unstructured data coming from? In other words, what’s the point of ingestion? It might be your website, social media profiles, system log files, healthcare information, financial data, CRM outputs, or a mobile app. If you don’t nail the point of entry, it will be nearly impossible to do anything else with the material.
3. Categorize ASAP.
The best time to apply structure to unstructured data is at the point of ingestion. Once you’ve figured out when and where the information comes from, you may implement systems that will filter and channel the data.
4. Eliminate the waste.
Although a lot of unstructured data can be valuable, there’s likely to be plenty that’s worthless for your organization. Instead of keeping that content around, go ahead and eliminate the waste. This will reduce your overhead and prevent energy from being expended on activities that don’t matter.
5. Combine unstructured and structured data.
Perhaps the best way to use unstructured data is to place it alongside appropriate structured data. When the two play nicely together, they can generate some surprisingly powerful and deep insights that neither would provide in isolation.
“While structured data is often easier to process and analyze, it can only reveal overall trends – not the reason behind those changes,” explains Eric Pendleton, a project training manager at a text analytics firm. “Unstructured data can reveal a deep understanding of the why behind the data; it’s just more difficult to track and may be dismissed by skeptical executives who reason that ‘it’s just what a few people say.’”
By combining the “what” (structured data) with the “how” and “why” (unstructured data), you will gain a much more complete and cohesive picture of reality … particularly as it pertains to customer-facing endeavors.
Use data; don’t let it use you
Collecting data for the sake of amassing information is pointless. If you aren’t careful, you’ll end up responsible for massive repositories of information, with nothing to show for it.
But if you develop a strategy for handling unstructured data, you may flip the script and make the most of the information-centric environment your business finds itself having to inhabit.
Practitioners charged with effective governance of information and technology have a tremendous new resource to draw upon with a significant refresh to the COBIT framework. Today, the first two books of COBIT 2019 have been released, with additional publications to follow later this year.
I could go on for hours about the elements of COBIT 2019 that I believe will be well-received by our passionate global community of COBIT users (and considering I am one of those passionate COBIT users, if I catch you in person at an ISACA event, I might just do so). For the purposes of this blog post, I will put forward a list of five aspects of COBIT 2019 that I consider especially appealing.
1. Sharper clarity. Past iterations of COBIT, most recently COBIT 5, helped practitioners across the world solve countless business challenges and help their enterprises better manage and govern enterprise IT. There was a lot to like, but that doesn’t mean they were perfect. In COBIT 2019, we have identified areas for improvement to ensure that COBIT users are able to extract even more value from the framework while making the content more accessible and straightforward.
For example, I often was asked to describe the COBIT 5 enablers, and it was difficult for me to succinctly explain, so I started calling them ingredients. We now have transitioned to referring to them as components of a governance system, a much clearer characterization. Throughout the COBIT 2019 publications, the terminology is less academic and more applicable, allowing users to streamline the adoption timeline.
2. New focus areas. I’m enthused about the new focus areas that are set up to organize certain hot governance topics, such as small/medium sized businesses, cybersecurity, digital transformation, cloud computing, privacy and DevOps.
While the COBIT framework has thrived for 20-plus years because it addresses core business principles that are every bit as true now as they were in the 1990s, it nonetheless was important to provide updated guidance pertinent to key drivers of the current technology landscape, and COBIT 2019 takes a big step forward in that regard.
3. New design factors. COBIT 2019 highlights new factors that can influence the design of an enterprise’s governance system and position organizations for success in the use of information and technology. These include:
- Enterprise strategy
- Enterprise goals
- Risk profile
- Enterprise size
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model for IT
- IT implementation methods
- Technology adoption strategy
These design factors take into account enterprise strategy and allow users to better customize COBIT to a specific organizational structure.
4. Updated goals cascade. The new goals cascade supports the prioritization of governance and management objectives based on enterprise goals. Starting with stakeholder drivers and needs, this model seeks to avoid the frequent misunderstanding that these goals indicate purely internal objectives of the IT department within an enterprise. The alignment goals have also been consolidated, reduced, updated and clarified where necessary. These goals are organized using the Balanced Scorecard view and include example metrics to measure the achievement of each goal.
