Hello and welcome to The Infonomics Letter for
November 2011.
The agenda for The Infonomics Letter is always
dynamic. I maintain an
ever-growing long list of topics that I would like to discuss, all
pertaining more or less directly to effective governance of IT.
Topics emerge from many sources, but the majority come from
everyday press around the world.
One that warrants attention is the demise, unsurprising to many,
of the massive IT project at the UK National Health Service. Linked to
this is the very interesting campaign (which Infonomics overtly
supports) launched by the
E-Health Insider for appointment of
Chief
Clinical Information Officers to provide clinical leadership on IT
projects and use of information in UK National Health Service
organisations.
Another is the announcement by the CIO at
Australia’s Department of Defence that the department will be changing
tack from massive projects to small ones – typically costing around only
a million dollars.
But these topics have all been pushed to the
background again by the emergence of yet another well-written, hard-hitting
report on failures of IT in government in Australia.
In
A State of IT Project Failure!, we look at the observations and
findings arising from a review of ten major IT projects in my home state
of Victoria. If there is a problem with the report, it is that it once
again confirms the same types of problems that have occurred many times
before, and recommends improvements that have been recommended many
times before. What it
doesn’t do is provide a new way for the lessons learned to be applied –
indeed when one considers the responses from the most responsible
agency, one wonders if there is any desire within the Victorian public
service to actually do a better job with IT.
Presuming that there is an appetite somewhere
for significant improvement, I take the discussion further – postulating
that, as the report clearly defines a need for government agencies to
improve their governance of IT, there is a need for an enabling agency
that, instead of interfering in the IT decisions, helps agencies to put
in place arrangements that assure them of good decisions on an ongoing
basis.
It’s a great pleasure to let my readers know
also that this topic is of considerable interest to my friends at
Affairs of State.
There will be a short article in the forthcoming edition of
Letter from Melbourne, summarising some of the key issues from the
new Victorian Ombudsman’s report.
I sincerely hope that you find this edition
useful and look forward to your feedback.
Hello and welcome to The Infonomics Letter for
October 2011. Life is becoming
very interesting in the space around governance of IT.
The fact that we need to improve control is becoming more and
more tangible, but so too is the evidence that we are making some
inroads.
There is a perception, seemingly widespread
in the market, that many company directors are reluctant to ask
questions about information technology.
As regular readers know, this journal and other Infonomics
products aim to help more directors deal with IT on their terms.
This month, Technology in the
Boardroom: Directors’ Attitude – Again! exploits a conversation I
kicked off on LinkedIn during August to reflect diverse views on the
topic. Perhaps most telling in the discussion is the fact that 85% of
the people who participated are, according to their LinkedIn profiles,
expert in information technology.
One wonders where the non-technology directors were, and how to
engage them in the conversation, which aims to help them be more
effective in their roles.
Since the last edition, much of my time was
spent in the UK and Europe. While
there were a couple of disappointments, mostly the trip was a huge
success. I’ll explain more
in Mission to Europe.
During September, the UK Government
announced the demise of the National Health Service National Program
for IT. Launched in 2002,
the program was intended to
standardise the IT environment across the entire NHS in England.
After nine years, and 12 billion pounds, it has apparently
produced no tangible benefits, and while failing to even deliver many of
the promised systems, has
probably held back other IT advances
in health care. Earlier
this year, anticipating the demise of the whole program, I spent a
little while browsing
audit
reviews of the project from the past few years.
It struck me that the evidence pointing to the program’s failure
has been there for a long time.
Indeed, when sharing coffee with a friend in London just a month
ago, I learned that consultants engaged to start the project had been
denied permission to meet with the “clients” – the people who run the
various health trusts – for at least six months.
An astute director would have realised right
then that the program would fail!
Hello and welcome to The Infonomics Letter for
September 2011. Those who
are paying attention will realise that there has been a gap: the August
Letter did not materialise.
Sometimes when operating as a one-man-band, circumstances crop up that
just make it impossible to deliver everything, and when that happens,
the freebies have to make way.
The Australian team that originally developed
ISO 38500 is preparing a submission relating to its future work.
Your thoughts will help guide that submission. Please give us a
few moments now to respond on twelve points in the
Survey on Governance Standards.
There is a little more information at right, and more again in
the introduction to the survey.
This month, we begin with
Governance and Management: Further
Perspective. Regular
readers will remember that in the last edition I expressed
disappointment about the draft of the COBIT 5 framework.
