In my last update on the Governance of IT, I referenced the critical strategic risk from the convergence of (i) growing dependency on digitisation within all companies and (ii) the growth in prevalence and sophistication of the hackers.
It is not realistic to assume that all board members and managers are expert in the complex world of IT security. This is where a comprehensive IT Governance and Risk Management Framework is so important. Clearly, the board are ultimately responsible for IT governance so they must satisfy themselves that the first and second line defence frameworks are in place, are managed by people who are expert, and are operating effectively. The framework for IT governance will include:
- a) an IT strategy aligned to the business strategy;
- b) risk management processes designed to protect the digital assets; and
- c) structures and plans to deal with recovery of critical operations in the event of a significant incident.
The first element of the framework, the IT strategy has two key objectives; a) to support the business in the delivery of its business strategy and b) to secure the business against system failure or data loss, caused by cyber hackers or some other disaster.
The IT strategy should include at least:
- A complete inventory of digital assets currently in place, indicating those which are directly owned and controlled and those which are ‘rented’ from a third party through an outsource agreement or a service supply arrangement. The review of the digital inventory should also consider which of these assets are strategic to the future of the business and which are supporting legacy products and may need to be upgraded or switched out in the near future. This inventory will provide a good picture of the current IT environment within which the company is operating;
- Having outlined the current inventory of digital assets the IT strategy must set out, in detail, the new digital assets which will be required to support new strategic initiatives in the business. This is where the IT strategy alihns to the business strategy. An early indication of how the company might develop these assets (buy or build) will be useful here;
- With the knowledge of what the business is currently operating and what is required in the future (to swap out legacy systems an/or to develop new systems) the IT strategy should provide a coherent resourcing strategy which is aligned to the needs of the existing infrastructure and to the expansion of that infrastructure.
- In the context of the infrastructure (hardware, software and people) requirements set out above, the strategy for the protection of the company’s IT perimeter from would-be hackers should be documented. This should demonstrate a thorough risk assessment, and consequent deployment of risk mitigation and risk monitoring arrangements, covering the technical tools available as well as ensuring appropriate employee awareness education to combat the hackers;
- Lastly, the strategic approach to planning for incidents, both environmental disasters and company specific attacks should be included. This would focus on the systems critical to the business and set out recovery and/or replacement targets.
All of the above should ensure that the IT strategy is well aligned to the business strategy and that the digital environment is resilient, with recovery plans in place for the unforeseen events.
IT technical expertise will be required to support the development of the strategy and to implement the strategy however, it is critically important that the IT strategy itself is owned by the management and board as a whole and not only by the IT function.
April 2021
To discuss any of your Governance needs call Governance Matters on +353 (0)87 6408750 or email your query to info@governancematters.ie