Thirty Years. Three decades of helping organizations stop treating technology like a magic box and start governing it like the strategic asset it actually is. COBIT turns 30 this year, and if you’ve spent any meaningful time in this profession, the framework has almost certainly shaped how you think whether you realize it or not.
I’ve been working with COBIT since the days when “governance” meant a binder on a shelf and “alignment” meant IT got invited to the budget meeting once a year. So, in honor of the anniversary, here are 30 things COBIT has taught us about governing technology: lessons that have aged remarkably well as the world around us has changed beyond recognition.
- Governance and management are not the same thing. One sets direction. The other executes against it. Confusing the two is how organizations end up with boards approving sprint backlogs and CIOs setting risk appetite.
- Technology doesn’t deliver value. Decisions about technology deliver value. The platform isn’t the win. What you choose to do with it is.
- Every framework needs a tailoring step. COBIT out of the box is a buffet, not a meal. The discipline is in choosing what to put on the plate.
- If you can’t measure it, you can’t govern it. And if your metrics only measure activity instead of outcomes, you’re governing the wrong thing.
- Risk and value are two sides of the same coin. You don’t manage one without the other. Pretending otherwise is how organizations end up with bulletproof security and irrelevant products.
- Interested parties have needs. Those needs cascade. From enterprise goals to alignment goals to governance and management objectives, the cascade isn’t bureaucracy – it’s the connective tissue that keeps strategy from dying in translation.
- RACI charts are not a substitute for accountability. They’re a tool for clarifying it. If your RACI has eight people marked “A” on a single decision, you don’t have accountability, you have a committee.
- Process capability is a journey, not a destination. Level 5 isn’t the goal for every process. The goal is the right level for the value at stake.
- Culture eats process for breakfast. I’ve watched million-dollar process redesigns get steamrolled by a single executive who refuses to follow them. COBIT’s behavior and culture components exist because the soft stuff is the hard stuff.
- Information is an asset. Treat it like one. That means lifecycle, ownership, classification and accountability – not just storage.
- People are a governance component, not a resource. Resources are consumed. People are developed.
- Services, infrastructure, and applications are interdependent. Govern them in silos and you’ll get siloed outcomes.
- Principles, policies, and frameworks are different things. Principles are timeless. Policies are situational. Frameworks are structural. Mixing them up is how you end up with a 400-page policy that nobody reads.
- The board isn’t the audience for your control catalog. They’re the audience for outcomes, exposures, and trade-offs. Save the control IDs for the auditors.
- Audit is not governance. Audit verifies governance is working. The two are confused constantly, and it’s been to the detriment of both professions.
- Compliance is a floor, not a ceiling. If your governance program’s ambition is “pass the audit,” you’re already losing.
- Strategic alignment isn’t a slide deck. It’s a continuous practice of making sure technology decisions and enterprise decisions are pointed at the same goals. The day you stop doing it is the day they start drifting apart.
- The business doesn’t want IT alignment. It wants outcomes. Stop trying to get a seat at the table and start serving the meal.
- Frameworks don’t fail. Implementations fail. When someone tells you, “We tried COBIT and it didn’t work,” what they usually mean is “We copied a template and skipped the thinking.”
- Governance scales down. It’s not just for Fortune 500 companies. A 50-person organization needs governance too — it just looks different.
- Design factors matter. The same problem in two different organizations almost never has the same answer. Industry, threat landscape, risk appetite, and enterprise strategy all change the math.
- You can’t outsource accountability. You can outsource execution. You can outsource operations. You cannot outsource the consequences of a bad decision.
- The Three Lines aren’t a turf war. They’re a system of checks designed to keep the enterprise honest with itself.
- Continuous improvement requires continuous feedback. Annual reviews are not continuous. They’re annual.
- Technology change outpaces governance, every time. The job isn’t to keep up. It’s to build governance that’s adaptable enough to absorb change without breaking.
- Digital trust isn’t a feature. It’s a consequence. It’s what happens when governance, security, privacy, quality, and ethics are all working together. You don’t bolt it on; you build toward it.
- AI didn’t invent new governance problems. It just made the old ones impossible to ignore. Accountability, transparency, bias oversight — these were on the agenda long before generative AI showed up, but in today’s environment continuing to ignore them is no longer an option.
- Governance without ethics is just compliance theater. Doing what’s allowed and doing what’s right are not always the same thing. The framework points the way, but the judgment is human.
- A framework is a map, not the territory. COBIT will not tell you what to do. It will tell you what to think about. The difference matters.
- The best governance is invisible. When it’s working, nobody notices. When it’s broken, everyone does. That’s the standard.
Thirty years in, COBIT has become a key way of thinking about how technology creates and protects value at enterprise scale. The specific objectives will keep evolving. The underlying discipline — clarity of purpose, accountability, measurement and continuous improvement — won’t.
Happy birthday, COBIT. The next 30 years are going to be even more interesting!