With the collapse of Enron, many urgent and vital business issues are on the minds of boards of directors.
For IT professionals, trying to wrest even a few minutes of undivided attention from the board can be difficult in the best of times, but with the Enron situation it becomes an even greater challenge.
While boards now are being asked to seriously consider corporate governance challenges relating to financial reporting in this post-Enron environment, they cannot afford to overlook serious IT governance issues. These issues range from basic security breaches of law to serious financial losses.
The stakes are high and the economic fallout related to information security breaches is rapidly mounting. In February 2002, Global Crossing, a telecommunications firm, admitted that a former IT employee had, for several months, been posting the names, social security numbers and birth dates of company employees on his personal web site. Some employees blamed lax IT security and controls for this major security violation.
These types of security breaches create untold problems for employees who may be subject to related identity theft, and they create legal problems for the companies involved.
In a study involving 1,000 IT executives worldwide and the issues critical to them, Computer Sciences Corporation found that nearly half (46 percent) of respondents say their organizations do not have a formal information security policy in place. In addition, 68 percent do not regularly conduct security risk analyses or security status tracking.
IT security was considered to be such an important issue by KPMG, one of the large accounting firms, that it was the sole topic at a third quarter 2001 series of roundtable discussions sponsored by the KPMG Audit Committee Institute. In addition, the American Institute of Certified Public Accountants identified IT security and control as the number one technology issue in 2001.
Financial losses are another concern. According to a study conducted by the Computer Security Institute, 64 percent of respondents acknowledged financial losses due to computer breaches. In fact, they reported more than $377 million in financial losses due to computer crime. This compares to approximately $266 million in losses reported in 2000 and an average of $120 million over the previous three years.
Despite increased awareness, in January 2002 the Computer Emergency Response Team released statistics showing that the number of security incidents reported in 2001 (52,658) was more than double the number of incidents reported in 2000 (21,756).
Most IT professionals realize these trends will continue to escalate unless board members take strong interest and initiate decisive actions relating to governance over IT. Board attention to IT governance is instrumental in:
- assuring the security, reliability and integrity of strategic information;
- protecting the enterprise's investment in information technologies, including systems and networks;
- ensuring the appropriate management of the enterprise's information assets, which often are directly responsible for the success and survival of the enterprise itself.
The first basic step is for governance of IT to be upgraded from a reactive activity to a proactive process. IT is now woven inextricably into nearly every organization's core fabric, making IT governance not a luxury, but a necessity. The days when a separate IT function simply supported traditional business processes are long gone. IT is now critical to the continued existence of most of the world's largest enterprises.
Thus, the board's most important involvement with IT governance is concerned with two critical responsibilities. Board members must ensure that IT is delivering acceptable value to the business, and they must be satisfied that IT risk is being mitigated. They must clearly understand and support the strong bond between business objectives and IT activities.
Currently, IT governance concerns are not given appropriate discussion time and in-depth study at some boardroom tables either because board members feel they do not have an intricate understanding of detailed technological issues, or because they do not believe that IT is a board matter.
There is no need for leaders who oversee businesses to become IT authorities; however, they do need to proactively execute their fiduciary responsibilities and work toward mitigating IT-related risks in the organizations under their watch. To be sure, IT has far-reaching implications that are worthy of board attention - extremely large staff time and financial investments, and the potential for devastating, crippling outcomes.
While the risks seem to grow daily, expenditures earmarked for IT are being scrutinized and often trimmed. CIO.com released survey results in 2001 showing that only 18 percent of respondents answered "no" when asked if their IT budget was trimmed during the year. For 45 percent of the IT professionals, funding had been cut permanently.
Although there may have been some excess built into IT budgets during the roaring 1990s, appropriate governance of IT at the board level should encourage a stringent focus on IT budgets and plans in relation to the overall needs of the business. At a time when all corporate expenditures are under review, it is more important than ever for board members to equip themselves with a high-level understanding of their changing roles and responsibilities regarding IT oversight.
Indeed, one of their most important responsibilities is for board members to ensure that the organization's IT practices are aligned with their business objectives. The growth and success of nearly all businesses rely on taming information technology for secure, profitable use. Companies striving for success in this environment must integrate IT with business strategies to attain their business objectives, get the most value out of their information and capitalize on the technologies available to them.
As for all assets, management must demonstrate to the board that the organization is satisfying the quality, fiduciary and security requirements for its information. This includes making the most of available resources, including data, application systems, technology, facilities and people. An internal control system must be in place to support the business processes and it must be clear how each individual control activity satisfies the information requirements and impacts the resources.
All organizations benefit from a comprehensive and integrated approach to risk management, security and controls. As these entities continue to take advantage of new technology, critical decisions arise about the level of investment that's appropriate for IT security and control. In addition, businesses must respond quickly to the needs of their employees, customers and business partners, yet still maintain security of vital information systems.
Planning for an unknown and unpredictable future, while difficult, has become the normal course of business. IT leaders and board members should work together to ensure their organizations to implement an IT governance program because it:
- allows management to understand the appropriate scale and cost of current and future investments in information and information systems;
- helps ensure IT delivers on its promise;
- reduces vulnerability to a variety of internal and external threats;
- helps the organization prepare for changing technology and business practices;
- provides adequate security and continuity assurance, especially important now that many companies depend on information systems for their very livelihood.
Governance of IT encompasses several initiatives for board members and executive management. Business leaders must be aware of the role and impact of IT on the enterprise, define constraints within which IT professionals should operate, measure performance, understand risk and obtain assurance.
Two publications recently released by the IT Governance Institute address these activities by describing why IT and IT security have become critical to enterprise governance and how boards and management need to address the issues and risks involved in IT. The Board Briefing on IT Governance and a related publication, Information Security Governance: Guidance for Boards of Directors and Executive Management, can be downloaded at no charge from the IT Governance Institute (www.ITgovernance.org/resources.htm). They offer practical information and build on guidance from international regulatory and standards-setting bodies, including COBIT, an international generally accepted IT control framework.
The Board Briefing includes a high-level governance framework, performance measures and an IT governance checklist. Tools to evaluate information security status and understand what security governance should deliver, as well as questions that can help uncover potential security weaknesses, are included in the Information Security Governance publication.
Providing oversight over IT in an enterprise presents extraordinary challenges and opportunities for members of boards and executives. Businesses require effective strategy-based IT governance planning.
IT governance is not about board members becoming experts in the intricacies of technology. Rather it involves applying their incisive management skills to a critically important and constantly changing facet of business. Obtaining high-level expert guidance on IT oversight demonstrates the board's commitment to understanding and managing the opportunities and risks that affect the future stability and growth of the enterprise.
For those enterprises where IT is critical to the success of the business, boards also may want to consider setting up a board committee relating to IT strategy, with at least one board member on the committee or acting as its chair.
A professor of accounting at the University of Southern California, Robert Roussey, CPA, is international president of the Information Systems Audit and Control Association (ISACA, www.isaca.org). He is past chair of the International Auditing Practices Committee. He can be reached at [email protected].