This Q and A is based on ISACA member Ross Wescott’s interview with CIOTalkRadio.com. Ross Wescott, CISA, CIA, is chief IT auditor at Portland General Electric (USA).
Q: IT departments are being asked to do more and more in shorter amounts of time. Can someone who is running at 100 miles per hour realistically be expected to adhere closely to the standards and benchmarks?
A: The question seems to imply that standards and benchmarks restrict and hamper IT’s ability to accomplish their projects and deliver value. Actually, it is just the opposite: standards and benchmarks free IT to perform and run 100 miles per hour without crashing and burning. In practice, standards and benchmarks give IT a solid framework on which to build their operations. These frameworks, such as ISACA’s COBIT, provide stability so that IT can operate well at any speed.
Standards and benchmarks help IT to maneuver around obstacles, see things that might hurt them soon enough to make a correction, and finish the race in one piece. With standards, IT actually becomes more agile and more capable. The faster IT is asked to go, the greater the need for standards and governance.
Q: Business expects IT to deliver “yesterday,” so some IT shops end up doing the bare minimum needed for compliance requirements. Is that the best we can do?
A: Just enough is never the best we can do! While compliance with rules and regulations is important, doing things right and doing the right things is equally important. If IT is putting in the bare minimum, the organization will only get the bare minimum value, and that is certainly not the best it can do. Today’s organizations expect more and IT needs to deliver more.
Q: Some organizations do not welcome IT audits or IT governance based on the reasoning that they slow everything down and stifle innovation. Why is that?
A: It has not been my experience that people do not want audits because they will stifle innovation or slow things down. IT audits usually do not last long enough to do either of those things to the point of disruption. Governance guides and directs, but does not stop, innovation.
People do not want to be audited because they do not want anyone looking over their shoulder. They have this nagging fear that an audit will find that they did something wrong. People do not like to feel like they failed. That is the biggest reason why people do not want to be audited: fear of failure. People generally do not run toward what they fear; it is counterintuitive in life-defining moments and in business.
Q: An organization’s IT is only as good as those who run it, and who, for better or for worse, bring along their own tastes, preferences and experience to do so. How can we convince them that there’s something better out there?
A: Convincing anyone to do something different than what they know or what they think they know, when it is not a compliance issue, comes down how much they trust and the relationship they have with the messenger. No relationship or no trust equals no convincing and probably no change, if IT has a choice.
As an auditor, I must approach my job in such a way that my audit clients, whether internal or external, understand that I have their back; that I have their best interests at heart; that I am worthy of having my advice followed. If IT does not believe that I am worthy of trust, nothing that I can do or say will reverse that in the short term, if at all.
For more of Ross’s interview, visit CIOTalkRadio.com. Check back here in upcoming weeks for parts two through four of his interview series.