The risk of data loss is growing as more data is created and shared via mobile devices, social networks, and file sharing services. Governance policies must reflect these trends whether or not your business is regulated. Some IT governance policies are falling short – and the issue is not limited to technology.
Technology innovation is moving considerably faster than organizational cultures. As organizations have extended out to clouds and mobile devices, IT departments have had to radically change how they operate, including how they procure products and services, how they manage technology and data assets, and IT’s own role within the organization. Similarly, governance policies have to evolve to better align with the modern business world, but they often lag behind the availability of technology.
Many organizations struggle to define policies that support modern ways of working while minimizing risk exposure. As a result, depending on the industry and company, IT governance policies can range from Draconian to lax. When the governance policies are too rigid, innovation may suffer. When they’re too lax, that fact becomes self-evident, if not costly.
Effective governance requires the right mix of people, processes, and tools to ensure that the policies are well-defined and also enforced.
What’s Wrong with Governance
Some organizations have trouble establishing effective IT governance committees because historically suits were suits and nerds were nerds. As businesses embrace new technologies and modern ways of working, historically-separate domains no longer have the luxury of operating in a vacuum. Business competitiveness depends on business-technology alignment. Newer generations understand this, but some (but not all) long-standing executives may have trouble adapting.
A major transportation company had to resolve that particular problem. One of their successful actions was making sure that the tech-savvy committee members with business titles could demonstrate a technology’s business value to their comparatively technophobic counterparts. Collectively, the committee defined a business strategy that included the technology they needed to make the strategy successful. If the company was going to transform itself, management knew, it needed the means to measure and improve performance. The transportation company’s strategy included monitoring mechanisms to ensure regulatory compliance, policy compliance, and many aspects of business performance.
While CIOs play a central role in the process, effective governance needs to be enforced by executives who represent the various aspects of the business. Collective decision-making can result in executive buy-in that helps drive more business value from technology investments, but policy enforcement can fall short when the organization lacks tools to monitor and manage compliance. Regulated industries dictate the use of certain types of technologies; however, unregulated companies can expose themselves to unnecessary risks when they fail to support and enforce IT governance policies. Some companies’ governance policies are not reflected in their HR policies, which can further complicate enforcement.
IT governance committees also may get involved with prioritizing technology investments. Operating units or departments may be vocal about their individual needs, but their actual needs usually vary. For political reasons, some organizations distribute IT investment dollars “equitably” which tends to yield several incremental improvements, some of which have dubious value. The problem with departmental investments is that little or no thought may have been given to the ecosystem in which the solution will run which can negatively impact IT, other departments, and the business at large.
An effective governance committee that has an accurate view of “the big picture” can observe how investments in one area of the business affect other areas of the business, and prioritize investments accordingly – including “free” investments. Outdated IT governance policies can expose businesses to risks. For example, some of today’s technologies, such as social networks and file sharing services, don’t require departmental budgets because they’re free or cheap and easy to use, which is why employees and operating units unilaterally decide to use them. Even though that may not be the best idea for organizations that need to track data and who has access to it.
Managing Risks Effectively
One of the most important roles of an IT governance committee is to manage risks, including protecting information assets. The business rules programmed into individual systems may define what can and cannot be accessed and shared; however, employees nevertheless find ways to share data, often in ways the organization has not considered or not considered adequately.
Some companies sanction enterprise-grade cloud-based services that meet their privacy, security, eDiscovery, intellectual property, and compliance requirements while allowing the use of less-robust public cloud services for content that is less valuable and thus exposes the organization to less risk.
Meanwhile, the volume of information created and consumed on mobile devices is growing, which is also changing the way individuals use and share information. As employees spend more time using their personal devices, interacting on social networks, and sharing information via file-sharing services, organizations must look for ways to ensure security and data preservation. In addition, mobile usage needs to be tracked for auditing and eDiscovery purposes.
Some organizations make a point of educating employees and managers about their policies. They may also encourage employees to review their policies before uploading and sharing content. Hope is an ineffective strategy, however. Businesses need strategies and mechanisms to ensure policy compliance whether or not they operate in a regulated industry.
Effective IT governance is a cross-functional activity that requires a unified vision, collective commitment, and enforcement. File sharing services, social media, and mobile devices have presented organizations with data security and business risk management challenges, but the larger problem – as always! – is a people issue. Employees will do what comes naturally in the absence of clearly articulated policies – and even then, effective enforcement is required to ensure that governance policies actually do govern behavior.