We should mean almost, digitally. With serious considerations to best practices, widely acceptable principles including that of, directly and indirectly related, applicable laws and, if any, for the sake of thoughtful and sensible transparency. Almost everything, in this case is about, as nations and industries are already taking it as an initiative to protect entities such as people, enterprises, assets, properties including but not limited to information, which is the sole subject of information security specialists but it's reality is more complicated than arguing on which security can cover which area. Technology practitioners should appreciate it. Those who goes beyond a few specializations could realized it and make an effective position paramount to a cybersecurity responsibility. And the size of that responsibility may mean breaking and delegating it with various roles, with those who are effective and prudent in their jobs.
The key stakeholder in a publicly traded organization is board of directors. They are charge, on behalf of the company and shareowners, to deliver and achieve corporate value. On top of anything, is to take care of their money (see on CG of MS, NASDAQ, WB), it takes into account the overall resources; it also facilitates direction and oversees organizations' capability to achieve goals and comply on regulations. Management down the ranks does the rest, working on every details from reporting to supporting business operations and future plans. The capability of any organization to attain expected outcome depends on how both board and management ascertain the need in, for the purpose of the subject take IT. Business people, unless former or current ICT practitioner, rarely knows about the field including the detailed part of it. Management have lots of experts though (from being an specialist of certain IT task, analyst up to managerial level) to rely on when necessary. Many high-level documents primarily ISO/IEC 38500 imply that board and management's active working relationship on, particularly, IT matters would save their organization from investing towards a failed effort.
Besides, investment has a pretty much clear definition, so-called investment does not seem to fit in failure. According to Security Analysis, 1934, an investment operation is one which, upon thorough analysis promises safety of principal and adequate return. Operations not meeting these requirement is speculative. That means any failed IT efforts are called a business speculation, not investment, in IT.
Many big and small organizations, according to many sources including the Web, have failed on their strive to improve their business operations with the help of IT due to lack of many factors including primarily a governance framework. On one hand, IT nowadays is easier e.g. enabling a particular network service. Vendors have completely documented the process to make it easier for somebody to get it work unlike the old days. On the other hand, it becomes even more complex that IT now reflects on a need to underpin business goals. It apparently adds up the many standards and practices out there, where organizations have to choose the correct pattern to help them improve their IT and to create value for the business. Sometime decisions goes to say, we need this and we need it now, without going through careful evaluation by other concerned stakeholders, if it is really a necessity or would be good to the organization. Documents stated that, IT is no longer just an IT professional job. It now requires collaboration from among the stakeholders and even external providers.
Having IT in a corporate governance system would make directors realized, especially in countries with stringent laws, their accountability with their organization's strive on IT is irreplaceable. Directors are not being asked to do much on IT as this may disrupt their other, or existing, governance chores. Majority of the provisions in ISO/IEC 38500 can be delegated to the management and it is up to the directors to direct and monitor certain part of IT to make sure any investment being proposed or made is going to meet an organization's particular objective. How do stakeholders know whether business is performing well as to their use of IT? If IT is continuously providing the mechanism required by the business, not only maintaining its competitive advantage but also providing value to the whole organization and other parties including external stakeholders. Like for instance and maybe the most popular issues for a few organizations, minimizing if not getting rid of waste and unpredictable and prolonged disruption of service, could be a good indication that business is maximizing the value being undertaken with IT.
Comments