I think the STARS case is wonderful as an opener for an IT Governance class. Why? Because there is no governance at STARS, at least nothing explicit. If we use our “Right Things, Done Right” mantra, we can illustrate the point. On the “Right Things” side, Khan is inheriting an IT organization that has no identifiable mission or charter. Senior management doesn’t recognize the critical role that IT could play in its organization. The implicit charter is probably something like, “Give the business what it needs to get the job done.” That simply isn’t good enough leadership. On the “Done Right” side, you have pointed out the deficiencies of the IT effort (it’s not even a real organization): no organizational structure, runaway customers, out-of-control contractors, no technical standards, no project portfolio management, etc. The only good news for Khan is that the only way for this organization to go is up!
The key point for this class is to recognize that both things are necessary for true governance. IT organizations, as a generalization, have tended to focus on the process of doing things extremely well and very efficiently. This is important, but it is only half of the game. IT leadership and company leadership must work together to ensure that IT is doing things that provide value to the company and manage risk. This is a political (small p) process and not one that is comfortable for most IT people. Hence many CIOs fail because, while they run their IT shops well, they are not focused on contributing to the company’s goals.
Throughout this course and the program, keep the “Right Things, Done Right” model in mind. Many CISA and CISSP questions will give you three answers that urgently need doing and one that seems so obvious that it can be assumed and ask you which is MOST important. Don’t fall for the trap! The correct answer is usually the one about making sure that the organization is doing the right thing and that must always come first.