Governance: It's All About Risk Robert Stroud of ISACA on Global Governance Trends, Opportunities
From mobile devices to social media and cloud computing, IT governance is all about risk management. "You can't de-risk everything, but you can de-risk the majority of circumstances you will see in normal operations," says governance expert Robert Stroud

"In the past, risk was totally managed by the business," says Stroud, international vice president with ISACA and the IT Governance Institute.

But increasingly today, information technology and security organizations are responsible for the risks - which are only growing in number and complexity. "I think it's a great opportunity for IT," Stroud says. "It's an exciting time to be a security professional."

In an exclusive interview on global governance trends, Stroud discusses:

  • The global state of governance of enterprise IT;
  • Key findings from a new survey on GEIT;
  • What it takes to launch a successful career in governance.

Stroud is the former chair of the COBIT Steering Committee and is part of the Framework committee. Stroud also serves on the itSMF International Board as Treasurer and Director Audit, Standards and Compliance and leads the itSMF ISO liaisons to multiple working groups.

Formerly CA's global evangelist for service management and governance, Stroud is dedicated to the development and communication of industry best practices and acts as a strong advocate for the customer - working closely with users, industry organizations, government agencies, and IT luminaries to identify and communicate IT best practices. He is a mentor to many organizations, advising them on their implementations to ensure they drive maximum business value throughout the process.

TOM FIELD: For our audiences not familiar with you or the IT Governance Institute, Robert, why don't you tell us a little bit about yourself and the organization.

ROBERT STROUD: Sure. Thanks, Tom. So, the association is focused as a member-based organization focused on delivering value to our members. Our tagline is 'Trusting in value from information services or information systems,' and we focus on serving the assurance audit management and security professionals globally with chapters in almost every country. We have many makings, and we develop intellectual property and then leverage that within our memberships to help them in their careers and gain value out of the systems that they run for their employers.

Global State of Governance

FIELD: Robert, we hear a lot about governance these days. What would you say is the global state of governance of enterprise IT today?

STROUD: Certainly we all are aware with things like Sarbanes Oxley, compliance legislation, and all the other aspects of that which kind of brought governance to the forefront of the last few years. And another aspect of that I think has come even further forward over the last couple of years is the notion of risk, which really supports the security constituency understanding their value to the organization. So what's happened over the last couple of years, and just in the last short period, is we've understood or identified that governance is certainly top of mind of organizations as they go to drive value out of their innovation stage that we're going through after the global recession. There's a couple of interesting aspects that I'd probably like to share a few thoughts with you on right now, and the first is that we're continuing to see cloud computing dominate the topic in the discussion. Now we'll talk more about that and some of the other security aspects of that in a moment, but you know one of the things we're seeing from the recent survey we conducted is that cloud computing is certainly top of mind of organizations trying to understand how to leverage it or understand how to mitigate the risk. We're also seeing continuing expense management and expense watching, as we call it, become an issue, and that leads to organizations having to understand where to invest their IT dollars to drive value. But the other interesting concept is that in terms of governance, when we looked at governance of enterprise IT in a recent survey that we undertook, only 5% identified that they did not consider it important. So what I'm seeing or believing now is that governance is becoming a fundamental and issue for CIOs and organizations as they move forward.

Survey Results

FIELD: Well, interesting that you mentioned this survey. I wanted to talk with you about that, Robert, because I know the institute has just conducted a survey. What would you say are some of the key findings of particular interest to our security audience?

STROUD: Yes, so there are two aspects of the findings that will be very interesting to the studio audience. First is where the industry is going, and then I think the second part of that is it's where the security professional really needs to focus on to ensure that they're driving value out of the work that they do and communicating that value to their organization.

So as I touched on before the emerging technologies such as bring your own device, which is one emerging technology, cloud computing and other industry trends. This new delivery model introduces new opportunities, I didn't call it risk, for our security professionals because we need to understand how we're going to integrate security and other aspects into these devices and leverage them so that we can ensure that our people and organizations are doing their correct things at the correct times with these devices.

The next interesting aspect of that is that the governance is now becoming an assumed area and an assumed process. I mean. it's just happening as part of an organization. You know as we move forward in economic background I think our security professionals really need to understand that they will probably be called on to justify the investments and security as they move forward in terms of business value, not just necessarily simply mitigation of risk. I think that's a key aspect there is that there are instances where we need to really coach this business on the value that security adds.

The third thing I just wanted to mention quickly is what we call IT leading or following. We found that 70% of respondents noted that the head of IT is a member of the senior management team. That's a really interesting statistic. We're seeing that with many of the security professionals here, where we understand that security is part of the end-to-end business process not part of just IT, in so doing that we can ensure that we understand the value that security is going to add through the whole value chain.

The other aspect I just wanted to quickly touch on is social networking. Now, social networking by the respondents is not highly prized in terms of Facebook and twitter. A lot of security professionals have identified that the benefits of employees using social networking outweigh the risk. With that said, organizations re seeing exceptional value in using the social media.

Governance Recommendations

FIELD: Well very interesting findings, Robert. Based on those what are some of the recommendations you have?

STROUD: There are a number of recommendations and I think they go into a few areas that we want to look at. The first area of recommendations is really, I think. understand the value that security offers to the organization. One of the parallels that I often use is that security needs to be a positive word, not a negative word in the organization. So we really need to ensure that security adds value to the organization while understanding where to put the appropriate components in place, where to identify the risk and when not to cry wolf. I think that's a really interesting parallel. We've all heard about the little boy who cried wolf and/or little girl who cried wolf and the child cried wolf so many times that when the wolf was really at the door nobody listened, and I think that's one of the areas that we really need to focus on in terms of the security aspects going forward.