5. Integration between the CMMI maturity model and our current capability model. Performance management is an essential part of a governance and management system. It expresses how well the system and all components of an enterprise work, and how they can be improved up to the required level. As such, it includes concepts and methods such as capability and maturity levels. COBIT 2019 performance management leverages both the current capability model and the CMMI maturity model using the following principles:
- Simple to understand and use
- Consistent with and supports the COBIT conceptual model
- Provides reliable, repeatable and relevant results
- Supports different types of assessments
Editor’s note: For more information on COBIT 2019, its publications and guidance, and new training opportunities, visit www.isaca.org/cobit.
Big data and machine learning have rocketed to the top of the corporate agenda. Executives look with admiration at how Google, Amazon and others have eclipsed competitors with powerful new business models derived from an ability to exploit data. They also see that big data is attracting serious investment from technology leaders such as IBM and Hewlett-Packard. Meanwhile, the tide of private-equity and venture-capital investments in big data continues to swell.
AI/machine learning also continued to rise toward the top of technologies considered to have the highest potential to deliver transformative value to organizations. While placing second in these rankings according to ISACA’s 2018 Digital Transformation Barometer, AI/machine learning went from 18 points behind big data in 2017 to just 3 points behind big data in 2018. As the perceived value of AI continues to increase, the proportion of organizations planning to deploy AI continues to increase as well, with a 35 percent increase over the 2017 report.
What audit, risk, assurance and security practitioners and executives should know about big data and machine learning projects
Perhaps you have heard about a new algorithm that can drive a car? Invent a recipe? Detect fraud? Scan a picture and find your face in a crowd? It appears every week that companies are discovering new uses for algorithms that adapt as they encounter new data. Machine learning has tremendous potential to transform companies, but in practice it is usually far more mundane than robot drivers and chefs. Think of it simply as a branch of statistics, designed for a world of big data. Executives who want to get the most out of their companies’ data should understand:
- What it is
- What it can do
- What to watch out for when using it
The enormous scale of data available to firms can pose several challenges. Of course, big data may require advanced software and hardware to handle and store it. Machine learning is about how the analysis of the data must also adapt to the size of the dataset. This is because big data is not just long but wide as well.
Big data projects versus traditional IT projects
“90% of the effort in successful machine learning is not about the algorithm or the model or the learning. It’s about the logistics.”
—From Machine Learning Logistics by Dunning and Friedman (O’Reilly, 2017)
Logistics are not the only issue that matters for success. Connecting AI and machine learning projects to real business value is of huge importance. The social and cultural structures of your organization make a big difference, as well.
The following table shows the distinction between big data and traditional IT projects, tapping into COBIT 5 components (Five Principles, Seven Enablers, Trigger Events, Pain Points and the seven phases of Program Management used in the life cycle model).
| | BIG DATA PROJECT | TRADITIONAL IT PROJECT |
|---|---|---|
| TYPICAL PAIN POINT/TRIGGER EVENT | Develop a new shared understanding of customers’ needs and behaviors; predict future growth markets | Install an ERP system; automate a claims-handling process; optimize supply chain performance |
| ENABLER 4 – CULTURE, ETHICS AND BEHAVIOR | Change how employees think about the use of data; challenge the assumptions and biases employees bring to decision-making; use new insights to serve customers better, build new businesses and predict outcomes | |
| THE SEVEN PHASES OF PROGRAM MANAGEMENT USED IN THE LIFE CYCLE MODEL | Discovery-driven project management: identify relevant data; refine hypotheses in response to findings; repeat the process | Traditional project management: define desired outcomes; redesign work processes; specify technology needs; develop detailed plans to deploy IT; manage organizational change and train users |
| ENABLER 7 – PEOPLE, SKILLS AND COMPETENCIES | IT professionals with engineering, computer science and math backgrounds (in some cases); people who know the business; cognitive and behavioral scientists | IT professionals with engineering, computer science and math backgrounds; people who know the business |
| CHALLENGES TO SUCCESS: DID WE GET THERE AND HOW DO WE KEEP THE MOMENTUM GOING? | Employees base decisions on data and evidence; employees use data to generate new insights in new contexts | Project comes in on time, to plan and within budget; project achieves the desired process change |
In conclusion, big data and machine learning projects involve new technology and new development approaches, and are inherently risky. If you are doing significant data exploration or discovery with big data, you will occasionally fail—which is not really a problem if you learn from the failures. Big data and machine learning projects are still more like R&D than production applications.
