IT Compliance and Controls

Converging Business, Information, and Controls


All Businesses will be digital businesses .. the hyperbole

March 20th, 2014 · No Comments

I love technology and feel there is immense opportunity to shape the world with it. Some businesses serve only digital markets, and others are transforming how they do business with digital technology. Now that this disclaimer is out in the universe …

The immense cacophony of noise that “All businesses will be digital businesses” needs to be contemplated seriously. I have heard this a number of times and in a number of places, and want to make a point on this … as it relates to strategy.

All businesses are NOT digital. There are those that serve digital markets, and those that leverage digital to enhance their business. The IT backbone, services portfolio, and associated components are fundamentally necessary and mission critical without a doubt. The blurring of the lines, though, can negatively influence the strategy of the business.

Saying “All businesses are digital” is akin to saying “All businesses are facilities & environmental”. Everyone would 100% agree that facilities (building, power, air quality, etc.) are mission critical, but we would not say that IS the business. Technology fills a similar role.

I fear the blurring of this line will ineffectively shift internal resources and shift strategy in a manner counter to the business needs. Other fears? Other risks? What is the power of culture and perception on a group and company? “Culture eats strategy for breakfast”, Peter Drucker.

Thoughts and counters are welcome. This is an early impression and needs deeper consideration on how businesses can affect their long-term goals.

Thoughtfully,

James


Tags: Uncategorized

Does competency matter as a CIO / CISO? Inspired by Target breach

March 14th, 2014 · No Comments

As the news cycle continues regarding the Target breach of 40-ish million credit cards and 70-ish million customer data records, a point came up that seemed relevant. Perhaps it was that I was just working with a global organization implementing a more integrated and responsive security program, and the concept of RACI and competency was top of mind … either way, the question should be asked.

What skills and competencies should Boards of Directors and Audit Committees seek, expect, and ensure exists with their data and technology leaders?

Those at the engineering level, coding level, and such have very specific skills, and that knowledge is mandatory to perform. At the leadership level, though, the progression to these positions crosses the whole spectrum, from salesperson (Target's CIO) to technical individual having risen through the ranks (Google).

As an architect, operator, implementer, and overseer of Americas audits of security management systems, I have a unique view on designing, implementing, and certifying. I am seeing businesses expect at least the following to be present, documented, and improved regularly (improvement is a requirement of this space, on an annual cycle):

  1. Tenure and experience with the disciplines or deep awareness of products
  2. Familiarity with the legal, internal, external, and business requirements across all regions & products
  3. Depth of competency for the industry of the business
  4. Depth of competency for the technology by the business and for the business (here is an area organizations have trouble with since the velocity of change and tech adoption for some businesses is faster than others)
  5. #4 is increasingly interesting and requires a strong training and position-sharing organizational structure, or comfort with rotation of personnel as skills match tasks (i.e., a CISO over an org that relies on deeply abstracted services is vastly different from one running 20 in-house data centers)

What are you finding internally?

  1. Are you being supported to document what competencies you need to build (at EY we spend literally weeks on this topic with each person)?
  2. How often, if ever, have you rotated out of jobs to fit better with the 'new' operating structure?

There are many more, but the point being … Attacks happen; technology changes are exciting; business models shift rapidly; and even the operating environments/partners are reinvented in all successful organizations. Therefore the leadership and teams supporting their execution must also swiftly respond to such demands, while maintaining the continuity of confidentiality, integrity, and availability of services.

Thoughts?

James


Tags: Uncategorized

A different approach and RSA Tuesday update

March 5th, 2014 · No Comments

A fresh post after a long while …

So, after writing for clients and my research being all-consuming this past year, I am re-focusing time in my day to share observations and thoughts. Why? Quite simply, I learn more when I write, share, and get feedback than when living in an echo chamber. How will this benefit the world/you? Simple: you will share in the knowledge I gain from sweat and toil and learn through the same iteration cycle as I do.

Also, I am aiming for a high-iteration format instead of the long form of old. Meaning, shorter (I hope) posts that are succinct on ideas without the typical pre/post writings that are common in most write-ups. My ask: please share, challenge, and seek to understand my perspective, as I will do for you.

Onward then …

Today is RSA day, and two themes were evident and of most importance based on several large client discussions, analyst discussions, and a few researchers I had the privilege of speaking with today:

  1. Communicating the WHY is of paramount importance today (WHY are we spending security budgets on X assets? WHY are our practices for managing enablement between development, operations, and security out of sync? Etc..)
  2. Passive Resistance (my phrase, but after a day of hearing about NSA, RSA, and crypto architects disowning responsibility for operational deployment and for “enabling” privacy and security, this is where I landed) is the idea of persons and organizations being asked to respond to these threats in a manner that impinges on their capabilities. There are many problems with this stated position, but I shall leave that for another day and your own pondering.

Businesses must address #1 and be extremely cautious with #2, and #2 will be a heavy discussion during my RSA session on Thursday for all that are present. If you are unable to attend, I will, as usual, post my work and research in note form online. Looking forward to learning and expanding my thinking with you.

Best,

James

// PCI & Controls site


Tags: Uncategorized

Weekly recap of Tweets, Links, and Ideas

October 8th, 2012 · No Comments

Tags: Technology Strategy Orchestration

Weekly recap of Tweets, Links, and Ideas

October 1st, 2012 · No Comments

Tags: Technology Strategy Orchestration

Weekly recap of Tweets, Links, and Ideas

September 24th, 2012 · No Comments

Tags: Technology Strategy Orchestration

Weekly recap of Tweets, Links, and Ideas

September 17th, 2012 · No Comments

Tags: Technology Strategy Orchestration

Weekly recap of Tweets, Links, and Ideas

September 10th, 2012 · No Comments

Tags: Technology Strategy Orchestration

Weekly recap of Tweets, Links, and Ideas

September 3rd, 2012 · No Comments

Tags: Technology Strategy Orchestration

Weekly recap of Tweets, Links, and Ideas

August 27th, 2012 · No Comments

Tags: Technology Strategy Orchestration