COBIT 5 is a product of ISACA, an international membership
organisation for IT professionals.
ISACA was an early influencer in governance of IT and its COBIT
framework is frequently referenced as a guide on governance and
management of IT. In its
latest incarnation, we had been led to believe that COBIT would align to
and integrate ISO 38500. The
outcome is disappointing, as explained in the
July edition. Since then
there has been a great deal of debate around the subject on various
internet discussion groups.
I have used some of that discussion to frame
Governance and Management: Further Perspective, in a further
effort to explain just how the concepts of governance and management are
related.
Inexorably, Information Technology is becoming
a topic of boardroom discussion.
However, some of the discussion is not about the organisation’s
use of IT – rather it focuses on the board’s own use of IT.
The topic became newsworthy recently when the legal specialists
at ANZ Bank asked its board to not use iPads, due to concerns about the
handling of notes directors might make on the device when using it to
read board papers and participate in the work of the board.
Technology in the Boardroom: A Governance Perspective aims to
answer some of the questions originally raised by a journalist exploring
the issue for a future edition of the Company Director magazine.
Finally, I will be in London for the latter
part of September, attending a meeting of the international working
group on standards for governance of IT.
In
Thanks for the Help, I recognise those who are helping me get
there.
Hello and
welcome to The Infonomics Letter.
Last month, I mentioned the release of the
COBIT 5 Exposure Draft. A brief scan had indicated
some definite influence from ISO 38500. That, coupled
with recognition of ISO 38500 in the COBIT 5 plans announced in 2010 had
left me hopeful that COBIT 5 would provide a real breakthrough in
practical guidance on how organisations might establish a comprehensive
and effective system for governance and management of IT.
This month, having ground through COBIT 5: The
Framework Exposure Draft, I am disappointed.
My concern is that COBIT 5 still does not
align to the definition of governance provided in ISO 38500.
If anything, it goes further down the wrong path of entrenching
management activities under the heading “Governance”.
I’ve tried to express my concerns in a coherent manner in Shattered
Dream.
Offsetting the disappointment is the
continuing growth of market interest in ISO 38500.
Building on this year’s already highly successful forays into the Middle
East, Latin America and Malaysia, we are now able to announce seven new
events across Europe. In addition to being a reseller of Waltzing with
the Elephant, IT Governance Limited will promote the ISO 38500
Foundation class. Two new partners for Infonomics are
also promoting opportunities for their clients and the broader market to
learn about the ISO 38500 approach to governance of IT:
PMOworks is promoting a series of
four events in European cities including its home of Dublin. The
company specialises in developing, implementing and supporting PMO
operations, helping organizations improve business processes and
reduce project risk and overall costs.
Falk
Janotta Unternehmensmanagement is based in Wurzburg, Germany.
The company provides a wide range of services to assist
organisations achieve success in their use of IT. Company
Principal Falk Janotta participated in one of the first Europe
classes on ISO 38500, and is now facilitating access to knowledge
about the standard for his diverse and expansive network.
See Infonomics Education Program for further
detail.
Would you like to obtain some independent
advice on your concerns or efforts around governance of IT?
Do you have a strategy, a project or some other situation where
you are not fully comfortable? Perhaps the Infonomics
Access Service will be of assistance to you.
Hello, and welcome to The Infonomics Letter
for June 2011. It’s the end
of the financial year in Australia, and many of us are very focused on
ensuring that our financial affairs and tax obligations are in order.
But while financial compliance does indeed
stand as a dose of reality, it’s far from the only dose of reality that
we encounter in this information era.
For the owners of some 4,800 web sites, the dose of reality
delivered during the past month can hardly be more emphatic.
Following numerous examples of information security breaches over
the past few months, the risk of information security breach and the
risk of cloud computing intersected when hackers destroyed four servers
and all associated backups at an Australian company known as
Distribute.IT.
In the Blink of an Eye discusses the governance issues that
emerge from this event.
The Distribute.IT case is a clear instance of
the risks in cloud computing being realised.
We discussed those risks just two months ago in a story we called
“Rocks
Hiding in Clouds”. The
story was quoted in the June 2011 edition of Company Director, as part
of Domini Stuart’s article “Seeing through the clouds”.
A Few More Words on Clouds adds further perspective.
A different form of information security
breach was reported during June by the Australian Institute of Company
Directors, when a notebook computer was stolen.
Comments in the press and in online forums raise some interesting
issues. We discuss some of
these in
A Testing Embarrassment.
