Even just five years ago, governance and regulatory compliance were not major concerns in the boardroom. Certainly, ensuring that the IT department was up to the job of delivering compliance was peripheral, when compared to what was regarded as its traditional security role of keeping out viruses, hackers and other threats.
Since then, a number of corporate scandals and the resulting legislation have combined to push compliance to the top of the corporate agenda and, with it, the board's expectation that the CIO and the systems can guarantee total compliance.
Staying within the law is only part of the story, however, as business begins to see a real competitive advantage in good governance and compliance. A well-executed information security strategy can help the company position itself ahead of its competitors.
Against the background of an increasingly complex regulatory environment, more organisations are exposed to rapidly mutating, sophisticated threats to their information and information assets.
These threats, which originate more often inside the organisation than outside it, exploit a range of technical vulnerabilities in corporate IT systems as well as loopholes in procedures and the behavioural characteristics of employees.
However, while the regulatory and commercial penalties of failing to secure information and information assets can be severe and value-destroying, regulatory guidance on compliance requirements is still very limited.
Organisations have traditionally responded to regulatory compliance requirements on a law-by-law, or department-by-department basis. That was, last century, a perfectly adequate response. There were relatively few laws, compliance requirements were generally firmly established and well-understood, and the jurisdictions within which businesses operated were well-defined.
Over the past decade, however, all that has changed. Rapid globalisation, increasingly pervasive information technology, the concerns of governments, the nature of western capital markets, and the worries of consumers within an evolving business risk and threat environment have, between them, created a rapidly-growing, worldwide and complex body of laws and regulations.
While global companies are in the forefront of finding effective compliance solutions, every organisation, however small and in whatever industry, is challenged by the same broad range of state, national and international governance and regulatory requirements.
To one extent or another, these requirements all deal with the confidentiality, integrity and availability of electronically-held information, some of which might be held or managed elsewhere within an organisation's supply chain.
The various regulations, which themselves are technology-neutral, describe what must be done, but not how. Organisations have been left to establish for themselves how to meet each of the requirements. What's more, they have to do this in an uncertain compliance environment where the rewards for success don't grab headlines, but the penalties for failure certainly do.
Many of the new laws appear to overlap. Not only is there very little established legal guidance as to just what constitutes compliance, new laws and regulatory requirements continue to emerge. Increasingly, these laws (such as many of the US state privacy laws) have an apparent geographic reach that extends to organisations located far beyond the immediate jurisdiction of the originating legislative or regulatory body.
Corporate governance requirements are even more important than information-related regulation. Sarbanes-Oxley (SOX), the Combined Code and Basel 2 all require company boards to address risk at both the strategic and operational level, and specifically identify information and technology as areas within which risk must be managed. Internal control frameworks no longer deal only with financial risk. Their objective is the overall control of all risks to the business plan.
Regulatory compliance is seen as part of the internal control environment. Corporate governance requirements depend on the efficacy of an organisation's IT systems and IT general controls providing the control environment within which specific controls operate. In other words, the accuracy of a financial system depends as much on who has access to it as it does on the integrity of the information processing: SOX s404 compliance is impossible without an adequate general control environment.
Network inter-connectivity, remote and mobile working, the importance and value of information up and down the supply chain, and the growing use of outsourced suppliers all create areas of additional information risk. Organisations respond to these risks by requiring suppliers to demonstrate improved governance and compliance performance (for instance, the UK government's e-GIF framework), and more and more this expectation is written into the procurement process. Companies that are unable to prove they have at least made a start on the implementation of appropriate compliance processes can find themselves precluded from pursuing new business opportunities.
In most instances, there is not yet a body of tested case law and proven compliance methodologies to which organisations can turn in order to calibrate their efforts to comply with all these regulations.
Neither is there technology which, of itself, can make an organisation compliant with any of the data security regulations or governance requirements, because all data security controls consist of a combination of technology, procedure and human behaviour.
In other words, installing a firewall will not protect an organisation if there are no procedures for correctly configuring and maintaining it, or if users habitually bypass it (through, for instance, instant messaging or the deployment of rogue wireless access points).
In the absence of a coherent, comprehensive, risk-based internal control structure, financial auditors are likely to impose one of their own, however inappropriate it might be for the organisation concerned.
Some organisations simply want low-cost compliance, others see competitive advantage in how they address the challenge. Some want to reduce the cost and disruption of multiple compliance initiatives, and want to minimise the impact on customer-focused business operations. Others want to go further, and look for positive business returns – including growing market share – from their investment in closing information loopholes and improving the security of their information systems.
The way to do this, without having to develop their own custom solution through trial and error, is by adopting an externally-validated, best-practice approach – one that provides a single, coherent, multi-layered framework that supports simultaneous compliance with multiple regulatory requirements.
A best-practice IT governance framework should, therefore, support the co-ordination of enterprise compliance and risk mitigation strategies across multiple channels and guide control responses to multiple threats to all sorts of information assets. It should also simplify compliance and free internal resources for value-adding activities.
Critically, as indicated by recent SOX-compliance research, compliance is more cost-effective when it is built into business processes, rather than being dependent on expensive, after-the-fact checking. In today's competitive business environment, an internal control structure must meet the governance requirements of the organisation's listing jurisdiction, as well as the requirements of data protection, privacy and other regulations applicable to its business sector and the geographic areas within which it operates.
Since the internal control structure must also deliver tangible business benefits, it has to operate at a meta-regulatory level, above any single regulation rather than being built around one.
ISO/IEC 17799:2005, ITIL and CobiT are the three most important best-practice IT-related frameworks. While they each have different origins, owners and objectives, they all provide established, recognised, publicly-available and respected best-practice guidance. They are all, clearly, part of a potential best-practice IT approach to regulatory and corporate governance compliance.
The challenge, for many organisations, has been to establish a co-ordinated, integrated framework that draws on all of these standards. The recently released Joint Framework (www.itgovernance.co.uk/page.compliance), put together by the IT Governance Institute (the owners of CobiT) and the Office of Government Commerce (owners of ITIL), has been a significant step in the right direction.
Organisations that decide to use the Joint Framework will have an integrated compliance approach that delivers corporate governance general control objectives and meets the regulatory requirements of data-related and privacy-related regulation. It prepares the organisation for future and emerging regulatory requirements, and is demonstrably a coherent attempt to comply with competing regulations and to meet complex compliance requirements.
Increased standardisation can lead to reduced costs, improved efficiency and increased quality. Because the framework applies cross-company, it reduces vertical silos of expertise and practice, thus improving communication and business effectiveness. The fact that the framework can be deployed relatively quickly (because it avoids much "trial and error" re-inventing of the wheel) can reduce an organisation's dependence on expensive technology experts and proprietary methodologies.
This framework helps organisations to improve their business performance, because it focuses on business processes and builds controls into the process. It enables a broad-based shift from reactive to proactive IT operations, supports the effective external training and qualification of staff, and provides a standard measure for assessing both skills and knowledge.
Most importantly, it demonstrates an attempt to satisfy the current and developing governance and compliance expectations of an organisation's customers and, therefore, puts that organisation in a strong position to seize market share from competitors who make the mistake of taking compliance less seriously.
Alan Calder is chief executive officer of IT Governance