A major survey from ISACA, a not-for-profit IT governance and security association, confirms the central role that governance plays in information security within large organisations and stresses that 95% of IT professionals within major organisations consider governance to be important.
The study, conducted by the IT Governance Institute (ITGI), ISACA’s research affiliate, is titled the “Global Status Report on the Governance of Enterprise IT (GEIT) 2011.” It says that two thirds of respondent enterprises have some GEIT activities in place, with the most common being the use of IT policies and standards, followed by the employment of defined and managed IT processes.
According to Rolf von Roessing, CISA, CISM, CGEIT, international vice president of ISACA, the report highlights that the main driver for activities related to GEIT is ensuring that IT functionality aligns with business needs.
"It also shows that the most commonly experienced outcomes are improvements in the management of IT-related risk, as well as communications and relationships between business and IT," said von Roessing. "Obviously, these issues are important to ISACA’s global membership, which now tops the 95,000 mark, as governance and regulatory compliance are at the heart of the modern information security curriculum."
Von Roessing explained that, with regulatory compliance now high on the agenda of most corporate boardrooms, especially in Europe, where best practice compliance is now a statutory requirement in many areas of business, the report makes some interesting, valid points.
It's clear, he says, that the right governance enablers can help ensure that the implementation of IT plans within major organisations is as smooth as possible.
"As the report says, it is now a fact of business life that specific events, activities or even crises will arise that require some GEIT objectives to take precedence over others. It is equally important that managers should take a balanced and holistic view of the five GEIT focus areas - strategic alignment, risk management, value delivery, resource management and performance," said von Roessing.
And, when you dip further into the report, he added, you begin to realise the importance of IT in the management process, as 70 per cent of respondents to the ISACA survey indicated that the head of IT in their organisation is also a member of the senior management team.
"More than anything, the results of our survey confirm the significance of IT in many enterprises. However, there is still a lot of work to be done, as researchers have found that it is still common in smaller enterprises for the head of IT not to be on the senior management team," said von Roessing.
"It is also worth noting that other frequently stated reasons for IT not being on the senior management team are that IT is a support function (32 per cent), and that IT is adequately represented by another member of the senior executive team (32 per cent again)," he added.
"Our in-depth report is a timely indicator that, whilst great strides have been made in helping industry to understand the central role that IT has in a business, IT professionals and security professionals in particular should not rest on their laurels."