ISACA Journal
Volume 2, 2014


Communicating IT Governance—Does It Matter? 

Giuliano Pozza 

There is a gap, very wide and very noticeable, between IT professionals and business executives when it comes to communication and listening styles. The gap is particularly dramatic when it comes to IT governance, an area in which IT and non-IT executives need to communicate at least with a basic understanding of each other’s positions.

The following list of 10 real-life questions coming from business executives illustrates this gap:1

  • “IT is too complex and it is not our core business. Why don’t we outsource everything?”
  • “IT security? I believe it is all hype. Don’t you think companies selling antivirus software are distributing viruses as well?”
  • “Can you show me an interesting return on investment for this big infrastructure investment?”
  • “Now that we have the cloud, why should we invest in our private infrastructure?”
  • “Do you really believe social networks are of any relevance for our business?”
  • “Why is enterprise IT not as simple as consumer IT? Why can’t IT professionals be smarter and let everybody bring their own devices and work inside the company as simply as at home?”
  • “Why are you bothering me with diagnostic equipment? Don’t you have enough with information and communication technology (ICT)?”
  • “Your goal is to implement the new system… our processes are already okay. Why are you worried about processes and organization?”
  • “Since you are the chief information officer (CIO), should you not be able to take care of everything, from system implementation to organization and processes reengineering, yourself?”
  • “Why can I not give my username and password to my colleagues if I am doing so to enable the organization to deliver the best possible service to its customers?”

What is remarkable is the fact that many of these questions often come from top executives. While it is not possible to generalize, as there are different cultures and backgrounds among executives, it is significant. “IT-related problems are not rooted in technology, but in leadership failings. The people in the C-suite don’t understand IT problems, don’t provide adequate resources to solve them, and don’t approach the issues as members of unified technology-literate teams.”2

Thus, it is obvious that there is a serious problem. One of the challenges in the coming years will be the ability for people coming from different cultures to communicate effectively to ensure that they are using technology with a wise approach, not being used by technology. This is true at the personal and enterprise level. At the personal level, individuals can and must move from an immature and dangerous approach to ever-present technology, as Sherry Turkle explained in Alone Together,3 to a more calibrated and human approach.

The same is true at the enterprise level. What is worse is that the survival of a company, even a nontech one, often depends on how wise the company is in making the best use of current technologies.

What Does Really Matter?

Since the provocative “IT Doesn’t Matter,”4 the discussion about what really does matter in IT has become impassioned.5, 6 “Effective IT governance is the single most important predictor of the values an organization generates from IT.”7

There are plenty of books and courses about IT governance. Many of the topics touched on by the previous questions are well known and addressed in a clear way. There are sourcing models evaluating the pros and cons of different scenarios, security frameworks, models about benefits and value IT can bring to a company (and showing how to measure the value, beyond the ROI, of infrastructure and architecture investments); there are reports about cloud strategies and adoption models. The risk of bring your own device (BYOD) is well known, and there are books explaining why enterprise IT is different from consumer IT. Nonetheless, the consumers of these precious resources are mostly IT people or, in a few enlightened companies, middle management. Even if “IT governance…is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives,”8 top executives are often uninitiated, even to the basic principles of IT governance, and IT professionals are not prepared to communicate properly about IT governance. In “IT Doesn’t Matter (to CEOs),” the author suggests three actions to be taken and the first one is to increase executives’ literacy on IT. “The senior leadership needs to become literate in technology. IT isn’t somebody else’s job, it’s ultimately theirs. Boards should require that CEO candidates demonstrate not just knowledge of finance and marketing, but also a technology aptitude.”9

However, the “literacy” and “technology aptitude” mentioned by Plant are broad concepts and should be focused, since business executives do not necessarily need to become technology experts. A key component of the required aptitude toward technology is, of course, a basic understanding of IT governance principles as IT and non-IT executives are supposed to communicate effectively, mainly on those principles. In fact, top executives, specifically chief executive officers (CEOs), are often the primary actors of top decisions for ICT that cannot be delegated to CIOs and, for many of these top decisions, sound judgment can be hard if the CEO is at the level of understanding revealed by the 10 questions listed previously. Even assuming IT is working properly and IT governance principles and mechanics are in place, it is like having two cultural groups, with different views of the same complex reality, speaking in different languages and trying to work together. This is a situation quite common in health care, where physician-to-patient communication is often an issue.10 Interestingly, some have introduced the concept of “narrative medicine” to overcome the problem.11

So if it is commonly accepted that IT does matter and that IT governance does matter as well, the IT governance communication gap cannot be overlooked. Many bad decisions could be avoided if only the gap were not so wide.

