The Role of IT Governance During the COVID-2019 Pandemic

Author: Gabriel Cusu, CISM, CGEIT, CCSP, CISSP, PMP
Date Published: 18 December 2020

It is likely that 2020 will remain in history as the year of COVID-19. The virus has changed everything, affecting personal and professional lives across the globe. Organizations have had to change their ways of working, and as a result, many more people are now working remotely to adhere to social distancing protocols. This has put an extra burden on both public telecommunications infrastructures and each enterprise’s private IT environment.

How could enterprises have been better prepared for this? The answer is IT governance.

Governance links business goals with an enterprise’s IT infrastructure and should be based on guidance such as COBIT® 2019. This framework then needs to be tailored to the enterprise’s needs (design factors): enterprise strategy/goals, risk profile, size, threat landscape, compliance requirements, role of IT, sourcing model for IT, IT implementation methods and technology adoption strategy. Design factors are influenced by management objective priorities and target capability levels, component variation and focus areas (specific governance topics).

Although very few enterprises had planned for a scenario such as the pandemic, many do have a business continuity plan (BCP). This is an essential part of enterprise governance, and it is based on solid risk management principles. In COBIT 2019, the BCP is described in management objective Deliver, Service and Support (DSS) DSS04 Managed Continuity as: “Establish and maintain a plan to enable the business and IT organizations to respond to incidents and quickly adapt to disruptions. This will enable continued operations of critical business processes and required information and technology (I&T) services and maintain availability of resources, assets and information at a level acceptable to the enterprise.”1 The purpose is to “adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).”2

Taking the pandemic focus area into consideration, each enterprise should identify which processes are critical for its business, how IT supports those processes and what needs to be done in case something unexpected happens. Different scenarios should be taken into consideration, including measures that should be taken in case the primary site is not operational or connectivity is lost. The IT solution should be resilient and support the enterprise’s needs. Resilience is the ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognized effect. This is part of a healthy governance framework.

Enterprises are looking more and more at the cloud as a safe haven for their data. Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) can be adapted to suit everyone’s needs, either as primary or secondary solutions (enhancing the on-premises deployment). Cloud service providers offer resilience and availability, with the added benefits of lowering the enterprise’s capital expenditures (CAPEX) and its cost for highly skilled IT staff. But governance of enterprise IT still needs to be done within the enterprise’s own governance principles (due care/due diligence) and according to the enterprise’s risk appetite.

What is enterprise governance? One definition states: “Enterprise governance is a set of responsibilities and practices exercised by the board of directors and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”3

Certified in the Governance of Enterprise IT® (CGEIT®) is a useful governance credential for managers and practitioners who can use the learnings to assess and build the right governance systems. CGEIT teaches that governance drives the IT security function, and this supports the business. It creates a mindset for the certification holder that is embedded in the program they are running through policy, procedures, standards and guidelines. CGEIT presents the different principles that form frameworks such as COBIT®, ITIL,4 the Project Management Body of Knowledge (PMBOK),5 the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series,6 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework,7 The Open Group Architecture Framework (TOGAF),8 the Zachman Framework,9 the Sherwood Applied Business Security Architecture (SABSA) framework,10 Lean Six Sigma11 and ISACA’s Capability Maturity Model Integration® (CMMI®). It then lets the enterprise pick the components that can be customized to its environment for the governance program it has, which needs to be constantly improved and innovated. The frameworks provide essential knowledge of global best practices that can help organizations navigate hard times, such as the ones faced today.

However, frameworks cannot be implemented entirely as written. They need to be tailored to fit each enterprise’s needs. A working governance program is custom, with individual pieces that are glued together to serve the business needs.

Building the governance “Rubik’s cube” (figure 1) requires IT/cybersecurity knowledge as well as business acumen. Strategy dictates the direction in which the enterprise is going. Governance is the vehicle that keeps things on track.

Figure 1—Customized Program Governance

With enterprise governance in place, the enterprise can monitor deviations from the business strategy and help senior management make important decisions. Having accurate information in real time is a must in this present climate.

The year 2020 has taught us to be prepared for the unexpected. Not everything can be predicted, but governance can help enterprises adapt to an ever-changing environment. Knowing an organization’s current level of governance can be a leading indicator of how it will cope with a future crisis scenario.

Endnotes

1 ISACA®, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018
2 Ibid.
3 ISACA, CGEIT Review Manual, 7th Edition, USA, 2015
4 Axelos, ITIL-IT Service Management
5 Project Management Institute (PMI), PMBOK Guide and Standards
6 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 27001 Information security management, Switzerland, 2013
7 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework, USA, 2013
8 The Open Group, The Open Group Architecture Framework (TOGAF) Standard, Version 9.2
9 Zachman International, Inc., “The Concise Definition of The Zachman Framework,” by John A. Zachman
10 SABSA, “SABSA Executive Summary”
11 International Association for Six Sigma Certification (IASSC), Third-Party Independent Lean Six Sigma Certification

Gabriel Cusu, CISM, CGEIT, CCSP, CISSP, PMP

Is an experienced security program manager with a focus on governance, risk management, change management, digital transformation, improvement methodologies and service delivery. He started his career as a network engineer and has experience in several industries. He currently manages cybersecurity programs and can be reached at linkedin.com/in/gabriel-cusu.