The findings of a recent survey by global technology association ISACA shed some light on the relationship between business and IT goals, as perceived by 732 senior business leaders worldwide. While it is encouraging that more than 90% of these leaders agree that strong technology oversight contributes to improved business outcomes and greater agility, the survey data on digital security suggests there is still much work to be done.
According to the survey:
- In only 55% of organizations are the leadership team and board doing everything they can to safeguard their digital assets and data.
- Within overall governance, cybersecurity policies and defenses (controls such as strong password policy) were cited as the number one corporate governance technology challenge and opportunity faced by senior leadership teams. Yet:
- Only 21% of senior leadership and boards are briefed on risk topics at every senior leadership meeting.
- Only one-third of organizations assess risk related to technology use on a monthly or more frequent basis.
Thankfully, it’s not all doom and gloom, as ISACA’s survey findings also reveal that many leadership teams are prioritizing and increasing funding for cybersecurity and risk management programs going forward. Specifically:
- 48% of organizations will prioritize funding expansion in cyber defense improvements.
- 64% of organizations increased spending on risk management over the past year, and 33% plan to increase spending on enterprise risk management programs over the next 12 months.
If you’re among these business leaders moving improved IT governance higher up on the list of “to dos” for 2018, consider these 5 best practices.
1. Get your business priorities straight.
The role of governance is to ensure alignment between your IT investment strategy and the strategic priorities of your business. If those strategic priorities aren’t clearly defined, your IT governance efforts are doomed to fail.
2. Have the right people at the table.
To ensure focus and accountability, your executive committee and the leaders of your major business functions (IT, finance, operations) need to be present, engaged, and clear on their responsibilities. While it may be tempting to “go big or go home,” smaller groups are often more effective. It’s also important to have a single, named person who officially owns IT security and governance, so that accountability does not diffuse across the committee.
3. Remember the three Ps.
Policies, practices, and performance measures are a must – and should reflect your strategic priorities, from both business and IT perspectives.
4. Before looking too far forward, look back.
A regular review of your existing IT investments – with an eye to whether these projects are realizing their business case – should accompany any planning for the future. Among the questions you’ll want to ask:
- Is the availability, security, and continuity of your IT services where they need to be?
- Do you have the resources – human, financial, and structural – needed to secure, scale, and support your IT services over the long term? (Don’t forget the importance of ongoing staff education and training.)
- Are you regularly assessing risks (both known and emerging) associated with your various technologies? Is there transparency and clarity around efforts to mitigate risks?
5. Right-size your governance approach.
The more complex the organization, the more complex the governance program will likely need to be – i.e., more players, more reporting, and more communication. Regardless of how complex (or simple) your program ends up being, own it and stick with it. Consistency supports understanding, commitment, and long-term value.