Week 05:IT Strategy

Very interesting and diverse set of comments this week.  Did you notice how quickly the nice orderly world of ISACA  (basic and admin controls, enterprise architecture, strategy and steering teams and RACI  charts) became chaotic? There is an important point here, its called POLITICS.  Not the nation-state kind, nor necessarily the back stabbing kind.  The best definition I know of politics is “Who gets what, when, where, why and how.”   You can go into any organization, find its IT strategy, find a steering team and apparently they are doing the right things.  But, until you understand who the committee members are, what interests they represent, which groups have more power than others, you will not really know what is going on.  The Weill and Rose article should open your eyes to some of the possibilities.

The thing I want you to take away from this discussion is that implementing an IT strategy is also a political exercise.  Yes, having a great plan based on an excellent enterprise architecture is important, but you need to get it accepted throughout the organization.  This means you need to communicate and get buy in from anyone who is in a position to slow you up or shut you down.  You need to get all the other players to understand, buy in, and support you when things go wrong. This will involve a lot of skills that IT people are not usually known for.  There are likely to be difficult negotiations, private lobbying, dramatic speeches, and lots of grass roots communicating.  Good CIO’s have these skills and have probably used them to define a comfortable status quo with the rest of the organization.   Technological change may necessitate upending that status quo.  This is when you need real leadership.

Rich

I’m at the ISC2  Congress this week and this morning I went to a panel discussion with this name.  Much of what was said was related to our course so I thought I would share some notes:

1. For IT and security leadership a key success factor is building relationships with business leaders before critical questions come to the fore.
2. Heavy use of risk-acceptance forms is a sign of a failure of security to develop the needed relationships with the business.
3. Security architecture should be an important part of a company’s Enterprise Architecture.
4. To sell senior executives you need to speak in the business terms and have data.  This CISO suggests that you really need a robust honey-pot environment so that you can collect data on what would happen without security’s efforts.
5. Framing issues in business terms involves knowing the business processes and impacts of security threats.  Starbucks security architect talked about not framing stolen identity authentications but rather fraudulent sales.  He also noted that the rational decision of the business was to not implement a solution that cost more than the total of the fraudulent sales.
6. CISO from health care suggested that you always need to respond to the business with a qualified yes, not a no.  As in, “Yes, we can do that, but it will cost $x and would take precedence over these other n projects.  Does that make sense?”
7. First 90 days after a major incident is a critical time period.  Security can get whatever they want, but how should they use such a time period.  First, of course, is to correct the problem, identify and close the holes that allowed it.  Beyond that, the security team should have a strategy ready to go for how to improve the company’s security position long term and act on it.  Many firms buy various point solutions while they have budget approval.  Panel thought this was a bad idea. These panelists suggested that it would be better to engage the organization and change behaviors.  The healthcare CISO noted that after their breach they implemented their entire 5 year plan in a month with senior management support.
8. Final note on building relationships with the business.  You must bring something to the table.  Having a well reasoned position on some business process issue will earn you credits.  Its good to bank as many credits as you can because someday you will need the business to trust you.  Without enough credits, they won’t.

Readings

1. Describe the five IT questions that Weill & Ross (see Figure 3-4) see all organizations making?
2. How do the Weill & Ross questions line up to the McKinsey questions? What’s changed in the last 15 years?
3. What is the difference between EA and IT strategy?  Do you need both?
4. What is the difference between and IT Strategy committee and an IT Steering Committee?
5. What archetypes do you see in your company? How well do they work?

 

Steve Praino Presentation

Steve Praino of Dow Chemical spoke to an earlier section of this class on IT Strategy.  Please watch the video and post your takeaways in response to this post.

Rich