Integrated IT Governance Programs for the Digital Enterprise
Published: March 31, 2020
Abstract
IT Governance is absolutely critical to the establishment, management, control and protection of the Digital Enterprise. Modern Governance programs need to be inclusive, dynamic and comprehensive and are being tested as enterprises become more digital. We’ll describe 5 categories TechVision believes should be included within IT Governance that need to both be individually addressed and choreographed as an overall IT Governance program. The categories are:
- Governance, Risk and Compliance
- Information Security Governance
- Data Governance
- Identity Governance
- Business Continuity Planning
IT Governance can be particularly challenging in that it is heavily dependent on people; advanced tools can help, but people decide how a business and its information are managed and how decisions are made. We’ll cover the human and organizational elements, the technologies supporting governance and provide guidelines for establishing and improving IT governance programs.
Authors:
Doug Simmons, Principal Consulting Analyst
Noreen Kendle, Principal Consulting Analyst
Executive Summary & Key Advice
Governance is a watchword that has been a staple of successful businesses worldwide – for centuries. The Business Dictionary defines governance as “Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization. It includes the mechanisms required to balance the powers of the members (with the associated accountability), and their primary duty of enhancing the prosperity and viability of the organization.”
In business, governance is the way rules, norms and actions are structured, sustained, regulated and held accountable. The degree of formality depends on the internal rules of a given organization and, externally, on its relationships with its business partners. As such, governance may take many forms, driven by many different motivations and with many different results. For instance, a government may operate as a democracy where citizens vote on who should govern and the public good is the goal, while a non-profit organization or a corporation may be governed by a small board of directors and pursue more specific aims.
Make no mistake, IT governance is very difficult. There are a number of reasons as to why governance is so hard, but here are a few of the most notable challenges:
- “Good” governance typically requires a sizeable number of people to work together on an ongoing basis and for a long time (see next point). Office politics, personal agendas, carelessness and apathy are only a few of the dysfunctional behaviours we have seen from people assigned to govern the business.
- Governance is continual. It does not have an end-date. Many organizations we’ve worked with over the years have had significant IT governance programs that were actively managed and executed on for the first six months or so, then gradually waned. We’ve seen this pattern replicated too many times. The reasons for disengaging can include an increasing ‘day job’ workload, office politics, other pressing issues, personnel changes and so forth (see #1 above).
- The organization’s Risk Management function is not properly or actively engaged in the overall IT governance program. Risk management often feeds the requirements to the IT governance team through clear and concise identification of ‘what is critical to the company’ in terms of short and long term viability in the industry they’re in. Think of it in this way: Risk Management identifies the ‘what’, while IT governance identifies the ‘how’ we will manage IT.
- A natural tendency to avoid accountability. This is truly where the rubber meets the road. At some point early on in the establishment of the IT governance framework there needs to be a clear statement regarding participants’ ‘duties to protect’. As members of an IT governance team, all members need to assume ownership of the policies, processes and yes, the actual results of such governing. Accountability means responsibility, and responsibility means ‘you own it’ when something under your purview goes wrong. Directly related to #1 above (people), this is often viewed as a recipe for ‘job (in)security’. It is a basic human trait that we all want to survive, in our jobs as well as in life. If we set ourselves up to be ‘held fully accountable’ for what can be a very complex web of IT, we may balk at accepting such responsibility. Unfortunately, we’ll see how this particular facet (accountability) is the single-most important building block of a successful IT governance framework and program.
In this report, we dig deeper into each of the pillars of IT governance:
- Governance, Risk and Compliance
- Information Security Governance
- Data Governance
- Identity Governance
- Business Continuity Planning
Based on years of evaluating IT governance in enterprises, there is little doubt that in most organizations some level of IT governance is practiced. That said, there is often a breakdown in the connections between various governance disciplines such as security governance, data governance, IAM governance and so forth. In many cases, we’ve seen large, successful organizations have very little if any IAM or data governance – especially at the levels we describe in this report.
One of the major challenges is determining how much governance is enough. While there may be a concern about ‘overdoing it’, we’ve found that concern to be largely unfounded. The real challenge is finding the right people to actively participate in IT governance functions and ensuring they are given enough time to perform their daily job functions in addition to enough time to actually govern.
It is when people begin to feel overburdened or overwhelmed that apathy can creep in. In real world environments apathy is a serious threat to governance, because without the right people fully engaged, all the processes and technologies in the world won’t bring about the real benefits of good IT governance. One might think all of this is terribly obvious, but if it is so obvious, then why is apathy the single most effective destroyer of governance? Governance is about people and their level of engagement and participation. Processes and tools support the people, not the other way around, when it comes to governance.
With this in mind, we recommend organizations make an honest assessment of their existing IT governance functions (or let TechVision help with this process) and answer the following questions truthfully:
- Does your governance program cover not only IT, but security, data, IAM and business continuity for a full spectrum IT governance approach?
- Is the organization’s Risk Management function properly or actively engaged in the overall IT governance program?
- Do you know what it is you are actually governing? For instance, do you have up-to-date reference architectures, KRIs, KPIs, policies and process definitions in order to actually evaluate the efficacy of governance functions?
- Are the right types and right number of people engaged across this spectrum?
- Do participants feel truly empowered to perform the many governance responsibilities as outlined in this report?
- Are office politics and personal agendas getting in the way of continued success?
- Do some of the same people sit on too many (or not enough) governance boards?
- Do stakeholders hold themselves and other participants fully accountable and responsible?
- Is enough attention given to overall workloads placed on stakeholders so that they may govern without developing apathy or resentment?
- Is your full-spectrum IT governance continual and actively participated in without fail (under normal business conditions)?
Our recommendations are rooted in answering these questions and determining whether there are significant gaps to be filled. Using the information in this report, the job can be made much easier because you can evaluate your overall (full-spectrum) IT governance capabilities by comparing them to ‘what good looks like’, as described in this report.
Introduction
Governance is a watchword that has been a staple of successful businesses worldwide – for centuries. The Business Dictionary defines governance as “Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization. It includes the mechanisms required to balance the powers of the members (with the associated accountability), and their primary duty of enhancing the prosperity and viability of the organization.”
Wikipedia offers the following definition: “Governance comprises all of the processes of governing – whether undertaken by the government of a state, by a market or by a network – over a social system (family, tribe, formal or informal organization, a territory or across territories) and whether through the laws, norms, power or language of an organized society. It relates to ‘the processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions.’”
In business, governance is how rules, norms and actions are structured, sustained, regulated and held accountable. The degree of formality depends on the internal rules of a given organization and, externally, on its relationships with its business partners. As such, governance may take many forms, driven by many different motivations and with many different results. For instance, a government may operate as a democracy where citizens vote on who should govern and the public good is the goal, while a non-profit organization or a corporation may be governed by a small board of directors and pursue more specific aims.
Many of us are quite familiar with the term governance, largely within the realm of IT governance. We work within various frameworks of rules, reporting structures and levels of accountability. Depending on the industry we’re in, these frameworks can be driven by regulatory compliance, leading us to attempt strict compliance with financial reporting (e.g., Sarbanes-Oxley), health information protection (e.g., the Health Insurance Portability and Accountability Act (HIPAA)), consumer privacy protection (e.g., the General Data Protection Regulation (GDPR)), and so forth. Even general retail businesses must conform to the Payment Card Industry Data Security Standard (PCI DSS), a contractual requirement of the card brands, if they accept payment by credit card. When the governance framework is driven by these types of regulations, the primary Risk Management focus is on avoiding breaches of such regulated and highly protected information. Breaches often carry a significant cost, including fines and extensive brand damage.
Another aspect of IT governance is business continuity planning (and the directly related disaster recovery planning). While this isn’t always associated with governance, we believe it should be. A lack of proper IT governance can lead to a data breach with ensuing fines and brand damage, but a natural or human-caused disaster can be just as damaging, if not more so. Sadly, we are seeing this now as the COVID-19 pandemic costs many lives and disrupts the global commerce their work sustains.
Information security governance is a specific facet of overall IT governance that focuses principally on the aspects of information protection that help us identify and appropriately manage the people, processes and technologies that guard the fort. In this case, the fort is the information itself and the systems and networks that support it. As discussed above, the answer to the question “what information and supporting systems need to be protected?” can be found in large part within the regulatory guidelines the business operates under. Not surprisingly, information security governance plays a key role in business continuity planning. In the event of a major disaster, data security can’t fall by the wayside. In fact, it is during times of extreme turmoil that bad actors truly thrive. This is something to keep in mind during the COVID-19 pandemic.
Make no mistake, IT governance is very difficult. There are a number of reasons as to why this is so, but here are a few of the most notable:
- “Good” governance typically requires a sizeable number of people to work together on an ongoing basis and for a long time (see next point). Office politics, personal agendas, carelessness and apathy are only a few of the words that describe the dysfunctional approaches of some people who have been assigned to govern the business.
- Governance is continual. It does not have an end-date. Many organizations we’ve worked with over the years have had significant IT governance programs that were actively participated in for the first six months or so, then gradually waned as decisions became harder to reach for a number of reasons. These can include an increasing ‘day job’ workload, office politics, and so forth (see #1 above).
- The organization’s Risk Management function is not properly or actively engaged in the overall IT governance program. Risk management often feeds the requirements to the IT governance team through clear and concise identification of ‘what is critical to the company’ in terms of short and long term viability in the industry they’re in. Think of it in this way: Risk Management identifies the ‘what’, while IT governance identifies the ‘how’ we will manage IT.
- A propensity to avoid accountability. This is truly where the rubber meets the road. At some point early in establishing the IT governance framework the organization will use, there needs to be a clear statement regarding participants’ ‘duties to protect’. As members of an IT governance team, all members need to assume ownership of the policies, the processes and, yes, the actual results of such governing. Accountability means responsibility, and responsibility means ‘you own it’ when something under your purview goes wrong. Directly related to #1 above (people), this is often viewed as a recipe for ‘job (in)security’. It is a basic human trait that we all want to survive, in our jobs as well as in life. If we set ourselves up to be ‘held fully accountable’ for what can be a very complex web of IT, we may balk at accepting such responsibility. As we will see, this particular facet (accountability) is essentially the single most important building block of a successful IT governance framework and program.
In the following sections, we’ll dig deeper into each of the pillars of IT governance:
- Governance, Risk and Compliance
- Information Security Governance
- Data Governance
- Identity Governance
- Business Continuity Planning
After that, we’ll wrap up the discussion with a distillation of key recommendations and next steps you may want to consider if your own enterprise IT governance program is currently foundering.
IT Governance, Risk and Compliance
Before embarking on this journey, we must first recognize that information is a strategic asset. Protection of information assets is necessary to establish and maintain trust between the enterprise and its customers, partners and oversight bodies, maintain compliance with the law, and protect the reputation of the organization.
In TechVision’s view, IT risk management is about availability, access, accuracy and agility as well as security. Any risk management plan must be based on the realization that risk cannot be eliminated, only mitigated, and must apply the available resources to reduce risk to a level acceptable to senior management. Specifically:
- Organizational strategy considerations are critical in determining the relative value of a risk and mitigation costs.
- Leaders must be consulted in both the prioritization of risk and the best method or combination of methods for mitigation. IT must contribute as well, since not all risks are apparent to non-IT leaders.
- Once the risks are understood and a consensus on how to manage them is reached, risk management is based on the three disciplines of:
- a well-structured foundation of IT assets,
- a well-designed and executed risk governance process
- a risk-aware culture
Therefore, a consistent Governance, Risk and Compliance Program represents table-stakes and individual organizations and their service providers must maintain effective Risk Management programs appropriate for their operational complexity. As we have said, appropriate risk identification and mitigation requires integrating people, process and technology.
An organization establishes and maintains truly effective IT governance and risk management when it continuously integrates processes, people, and technology to mitigate risks based on recent risk assessments and the organization’s risk tolerance levels. Nobody can define your organization’s risk tolerance levels for you, though regulatory pressure will certainly provide much input.
Even today, many organizations struggle to understand how IT risk impacts business objectives. Often, this is because business managers do not understand or appreciate the value of the IT risk information or its relationship to business outcomes. The misperception may be that IT risks are addressed “externally” by a separate organizational entity called “IT risk management”, and are therefore not a business problem. Therein lies the rub of accountability. Needless to say, it is incumbent on IT domain managers to engage business managers and build the appropriate understanding and responsibility/accountability. One way we have learned to do this more rigorously is through the establishment of organizational IT Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs).
Mapping KRIs to KPIs can provide business managers with the IT risk information they need, in the right context, to make better business decisions. A metric designated as a KRI is generally used in efforts to predict and prevent. In contrast, a KPI is used to review and correct. In a nutshell, KRIs are used to look into the future, and KPIs are used to look at the past performance.
The high-level process for developing KPIs and KRIs is as follows:
1. Define the business scope to be measured in terms of key performance indicators (KPIs)
2. Identify and determine the impact of key risks to that performance
3. Identify means to measure the risks identified in #2 on an ongoing basis
4. Establish the appropriate IT scope that supports the business scope in #1
5. Determine whether the maturity of the supporting IT infrastructure is sufficient by evaluating IT gaps and establishing mitigation plans
6. Determine the priority of mitigation activities through a business impact analysis
7. Capture and analyze the risk indicators (KRIs) and map these to the business performance
An example of a KRI linked to a KPI is provided in Figure 1, below.
Figure 1: KRIs Linked to KPIs
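To make the predict-versus-review distinction concrete, the following added example (not code from the report or from TechVision) computes one leading KRI and one lagging KPI from constructed records and maps each quarter's KRI to the KPI of the quarter that follows it, which is the direction in which a KRI is supposed to predict. The KRI chosen (share of in-scope hosts carrying a critical vulnerability open past the patch SLA), the KPI chosen (count of malware incidents), the SLA, the thresholds and all sample data are assumptions for this example; Figure 1's actual metrics are not reproduced here.

```python
"""Leading KRI vs. lagging KPI over constructed vulnerability and incident data.

Everything below (metric definitions, SLA, thresholds, hosts, findings,
incidents) is an assumption made for this example, not content from the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    opened: date
    closed: Optional[date] = None   # None means the finding is still open


@dataclass(frozen=True)
class Incident:
    opened: date
    category: str


# Constructed sample data.
HOSTS = {"web-01", "web-02", "db-01", "app-01"}
FINDINGS = [
    Finding("web-01", "critical", date(2019, 11, 1), date(2019, 11, 20)),  # fixed in time
    Finding("web-02", "critical", date(2019, 10, 15)),                      # never patched
    Finding("db-01", "critical", date(2019, 12, 20)),                       # overdue by Q1 2020
    Finding("app-01", "high", date(2019, 9, 1)),                            # not critical
    Finding("db-01", "critical", date(2020, 1, 10), date(2020, 2, 1)),      # fixed in time
]
INCIDENTS = [
    Incident(date(2020, 1, 15), "malware"),
    Incident(date(2020, 2, 20), "phishing"),
    Incident(date(2020, 4, 10), "malware"),
    Incident(date(2020, 5, 2), "malware"),
]
QUARTER_ENDS = [date(2019, 12, 31), date(2020, 3, 31), date(2020, 6, 30)]


def kri_overdue_critical_ratio(hosts, findings, as_of, sla_days=30):
    """Leading indicator: fraction of in-scope hosts that, as of `as_of`, have at
    least one critical finding open for longer than sla_days."""
    overdue = set()
    for f in findings:
        still_open = f.closed is None or f.closed > as_of
        if (f.host in hosts and f.severity == "critical" and f.opened <= as_of
                and still_open and (as_of - f.opened).days > sla_days):
            overdue.add(f.host)
    return len(overdue) / len(hosts) if hosts else 0.0


def kpi_incident_count(incidents, start, end, category=None):
    """Lagging indicator: incidents opened within [start, end], optionally by category."""
    return sum(1 for i in incidents
               if start <= i.opened <= end and (category is None or i.category == category))


def rate_kri(value, amber=0.20, red=0.40):
    """Traffic-light status against assumed thresholds; a breach is a call to act
    before the lagging KPI moves."""
    return "red" if value >= red else "amber" if value >= amber else "green"


def quarterly_report(hosts, findings, incidents, quarter_ends, sla_days=30):
    """For each quarter end, pair the KRI measured then with the KPI observed in
    the following quarter, so the report shows whether the predictor led the outcome."""
    rows = []
    for q_end, next_end in zip(quarter_ends, quarter_ends[1:]):
        kri = kri_overdue_critical_ratio(hosts, findings, q_end, sla_days)
        kpi = kpi_incident_count(incidents, q_end + timedelta(days=1), next_end, "malware")
        rows.append({"as_of": q_end, "kri": round(kri, 2), "status": rate_kri(kri),
                     "next_quarter_incidents": kpi})
    return rows


if __name__ == "__main__":
    for row in quarterly_report(HOSTS, FINDINGS, INCIDENTS, QUARTER_ENDS):
        print(f"{row['as_of']}: KRI={row['kri']:.2f} ({row['status']}), "
              f"malware incidents next quarter={row['next_quarter_incidents']}")
```

The point of the structure is step 3 of the process above: a KRI is only useful if it can be recomputed on an ongoing basis from data the organization already collects (here, scan findings with open and close dates), and its threshold is what turns a number into a decision to act before the KPI records the damage.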
Because many organizations pay great attention to incident avoidance, the KRI is one of the most important security metrics. Before applying performance measurement to IT risk management, it’s necessary to closely examine how the organization currently identifies its performance metrics and the risks to desirable performance. For example, there should be a clear rationale for deciding who, and which organization, performs the examination. That said, there are many stakeholders that need to be aware of and involved with IT risk management, including the following key roles:
- CEO and Board of Directors
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Privacy Officer
- Head of Legal
- Head of IT Security
- Head of Operational Risk
- Compliance Officer
- Head of Enterprise Risk
- Head of Enterprise (Security) Architecture
- Head of Human Resources
While there may be permutations of the list above, we feel this is a strong representative sample of the stakeholders and roles that should comprise the IT risk management and governance board. TechVision’s Principal Consulting Analysts have worked with several organizations in helping to establish and optimize IT risk management and governance boards and supporting programs. The typical responsibilities can be summarized in the following categories:
- Strategy
  - Business alignment with IT
  - Business driver identification
  - Risk identification
  - Sourcing of IT functions
  - Governance model
- Governance
  - Organization of the governance function
  - Roles of all participants
  - Responsibilities of all participants
  - Resource assignment
  - Escalation processes
  - Change management processes
- Policies and Standards
  - Policy framework definition and lifecycle
  - Standards to be adhered to
  - Lines of Business and groups targeted by the policies and standards
- Investment
  - Budgetary allocation and alignment
  - Program and project funding
  - Resource allocation and funding
  - Definition of value for the organization
- Awareness
  - Establishing a risk aware culture
  - Ongoing awareness training and auditing
- Audit
  - Continuous monitoring of efficacy of control measures
  - Result verification of measures put in place
  - Consistent and appropriate usage of technology
  - Anomaly detection, investigation and remediation
- Organization
  - Resource management; role and skillset definition and management
  - Organizational reporting responsibility assignment
  - Ongoing, consistent and accountable governance
- Process
  - Process optimization and measurement
  - Process reporting
Over the past few decades, many organizations have been deploying IT tools to assist with risk management under the umbrella term Governance, Risk and Compliance (GRC). These tools help automate GRC initiatives that are otherwise largely manual or beyond the capabilities of most enterprises. For example, tools like RSA Archer, SAP GRC, LogicManager, Riskonnect and many others enable organizations to create and distribute policies and controls and, in turn, map these policies and controls to regulations and internal compliance requirements. Many of these tools can also assess whether the controls are actually in place and working, and can automate remediation as needed. Some tools are of an on-premises pedigree, others are cloud-enabled, and still others have been developed natively for the cloud.
While this report doesn’t analyze each vendor and approach, you should understand that these types of GRC tools can typically ease the arduous process of ongoing risk assessment and mitigation, which are cornerstone activities of a more mature IT governance framework.
Security Governance
There is no single organizational or process model to ensure the IT security (or “cybersecurity”) requirements of any given organization are adequately met. That said, there are some common elements most organizations should consider. We’ve seen the greatest success with a three-layer approach that includes security governance, security management and security operations, as follows:
- Security Governance ensures the strategic requirements of the organization are defined and that the security program adequately meets those requirements. This includes discussing and adjudicating between organizational needs in complex situations.
- Security Management activities require enterprise and local Information Security Officers (ISOs) responsible for managing and running the security program to meet the organization’s strategic business requirements. This includes ensuring that security policies, processes and tactics are in place and enforced throughout the enterprise.
- Security Operations Center (SOC) is responsible for installing and configuring security related monitoring and controls across the enterprise according to documented and approved security processes, and spans data centers, cloud providers, network devices, servers, and endpoints.
In the subsequent sections, we’ll dive into some of the most important actions and areas of focus an organization can take on to improve its overall security governance efficacy and security posture in general. We’ll start with the charter.
Establish (or Update) Security Charter
The charter for the security governance forum must be clear in establishing that the domain scope includes the entire enterprise (including resources at the enterprise and local market levels), and covers all aspects of information security regardless of whether the information is in electronic, physical (paper) or ephemeral (such as voice) form.
An information security charter that is accepted by the enterprise and supported by senior management is a key tool for chief information security officers (CISOs). An effective information security charter has the following characteristics:
- Establishes the foundation for effective information security governance throughout the enterprise
- Communicates a serious senior-level commitment to risk and information security management
- Forms the cornerstone of the enterprise’s security policy framework
- Establishes a clear mandate for an enterprise wide information security program
Establish an Enterprise Security Architecture
An information security architecture is the process that provides the framework for the planning, design and implementation documentation in support of the security program. The enterprise information security architecture must provide the mechanisms that enable the organization to translate business requirements for security, along with general principles and best practices, into operational security and risk management solutions specific to your organization. In practice, the enterprise security architecture dictates a layered set of documentation that links an accepted vision for information security in the enterprise to blueprints for implementing security controls. This is represented using four layers (strategic, conceptual, logical and implementation) and three focus points (business, information, technical), as depicted in the figure below.
Figure 2: Input to the Security Architecture
Security architecture is a collaborative effort that requires expertise in enterprise architecture frameworks and methodologies in addition to information security expertise. Security architects collaborate with various information security subject matter experts during architecture activities.
The focus of security architects is typically limited to conceptual and logical-level planning activities, developing artefacts that can be used in security solution design. Given many organizations’ limited staffing, security architects may also develop implementation-level documentation, e.g., security information architecture, service-level agreements, technical reference models, security infrastructure architectures and security service architectures.
Establish a Chief Information Security Officer (CISO) Position
Believe it or not, there are still many organizations that do not have a designated CISO. While nearly every organization has somebody who currently performs many of the duties of a CISO, the CISO position is required within most organizations to build and maintain an effective enterprise-wide information security program, support defensibility in regulatory actions, and balance the need to protect the business against the need to operate the business. A CISO also assumes the role of aligning current security activities with current business needs.
An organization that does not have a strong CISO role is outside the standard of due care and is less defensible in legal, contract and regulatory actions. As a general guideline, an organization with 150 or more IT employees should have a dedicated CISO position.
Create a Separation of Duties Policy
In order to properly govern the IT security ecosystem, it is necessary to create a separation of duties policy and apply the principle to all IT and security functions to improve controls and reduce risk to the enterprise.
Separation of duties (SOD), or segregation of duties, is a key concept within the security industry. In the context of an overall security program, SOD ensures security-related responsibilities don’t overlap in a way that leads to increased vulnerabilities or threats, regardless of whether these vulnerabilities/threats are intentional or unintentional. SOD provides an organization with a set of “checks and balances” by distributing the tasks, and the associated privileges, for a specific business process across multiple users, so that no single person can both perform and approve (or perform and review) a sensitive action. Within most organizations, SOD is achieved by splitting security governance-related, security management-related, and security operations-related activities into distinct departments that report up to different executives within the business.
It can be prudent to expand the concept of separation of duties beyond the individual to the workgroup or team so that the team responsible for the design and implementation of a control does not monitor its effectiveness. A common example is firewall management, where duties for approving changes, implementing changes and monitoring changes are completely separate organizational functions.
Although separation of duties improves control, it can reduce confidentiality and availability because it exposes more information to more people and can introduce additional delays for changes. For these reasons, the decision on which controls are selected must be based on a risk assessment of the information system involved. An organizational structure that clearly segregates the roles and responsibilities for the various security-related activities is often more efficient and effective than one that places all security functions and IT security professionals within the same business unit.
Reasonable policies and guidelines based on your organization’s risk appetite and applicable regulations should be established to provide direction to both business and technical staff on when separation of duties is required, and when compensating controls such as monitoring and detection will suffice.
Developing an effective information security organization with appropriate reporting relationships, responsibilities, and skills can be a challenge for most enterprises. TechVision understands that taking this type of federated approach to information security (with responsibilities distributed across several organizational units) requires thoughtful and very clearly defined roles and responsibilities, in addition to well-articulated and consistently implemented workflows for each organization.
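The firewall-change example above (approve, implement and monitor held by separate functions), the recommendation to apply SOD at the team level as well as the individual level, and the allowance for compensating controls such as independent monitoring can all be expressed as a rule set that is checked mechanically against who actually holds which duty. The following is an added example written for this page, not code from the report or from any GRC or IAM product; the process name, duty names, rule structure and the assignment records are assumptions constructed for the example.

```python
"""Separation-of-duties (SOD) conflict check over duty assignments.

A "toxic pair" is two duties in one business process that the same subject must
not hold at once. The subject is either a person ("user") or a whole team
("team"), so the same rules enforce SOD at both levels. Process and duty names,
the rules and the assignments below are assumptions made for this example.
"""
from collections import defaultdict

SOD_RULES = {
    "firewall-change": {
        # No single subject may hold both duties of any pair.
        "toxic_pairs": [
            ("approve-change", "implement-change"),
            ("implement-change", "monitor-change"),
            ("approve-change", "monitor-change"),
        ],
        # Pairs a risk assessment allows to stand, provided a different subject
        # performs the monitoring duty (the compensating control).
        "accept_with_independent_monitor": [("approve-change", "implement-change")],
        "monitor_duty": "monitor-change",
    },
}

# Constructed assignments: who holds which duty in which process.
ASSIGNMENTS = [
    {"user": "alice", "team": "net-sec", "process": "firewall-change", "duty": "approve-change"},
    {"user": "dave",  "team": "net-ops", "process": "firewall-change", "duty": "approve-change"},
    {"user": "bob",   "team": "net-ops", "process": "firewall-change", "duty": "implement-change"},
    {"user": "bob",   "team": "net-ops", "process": "firewall-change", "duty": "monitor-change"},
    {"user": "carol", "team": "soc",     "process": "firewall-change", "duty": "monitor-change"},
]


def find_sod_conflicts(assignments, rules, subject="user"):
    """Return (subject_id, process, duty_a, duty_b) for every toxic pair that one
    subject holds in full. `subject` selects the "user" or "team" column."""
    held = defaultdict(set)
    for a in assignments:
        held[(a[subject], a["process"])].add(a["duty"])
    conflicts = []
    for (sid, process), duties in sorted(held.items()):
        for pair in rules.get(process, {}).get("toxic_pairs", []):
            if set(pair) <= duties:
                conflicts.append((sid, process, pair[0], pair[1]))
    return conflicts


def triage_conflicts(conflicts, assignments, rules, subject="user"):
    """Split conflicts into those that must be blocked and those accepted under a
    compensating control: the pair is on the allow-list and some *other* subject
    holds the monitoring duty for the same process."""
    monitors = defaultdict(set)
    for a in assignments:
        if a["duty"] == rules.get(a["process"], {}).get("monitor_duty"):
            monitors[a["process"]].add(a[subject])
    blocked, accepted = [], []
    for conflict in conflicts:
        sid, process, duty_a, duty_b = conflict
        allowed = rules[process].get("accept_with_independent_monitor", [])
        independent_monitor_exists = bool(monitors[process] - {sid})
        if (duty_a, duty_b) in allowed and independent_monitor_exists:
            accepted.append(conflict)
        else:
            blocked.append(conflict)
    return blocked, accepted


if __name__ == "__main__":
    for scope in ("user", "team"):
        found = find_sod_conflicts(ASSIGNMENTS, SOD_RULES, scope)
        blocked, accepted = triage_conflicts(found, ASSIGNMENTS, SOD_RULES, scope)
        print(f"{scope}-level: {len(blocked)} blocked, "
              f"{len(accepted)} accepted with compensating control")
        for c in blocked:
            print("  BLOCK ", c)
        for c in accepted:
            print("  ACCEPT", c)
```

Run at user level, the check flags only bob, who both implements and monitors firewall changes. Run at team level it flags net-ops, which holds all three duties: the approve/implement overlap is accepted because the SOC independently monitors the process, while the two pairs involving monitoring stay blocked, since a team cannot be trusted to watch its own changes. This is the team-level reasoning the text recommends, made checkable on every change to role assignments rather than reviewed once at policy-writing time.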
Establish a Security Organization Consisting of Both Enterprise and Local Network and Systems Engineers
An effective security organization has both a top-down (enterprise) view and a bottom-up (local engineering support) perspective. Organizations should group (or regroup) the security organization to include all the people, processes, and technologies necessary to keep its computing resources (including the facilities, networks, servers, and applications) running in a secure and protected manner. Critical operational activities performed by the security organization include, but are not limited to:
- Performing the day to day operational duties on the network, network devices, systems, and applications including approved change management and patch management activities
- Ensuring network and computing services and associated data are available and operating within certain thresholds or under normal operating conditions
- Monitoring the network and key systems to ensure they meet performance and availability metrics
- Performing periodic penetration tests against network devices, servers, and applications
- Designing, configuring, and maintaining various security tools that scan the network and critical systems for potential vulnerabilities and threats
- Performing periodic backups of critical systems and data for business continuity and disaster recovery purposes
- Reviewing who is accessing various computing resources and under what circumstances or use cases in order to minimize the chance that an unauthorized user can access sensitive or confidential data
- Monitoring the network for significant security events and following appropriate incident response procedures
The security organization should also include a Security Operations Center (SOC) charged with monitoring and incident responses. A key function of an effective security organization includes well-articulated and consistent documentation and workflows for identifying and securing each significant component including:
- IT asset identification and management
- Configuration and change management procedures
- System hardening activities/guidelines
- Data archiving procedures
- System reboot and/or recovery procedures after an outage
- Service Level Agreements (SLAs) specific to each location/region
- Licensing terms and conditions
For many organizations, we recommend that network and security engineers/technicians responsible for the day-to-day activities listed above report to the same overall IT security organization, regardless of whether they are currently part of the enterprise security team, the data-center team, or assigned as an engineer/technician to one of the organization’s local business units. This is the only way to ensure all locations are managed with effective and consistent security controls and processes.
Establish a Security Governance Council
Governance provides a systematic way for an organization to make decisions. It establishes decision-making rights, authorities, responsibilities and precepts, and it codifies those precepts as principles, policies, standards, processes, guidelines and consequences for noncompliance.
Under the auspices of an executive sponsor, TechVision recommends that organizations set up an executive committee that is responsible for:
- Establishing the accountabilities and responsibilities for information security within the organization
- Acting as an arbitrator and reconciling differences and disputes
- Overseeing the management and monitoring of governance processes
- Approving the security charter and enterprise security policies
Members of the committee should include representatives of the primary information owners and business-unit leaders from across the organization. A best practice is to use a multilayer governance structure (see Figure below). This allows for scalable governance around different scopes of control, functions and outcomes.
Assess and Address Gaps in Staff Resources Needed to Deliver the Security Program
An organization’s current security-related staff may be small given the organization’s size, complexity and overall risk profile. It is likely that additional resources will be needed to make the program improvements recommended in this report.
The number of staff and specific skills required will likely depend on:
- The phasing of future security program improvements
- How well information security functions are performing, whether or not you reorganize security-related staff
- Your organization’s strategies for outsourcing certain security functions, the success of future automation initiatives, and the speed at which your organization acquires additional organizations or spins off separate businesses (e.g., mergers and acquisitions). We typically recommend a conservative approach to hiring, with a bias toward outsourcing and contract labor for positions not involving ownership, accountability, oversight or coordination functions.
Sometimes, the perspective is that greater subject matter expertise is needed in several areas to support information security program improvements, including:
- Risk management
- Information security architecture
- Application security
- Vulnerability management
- Data loss prevention
- Security information and event management
We often recommend taking a structured approach to raising the overall level of security skills available through methods such as:
- Hiring and contracting
- Skill and certification requirements for specific positions
- Training opportunities
- On-the-job training and mentoring
- “Lunch and learn” sessions
Finally, TechVision recommends ongoing monitoring of the internal skills profile to ensure the staff has the skills and experience needed to achieve program objectives as staff acquire new skills, accept other assignments and leave the organization. Consistent maintenance of information security operations documents such as standard operating procedures (SOPs), diagrams and other knowledge will reduce the risk of specific knowledge about your organization’s information security services being lost when individuals with unique expertise are unavailable or have left the organization.
Identify Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to Measure the Success of Your Information Security Program
As discussed in more detail in the section focused on Risk Management, executive management will not be able to measure the success of your organization’s information security program unless it has established metrics to determine the effectiveness of many of the security program’s remediation projects, policy-process development activities, security controls activities, and other program activities. As we have indicated, a prevailing good practice within the security industry is to identify a number of KRIs/KPIs and map them against the overall security program objectives to discern how effective various changes are within the program and whether additional steps need to be taken to improve the security program’s overall progress via additional policy, process, or technology improvements.
Data Governance
Even organizations with “formal” data management policies, standards, and processes often end up “practicing” data management in theory only. Proactive data management activities rarely take place in most organizations. The urgency of timelines and tight budgets pressure IT departments to bypass data management processes, sometimes without even realizing it. Despite formal documented data management processes, standards, policies, strategies, and governance being in place, nearly every project is still granted an exception justified with the intention of coming back and fixing it someday and doing it right the next time.
But “someday” never arrives and there is no next time. These organizations fool themselves into believing they practice formal data management and then wonder why they continue to have data issues, questioning the effectiveness of data management as a practice rather than questioning the effectiveness of their data management execution. It takes time and commitment to get and keep the data right. The irony is that it takes more time and resources to get the data wrong.
Furthermore, escalating regulatory and corporate governance requirements are creating multiple data challenges for organizations. Keeping data secure and private, as well as addressing a variety of compliance mandates, requires an accurate understanding of the meaning, location, ownership, source, and use of the data. When organizations lack meaningful data definitions and have data spread across and repeated in many systems, addressing compliance and keeping information secure becomes much more complex, if not impossible. It is a complex undertaking to identify data to be secured and/or protected without a data inventory and meaningful data definitions, and with redundant data everywhere. Even when the data to be secured and/or protected is identified, without healthy data management in place, securing and protecting the data is still extremely challenging due to the lack of standards, people, and processes.
Illustrated below is our Reference Architecture for the Data Governance function, which encompasses a wide range of activities intended to oversee an organization’s business data assets through the establishment and execution of authority and decision-making rights over those assets.
Figure 3: TechVision Research’s Data Governance Framework
Our Data Governance Reference Architecture has four major categories: the Controls/Rules, the People/Organization, the Governance Processes, and the Governance Support. The Data Governance Function will utilize many of the Data Strategy component deliverables for the governance rules (e.g., data policies, data standards, data architecture and management guidelines), as well as the additional rules and guidelines set within the Data Asset Management Function. Our Data Governance Reference Architecture is rooted in the following guidance:
- Data Governance goes hand-in-hand with Data Ownership because Data Governance enacts and reinforces the Rules/Policies that give Business Information Stewards the authority to perform their data responsibilities.
- Data Governance is part of IT Governance, which is tied to the organization’s business governance. The core of effective Data Governance is a business-driven, enterprise-wide focus with enterprise-level authority.
- Governance over the business data assets covers their entire lifespan including their creation, movement, storage, maintenance, usage, archival and destruction.
- Responsibility for, and performance of, these activities involve the collaborative effort of both business and technology resources.
- Data Governance’s overall goal is to improve the quality (i.e., consistency, accuracy, availability, etc.) of the information/data assets, which will reduce operational costs and improve revenue.
- The Data Governance function is not a project but an ongoing initiative, which once launched continues to grow, change, and adapt to satisfy the ever-changing data landscape of an organization.
To reiterate, the objective of the Data Governance function is to establish the appropriate level of governance of the enterprise core data assets in order to optimize their management through definition and enforcement of consistent data policies and standards, as well as elimination of duplicate data, thus enhancing performance.
In the figure below, we highlight how data governance improves the business data assets, the most important assets most organizations have:
Figure 4: The Data Governance Improvement Cycle
This figure also illustrates the connection between the business, data governance, and Technology. Data improvement is cyclical: it improves IT capabilities, which in turn add benefits to the business. Data Governance capability is dependent upon the business input and direction, as well as Technology’s implementation of improvements and process changes.
The business benefits that can be achieved through better data governance are as follows:
- Decreased redundancy and increased accuracy, integration, availability, completeness, and efficiencies of the data assets
- Improved System Performance – Reduced Operational Costs
- Improved Information Worker Efficiencies – Reduced Operation Costs
- Improved SDLC
- Provides/enhances opportunities for monetization of Big Data
- Improvements to business intelligence for more accurate reporting, analytics, mining, and decision making capabilities
- Enables unified processing needed for things like HR and Finance
- More accurate customer data for better profiling, which can lead to increased sales, better customer service, and increased valued customer retention
- Business Opportunities can be quickly assessed, prototyped, and solutions/products provided
- Enhances Compliance by reducing the cost to achieve compliance, increasing the likelihood of compliance and improving the ability to prove compliance in audits
On the flip side, some of the challenges (and possible mitigation approaches) most organizations face when implementing Data Governance are as follows:
- Resource Availability for Business Ownership of the Data Assets
  - Challenge: Business Subject Matter Expertise & Business Ownership of the Data Assets
  - Mitigation: Assure Executive Support & have reasonable time expectations of
- Scope Containment
  - Challenge: There are many data issues and areas that could be addressed
  - Mitigation: Value Driven Prioritization
- Organizational Maturity
  - Challenge: Many Organizations are not able to sustain Data Governance
  - Mitigation: Design DG to the reality of the Maturity Level
- Proving Value of Data Governance
  - Challenge: Many Data Governance initiatives fail to show value
  - Mitigation: Continue to Monitor and Audit DG using Measurement of Business Value
A key fundamental for better establishing data governance is building a Data Oversight Framework (DOF) to establish a “playbook” (the strategy, principles, policies, and rules for the information-data assets) along with the functions to implement and support it. The framework covers all of the data strategy components necessary to establish and orchestrate the data assets’ well-being. The DOF is foundational for all other data strategy components (e.g. data governance and ownership, data security, data asset management, etc.). Developing the framework gets everyone on the same page and in agreement as to the direction, value, importance, and priority of the information-data assets.
Many organizations have attempted to launch an information data governance function and have failed. The major reason for this failure is that the fundamentals are broken, where the business-to-data connection and a Data Oversight Framework (DOF) are missing. After all, it is very difficult if not impossible to govern anything without a correct understanding of what one is governing, the rules to govern by, and the infrastructure necessary to execute the governance. Just imagine attempting to govern or control traffic without traffic rules, driver’s licenses, law enforcement, basic street signs, traffic lights, and lane markers. In every organization where TechVision Research has addressed data governance, the Business-To-Data Connection and the Data Oversight Framework (DOF) were missing. In every case, our first step to establishing a Data Governance Practice is standing up the Framework along with a Business Blueprint. With these in place, the governance practice has functioned well and thrived.
Much more detailed research and analysis on the topic of data governance is available in TechVision’s reports entitled “Data: The Fundamentals Are Broken” and “Fixing the Fundamentals: The Business Blueprint”, authored by Noreen Kendle, a global expert on data management and governance.
Identity Governance
Throughout the digital age, the most difficult activity, and responsibility, to carry out has traditionally been governance of IAM. IAM Governance is also one area that often gets overlooked; and given the stakes we discussed as organizations become Digital Enterprises, governance of high-value identity data and processes is critical. There are two categories of governance we’ll discuss here:
- Governance of the IAM infrastructure
- Identity Governance and Administration (IGA)
Governance of the IAM infrastructure is crucial because this is where the business meets the people, processes and technologies that support it. Organizations often struggle with creating, sustaining, and completing IAM initiatives. They tend to reuse the same program management techniques that were effective for non-IAM initiatives, only to discover such practices yield unsatisfactory results for IAM. A successful IAM program demands adoption of a formal program management model that emphasizes consensus-based vision from a broad range of stakeholders – including business leaders.
In many ways, IAM is no different from any other large business process engineering effort. Today, many large organizations’ IAM environments are primarily viewed as an IT responsibility. However, delivering technology is not the most significant challenge; fully understanding business needs and changing participants’ behaviour are greater challenges. As the ensuing age of Zero Trust begins to materialize, the IAM program must be managed and viewed as a business program, not simply an IT, or even a security, project.
A well-organized IAM program provides the necessary structure for all IAM services in a way that addresses the challenges of coordinating technology projects that require identity-related services, ensuring alignment with business needs and providing oversight of ongoing operational activities.
Figure 5: IAM Governance Activity Cycle
Governance of the IAM program is important to ensure:
- Alignment of IAM investments with business priorities
- Effective IAM policies, standards, and processes
- Harmonization of IAM activities and communication across multiple functional areas
Technology deployment without appropriate governance simply cannot succeed. Therefore TechVision recommends that enterprises immediately begin engaging in the following activities:
- Establish an IAM Steering Committee (if you don’t already have one)
- Engage an executive sponsor for the IAM program
- Articulate the purpose and authorities of the steering committee, preferably via a formal charter
- Engage decision-making IAM stakeholders to participate in an IAM steering committee
- Conduct periodic meetings (monthly if possible), with a focus on decision-making rather than information sharing since information-sharing forums tend to lose focus and participation over time
- Charge working groups as needed to provide input to the steering committee. Many of the same people are likely to be required for multiple working groups, so care must be taken to avoid over-extending individuals by running too many working groups simultaneously
- Record all meeting minutes and distribute to stakeholders through a formalized communication channel (at minimum, email distribution lists)
- Publish IAM policies and standards that encompass all regions globally
- Build IAM requirements into the standard set of security requirements for projects, contracts, and procurements
- Train project managers and IT procurement specialists in implementing new IAM-related checkpoints
- Develop methods to ensure policies and standards are followed. Develop methods to track and record exceptions that assign residual risk ownership to the appropriate business stakeholder(s)
- Review current contracts and agreements where identity data or access to corporate resources is involved to assess whether IAM requirements are clearly and appropriately addressed. Establish a project to implement remedial actions as necessary.
With an appropriate IAM Governance team in place, the subject of Identity Governance and Administration (IGA) can be addressed. Similar to IAM governance in general, IGA has not always been given adequate attention and funding within the context of enterprise identity programs. This needs to change, as the effective management and governance of identity services is key to enterprise security and essential to the efficient operation of the identity services.
To reiterate, enterprises need a consistent framework for operationally managing and governing their rapidly expanding digital ecosystem – and IGA is an important piece. At its core, the goal behind IGA is simple: Ensuring appropriate access, when and where it is needed.
A key component of IGA is, ultimately, the automation of the identity lifecycle through an identity provisioning infrastructure. This helps both fulfillment and the enforcement of access decisions. The automation and enforcement helps prevent deviation from these decisions and reduces the amount of effort required for the next round of access reviews.
In the TechVision Reference Architecture for IAM, IGA is characterized principally as a “Time of Change” operation intending to address the question “What does appropriate access look like?”, as illustrated below (bottom left).
Figure 6: IAM Reference Architecture
It should be understood that IGA is much more than technology, but can be thought of as an ongoing means of governance through a set of controls, processes, and actions related to the determination and enforcement of appropriate access throughout the organization’s environment. This is a continuous process of grooming, review, decision making, documentation, and enforcement for how access privileges are issued.
These types of activities are illustrated in part in the next-level drill down of the IAM Reference Architecture, below.
Figure 7: IAM Reference Architecture Drill Down
IGA combines entitlement discovery, decision-making processes, access review and certification with identity lifecycle and role management. IGA operates at the intersection of business process management and access automation, allowing people and systems to communicate with each other and fulfilling day-to-day operational needs. It focuses on the process and operational components of Identity and Access Management. From a technology perspective, from a governance perspective and from a process perspective, the governance, administration and lifecycle management areas need to be a significant area of investment for most enterprises over the next five years.
An organization with a low level of technical maturity often struggles with disjointed or poorly defined processes – mirroring the siloed isolation of the administration of each system. This may be observed by each administrator individually addressing process challenges with a lack of communication and coordination between administrators.
The inconsistency that arises from segmented approaches also opens up the enterprise to security vulnerabilities given inconsistencies in processes and potential gaps in understanding processes.
The graphic below shows the improvements that can be achieved as an organization’s IGA processes are matured.
Figure 8: IGA Process Maturity
Process improvements, however, often require a level of organizational maturity that corresponds to how well the people within the organization are aligned with their responsibilities and the ability to execute those responsibilities. For example, enabling a LOB owner both to finalize an access control decision within their domain and to provide attestation as to the current access state will score higher than an organization in which access control policies are managed solely by resource administrators.
Maturity also applies to the organization itself, of course; the disjointed processes and siloed, uncoordinated administration described above are symptoms of low organizational maturity.
Figure 9: IGA Organizational Maturity
Effective IGA requires a collaborative, cross-functional effort, and the organizational maturity should reflect engagement of different areas of responsibility.
For example, resource owners working with the identity teams should be responsible for gathering entitlement information from each resource and organizing this information into meaningful, documented sets. These documents should be self-explanatory to support a meaningful review by decision makers from the lines of business. This data then gets stored and maintained within the entitlement catalog – which provides a point of coordination in this process between the IT teams and the lines of business.
Decision makers within LOBs are accountable both for reviewing the organization of the entitlement catalog’s contents and for utilizing the entitlement catalog in the review of how these entitlements are assigned to individuals, groups, or roles. The ultimate goal is to increase the organization’s maturity on all of these fronts. There are major business benefits in doing so.
This is not, of course, a trivial task. Serious, continuous governance is key to an effective and usable IAM program and also critical to properly managing enterprise risk.
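The entitlement catalog, access review and enforcement loop described above, together with the earlier point that separation of duties may be enforced outright or accepted with a compensating control such as monitoring, can be expressed as a small data model. The following is an added illustration, not TechVision’s code or any IGA product’s API; every entitlement name, LOB owner, user, and SoD rule in it is constructed for the example. It documents each discovered entitlement in business language, builds a per-owner review packet, flags entitlements nobody has catalogued (which therefore cannot be reviewed), detects users holding both halves of a conflicting pair, and applies certification decisions to the access state that provisioning would then enforce.

```python
"""Toy entitlement catalog, review packets, SoD check and decision enforcement.

Added illustration only; not TechVision's or any vendor's code. All
entitlement names, owners, users and rules below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    ident: str         # identifier as discovered on the resource (constructed)
    resource: str      # system that grants it
    owner: str         # LOB decision maker accountable for certifying it
    description: str   # plain-language meaning written for a business reviewer


@dataclass(frozen=True)
class SodRule:
    left: str
    right: str
    compensating_control: Optional[str] = None  # None: never acceptable together


# Constructed catalog: resource owners and the identity team have gathered
# each entitlement and documented it so a LOB reviewer can understand it.
CATALOG: Dict[str, Entitlement] = {e.ident: e for e in [
    Entitlement("erp.ap.create", "ERP", "finance-lob", "Create vendor invoices"),
    Entitlement("erp.ap.approve", "ERP", "finance-lob", "Approve vendor invoices for payment"),
    Entitlement("hr.payroll.edit", "HRIS", "hr-lob", "Edit employee pay rates"),
    Entitlement("hr.payroll.run", "HRIS", "hr-lob", "Execute the payroll run"),
    Entitlement("crm.read", "CRM", "sales-lob", "Read customer records"),
]}

# Constructed separation-of-duties rules. The invoice pair is a hard conflict;
# the payroll pair is tolerated only while the named monitoring control exists.
SOD_RULES: List[SodRule] = [
    SodRule("erp.ap.create", "erp.ap.approve"),
    SodRule("hr.payroll.edit", "hr.payroll.run", "payroll change log reviewed monthly"),
]

# Constructed current access state as discovered from the resources.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"erp.ap.create", "erp.ap.approve", "crm.read"},
    "bob": {"hr.payroll.edit", "hr.payroll.run"},
    "carol": {"crm.read", "legacy.admin"},  # legacy.admin was never catalogued
}


def find_uncataloged(assignments: Dict[str, Set[str]],
                     catalog: Dict[str, Entitlement]) -> Dict[str, Set[str]]:
    """Entitlements in use that nobody has documented; they cannot be reviewed."""
    unknown: Dict[str, Set[str]] = {}
    for user, ents in assignments.items():
        missing = {e for e in ents if e not in catalog}
        if missing:
            unknown[user] = missing
    return unknown


def find_sod_violations(assignments: Dict[str, Set[str]],
                        rules: List[SodRule]) -> List[dict]:
    """Users holding both halves of a conflicting pair, plus the control, if any,
    that would make the combination acceptable."""
    findings = []
    for user in sorted(assignments):
        ents = assignments[user]
        for rule in rules:
            if rule.left in ents and rule.right in ents:
                findings.append({
                    "user": user,
                    "pair": (rule.left, rule.right),
                    "requires_compensating_control": rule.compensating_control,
                })
    return findings


def build_review_packets(assignments: Dict[str, Set[str]],
                         catalog: Dict[str, Entitlement]) -> Dict[str, List[dict]]:
    """Group catalogued (user, entitlement) pairs by the LOB owner who certifies them."""
    packets: Dict[str, List[dict]] = {}
    for user in sorted(assignments):
        for ident in sorted(assignments[user]):
            ent = catalog.get(ident)
            if ent is None:
                continue  # surfaced separately by find_uncataloged
            packets.setdefault(ent.owner, []).append({
                "user": user, "entitlement": ident,
                "resource": ent.resource, "description": ent.description,
            })
    return packets


def apply_decisions(assignments: Dict[str, Set[str]],
                    decisions: Dict[Tuple[str, str], str]) -> Dict[str, Set[str]]:
    """Enforce certification decisions: every (user, entitlement) marked 'revoke'
    is removed from a copy of the access state that provisioning would push out."""
    result = {user: set(ents) for user, ents in assignments.items()}
    for (user, ident), decision in decisions.items():
        if decision == "revoke":
            result.get(user, set()).discard(ident)
    return result


if __name__ == "__main__":
    print("uncatalogued:", find_uncataloged(ASSIGNMENTS, CATALOG))
    print("SoD findings:", find_sod_violations(ASSIGNMENTS, SOD_RULES))
    for owner, items in build_review_packets(ASSIGNMENTS, CATALOG).items():
        print(owner, "must certify", len(items), "assignments")
```

In this model the review packet is what the LOB decision maker sees, the uncatalogued list is what the resource owners still owe the catalog, and the SoD findings distinguish a hard conflict (no control will do) from one the policy tolerates under monitoring. Feeding the review decisions back through `apply_decisions` is the enforcement step the text refers to: the next review cycle starts from the certified state rather than from whatever has accumulated since.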
For more detail, TechVision Research goes into effective IGA design and deployment in the research report titled “Designing and Implementing an Effective Enterprise Identity Governance and Administration Program”. We also plan to have an updated IGA-centric report with vendor assessments available in 2020.
Business Continuity Planning
Bad things can happen and they can seriously undermine your organization’s ability to function, if not survive. Within the past 20 years alone, we have seen a number of wide-ranging catastrophes that have rendered businesses unable to perform, such as 2001’s 9/11 terrorist attack, 2005’s Hurricane Katrina, 2008’s global financial meltdown, 2010’s Hurricane Sandy, catastrophic wildfires in 2015-18, and now, 2020’s global pandemic, COVID-19. And this largely reflects only U.S.-centric catastrophes. Around the globe, there have been tsunamis, nuclear meltdowns, wars and so forth.
The point is, these have not been complete surprises. In almost every case, it is a matter of “when and where”, not “if”. Unfortunately, organizations and many governments have simply not been up to the task with respect to resilience planning. While we largely don’t know what disruptive event will occur, we are certain something requiring recovery will happen and some level of preparedness is increasingly necessary.
Resilience processes such as Business Continuity Planning, Business Impact Analysis (BIA) and IT Disaster Recovery (ITDR) are focused on the needs and priorities of the organization as a whole, and are tightly integrated or aligned with the organization’s overall risk management, crisis/emergency management and recovery plans. From an IT perspective, resilience processes and plans must be driven by an understanding of how essential business functions will be impacted by the loss of data or IT service availability. This understanding is derived from a business impact analysis, which requires establishing a baseline and periodic updates to maintain the viability of downstream resilience processes.
While many organizations have disaster recovery plans, they often need to be expanded to include business continuity capabilities for critical applications within each regional environment. For example, a healthcare organization should have a Business Continuity Planning & Policy Statement that will formalize efforts to identify other biomedical devices within hospitals that are not visible or are not being monitored on a regular basis. Business Continuity coordinators should be assigned to each of these critical devices, and should be responsible for developing procedures that identify what to do if these devices experience an outage. Recovery time objectives and recovery point objectives (RTOs and RPOs) should also be formalized so it is well known within what timeframe these systems have to be restored to avoid crisis conditions. The healthcare organization may find that in some cases, it may be necessary to move patients to other hospitals or areas if life support systems are unavailable for any reason.
A Business Impact Analysis (BIA) is needed to identify the most critical functions and systems within various corporate and satellite locations in order to prioritize security-related and disaster recovery activities across the enterprise. BIAs can also help the organization quantitatively or qualitatively specify the potential impact to the business in the event of disasters (natural or man-made) or compliance violations in terms of lost revenue, fines, or other legal challenges that could tarnish an organization’s reputation. In other words, a BIA helps an organization to focus first on recovering and restoring the most mission-critical systems and functions when a disruptive event turns into a disaster.
BIAs are important integration points between the information security program and the rest of the business. Continuing the healthcare example, a BIA within a health care organization is a functional analysis and hierarchy of critical health-care related services and transactions that are conducted on a daily basis within the affected hospitals and ambulatory care locations. These services and transactions are then ranked according to their criticality to the business by a local committee of health care professionals. Finally, each local committee must specify how long it can function without a particular service or transaction, and what the business impact is (in terms of dollars, patients’ lives being put at risk, or potential litigation) if the service is unavailable for an extended period of time.
An organization that does not have BIAs in place, or does not regularly update its BIAs, runs the risk of overlooking critical systems, applications, and data. In the event of a disaster, a non-existent or out-of-date BIA may result in the restoration of systems or functions that are no longer used or critical to the organization.
Business Continuity Planning and the related activities are crucial IT governance functions. They should be encapsulated within the IT governance, risk management and security governance functions outlined in this document. The critical thing to put front-and-center is that disasters will happen. Table-top exercises to work through worst case scenarios must be performed. The emphasis should be on worst case scenarios. TechVision feels that far too many organizations have failed to consider a worst case scenario could happen to them. But, as we have seen over the past two decades, that is merely hiding one’s head in the sand.
Conclusion and Recommendations
In this report we cover many IT governance approaches, initiatives and trends and there are some common over-arching themes that are crucial for all organizations to consider. We’ll describe these key themes and specific steps to take in this section.
From our years of experience, one of the key “lessons learned” is that every aspect of governance is connected and all must be given sufficient attention. This strong connection between the governance disciplines, such as security governance, data governance, IAM governance and business continuity planning, is generally lacking in organizations. In many cases, we’ve seen large, successful organizations have very little if any IAM or data governance, especially in the forms expressed in this report. As organizations become Digital Enterprises and extend business processes, expand customer connections, and integrate “things”, getting a handle on all aspects of governance should be amongst the highest priorities.
One of the major challenges is determining how much governance is enough. While there may seem to be a risk of ‘over doing it’, we’ve found that to be a largely unfounded concern. The real challenge is finding the right people to actively participate in IT governance functions and ensuring they are given the appropriate amount of time to perform their daily job functions in addition to being given enough time to actually govern.
It is when people begin to feel overburdened or overwhelmed that apathy can creep in. And apathy is the most serious threat to governance, because without the right people fully engaged, all the processes and technologies in the world won’t bring about the real benefits of good IT governance. One might think all of this is terribly obvious, but if it is so obvious, then why is apathy the single most effective destroyer of governance? Governance is about people and their level of engagement and participation. Processes and tools support the people, not the other way around, when it comes to governance.
With this in mind, we recommend organizations take a sober look at their existing IT governance functions and answer the following questions truthfully:
- Does your governance program cover not only IT, but security, data, IAM and business continuity for a full spectrum IT governance approach?
- Is the organization’s Risk Management function properly or actively engaged in the overall IT governance program?
- Do you know what it is you are actually governing? For instance, do you have up-to-date reference architectures, KRIs, KPIs, policies and process definitions in order to actually evaluate the efficacy of governance functions?
- Are the right types and right number of people engaged across this spectrum?
- Do participants feel truly empowered to perform the many governance responsibilities as outlined in this report?
- Are office politics and personal agendas getting in the way of continued success?
- Do some of the same people sit on too many (or not enough) governance boards?
- Do stakeholders hold themselves and other participants fully accountable and responsible?
- Is enough attention given to overall workloads placed on stakeholders so that they may govern without developing apathy or resentment?
- Is your full-spectrum IT governance continual and actively participated in without fail (under normal business conditions)?
Our recommendations are rooted in answering these questions and determining whether there are significant gaps to be filled. Using the information in this report, the job can be made much easier because you can evaluate your overall (full-spectrum) IT governance capabilities by comparing them to ‘what good looks like’, as described in this report.
We hope you have found this report useful. We realize that nobody likes to hear that their ‘baby is ugly’, and we certainly are not saying that about your existing IT governance programs. However, an honest evaluation and introspection is almost always the best way to bring bad habits – most notably apathy – to light. And even if your governance programs are sufficient today, as your organization becomes more and more “Digital”, your governance programs will need to be in the forefront.
The beauty of governance is that it can be made better. It is not a single piece of software or an app, or a one-and-done, throw-it-against-the-wall-and-see-what-sticks kind of exercise. With an understanding of and respect for the duties to protect, accountability and transparency, virtually anything is fixable.
About TechVision
World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.
TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.
TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.
About the Authors
Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.
While leading security consulting at Burton Group for ten years and running Global Identity Management and Security Consulting at Gartner for five years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.
Noreen Kendle is a recognized leader in the field of Information-Data Strategies, which includes Information Asset Management, Data Governance / Information Ownership, Information Policies & Standards, Business Data Architecture, Meta-Information, Enterprise Data Design, Information Quality, Data Valuation, Enterprise Foundational Data, Data Globalization, and Business Intelligence Strategies.
She has held enterprise information leadership and practitioner positions within large global organizations for over 30 years including Delta Air Lines, AT&T, Masco, Travelport, and The Home Depot, as well as data industry consultant/advisor for Gartner and Burton Group.