CIO
7 IT governance myths
By: John Edwards
When designed and functioning properly, IT governance plays an integral role in aligning IT and business goals, helping to focus, fortify, and advance an enterprise’s overall business strategy. Yet all too often, IT leaders fall victim to popular misconceptions that not only derail effective IT governance, but directly conflict with key business objectives. The final outcome is an enterprise that’s burdened by unnecessary risks, compliance vulnerabilities, and missed opportunities, among other serious deficiencies.
Getting IT and business governance frameworks to run smoothly and on the same track requires avoiding the many fallacies that have emerged over time to derail otherwise sound strategies. Here are seven particularly destructive myths you should immediately dodge or ditch.
1. Outsourcing a business process outsources its risk
Many IT leaders blithely assume that third-party vendors practice good cyber hygiene. “[They] often fail to perform due diligence to validate that the vendor is ... operating basic IT controls over all aspects of their enterprise,” observes Tom Garrubba, vice president and CISO at Shared Assessments, a global membership organization dedicated to developing the best practices, education, and tools needed to drive third-party risk assurance. “Such blind faith can immediately catch the outsourcer off guard in the event of a cyber incident, including system unavailability.”
Garrubba advises performing periodic, detailed assessments aimed at validating vendors’ IT hygiene controls and how they align with the risk of the data being handled. “Additionally, it’s wise to continuously monitor [vendor’s] cyber performance with various tools to ensure they’re living up to expectations,” he adds.
Garrubba warns that organizations that fail to conduct full third-party risk assessments, regardless of industry, are already behind the curve. “Such assessments are now viewed as standard operating procedure across all industries,” he says.
2. Software can resolve problems rooted within the organization
Workflow software can be used to effectively guide an organization’s operations in order to ensure adherence to and completion of a well-defined process. Yet for many organizations a “well-defined process” is little more than a mythical concept, observes Bryan Shoe, an IT governance instructor at software training firm DevelopIntelligence. Software can only provide support for an organizational process, he notes: “Tools are not the process. They’re not a panacea for solving the organizational issues at hand.”
Before turning to software for governance guidance, organizations must first ensure they’ve clearly defined their vision, mission, goals, and objectives. “From there, governance guides the decisions around creating the operational processes to support the organizational vision, mission, goals, and objectives,” Shoe says. “Then the organization can select and configure software tools to facilitate the processes that will help in achieving organizational objectives.”
3. Governance can be achieved through a single pane of glass
Successful IT governance optimizes risk management, resources, and strategies to meet planned objectives. “The ability to gather and report on critical aspects of IT performance and delivery across multiple domains is the basis for determining the effectiveness of your IT governance program,” says Andrew Morrison, U.S. cyber risk services strategy, defense, and response solutions leader for business and IT advisory firm Deloitte.
Unfortunately, the desire to visualize IT governance reporting in clear and concise business terms in a form that’s readily consumable by decision-makers, has created a market full of vendor claims that a single tool or solution can provide all of the visibility and complex evaluation needed across the entire enterprise.
The reality is that the demand for real-time data, aggregated across disparate technologies, processes, policies, and people, far outpaces the actual supply of such data.
“Additionally, the complexity of today’s IT systems, and the accelerated pace of change within IT, make maintaining the connectivity to rapidly changing inputs a potential fool’s errand,” Morrison claims. “While many excellent tools provide a unified view of portions of IT governance — such as risk, security, compliance, controls, and operational cost — most organizations will be more effective optimizing the use of multiple purpose-built reporting solutions in lieu of trying to achieve a true ‘single pane of glass.’”
4. Metrics ensure compliance
Actually, metrics are virtually meaningless unless they’re presented in context. “Leadership needs metrics to understand security and to prove program maturity, but metrics alone don’t prove compliance,” says Karen Walsh, founder and CEO of Allegro Solutions, a cyber security compliance advisory firm.
Context emerges from just about everything surrounding metrics, including people, processes, and technologies. “At the end of the day, governance is about knowing your business and your IT stack and understanding how one drives the adoption of the other,” Walsh observes. “Your business goals drive your IT purchases which, in turn, ultimately drive the next evolution of goals.”
Instead of worrying about whether teams will hit certain target metrics, the IT leader’s goal should be to compare one quarter to the next, Walsh says. “If you’re seeing consistency from one quarter to the next, and you’re satisfied with what you’re seeing, then you have stability,” she notes.
5. Governance eliminates cost control issues
Although governance controls can raise cost visibility, as well as assist initial workload placement and sizing (which affects cost), governance is not an instant cure for all things cost-related, states Brian Adler, senior director of cloud strategy at software asset management and license optimization provider Flexera.
IT cost optimization is a never-ending endeavor, but it does get easier over time. “As organizations continue to develop provisioning-related governance controls, their initial exposure to cost overruns will be reduced,” Adler explains. He adds that organizations need to realize that cost control and optimization is not a “once and done” task. “It’s an ongoing, iterative process,” he says.
Governance plays a major role in controlling costs, especially during the provisioning process. Yet optimizing costs also involves other key functions that aren’t necessarily part of the mindset developed in traditional on-premises environments.
Adler urges CIOs to resist the tendency to overprovision. “If you’re in the cloud, use the scalability that it provides,” he advises. “Put non-24x7 resources on a schedule.” Adler also recommends taking advantage of provider discount offerings, such as reserved instances and licensing models. “Governance is a great first step to controlling costs, but it’s exactly that — the first step,” he says.
6. Governance can compel compliance
A significant number of CIOs believe that IT governance primarily serves to discipline parties who fail to adhere to government compliance policies, as well as various internal and external requirements.
“While compliance is certainly one function of IT governance, it shouldn’t dominate the front-facing narrative concerning IT governance programs,” says Matt Donahue, a compliance and risk analyst with IT management and optimization software provider Entrust Solutions.
IT governance’s top priority is engendering a strong synergy between financial and technological goals, addressing both stakeholder and client interests. “Misconceptions that paint IT governance as a disciplinary body negate the potential for powerful work and the additive value that governance provides to both providers and vested parties,” Donahue explains. “Fewer companies are likely to invest in IT governance structures if they don’t believe that it can be beneficial.”
7. Governance is an inherently bad thing
The biggest IT governance myth is that governance is, at best, a necessary evil. That’s simply not true. Instead, CIOs need to view governance as a powerful tool that’s necessary to achieve desired goals.
“Use what you need and don’t use what you don’t need,” advises Mike Kelly, CIO for open source software and services provider Red Hat. Choose what to govern and how much governance is necessary. “In this way, governance always serves the greater good,” he states.
Remember, too, that governance should never be imposed from the top down. “To increase buy-in, make governance a collaborative, grassroots effort,” Kelly says. “With buy-in, you get excellence in implementation.”
The last thing to remember is that IT governance must continually evolve. “Subtract from the process, add to the process,” Kelly explains, “but always see it as something that can and should be changed to meet evolving needs and conditions.”
