COVID-19 has left a deep impact on society. It still affects the way we live and the way we work. Companies changed their delivery models, and many more people are now working remotely to adhere to new social distancing protocols. No organization was 100% prepared for COVID-19. However, having strong governance at the center of a company’s IT security program can make a huge difference in adapting to this changing environment that no one pictured when making their 2020 New Year’s resolutions.
How could companies have been better prepared for this? Very few had this particular scenario in mind, but many do have a business continuity plan (BCP). This is an essential part of enterprise governance, and it’s based on solid risk management principles. In COBIT 2019, the BCP (DSS04) is described as: “Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operations of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.” The purpose is: “Adapt rapidly, continue business operations and maintain availability of resources and information at a level acceptable to the enterprise in the event of a significant disruption (e.g., threats, opportunities, demands).”
This means each company should identify which processes are critical for their business, how IT supports them and what needs to be done in case something happens. Different scenarios should be taken into consideration, including measures that should be taken in case the primary site is not operational or connectivity is lost. The IT solution should be resilient and support the company’s needs. Resilience is the ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognized effect. This is part of a healthy governance framework.
Companies are looking more and more at the cloud as a safe haven for their data. SaaS (software as a service), PaaS (platform as a service) and IaaS (infrastructure as a service) can be adapted to suit everyone’s needs, either as a primary or secondary solution (enhancing the on-premise deployment). Cloud service providers offer resilience and availability, with the benefits of lowering your CAPEX and cost for highly skilled IT staff. But this needs to be done within your company’s governance principles (due care/due diligence), according to the enterprise risk appetite.
Figure 1—Governance of Enterprise IT (GEIT)
What is enterprise governance? Kotter’s definition: “Enterprise governance is a set of responsibilities and practices exercised by the board of directors and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”
CGEIT is a terrific governance credential for managers and practitioners who utilize the learnings to assess and build the right governance systems. CGEIT teaches you that governance drives the IT security function, and this supports the business. It creates a mindset for the certification-holder that is embedded in the program he or she is running, through policy, procedures, standards and guidelines. CGEIT presents the different principles that form frameworks like COBIT, ITIL, PMBOK, ISO 27xx, COSO, TOGAF, Zachman, SABSA, Lean Six Sigma etc., and lets you pick the components that can be customized to your environment, for the governance program you have, which needs to be constantly improved and innovated. The frameworks provide you with essential knowledge of global best practices that can help organizations navigate hard times, like the ones faced today.
No organization was fully prepared for 2020 and COVID-19, but those with strong governance at the center of their IT security program are well-positioned to benefit from their resilience and adaptability.