Several state governments in Australia have
tried to establish a Shared Services approach to IT.
Most have failed, with South Australia now added to the list,
while the new government in New South Wales has announced it will embark
on its own shared services journey.
We discuss the concept in
Albert Einstein Observed.
The Information Systems Audit and Control
Association (ISACA) has released an exposure draft of its forthcoming
COBIT 5 framework. This is a
significant work, which has been influenced by the international
standard for governance of IT.
Some preliminary details are discussed in
COBIT 5 Exposure.
May and June saw me journey to Argentina, El
Salvador and Malaysia to explain the ISO 38500 approach to governance of
IT. Fortunately, the travel
was all done before ash from the Chilean volcano messed things up.
In
Tale of Five Nations, we compare governance capability in the
five nations I have visited so far in 2011.
Welcome to the Infonomics Letter for May 2011.
This journal straddles a remarkable dichotomy.
On the one hand, we spend a great deal of time looking over our
shoulder at the lessons to learn from the things that go wrong with
information technology. On the other hand, we look forward with
unbridled excitement to our intensively IT-enabled future.
The split personality exists for one purpose –
only by learning lessons from past mistakes do we develop the capability
to move forward into our future.
Last month I introduced The Infonomics Dream:
At Infonomics, we dream of a worldwide boost in well-being and
wealth, driven by a sustained improvement in innovative and highly
successful use of information technology, underpinned by business
leadership and effective governance.
During my recent briefings in the Middle East,
and over the coming weeks as I travel through Latin America, I emphasise
that dreams do not come without hard work, persistence and
determination. In these sessions, we use the US Space
Program to illustrate the point – that great achievement comes through
incremental development, that there are transition points where
generations of technology give way to new developments, and where
failure is subject to the most intensive and rigorous analysis in a
determined effort to avoid repeating the same mistakes.
But aside from the hard work, the thing that
drove the US Space Program, and I believe still drives it, is a dream.
A vision of a future different and better, but still indelibly
linked to what we have today.
I am indeed fortunate to know a man who has a
dream. I met Chris Ogden in London in 1987.
We worked helping deploy technology innovation through the
British banking system. Since then, Chris has
suffered the misfortune of developing a rare degenerative nerve disease.
But far from retiring and allowing this disease to limit his
capacity, Chris has developed a new vision. I am
proud to share with you, my friends in more than 55 nations around our
world, the vision developed by Chris Ogden and his colleagues, for
innovative use of information technology in advancing the fight against
not only his specific condition, but the myriad of conditions that are
collectively known as “Rare Diseases”.
I hope that the vision Chris paints can serve
as inspiration to us all, to seek and exploit opportunities to use
information technology in innovative ways, to enable change, and to
generate beneficial outcomes.
How can we help him realise his dream?
Welcome to the bumper April 2011 Infonomics
Letter.
At
Infonomics, we dream of a worldwide boost in well-being and wealth,
driven by a sustained improvement in innovative and highly successful
use of information technology, underpinned by business leadership and
effective governance.
This dream is central to the Infonomics
mission of improving the effectiveness, efficiency and acceptability of
IT use by organisations worldwide, through improving their governance of
IT.
During April, it was my privilege to share
this dream in the United Arab Emirates and Oman, as a guest of EXCEED IT
Services and Training. We
spoke about ISO 38500 and improving governance of IT to substantial
audiences in three cities, and conducted two ISO 38500 Foundation
Classes through which we can share some insight into the calibre of the
region’s governance of IT.
See
Middle East Developments.
It can be very hard to make serious time to
read serious books. The trip
to the Middle East gave me an opportunity to get started on
Geekonomics and gain new insight into some of the reasons we have so
much trouble with Information Technology.
Last month’s discussion on governing
information security generated significant feedback and some additional
activity that will develop during coming months.
Meanwhile, security incidents keep emerging.
See More on Information
Security.
As if security breaches are not enough, April
also saw some of the risk in Cloud Computing being made crystal-clear.
Cloud computing may be an exciting development, but the cloud is not
without risk, as discussed in
Rocks Hiding in Clouds.
Although it is titled “Governance of
Information Technology”, ISO 38500 makes it plain that its focus is on
the use of IT, and that the success of organisations using IT is
dependent on the way they go about integrating it into their strategy,
their execution of strategy and their operational management.
