IT and information security governance belongs at the top of any organization. Yet an organization’s reporting structure sometimes prevents this from happening.
How, then, can we solve this problem? At a recent Chief Information Security Officer (CISO) summit, Sanjeev Sah, CISO at the University of North Carolina (UNC) Charlotte, presented an elegant solution. Later I talked with Sah and obtained more details about the model described in this figure:
Taking On the Org Chart
In his presentation on "The Role of IT Governance for Effective Information Security Management" at the CISO Summit in Scottsdale, Ariz. in December, Sanjeev Sah tackled the hierarchical structure and related challenges he's encountered.
To operate strategically, the CIO and CISO should report to the top layers of an organization. In practice, history, politics, and personalities frequently produce a sub-optimal reporting structure, which becomes a barrier to strategic IT governance, and changing that structure can be quite difficult. Forming a steering committee that reports to the head of the organization and is empowered to act as the strategic body for IT governance can be an effective alternative. This is the path UNC Charlotte chose.
When Sah joined UNC Charlotte, he found what is typical in many large universities:
- The bulk of IT spending was distributed across multiple colleges
- A central IT group coexisted with several distributed IT groups within colleges and business units
- The central IT group controlled roughly 30 percent of the institution's total IT spending
- There was no transparency or strategic governance over the bulk of institutional IT spending
Sah recognized that the institution had to establish an IT governance structure based on a well-established strategic principle: business units, guided by institutional mission and priorities, decide what needs to be done, while IT decides how to do it. As shown in the diagram, Sah envisioned an Information Technology Executive Steering Committee (ITESC) composed of institutional executive leaders and reporting to the Chancellor and the Board of Trustees. ITESC would be advised by an IT Advisory Committee (ITAC), which would also operationalize the portfolio of IT activities as well as information security. He and his CIO then evangelized this vision and obtained buy-in from the rest of the institutional executive leaders.
The result, according to Sah, has been very positive. The ITESC:
- Ensures IT strategic planning is integrated with the university’s strategic planning
- Makes IT strategic investment and policy decisions
- Sets campus-wide priorities for IT services, resources, and facilities
- Makes decisions employing a campus-wide funding model that rewards cost-effectiveness and discourages non-strategic IT spending
- Communicates and aligns with the Board of Trustees
- Monitors information security, IT risk management, and regulatory compliance
- Assesses and determines strategic fit of proposals
- Performs portfolio reviews and defines project priorities
- Addresses project risks
- Serves as governance, risk, and control sponsor
- Reviews policies
- Ensures IT services are aligned with IT strategy
- Directs execution and integration efforts
- Monitors projects to ensure success
- Oversees IT governance processes
Several subcommittees advise the ITAC in domain areas such as services, technology, infrastructure, client interfaces, applications, technology standards and practices, integration, information security, and compliance. Overall, the model engages the entire organization in a cohesive IT and information security governance strategy that is inclusive, transparent, and cost-effective. To me, the model appears promising, and applicable to many other academic, government, and business organizations that need strategic management of IT spending.
— Mansur Hasib has served in CIO/CISO and other leadership roles in the public, private, and education sectors.