Monday, March 21, 2016
Managing the human, behavioral and cultural aspects of change and motivating key leadership executives to buy into the change is critical to the success of IT Governance that supports an agency’s IT security program.

To start, guiding principles can ensure that all staff have a common understanding of the core IT Governance criteria. These guiding principles let staff know that IT Governance is recognized by the C-Suite as critical to the organization’s success, and that IT resources are managed for maximum effectiveness and efficiency across the organization. They also ensure that security is integrated into meeting requirements and delivering the benefits set by an organization’s business leaders. As a model, the Department of Veterans Affairs established a number of principles that could be adapted by other agencies, followed by related imperatives and characteristics. (Read my first blog on this topic.)

IT Governance Guiding Principles

  • IT Governance is critical to the success of the Organization’s Governance and business needs
  • Business (mission) requirements and benefit realization are the basis for setting IT priorities
  • Business leaders (Administrations and Staff Officers) establish IT requirements, business benefits, and priorities based on the Organization’s Strategic Plan
  • Business leaders oversee full life cycle execution of IT program to manage risk
  • The CIO’s office determines technology solutions and IT related life cycle costs
  • The CIO manages IT resources and IT program execution to maximum effectiveness and efficiency across the Organization to meet requirements and deliver benefits set by Business Leaders
  • Use existing Organizational Governance mechanism to maximum extent possible
  • CIO policies, procedures and processes must be published, communicated, monitored, measured, and reported across the Organization
  • IT Governance enforcement must be equitable, timely, and consistent
  • Industry/Government best practices and standards are assessed and implemented as appropriate

These and similar imperatives must be addressed up front for IT Governance to be well implemented. These imperatives describe how people will operate within the new IT Governance program, and the need for trust and partnership to make the IT Governance plan successful (these were adapted from the VA case study cited above and generalized for the purposes of this blog):

IT Governance Imperatives 

Build Trust

  • Trust must be built among the stakeholders in the management of information and technology in the Department/Agency
  • Trust is not achieved in documents; it is achieved through cooperative partnerships between the business needs of the Administrations and Staff Offices and the IT service provider
  • Structure alone without a foundation of trust will not function effectively
  • IT Governance, through careful definition of roles and responsibilities, provides the requisite foundation to address the central theme of concern: how to establish trust among stakeholders in the management of information and technology in the Department/Agency

Build Partnerships

  • IT Governance is not an isolated discipline
  • IT Governance should form an integral part of the Organization’s Governance, and needs to be addressed at the most senior levels of leadership
  • IT Governance can be seen as a structure of relationships and processes to direct and control the Department/Agency so that it achieves its Department/Agency-wide goals by adding value, while balancing risk versus return over IT and its processes
  • Senior leaders must ensure that IT operational risks are mitigated and that the value returned by technology investments meets the strategic goals and objectives of the Department/Agency
  • Day-to-day communication between the Administrations and Staff Offices with various IT offices can help to ensure close coordination between the businesses and IT

Also, key characteristics, or a list of the “rules of the game,” are needed to infuse the IT Governance effort. These range from “builds relationships and processes,” to “ensures that everyone is playing by the same rules” and “doing the right things right.”

IT Governance Characteristics 

  • Builds relationships and processes to direct and control the enterprise, in order to achieve the enterprise’s goals by adding value while balancing IT risk versus return
  • Specifies the distinction between input rights and decision rights to clarify the differences between advisory entities (such as Steering Committees) and those assigned to manage the process
  • Specifies the accountability allocated between business requirement owners and the IT organization to encourage desirable behaviors in the use of IT
  • Assures a process for managing and controlling the use of technology to create value for the organization and assure benefit realization
  • Oversees the rules and regulations under which an IT organization functions to serve the business lines
  • Ensures that everyone is playing by the same rules so that the IT environment works for everyone

These guiding principles, imperatives and characteristics provide a model to help departments and agencies create the appropriate environment for addressing specific challenges, including managing changes to culture and behavior.

Leadership at numerous agencies has indicated that before they could address their security weaknesses and prevent future data breaches, they needed to establish a strong IT Governance program. The IT Alliance for Public Sector (ITAPS) recommended a similar approach as a result of the OPM data breach (see issues 1 and 5). As indicated in my previous blog, security and privacy must be based on a rigorous risk management process and a sound IT Governance program.

Read my next blog on this topic.

 

Image courtesy of Stuart Miles at FreeDigitalPhotos.net