a value centric approach to
governance risk & compliance

     Aaron Weller, CGEIT
    CEO, Concise Consulting

  aaron.weller@conciseconsulting.com
              @GotPrivacy
Last Slide First
1. IT departments too often focus on delivering
   something rather than delivering value
2. Risk and Compliance often distract from
   Governance rather than complementing it
3. Good Governance models exist. Wheel
   invention skills are not required.
4. Governance is important but not urgent.
   Find ways to make it urgent.
5. Measure things. Ideally, useful things.
The Information Paradox
• More and more businesses see IT as
  absolutely vital to their continued success,
  and ability to operate.
• More and more money is being invested in IT
  (albeit with a temporary blip over the last couple of years).
• Yet…a large proportion of IT investments fail
  to deliver what was expected.
• Q: What is missing?

A: Focus on VALUE
How often does the question get asked:
“Are we maximizing the value of our IT-enabled business investments such that:
  – We are getting optimal benefits
  – At an affordable cost
  – With an acceptable level of risk
  …over the full economic life cycle of the investment?”
Our Track Record

• 62% of organizations experienced IT projects that failed to
  meet their schedules
• 49% had budget overruns
• 47% had higher-than-expected maintenance costs
• 41% failed to deliver expected business value and ROI
• 25%+ of all software and services projects are canceled
  before completion
• Up to 80% of budgets are consumed fixing self-inflicted
  problems

Remember that every piece of technology you run today was
part of an implementation project at some time!
[Figure: Compliance, Risk and Governance shown together as one picture]
Key Takeaway
Governance, Risk and Compliance should not be
3 separate activities. They should be 3 aspects
of the same activity.

Governance of Enterprise IT directs the IT
organization to achieve business objectives,
manage risks to those objectives and achieve
compliance with laws and regulations.

IT change (typically)
< business change
• The large majority of IT change results in even
  more significant change in the business that it
  supports.
• Governance is as much about understanding
  how IT can help to achieve overall business
  goals, as optimizing what IT does.
• There is nothing so useless as doing
  something well which does not need to be
  done.

What does your organization
want from IT?
1. Utility Provider – primary purpose is to provide common
   infrastructure and information management services.

2. Process Optimizer – has two primary purposes; provide a
   common infrastructure and information management, as
   well as help optimize business processes and enable
   business-unit-specific objectives.

3. Revenue Enabler – has three primary purposes; common
   information management services, business process
   optimization, as well as enable customer-facing products
   and services.
Source: www.itpi.org
Enabling Broader IT Strategy

[Figure: three overlapping views – Services Offered Today, Services Required Today, Services Required Tomorrow]

•   Identify gaps
•   Prioritize business requirements
•   Develop plans to migrate from current state to desired state
•   Track and communicate progress in terms of business value
Steps to Governance
• Creating the right environment for
  Governance
  – Guiding principles
  – Framework for accountability
  – Measuring results

• Implementing a lifecycle approach
  – Aligning with the ‘rhythm of the business’
  – A journey, not a destination

Know what this is?

[Figure: image not reproduced in the transcript]
One View of IT Governance

[Figure: IT Governance Domains – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]

Source: ISACA Board Briefing on IT Governance
Another View – 6 Principles
1. Responsibility: Individuals and groups understand and
   accept their responsibilities
2. Strategy: Business strategy takes into account current and
   future capabilities of IT
3. Acquisition: IT acquisitions are made for valid reasons
   with balance between short and long term goals
4. Performance: IT is fit for purpose in supporting the
   organization.
5. Conformance: IT conforms with all mandatory legislation
   and regulations.
6. Human Behavior: IT policies, practices and decisions
   demonstrate respect for human behavior.

Source: ISO 38500 – Corporate Governance of IT
Key Governance Questions

[Figure: image not reproduced in the transcript]

Source: ValIT v2.0 (based on The Information Paradox)
Two key governance outcomes



1. Delivering IT value to the business
2. Mitigating IT-related risks

Another View of GRC

[Figure: layered model – Responsibilities, Principles, Objectives, Controls, Test Plans]
Quick note on Risk Assessments

“Best Practices are intended as the default for use by people who don’t
have the time or skill to perform a proper risk assessment.”

– Gene Schultz
Why Use Metrics?


“There are two possible outcomes: if the result confirms your hypothesis,
then you've made a measurement. If the result is contrary to your
hypothesis, then you've made a discovery.”

– Enrico Fermi
Measure the right things

[Figure: image not reproduced in the transcript]
CMM For Metrics
(maturity levels, highest first; the slide's columns were Focus, Sample Metrics and What gets reported)

Optimization

Efficiency
  • Real-time alerts and reporting based on baselines and trends
  • Effort to respond to each incident

Baseline
  • Baselines set
  • Reports based on trending and baselines

Trending
  • Type detected
  • Severity
  • Resolution time

Activity
  • # of policies documented
  • # detected per week/month/year
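An added example, not from the deck, that walks one constructed set of incident records up the maturity levels in the table above (Activity, Trending, Baseline, Efficiency). The record layout, the ISO-week bucketing and the median/MAD alert threshold are this example's own assumptions, not anything the slide prescribes.

```python
"""Metrics maturity walk-through (added example, not from the slide deck).

Activity counts things, Trending breaks them down, Baseline fixes a norm,
Efficiency alerts against that norm and tracks effort per incident.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, median

# Constructed sample records: (detected, type, severity, hours to resolve).
# Weeks 1-4 are "normal"; week 5 carries a phishing spike.
INCIDENTS = [
    (date(2024, 1, 2), "phishing", "low", 3.0),
    (date(2024, 1, 4), "malware", "medium", 6.5),
    (date(2024, 1, 9), "phishing", "low", 2.5),
    (date(2024, 1, 10), "malware", "low", 5.5),
    (date(2024, 1, 11), "lost-device", "high", 12.0),
    (date(2024, 1, 16), "phishing", "medium", 4.0),
    (date(2024, 1, 18), "malware", "medium", 7.0),
    (date(2024, 1, 23), "phishing", "low", 2.0),
    (date(2024, 1, 30), "phishing", "high", 9.0),
    (date(2024, 1, 30), "phishing", "high", 8.0),
    (date(2024, 1, 31), "phishing", "medium", 5.0),
    (date(2024, 2, 1), "phishing", "medium", 4.5),
    (date(2024, 2, 2), "malware", "high", 10.0),
    (date(2024, 2, 2), "phishing", "low", 3.0),
]


def activity(incidents):
    """Activity level: number of incidents detected per ISO week."""
    per_week = Counter(d.isocalendar()[1] for d, *_ in incidents)
    return dict(sorted(per_week.items()))


def trending(incidents):
    """Trending level: what was detected, how severe, how long to resolve."""
    return {
        "by_type": dict(Counter(t for _, t, _, _ in incidents)),
        "by_severity": dict(Counter(s for _, _, s, _ in incidents)),
        "mean_resolution_hours": round(mean(h for *_, h in incidents), 2),
    }


def baseline(weekly_counts, history_weeks):
    """Baseline level: a norm and a tolerance derived from past weeks.

    Median and median absolute deviation (MAD) are used so that one bad
    week in the history does not drag the baseline with it (assumption).
    """
    hist = [weekly_counts.get(w, 0) for w in history_weeks]
    med = median(hist)
    mad = median(abs(x - med) for x in hist)
    return {"median": med, "mad": mad}


def efficiency(incidents, history_weeks, k=3):
    """Efficiency level: alert on weeks above median + k*MAD, report effort."""
    weekly = activity(incidents)
    base = baseline(weekly, history_weeks)
    # Floor the tolerance at one incident so a flat history cannot
    # turn every small change into an alert.
    threshold = base["median"] + k * max(base["mad"], 1)
    alerts = [w for w, n in weekly.items()
              if w not in history_weeks and n > threshold]
    effort = defaultdict(list)
    for _, t, _, h in incidents:
        effort[t].append(h)
    return {
        "threshold": threshold,
        "alert_weeks": alerts,
        "effort_hours_per_incident": {t: round(mean(v), 2)
                                      for t, v in effort.items()},
    }


if __name__ == "__main__":
    history = [1, 2, 3, 4]
    print("Activity:  ", activity(INCIDENTS))
    print("Trending:  ", trending(INCIDENTS))
    print("Baseline:  ", baseline(activity(INCIDENTS), history))
    print("Efficiency:", efficiency(INCIDENTS, history))
```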
What should be measured?
• Key Compliance Indicators
• Key Risk Indicators
• Key Governance Indicators

1. Activity level?
2. Baseline level?
3. Efficiency level?

Good governance works
A survey on IT governance conducted by ISACA
and PwC found a positive statistical correlation
between the maturity of IT governance practices
and the outcomes delivered by IT.
  – When IT governance practices are more advanced,
    IT outcomes are better
  – Similarly, a lower state of advancement of IT
    governance practices correlates with poorer IT
    outcomes

But can be challenging to
achieve
Only 38 percent of executives/senior management can describe
their enterprise’s IT governance process. This is largely because
in most cases, IT governance has not been designed; it has just
developed ‘piecemeal’ in response to specific issues.
[IT Governance, Weill and Ross]

Only 40% of approved projects have realistic benefit
statements.
<10% of enterprises ensure that benefits are realized post-
project.
<5% of enterprises hold project stakeholders responsible for
achieving planned benefits. [META Group]
In many enterprises, less than 8 percent of the IT budget is
actually spent on initiatives that bring value to the enterprise.
[Butler Group]
“Two roads diverged in a wood, and I … I took the one less traveled by,
and that has made all the difference.”
Last Slide Last
1. IT departments too often focus on delivering
   something rather than delivering value
2. Risk and Compliance often distract from
   Governance rather than complementing it
3. Good Governance models exist. Wheel
   invention skills are not required.
4. Governance is important but not urgent.
   Find ways to make it urgent.
5. Measure things. Ideally, useful things.
Complex Problems? Concise Solutions.

 aaron.weller@conciseconsulting.com
             @GotPrivacy

 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Value-centric approach to governance, risk & compliance

  • 1. A value centric approach to governance, risk & compliance
    Aaron Weller, CGEIT, CEO, Concise Consulting
    aaron.weller@conciseconsulting.com, @GotPrivacy
  • 2. Last Slide First
    1. IT departments too often focus on delivering something rather than delivering value
    2. Risk and Compliance often distract from Governance rather than complementing it
    3. Good Governance models exist. Wheel invention skills are not required.
    4. Governance is important but not urgent. Find ways to make it urgent.
    5. Measure things. Ideally, useful things.
  • 3. The Information Paradox
    – More and more businesses see IT as absolutely vital to their continued success and ability to operate.
    – More and more money is being invested in IT (albeit with a temporary blip over the last couple of years).
    – Yet… a large proportion of IT investments fail to deliver what was expected.
    – Q: What is missing?
  • 4. A: Focus on VALUE
    How often does the question get asked: “Are we maximizing the value of our IT-enabled business investments such that:
    – We are getting optimal benefits
    – At an affordable cost
    – With an acceptable level of risk
    … over the full economic life cycle of the investment?”
  • 5. Our Track Record
    – 62% of organizations experienced IT projects that failed to meet their schedules
    – 49% had budget overruns
    – 47% had higher-than-expected maintenance costs
    – 41% failed to deliver expected business value and ROI
    – 25%+ of all software and services projects are canceled before completion
    – Up to 80% of budgets are consumed fixing self-inflicted problems
    Remember that every piece of technology you run today was part of an implementation project at some time!
  • 6. [Diagram: three overlapping areas labelled Compliance, Risk and Governance]
  • 7. Key Takeaway
    Governance, Risk and Compliance should not be 3 separate activities. They should be 3 aspects of the same activity.
    Governance of Enterprise IT directs the IT organization to achieve business objectives, manage risks to those objectives and achieve compliance with laws and regulations.
  • 8. IT change (typically) < business change
    – The large majority of IT change results in even more significant change in the business that it supports.
    – Governance is as much about understanding how IT can help to achieve overall business goals as it is about optimizing what IT does.
    – There is nothing so useless as doing something well which does not need to be done.
  • 9. What does your organization want from IT?
    1. Utility Provider: primary purpose is to provide common infrastructure and information management services.
    2. Process Optimizer: has two primary purposes: provide common infrastructure and information management, and help optimize business processes and enable business-unit-specific objectives.
    3. Revenue Enabler: has three primary purposes: common information management services, business process optimization, and enabling customer-facing products and services.
    Source: www.itpi.org
  • 10. Enabling Broader IT Strategy
    [Diagram: Services Required Tomorrow, Services Required Today, Services Offered Today]
    – Identify gaps
    – Prioritize business requirements
    – Develop plans to migrate from current state to desired state
    – Track and communicate progress in terms of business value
  • 11. Steps to Governance
    – Creating the right environment for Governance: guiding principles; framework for accountability; measuring results
    – Implementing a lifecycle approach: aligning with the ‘rhythm of the business’; a journey, not a destination
  • 12. Know what this is? [image]
  • 13. One View of IT Governance
    [Diagram: IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]
    Source: ISACA Board Briefing on IT Governance
  • 14. Another View – 6 Principles
    1. Responsibility: individuals and groups understand and accept their responsibilities
    2. Strategy: business strategy takes into account current and future capabilities of IT
    3. Acquisition: IT acquisitions are made for valid reasons with a balance between short and long term goals
    4. Performance: IT is fit for purpose in supporting the organization
    5. Conformance: IT conforms with all mandatory legislation and regulations
    6. Human Behavior: IT policies, practices and decisions demonstrate respect for human behavior
    Source: ISO 38500 – Corporate Governance of IT
  • 15. Key Governance Questions
    [Diagram] Source: ValIT v2.0 (based on The Information Paradox)
  • 16. Two key governance outcomes
    1. Delivering IT value to the business
    2. Mitigating IT-related risks
  • 17. Another View of GRC
    [Diagram: Responsibilities, Principles, Objectives, Controls, Test Plans]
  • 18. Quick note on Risk Assessments
    “Best Practices are intended as the default for use by people who don’t have the time or skill to perform a proper risk assessment.” (Gene Schultz)
  • 19. Why Use Metrics?
    “There are two possible outcomes: if the result confirms your hypothesis, then you've made a measurement. If the result is contrary to your hypothesis, then you've made a discovery.” (Enrico Fermi)
  • 20. Measure the right things
  • 21. CMM For Metrics (table columns: Focus / Sample Metrics / What gets reported)
    – Efficiency / Optimization level: real-time alerts and reporting based on baselines and trends; effort to respond to each incident
    – Baseline / Trending level: baselines set; reports based on trending and baselines
    – Activity level: type detected; severity; resolution time; # of policies documented; # detected per week/month/year
  • 22. What should be measured?
    – Key Compliance Indicators
    – Key Risk Indicators
    – Key Governance Indicators
    1. Activity level?
    2. Baseline level?
    3. Efficiency level?
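Slides 21 and 22 describe metrics maturing from activity counts, through baselines and trends, to efficiency and real-time alerting. The following Python example is added here and is not part of the presentation: it computes each level over a constructed set of incident records (hypothetical fields week, type, severity and hours) and raises an alert when a week's detections exceed the baseline by two standard deviations.

```python
"""Activity -> Baseline -> Efficiency metrics over constructed incident records."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data: one record per detected incident (not real figures).
# Weeks 1-8 form the baseline window; week 9 carries a constructed phishing spike.
_PHISHING_PER_WEEK = {1: 3, 2: 4, 3: 2, 4: 3, 5: 5, 6: 3, 7: 4, 8: 2, 9: 9}
INCIDENTS = [
    {"week": w, "type": "phishing", "severity": "low", "hours": 2.0}
    for w, n in _PHISHING_PER_WEEK.items() for _ in range(n)
] + [
    {"week": w, "type": "malware", "severity": "high", "hours": 8.0}
    for w in range(1, 10)
]


def activity(incidents):
    """Activity level: detections per week and per (type, severity)."""
    per_week = Counter(i["week"] for i in incidents)
    per_type = Counter((i["type"], i["severity"]) for i in incidents)
    return dict(per_week), dict(per_type)


def baseline(per_week, weeks):
    """Baseline level: mean and population std-dev of weekly counts over the
    window, plus a simple trend (second-half average minus first-half average)."""
    counts = [per_week.get(w, 0) for w in weeks]
    half = len(counts) // 2
    trend = mean(counts[half:]) - mean(counts[:half])
    return mean(counts), pstdev(counts), trend


def efficiency(incidents, week):
    """Efficiency level: mean effort (hours) spent per incident in one week."""
    hours = [i["hours"] for i in incidents if i["week"] == week]
    return mean(hours) if hours else 0.0


def alert(per_week, week, mu, sigma, k=2.0):
    """Optimization level: alert when a week's count exceeds baseline + k sigma."""
    return per_week.get(week, 0) > mu + k * sigma


if __name__ == "__main__":
    per_week, per_type = activity(INCIDENTS)
    mu, sigma, trend = baseline(per_week, range(1, 9))
    print(f"baseline mean={mu:.2f} sd={sigma:.2f} trend={trend:+.2f}")
    for w in (5, 9):
        print(f"week {w}: {per_week[w]} detections, "
              f"effort/incident={efficiency(INCIDENTS, w):.1f}h, "
              f"alert={alert(per_week, w, mu, sigma)}")
```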
  • 23. Good governance works
    A survey on IT governance conducted by ISACA and PwC found a positive statistical correlation between the maturity of IT governance practices and the outcomes delivered by IT.
    – When IT governance practices are more advanced, IT outcomes are better
    – Similarly, a lower state of advancement of IT governance practices correlates with poorer IT outcomes
  • 24. But can be challenging to achieve
    Only 38 percent of executives/senior management can describe their enterprise’s IT governance process. This is largely because in most cases IT governance has not been designed; it has just developed ‘piecemeal’ in response to specific issues. [IT Governance, Weill and Ross]
    Only 40% of approved projects have realistic benefit statements. <10% of enterprises ensure that benefits are realized post-project. <5% of enterprises hold project stakeholders responsible for achieving planned benefits. [META Group]
    In many enterprises, less than 8 percent of the IT budget is actually spent on initiatives that bring value to the enterprise. [Butler Group]
  • 25. “Two roads diverged in a wood, and I … I took the one less traveled by, and that has made all the difference.”
  • 26. Last Slide Last
    1. IT departments too often focus on delivering something rather than delivering value
    2. Risk and Compliance often distract from Governance rather than complementing it
    3. Good Governance models exist. Wheel invention skills are not required.
    4. Governance is important but not urgent. Find ways to make it urgent.
    5. Measure things. Ideally, useful things.
  • 27. Complex Problems? Concise Solutions.
    aaron.weller@conciseconsulting.com, @GotPrivacy