IT Security and Governance

With Cyber Security Operations Consulting's IT Security and Governance and Governance, Risk and Compliance services, you retain a board-level resource who can 'virtually sit inside your company' and manage your security strategy, budget, risk reviews and regulatory programs.

CyberSecOp describes IT governance as "specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT." If desirable behavior involves independent business units, IT investment decisions will rest with the unit heads. If desirable behavior involves an enterprise-wide view of the customer with a single point of contact, then central IT control works best.

Three Functions of Governance

  1. What decisions must be made to ensure effective management and use of IT?
    1. IT principles - clarifying the business role of IT
    2. IT architecture - standardization and integration requirements
    3. IT infrastructure - shared services that provide the foundation for IT capability
    4. Business application needs - specifying the business need for purchased and internally developed IT applications
    5. IT investment and prioritization - choosing what initiatives to fund and how much to spend
  2. Who should make decisions? Archetypes for allocating decision rights.
    1. Business monarchy - senior business executives (excluding IT) make the decisions
    2. IT monarchy - IT executives make the decisions
    3. Feudal - each business unit makes independent decisions
    4. Federal - a combination of corporate center and business units, with or without IT, make decisions
    5. IT duopoly - IT and one other group, such as senior executives or business unit leaders, make decisions
    6. Anarchy - individual users make independent decisions for themselves
  3. How will these decisions be made and monitored?

Why is IT Governance Important

  • Financial payoffs
  • IT is expensive
  • IT is pervasive
  • New technologies
  • IT governance is critical to learning about IT value
  • Not just technical - integration and buy-in from business leaders is needed for success
  • Senior executives have limited bandwidth, especially at large institutions, so they can't do it all
  • Governance patterns depend on desired behaviors
    • Top revenue growth - decentralized to promote customer responsiveness and innovation
    • Profit - centralized to promote sharing, reuse and efficient asset utilization
    • Multiple performance goals - blended centralized and decentralized governance

IT Governance Challenges

  • is increasingly easy to digest and digitize
  • has increasing importance in products and services
  • is difficult to value or price
  • has increasing risk of security exposure
  • is expensive

Governance Archetypes

  • Business monarchy: Senior business executives make IT decisions
  • IT monarchy: IT executives make IT decisions
  • Feudal: Business unit leaders make IT decisions to optimize local needs, but this does not facilitate enterprise-wide decision-making.
  • Federal: Coordinated IT decision-making between the center and the business units.
  • IT duopoly: IT executives and one other group (such as senior executives or business units) make IT decisions.
  • Anarchy: Individual users or small groups make IT decisions. Anarchy is expensive, difficult to support and rare, but sometimes used when very rapid customer responsiveness is needed.

Different types of decisions might use different archetypes. The five decision types are:

  • IT Principles
  • IT Architecture
  • IT Infrastructure
  • Business Applications
  • IT Investment

What Governance Arrangements Work Best

  • Monarchies work well when profit is a priority.
  • Feudal or business monarchy arrangements might work best when growth is a priority.
  • Federal arrangements can work well for input into all IT decisions. Avoid using the federal arrangement for all decisions, since it is difficult to balance the needs of the center with those of the business units.
  • Duopoly arrangements work well for IT principles, investment decisions and business application needs. Duopolies also work best when asset utilization is a priority.

Governance Mechanisms

Governance is implemented using the following mechanisms.

Decision-Making Structures

Organizational units and roles responsible for making IT decisions, such as committees, executive teams, and business/IT relationship managers.

  • Executive or senior management committees
  • IT leadership committee
  • Process teams with IT members
  • Business/IT relationship managers
  • IT council of IT and business executives
  • Architecture committee
  • Capital improvement committee

Alignment Processes

Formal processes for ensuring that daily behaviors are consistent with policies and provide input back to decisions. These include IT investment proposal and evaluation processes, architectural exception processes, service-level agreements, chargeback, and metrics.

  • Tracking of IT projects and resources consumed
  • Service-level agreements
  • Formally tracking business value of IT
  • Chargeback arrangements

Communications Approaches

Announcements, advocates, channels, and education efforts that disseminate IT governance principles and policies and outcomes of IT decision-making processes.

  • Work with managers who don't follow the rules
  • Senior management announcements
  • Office of CIO or IT governance
  • Web-based portals and intranets for IT

Mechanisms should be:

  • Simple: Unambiguously define the responsibility or objective for a specific person or group.
  • Transparent: A formal process that is clear to those who are affected by, or want to challenge, decisions.
  • Suitable: Engage the individuals best positioned to make the given decisions.

Mechanisms do not work in isolation. The impact of governance depends on the interactions among mechanisms.

Principles for Establishing a Set of Effective Mechanisms

  • Use all three types: decision-making structures, alignment process and communication approaches.
  • Limit decision-making structures. Too many structures lead to contradictions and disconnections. In large enterprises, decision-making responsibilities should be disseminated using alignment mechanisms, not decision-making structures.
  • Provide for overlapping membership in decision-making structures. Input is needed from both business and technology to avoid a disconnect between IT and business decisions.
  • Implement mechanisms at multiple levels of the organization. Architecture and IT budget process often provide the connection between enterprise governance and business unit governance in large organizations.
  • Clarify accountability. Management objectives and metrics will help reduce confusion over who is responsible for what.
Characteristics of Top Governance Performers

Top-performing institutions are transparent about the tensions around IT decisions, such as standardization vs. innovation.