Shadow IT is an (in)famous phenomenon in today’s business environments. Business departments source, develop and maintain systems on their own to support their processes. Although shadow IT supports critical business functions and is therefore accompanied by many risks, it can be neither prohibited nor suppressed. Because of these risks, there is an urgent need to manage shadow IT. As COBIT 5 is a powerful framework for managing enterprise IT, it is interesting to look into the relationship between shadow IT and COBIT.
In this blog post I would like to focus on three different questions:
1. Which COBIT processes are meant for an organization affected by the existence of shadow IT?
2. Which COBIT processes are missing or lack maturity when business departments run their own IT?
3. How can someone start and run a shadow IT initiative?
The first question concerns the overall IT maturity. In COBIT 5, there are several processes that deal with the overall integrity and effectiveness of a company’s IT. Risk and compliance management and enterprise architecture are topics that require an integrated view on IT. The existence of shadow IT hinders this integrated view, so these important functions are disturbed.
In the case of risk management, for example, processes like EDM03 and APO12 ask for the definition of risk appetite and the definition of a risk-aware culture. Furthermore, all relevant risk should be reported and managed accordingly. Shadow IT by nature is not managed. In our studies, for example, we have never seen a shadow IT-related risk in any risk map, where in more than 16% of all cases, a shadow IT system was critical for processes with an accepted recovery time of less than one day (see Figure 1).
Regarding IT compliance management, we can observe a similar situation: the current European GDPR requirements can be violated by shadow IT, as it may exceed the purpose of data processing that has been agreed with a customer. Furthermore, shadow IT is often unknown, so that a company cannot report all systems with personal data. Finally, shadow systems often lack technical features, making it difficult to control data access and prove deletion of data records.
In terms of the overall enterprise architecture, shadow IT can also be a roadblock to the successful management of a company’s system and technology landscape.
Because shadow IT systems often are not known across the company, its architecture models, inventories and data definitions are incomplete, and thus processes like APO01 and APO03 may be incomplete. Also, processes like EDM04 are ignored as architecture principles may not be followed.
The second question covers the individual quality of shadow IT systems. When assessing existing shadow IT instances, it is important to understand the quality of their current management. Again, COBIT 5 offers a good starting point for this task: several processes deal with the individual IT services and can be used to assess the quality of each instance. As is to be expected, business departments lack professionalism in IT management topics; therefore, they omit important processes from the BAI and DSS process areas. Mostly, tasks like cost management, service planning, testing and security are not considered. For example, DSS05.04 asks for user identity management, which typically does not exist in shadow IT systems. You can find some project examples in Figure 2 below.
Figure 2: Missing COBIT processes
Our third question deals with the justification and the set-up of a shadow IT initiative. As explained above, shadow IT interferes with the overall quality of IT management and lacks individual quality. Both aspects justify starting a shadow IT initiative, as these quality issues impose risks on the company. Moreover, MEA02 and MEA03 require assurance of internal and external compliance, which also includes searching for shadow IT. Also, in executing processes BAI10.05 and DSS04.04, an IT auditor can watch out for shadow IT.
A shadow IT initiative should aim for the identification and evaluation of all existing shadow IT instances as well as the definition of measures to mitigate existing risks. Mitigation, for example, can be achieved by transferring the responsibility for a shadow IT service to the IT department or setting up quality standards for the business department. In addition to the identification of existing shadow IT instances, such an initiative also gives insights into the deficits of a company’s current IT governance.
Shadow IT can be a critical topic. Therefore, it is recommended to watch out for some major success factors: just sending out questionnaires to collect a list of shadow IT instances is anything but promising. Identifying shadow IT through direct interviews is typically more successful but can be very time-consuming. Thus, it is recommended to undertake some pilot projects to create stories and experience within an organization. From there, business departments can identify and analyze their shadow IT in a self-assessment approach. This self-assessment should be embedded within an adaptive IT governance framework that assigns responsibilities between the business and IT departments on a flexible basis. The IT audit function should take the role of facilitator and bring the topic to the table to let it be solved by business and IT. After implementation, of course, IT audit needs to assure the quality of the self-assessment approach and the functioning of the adaptive IT governance.