The second issue is understanding the value. You've got to really understand the value of security. You've got to communicate it in terms of business value not just saving money or not just losing money, but also how you add value in terms of the organization growing and moving forward.

So, I think the next aspect is to be proactive. We need to leverage the governance mechanisms in our organization to be proactive. We need to ensure that IT has a proactive role in the organization and one of the concepts there is instead of just IT listening to the business requirement and just going by way and then delivering it ... there needs to be a clear relationship between the IT member and the executive leadership, a clear relationship between the organization's business values and strategy, and I think security professionals can really address that by getting deeply involved in delivery of service and understanding the business value and then understanding how to drive that forward.

The other thing is helping enterprises address the current issues. Now once you've got the close relationship with the business, you can then focus on the key aspects of the business and the key considerations. In an economic downturn, which you've just been through, you're going to do things like reduce the number of stock, remove the number of consultants and things like that. Now if your trained professionals are very good at ensuring that things like access is removed, that we put our systems in place, you put the right backups and restoration, staff aren't leaving with inappropriate data. I think the value for security professionals is really to grow beyond that and really add value in areas where they can add significant impact.

So one of the aspects that I can quote on there are things like cloud computing. Cloud computing coming aboard is going to really drive value and drive opportunity, and what needs to happen with security professionals is we need to work those cloud providers that we may or may not use into the air. The system of security that we have so that our security requirements for the organization to protect our data, our people, our investments and privacy are maintained. The third thing is going back to the first thing, really. Supporting the organization's business strategy. That, I think, is a great guide to security professionals. Once we understand the strategy, we know where to support it, we know where to put our resources. We know where to put our people and help them and have them drive value moving forward.

For security professionals, I believe what we have found is the track that they're on typically is the right track, and we need to keep moving forward, and of course at the same time ensure that we understand the variables in the economy, the variables in our business, the changes in strategy and adjust or tweak where we go with security at the same time.

Global Trends

FIELD: Robert, let's leverage some of your global perspective. As you look at some of the key trends that interest you the most, how do these governance trends differ if at all in the various global regions?

STROUD: Yes, governance trends do differ. In companies with large compliance legislation, for instance, we see a strong focus on compliance, complying with the law, putting the roles in place to meet those requirements. One of the clear aspects or security considerations globally right now is privacy -- personal information, what to do with that. How do we secure that? How we manage that?

The second aspect is in terms of investment and value. Organizations that are in the growth economy now and growth market are looking for business value and business opportunity. So while they're doing that, they may be prepared to accept some level of risk as they grow that business and evaluate the opportunity before it becomes mainstream and comes under control.

The third aspect of governance that's changing globally is the adoption and use of cloud computing. That introduces its own security issues, which have been well communicated and talked about and just a simple aspect of that is data privacy laws and security professionals must be aware of what those data privacy laws are so they can guide their organizations. So for instance you may be in Europe once again, which has strong laws in terms of data privacy, data storage and where that data is stored. So the adoption of cloud computing although inevitable, I believe, for many businesses and many organizations may be changed in terms of the evaluation process that cloud provided in that regional geography, and I think as you look at those aspects and many aspects of the governance professionals or the industry professionals, we have so much that we need to be cognizant of.

One of the things I've clearly seen is back in North America. where of course I live and breathe and work, is that you can see the governance processes mandated by the health industry and the finance industry are getting tighter and tighter and stronger, whereas another industry may be looser and not so tight, and then even those requirements will vary by geography. I think that's an interesting aspect that we need to be aware of especially in this global economy where the barriers and walls of geography have been reduced.

I recommend the old analogy: Measure twice, cut once. And I clearly believe that as we move forward we're going to have to consider that in terms of how we deliver value only to ensure quality and consistency of service as to deliver IT services that we may not have done so in the past.

Career Opportunities

FIELD: For these professionals that want to get into the field today, what's your advice to them to be successful when either starting or restarting a career here?

STROUD: Yeah I reached out in my career or changed tracks multiple times, and each time it's been more rewarding than the time before. Professionals moving into risk or governance have a couple of interesting opportunities. #1 ISACA and the IT Governance Institute offer a network of industry professionals, like-minded industry professionals, local meetings, local chapter meetings in your area. You can also go to the website www.isaca.org and of course have a look at where your local chapter is and how to get involved. In doing that, one of the things I strongly recommend is read some of the freely available or easily available documents we have on our website associated with members, and then of course take the opportunity to look at education and certification in the areas of risk and governance which ISACA and other organizations offer. As you go through this task, you're going to look through education and training that drive you through and help you understand that there are a couple of quick tips.

So, for anybody in the governance area, #1 is realize that you're going to be learning business language. IT language is great and it's important to your role, but you're going to start to need to be able to walk among the shoes of the business. So you're going to need to understand the terms they use, the issues that are important to them, the opportunities that are important to them.

#2 you'll need to get training and certification. You know we certainly understand at ISACA with the recent certification which we call CGEIT: Certified and Governance of Enterprise Information Technology. You can gain that certification. We hold exams twice a year, and that requires practical experience as well before you can get that certification.

But more importantly than that, I think you need to look at the opportunities that are in the marketplace as a risk professional. A lot of my friends who are IT auditors have moved into risk. A lot of my friends who are security professionals have moved into that area as well. A lot of information out there. The best place to start of course is our website which I mentioned before www.isaca.org.




Around the Network