As a Security Solutions person, I think people should start with taking a broader view from IT governance instead of focusing on many different security technologies straight away.
To ensure progressive and substantial development in IT Security, three specific areas related to security need to be addressed. First, it is imperative to raise awareness of the importance of IT Governance. IT Security is not limited to merely avoiding and preventing hacking; it also serves to facilitate the management of an IT environment by assessing and addressing any possible risk. In addition, such IT environments need to be supervised under specific regulations, and thus the three areas have been consolidated and termed GRC: Governance, Risk, and Compliance.
The prospects and potential development of GRC are exhibited through recent acquisitions in the industry. Key security vendors in particular are keen on acquiring GRC solutions with the intent of enriching their offerings. McAfee’s acquisition of Solidcore and EMC’s acquisition of Archer Technologies are merely two significant acquisitions of the many that have occurred in recent years.
IT Governance comprises an IT Framework and five different domains. In order, these five domains are:
- Strategic alignment of IT with the business
- IT Value delivery
- Management of IT risks
- IT Resource Management
- IT Performance measurement
A great resource for further insight into IT Governance is the book “Board Briefing on IT Governance” by the IT Governance Institute.
I would like to share some relevant pointers, which I feel will greatly aid your understanding in this context:
- A CIO is no longer merely an IT Manager, but a Business Manager as well
IT should be regarded as a business, and tying IT investment to business value is the key to success. Every IT investment project should ideally be supported by a business case. Analyzing a business case allows one to establish the business value of that particular project, and it also aligns expectations and requirements across the organization.
Investing in an intangible resource, for example infrastructure, is usually challenging, but when the infrastructure is improved and aligned with the new system, business value will increase.
Reference: Building the Business Case for COBIT and Val IT: Executive Briefing, available as a free download.
- Many business initiatives are supported by the IT team, but increasingly business initiatives are being led by IT teams
Launching a new customer service portal would require the IT team to propose the latest relevant technologies and protocols, to ensure that the portal will be able to meet business needs for the next 3 – 5 years. Therefore, it is essential that IT teams equip themselves with the business knowledge that will enable them to build the required architecture in the future.
- Enterprises should consider developing and/or customizing their own standards, instead of merely following customary standards
Firms most commonly adopt the customary standards set in their specific industries; in this case, these would be the common standards set for the IT Governance framework. However, firms should remember that they can customize these standards to fit their specific business environment and requirements. This is important because once standards have been adapted to meet your business requirements, they lead to efficiency and productivity.
- There is more to Risk Management than just “Security”
It is commonly understood that security consists of Confidentiality, Integrity, and Availability (CIA). However, risk management is made up of Risk Evaluation, Risk Governance, and Risk Response. Therefore, it is important that individual business units, the entire business committee, and IT managers assume responsibility for Risk Management together.
- Components of Resource management
Apart from human resources and capital investment, IT Resources include infrastructure, information, applications, processes, partners and more. Resource Management does not mean obtaining as many resources as possible, but identifying and properly utilizing available resources. For example, when only authorised IT systems can access backend data, the backend database cannot be abused through other paths.

{ 4 comments }
good piece
Educative. And thanks for the links on additional information.
Thanks. Quite a lot of informative references are there.
Thanks for your support!