At the recent sold-out 2018 GRC Conference in Nashville, Tennessee, USA, governance, risk and compliance professionals shared ideas and gathered insights on how their roles are evolving in light of enterprises’ digital transformation efforts, evolving trends in innovation, and growing regulatory and security risks.
The conference, organized by The Institute of Internal Auditors (IIA) and ISACA, took place 13-15 August. Key takeaways from the conference include:
It’s time to challenge conventions
Keynote speaker Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, told a packed opening session audience that organizations seldom take the time to question the underlying reasons why existing practices and procedures were put in place, stifling opportunities for innovation.
Williams said enterprises are often “paralyzed by possibility” with an abundance of incremental ideas for improvement, but tend to lack the unconventional, bold strategy options capable of delivering a major impact. Eventually, he said, organizations that lack a forward-looking openness to change will be overtaken by competitors.
Artificial intelligence brings great potential – and risks
While artificial intelligence and machine learning are gaining traction – and generating plenty of buzz along the way – organizations face difficult decisions in knowing where and when to introduce AI. In a session on the ethical considerations related to AI, co-presenters Kirsten Lloyd and Josh Elliot highlighted an extensive list of powerfully compelling uses for AI, such as advancing new medical treatments, preventing cyberattacks, improving energy efficiency and increasing crop yields. They also encouraged organizations to create an ethical review board and the position of chief ethics officer to deal with the related risks.
ISACA board Chair and closing day keynote presenter Rob Clyde implored the audience to focus on safeguards to prevent unintentional harm from AI projects and services.
Audit and governance professionals must actively address cyber risk
The volume and complexity of today’s cyber threats demand that GRC professionals, along with internal auditors, support their colleagues who are in cybersecurity roles and work to provide assurance to ensure organizations are prepared to navigate cyber threats.
In a session on advancing IT audit capabilities in cybersecurity, co-presenters David Dunn and Jon Coughlin noted that the traditional belief that a good internal auditor can audit anything is being challenged by the growing cyber threat landscape, and that standard controls might be insufficient. Internal audit functions must deepen their skills across a range of cybersecurity frameworks.
In the conference’s final keynote, Deloitte Managing Director Theresa Grafenstine called cyber risk a top priority for GRC professionals. When organizations fail to adequately address the risk, said the former Inspector General for the US House of Representatives, it is generally due to a lack of knowledge and resources, rather than not recognizing its importance.
Compliance must become more adaptive
A combination of new regulatory requirements, such as the General Data Protection Regulation (GDPR), and a flurry of emerging technologies being deployed to enable digital transformation call for the recalibration of compliance policies and procedures.
Session presenter Ralph Villanueva encouraged compliance professionals to understand – rather than memorize – the intent of frameworks they are implementing to have a more strategic understanding of how those frameworks best align with enterprise goals. He said compliance professionals also must anticipate how emerging technologies might impact the organization’s compliance protocols going forward.
Security measurement must be improved
While more organizations are recognizing the importance of areas such as risk management and information and cyber security, it can be difficult to quantify the effectiveness of the related investments – a major concern for the C-Suite. Session presenter Brian Contos said organizations need to develop more sophisticated security metrics beyond performing vulnerability scans and patching. Contos addressed several platforms capable of removing guesswork and assumptions from the security equation, while potentially freeing up resources by phasing out outdated tools that no longer serve their intended purpose.
The next GRC Conference will take place 12-14 August 2019 in Fort Lauderdale, Florida.
Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted. You are going to own this.
At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!
You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).
GRC professionals, a lot of them, live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. Why don’t they? They claim no resources, or budget, or time. We’ve heard it all.
Why aren’t they listening? I argue that we don’t leverage persuasion and build the skills to persuade.
The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.
Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:
- Rapport is critical. If they don’t like you, send in someone else they do. We can’t persuade someone who doesn’t like us.
- Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues may not really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
- Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive.
- Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks utilize “let’s grab a coffee” or a similar approach to get things done.
- In person is always better. Smile a lot and use your colleagues’ names when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
- Use how, not why, when requesting support. To most people, “why?” feels like an accusation. Don’t believe me? Think about how you feel when your boss or your spouse asks “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
- Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.
This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.
Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.
I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.