  • Managers in leadership positions can describe IT governance.
  • Rather than informal chats, use communication approaches (listed above) to engage managers and increase their knowledge of IT governance.
  • Direct involvement of senior leaders in IT governance.
  • Clear business objectives for IT investment, usually just a few of the following:
    • Reduce costs
    • Improve customer service
    • Provide information to management
    • Enhance customer communication
    • Support new ways of doing business
    • Enable a complete view of the customer
    • Improve product quality
  • Differentiated business strategies based on value disciplines (such as customer intimacy or product innovation) rather than operational excellence. Operational excellence is often a default strategy to reduce costs and points to the need for strategic focus.
  • Fewer renegade exceptions and more formally approved ones.
  • Fewer changes in IT governance from year to year.

Aligning IT Governance with Strategy and Performance

Six Components of Effective IT Governance Design

  1. Enterprise strategy and organization. Strategy focuses employee attention on simple and achievable messages. Governance reinforces and transcends organization structure in defining responsibilities for implementing strategies.
    1. Competitive thrust of the enterprise
    2. Relationships among business units (autonomy vs. synergy or centralized vs. decentralized)
    3. Intentions for the role and management of information and IT
  2. IT governance arrangements. Identifies the archetypes used for each type of IT decision.
  3. Business performance goals. Clear objectives for the governing bodies and benchmarks for assessing the success of governance efforts.
  4. IT organization and desirable behaviors. Enterprise strategy and organization provide the direction for organization and desirable behaviors. Desirable behaviors must be in harmony with strategic direction or an enterprise cannot achieve its performance goals.
  5. IT metrics and accountability. Who is responsible and how they will be evaluated.
  6. IT governance mechanisms. Well designed mechanisms reinforce and encourage desirable behaviors and lead to outcomes specified in metrics and accountability.

Strategies for IT Governance

  • Value disciplines are usually one of the following
    • Operational excellence. Emphasizes efficiency and reliability. Leaders in price and convenience. Minimizes costs; streamlines supply chain. Governance is usually more centralized.
    • Customer intimacy. Focuses on building relationships with the customer. Governance models might allow more individual discretion.
    • Product or service leadership. Leaders in innovation, new solutions and rapid commercialization. Governance models might blend centralized approaches for fast innovation with decentralized approaches to allow more autonomy for innovation.
  • Business unit autonomy vs. synergy (centralized vs. decentralized)
    • Business unit autonomy can yield more growth
    • Business unit synergy can yield more profit

Management Principles for Designing Governance to Address Strategic Objectives

  • Make tough choices
  • Develop metrics to formalize strategic choices
  • Determine where organizational structure limits desirable behaviors. Design governance mechanisms to overcome the limitation.
  • Allow governance to evolve as management learns the role of IT and how to accept accountability for maximizing IT value. To facilitate synergy, firms use:
    • IT architecture committees
    • Chargeback
      • Clarifies cost savings for the shared model
      • Encourages responsible use of resources

Top 10 Leadership Principles for IT Governance

  1. Actively design IT governance
  2. Know when to redesign
  3. Involve senior managers
  4. Make choices
  5. Clarify the exception-handling process
  6. Provide the right incentives
  7. Assign ownership and accountability for IT governance
  8. Design governance at multiple organizational levels
  9. Provide transparency and education
  10. Implement common mechanisms across the six key assets
    1. Human
    2. Financial
    3. Physical
    4. Intellectual property
    5. Information and IT assets
    6. Relationship assets

IT Governance for Nonprofits and Government

The greater focus on consensus, transparency and equity in nonprofits and government affects IT governance design. Successful IT governance relies more on partnerships and joint decisions between business and IT leaders. Formal mechanisms such as committees are also important.

  • Measuring value and performance
  • IT infrastructure investment
  • Coproduction and architectures
  • Citizens, clients and customers

How Top Performers Govern IT in Nonprofits and Government

  • Joint IT and Business decision making for principles
  • Consider IT infrastructure decisions to be strategic business decisions
  • Don't use the feudal archetype for business application needs
  • Use duopolies for decisions about IT investments

Mechanisms for top performers

  • Executive committees focused on all key assets including IT
  • IT council comprising business and IT executives
  • IT leadership committee comprising IT executives
  • Architecture committee
  • Tracking of IT projects and resources consumed
  • Business/IT relationship managers

Symptoms of Ineffective Governance

  • Senior management senses low value from IT investments
  • IT is often a barrier to implementing new strategies
  • The mechanisms for making IT decisions are slow and contradictory
  • Senior management cannot explain IT governance
  • IT projects run late and over budget
  • Senior management sees outsourcing as a quick fix for IT problems
  • Governance changes frequently

CyberSecOp offers Governance, Risk and Compliance (GRC) consultation services for many compliance mandates, including:

  • PCI DSS Governance, Risk & Compliance (GRC)
  • HIPAA Governance, Risk & Compliance (GRC)
  • HITECH Governance, Risk & Compliance (GRC)
  • GLBA Governance, Risk & Compliance (GRC)
  • FISMA Governance, Risk & Compliance (GRC)
  • GDPR Governance, Risk & Compliance (GRC)
  • NYDFS Governance, Risk & Compliance (GRC)
  • ISO 27000 Governance, Risk & Compliance (GRC)
  • NIST Governance, Risk & Compliance (GRC)

We know a good Governance, Risk and Compliance program will protect your organization from cyber criminals.