
Overcoming Organizational Issues for IT Governance

Written by Mansur Hasib
2/4/2013 13 comments
IT and information security governance belongs at the top of any organization. Yet an organization’s reporting structure sometimes prevents this from happening.

How, then, can we solve this problem? At a recent Chief Information Security Officer (CISO) summit, Sanjeev Sah, CISO at the University of North Carolina (UNC) Charlotte, presented an elegant solution. Later I talked with Sah and obtained more details about the model described in this figure:

Taking On the Org Chart
In his presentation on "The Role of IT Governance for Effective Information Security Management" at the CISO Summit in Scottsdale, Ariz. in December, Sanjeev Sah tackled the hierarchical structure and related challenges he's encountered.

To be strategic, the CIO and CISO should report to the top layers of an organization. However, history, politics, and personalities frequently produce a sub-optimal organizational structure, which becomes a barrier to strategic IT governance. Changing the organizational structure can be quite difficult. Forming a steering committee that reports to the head of the organization and is empowered to be the strategic body for IT governance can be an effective alternative. This is the path UNC Charlotte chose.

When Sah joined UNC Charlotte, he found what is typical in many large universities:

  1. The bulk of IT spending distributed across multiple colleges
  2. A central IT group and several distributed IT groups within colleges and business units
  3. A central IT group that controlled roughly 30 percent of the institution's total IT spending
  4. No transparency or strategic governance over the bulk of institutional IT spending

Sah recognized that the institution had to establish an IT governance structure based on the following well-established strategic principle: Business units, guided by institutional mission and priorities, should decide what needs to be done, while IT should decide how to do it. As shown in the diagram, Sah envisioned an Information Technology Executive Steering Committee (ITESC) composed of institutional executive leaders and reporting to the Chancellor and the Board of Trustees. ITESC would be advised by an IT Advisory Committee (ITAC), which would also have the role of operationalizing the portfolio of IT activities as well as information security. He and his CIO then evangelized this vision and obtained buy-in from the rest of the institutional executive leaders.

The result, according to Sah, has been very positive. The ITESC:

  • Ensures IT strategic planning is integrated with the university’s strategic planning
  • Makes IT strategic investment and policy decisions
  • Sets campus-wide priorities for IT services, resources, and facilities
  • Makes decisions employing a campus-wide funding model that rewards cost-effectiveness and discourages non-strategic IT spending
  • Communicates and aligns with the Board of Trustees
  • Monitors information security, IT risk management, and regulatory compliance.

The ITAC:

  • Assesses and determines strategic fit of proposals
  • Performs portfolio reviews and defines project priorities
  • Addresses project risks
  • Serves as governance, risk, and control sponsor
  • Reviews policies
  • Ensures IT services are aligned with IT strategy
  • Directs execution and integration efforts
  • Monitors projects to ensure success
  • Oversees IT governance processes.

Several subcommittees advise the ITAC in various domain areas such as services, technology, infrastructure, client interfaces, applications, technology standards and practices, integration, information security, and compliance. Overall, the model engages the entire organization in a cohesive IT and information security governance strategy that is inclusive, transparent, and cost-effective. To me, the model appears promising -- and applicable to many other academic, government, and business organizations that have a need for strategic management of IT spending.

— Mansur Hasib has served in CIO/CISO and other leadership roles in the public, private, and education sectors.

Mansur Hasib, Friday February 8, 2013 6:57:31 AM

In my conversations with Sanjeev, I did not get a sense of too much pushback. Getting the support of the board and chancellor was important.

swijeyakumar, Friday February 8, 2013 1:24:04 AM

I love the structure proposed. It has been a widely debated topic and this seems to make a lot of sense. Have you had much pushback on it?

Mansur Hasib, Tuesday February 5, 2013 9:08:24 PM

@DHagar - Thanks.

@Paul - Big difference is the engagement of the top level executive leadership. A disadvantage can be that it is no longer a free-for-all - you give up some freedom for the good of the organization. Organizational value for every dollar spent on IT and IT security is huge. The organization is powered forward strategically by IT.

Mitch Wagner, Tuesday February 5, 2013 8:40:07 AM

Makes sense. 

We were having this discussion here a couple of months ago; someone was saying the CISO should report to the CEO, and should drive strategic decisions on new products and partnerships. That didn't quite make sense to me.

Paul Whyte, Tuesday February 5, 2013 2:03:56 AM

Hi Mansur,

Thanks for the blog. In your assessment, how do you think this IT governance model differs from the others? In what specific area(s) do you think this model will suffer a disadvantage?

Paul Whyte, Tuesday February 5, 2013 1:55:32 AM

I agree with your sentiment completely. It's a fabulous piece of innovation. I think this is the kind of governance structure that is capable of bringing up IT to leadership status. One good thing about this governance model is that it is fully integrated into the governance structure of the University/Enterprise.

DHagar, Monday February 4, 2013 8:37:40 PM

Very impressive governance structure, Mansur.  It is comprehensive and positions IT as a strategic asset.

I also like the client interface role.  As IT begins to link the technology and the user, I think the technology asset will grow throughout the organization.

DHagar

Mansur Hasib, Monday February 4, 2013 6:34:45 PM

@mharden - Thanks. This type of model recognizes the strategic nature of information technology and information security - they are viewed as a mission driver and revenue source. The CISO role is evolving as we speak. I have always viewed it as a component of the CIO role which requires specialized attention - just as the CIO role is a component of the CEO role which requires specialized skills. I can only hope that some model of this type becomes more common.

mharden, Monday February 4, 2013 5:57:18 PM

Good article Mansur. What this boils down to is that a very effective way to structure IT Security within an organization involves having the CISO, or equivalent, reporting directly to the senior/executive level of the organization while having their full support, commitment and involvement. How common is this within organizations today? I remember a few years back when the CIO in some organizations reported to the CFO, but now with so much attention on security these days the CIO and CFO are peers, which helps in gaining top level commitment for the development of high standards and corporate governance.

Mansur Hasib, Monday February 4, 2013 5:25:48 PM

@Alison - I do not think one size fits all. Nor is there an easy answer to your question. In both this article and the one about architecting IT organizations, I wanted to point out that governance and alignment with the mission is essential. This is a practical example of a large institution solving it very well. Indiana University has also done a good job with IT governance based on the same principles.