How Can the Gap Be Closed (Or Reduced)?

Is it possible to close or reduce the communication gap about IT governance issues between top executives and IT management?

There are a couple of concepts to consider. The first is taken from social science. Sociology experts have been studying for quite some time settings in which communities with different cultural backgrounds needed to interact, defining an interesting concept called “boundary objects.” A boundary object is “a concept in sociology to describe information used in different ways by different communities. They are plastic, interpreted differently across communities, but with enough immutable content to maintain integrity.”12 Boundary objects can be quite complex and sometimes IT itself is considered a boundary object.13 In the case of IT governance communication, common cultural background among IT professionals and executives may be the basis to build boundary objects. The idea is not new since there are many kinds of soft skills courses that use models and techniques from sports, theater (with real actors sometimes used to train managers), cooking, even books. Metaphors from other contexts can help groups with diverse cultural and professional backgrounds (and different social identities) to interact and communicate effectively across boundaries.

The second concept is related to reality and representation of reality: “The belief that one’s own view of reality is the only reality is the most dangerous of all delusions.”14 The effort to communicate should start from an awareness of the difference between reality and the personal view of reality everyone shapes based on his/her culture and experiences.

Starting from these considerations, it is possible to envision a new way of communicating IT governance working simultaneously on the business executive/management and on the IT executive/management side of the problem, but in different ways.

Closing the Gap: The Business Executive/Management Side

The concept of boundary objects leads to a search for ways to experiment using nonconventional (at least in the IT governance context) communication mediums, leveraging the common cultural interests and background among IT and non-IT professionals. Some of the possible choices are easier to address; others are far too complex to be used in an experimental phase. To engage an actor for a comedy show about IT governance may be a great idea, but quite expensive and difficult to manage. Other techniques, for example, the sharing of short novels, are easier to use. One example of this technique is the short book Our Iceberg Is Melting.15

Figure 1

The different options can be plotted on a diagram (figure 1), considering two critical variables: the easy/difficult to develop and test axis and the time-consuming/low time-consuming for executives axis. Of course, the best options to play with would be those in the “easy to develop and test” and “low time-consuming for executives” quadrant, considering that the first objective is to experiment with a new communication channel and that, typically, executives are very time-sensitive.

According to the diagram, the leading option seems to be a short novel, e.g., a 100-page book (or e-book) with a cannot-put-down plot that touches on one or more of the most important governance, security, architecture and sourcing topics. In general, the content of the book should be written as a novel without explicit educational content, but with clear links to governance issues; however, at the end of each chapter, it may be interesting to add one educational page, written in a very easy style, expanding on some of the topics and explaining the terms used in the novel as a kind of cross-cultural dictionary.

The goal should be to keep it short, something to be read in one night, three to four hours of reading maximum. The novel could be extended by a companion web site that expands on some of the topics addressed.

The closest example of this approach is The Adventures of an IT Leader,16 but the book is too long to be read in one night and it probably offers too much of an educational style for many top executives.

Once the short novel is written, a testing and distribution channel must be found. In other words, an organization or a university willing to test the book on a select number of executives and, if the test goes well, to distribute it (as a book or as an e-book) to a greater panel. The final objectives should be to evaluate the outcomes from the point of view of increased literacy regarding IT governance among the executives involved before and after reading the book and discussing the contents. Will the executives gain a better understanding of the basic principles of IT governance and IT risk after reading the novel?

To write the novel and to test the outcomes, a minimum team is needed with a solid technical background and a good inclination for writing. The team should probably include:

  1. One/two CIOs to share real-life experiences and to work on a credible plot
  2. Possibly two experts: one IT governance expert and one security expert
  3. Possibly one CEO-level executive
  4. One organization/university willing to support the developing and testing phase involving a selected panel of top executives

To maximize the outcomes, the novel should overcome one of the major limitations of the classical “business fable.”17 The novel should be focused on “showing” and not “telling” what to do or what not to do.

