We’re talking a lot about the need for IT to align with business. But it’s not about a one way road. There is no doubt that IT has to think much more “business”. Risk focus (here and here), performance management, the understanding of IT as Information Technology instead of Information Technology, the path towards an ERP for IT,… I think that many CIOs and CISOs are well aware of this and many of them are working towards that goal.
However, if I look at the business side, it appears to me that IT still is somewhat ignored when it is about alignment. Two examples out of many from my practice:
- When talking about GRC initiatives at the IT level, customers frequently complain about risk management initiatives with focus on organizational risks where they are not even able to start a discussion about integration. However, any IT risk is just a risk because its associated with organizational and (sometimes) strategic risk. Thus, you can’t ignore the IT risk perspective from an “Enterprise” GRC perspective (which, by the way, is sort of an arrogant term, ignoring exactly the fact I’m discussing here – “Business GRC” would be much more appropriate). You can’t run a business without IT. It’s part of the operations. And IT risks might have severe impact on your overall business performance – look at fraud in financial institutions, data theft, and so on.
- When talking with the Business GRC vendors – look at the upper layer here – some of them (not all!!!) show an attitude of “we’re doing the relevant business GRC instead of the irrelevant IT things” and claim that they don’t need to provide integration or to support the IT part of the business.
However, given that IT is an important part of every business (the German Bafin – the government agency responsible of auditing and controlling the financial institutions – explicitly claims that IT is a core part of banking business and has to be understood that way), that means ignoring risks. And, even more, it means ignoring that there are elements in risk management which are provided by IT. You need automated controls besides the manual controls. And all the Business GRC tools are IT tools, by the way.
The problem from my perspective is that as well some vendors as many responsibles in the organizations don’t want to play with the IT guys. However, they could not only do a much better job by better executing their controls but they as well could do their job correctly, by really adressing the whole breadth of (operational and strategic) risks.
That’s just one example where business has to learn to better align with IT – and it’s not the only one. Look at the description of business services. For sure there has to be a translation into IT services at some point of time. But before you can do that, you have to have something which can be translated. And frequently, the problem isn’t the translation but what has to be translated. If the original text isn’t sufficient, the translation result never will be. Everyone dealing with software development probably has made this experience: Many issues in software development are caused by an insufficient descriptions of the requirements.
I think that it is time that not only IT understands that it exists only because it provides value to the business but that businesses rely on IT and thus have to align with IT. And that Business/IT alignment is definitely not only something where IT has to learn a lot. Businesses have to do as well – to understand the operational impact of IT (and IT risks), to describe their service requirements, to accept that the operational risk associated with an IT risk has to be balanced with the opportunities of a business service. Just think about all the insecure applications we have in organizations just because a department required them and IT security concerns have been ignored. That has not only been because IT wasn’t able to translate the IT risk into an operational risk – it has been as well because business didn’t understand IT.
Thus, both have to learn. And sometimes it appears to me that business has to learn even more than IT. Not only the people within organizations, but as well the consultants at the different levels. So if your consultant for risk management hasn’t yet covered the operational impact of IT risks and how to deal with that, you should ask him why – and if he doesn’t provide a valide answer, you should re-think the engagement…
This is almost uncanny: May I point you to a book titled "I.T. Wars: Managing the Business-Technology Weave in the New Millennium" – I don't want to run the risk of this being flagged as commercial spam: Much of the book is available for FREE reading on Google Books, and you can glean a lot of great ideas from that. I would urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars" – it's in our library too (Fairfax, VA). Our project managers are reading it. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book – then ask your boss to read it – then ask your staff and co-workers to read it. It has made a tremendous difference where I work
Martin,
Excellent series of posts on GRC. I couldn't agree more. In order for security executives to "have a seat at the adult's table", these executives must be able to related their security operations, budget, and achievements back to business objectives, enterprise risk and compliance priorities. Conversely, business needs to stop treating security like a black box and understand that in this day and age, much of an organization's business risks are IT related. GRC and security need to converge and we are certainly seeing that in our customer base. It does seem like CISOs are the ones leading this transformation, not the business.
[...] is really on a roll now. A nice follow up from Martin about how security and business functions must be better aligned. This is very timely to my [...]