The novel could represent a sort of first-generation boundary object, allowing IT and non-IT executives to build a basic-level, common language and to engage in a dialog about basic IT governance principles, as a starting point of a journey aiming to increase literacy among top executives on IT governance themes.18

The approach could be extended to develop second-generation boundary objects as deliverable IT tools or organizational structure; according to some, organizational structures such as project management offices could be considered “boundary objects-in-use” as well.19

Closing the Gap: IT Executive/Management Side

What can be done on the IT side? Here the focus should be less on IT governance, since basically all IT executives have extensive IT governance training; communication training is the answer. The starting point is the first axiom of the school of Palo Alto: “One cannot not communicate.”20 The same concept is expressed by other authors: “The best CIOs are aware they are always communicating, with the tone of their voice, their word selection, their body language, their energy level, and, oh yes, what they actually say. Because they know they are always sending a message, they make sure they are communicating effectively in all ways—up, down and sideways.”21

Since communication is of paramount importance, the career path of IT professionals should include specific communication training. This should be mandatory in the basic certifications of CIOs and their first-line business information managers and business analysts. Another way to help IT professionals could be a book about how to communicate about IT and IT governance with real-life examples of best practices for IT executives/managers.


Both business and IT must work to close the gap of communication on IT governance issues. On the business executive/management side, the approach suggested consists of trying to increase the executives’ literacy on IT governance principles using nonconventional communication channels (at least for IT governance) based on different mediums or boundary objects—e.g., a short novel with an engaging plot that touches on major IT governance topics. The expected outcome is an increase in the level of literacy about IT governance among top executives included in the experimental phase.

On the IT executive/management side, the proposal is to work on the CIO’s (and his/her top staff’s) communication skills with specific training pathways. Besides the additional communication training, a book about IT communication for IT managers, focused on real-life experiences of constructive IT governance communication, would be a good starting point to help IT professionals improve their communication competences and share best practices.


1 These questions come from the author’s real-life experiences.
2 Plant, R.; “IT Doesn’t Matter (to CEOs),” 15 August 2013.
3 Turkle, S.; Alone Together: Why We Expect More From Technology and Less From Each Other, 2012
4 Carr, N. G.; “IT Doesn’t Matter,” Harvard Business Review, May 2003
5 Porter, M.; “Strategy and the Internet,” Harvard Business Review, 2001
6 McFarlan, F. W.; R. L. Nolan; “Why IT Does Matter,” Harvard Business School Working Knowledge, 25 August 2003
7 Weill, P.; J. W. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, 2004
8 Parkinson, M. J.; N. J. Baker; “IT and Enterprise Governance,” Information Systems Control Journal, ISACA, USA, vol. 3, 2005
9 Op cit, Plant
10 Lucchini, A.; Il Linguaggio della Salute, Sperling & Kupfer, 2008
11 Charon, R.; “Narrative Medicine: A Model for Empathy, Reflection, Profession, and Trust,” JAMA: The Journal of the American Medical Association, 2001
12 Star, S.; J. Griesemer; “Translations and Boundary Objects: Amateurs and Professionals in Berkeley’s Museum of Vertebrate Zoology,” Social Studies of Science, Institutional Ecology, 1989
13 Gal, U.; Y. Yoo; R. J. Boland; The Dynamics of Boundary Objects, Social Infrastructures and Social Identities, 2005
14 Watzlawick, P.; How Real Is Real?, 1976
15 Kotter, J.; H. Rathgeber; Our Iceberg Is Melting, Macmillan, 2006
16 Austin, R. D.; R. L. Nolan; S. O’Donnell; Adventures of an IT Leader, Harvard Business Press, 2009
17 Evers, K.; “Business Fables: The End,” Harvard Business Review, August 2013
18 Interestingly, there are similarities between the proposed approach and the narrative medicine approach mentioned previously. “Narrative IT governance” could be a useful concept to be developed as well.
19 Taylor, H.; J. P. Woelfer; E. Artman; “Information Technology Governance in Practice: A Project Management Office’s Use of Early Risk Assessment as a Relational Mechanism,” International Journal of Information Technology Project Management, 2012
20 Op cit, Watzlawick
21 Waller, G.; G. Hallenbeck; K. Rubenstrunk; The CIO Edge: 7 Leadership Skills You Need to Drive Results, Harvard Business School Press, 2010

Giuliano Pozza is the chief information officer (CIO) of Fondazione Don Carlo Gnocchi Onlus, a large social care and rehabilitation entity in Italy. Previously, Pozza worked as the CIO for Istituto Clinico Humanitas, a hospital in Italy. At the beginning of his career, Pozza worked in the health care practice of Accenture. He can be reached at


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.