For several years, Infonomics has been at the forefront of
argument that IT cannot be treated as an independent issue, and that its
governance must be an integral part of governing the ongoing development
and operations of the organisation, with business leaders taking
responsibility and being accountable for the effective use of IT in
developing business strategy, building business capability, and running
the ongoing business. In
Gartner’s Eureka Moment we
discuss how the well-known IT research and advisory company has also
discovered this message.
Welcome to the Infonomics Letter for March
2011.
Some time in 1978, I attended a conference
where several companies were demonstrating software on one of the
workhorse computers of the time – a DEC PDP-11.
Out of curiosity, I went to one system console and logged on.
I didn’t need to ask anybody the password – most PDP-11s running
that operating system used the password originally set at the factory
and nobody at the factory saw any need for different passwords.
When the first PC was released, it didn’t even have the means to
identify different users – let alone keep them separate with different
passwords.
In 1987, newly arrived in London, I picked up
my ATM card and proceeded to an ATM to reset the PIN.
I was horrified that, having entered my old and new PINs, the ATM
then checked that I had entered my new PIN correctly – by displaying it
back in big digits on the screen.
Thankfully nobody was watching.
Of course banks have learned a lot since then, and they would
never show a customer PIN today.
But while banks have learned a few things about information
security, one wonders about the greater community.
In a previous edition of this Letter I’ve commented on website
operators that, having demanded we set up an individual account with a
secure password, then kindly send us a clear text email putting all that
identity information out where it can be seen by any errant teenager
with the most primitive hacking tools.
One mailing list I use very nicely reminds me every month of my
user id and password. You
can bet that I keep that one quarantined with a fake name!
Recently I wrote about the appalling lack of
access control in mobile phone shops run by Vodafone Hutchison Australia
(January
edition, More red faces).
Now I find that another phone company demands a strong password
for access to customer accounts online, and then requires the customer
to quote part of that password when accessing the call centre – with the
whole password visible to the call centre operator.
Don’t they understand information security?
Public disquiet about information security
breaches and weak safeguards used by many organisations is now driving
strong regulatory and legislative action.
The probable high cost of information security in the future may
be in part a consequence of organisations failing to take early and
decisive steps to direct and control their information security.
But while legislation may oblige organisations to pay attention
to information security, it can’t define how to do the job.
So, this month’s key topic explores how those who govern
organisations can direct and control their information security
arrangements. Enjoy!
Welcome to the Infonomics Letter for February
2011.
It’s just four weeks since I penned the last
Infonomics Letter. How remarkable have been the
events of these past four weeks? Through the power of
communications infrastructure we know as the Internet and applications
built on top of that infrastructure such as Facebook, Twitter and
YouTube, we have seen in real time and at close quarters the remarkably
peaceful move to regime change in Egypt, the rather more traumatic but
nonetheless profound wave of change sweeping Libya, and the
heartbreaking devastation in Christchurch, New Zealand.
Just over ten years ago, I used dial-up
internet access to download and watch a few seconds of grainy video
showing an airliner ploughing into the World Trade Centre.
Twenty-two years ago, when the Berlin Wall fell, our access to
information was limited to the newspapers and television.
In half a working lifetime, or just a single generation, the way
in which we access news has changed immeasurably.
The enabler to this change has unquestionably
been the advent of high-speed digital communications.
But the communications infrastructure alone is insufficient for us to
access the information we seek, or sometimes don’t even know exists.
In order to access the information we need the complementary
technologies for capturing, packaging and presenting it, and the
applications that manage its storage, accessibility and delivery, along
with myriad other functionality.
Thus one can argue that infrastructure itself
has no direct value. Its value can only be accessed
and realised when there are appropriate complementary technologies and
applications through which the latent value is made real.
These are the thoughts that underpin my
submission today, albeit at the last minute, to an inquiry by the
Australian Parliament’s Standing Committee on Infrastructure and
Communications into the role and potential of the National Broadband
Network. Essentially, I argue that the NBN itself
will deliver no tangible value – but that its massive latent value can
only be unlocked by appropriate development and deployment of
complementary technologies and applications. Driving
value from Australia’s NBN therefore demands effective governance
arrangements to encourage and focus investment in these resources. I’d
like to share that submission with you as this month’s Infonomics
Letter.
Welcome to the first Infonomics Letter for
2011. After a seven week break and a series of amazing weather events
across Australia and in other parts of the world, we are ready once
again to explore and promote good practice in governance of IT.
Working as an evangelist for new thinking
about anything can be an interesting task.
Being an evangelist for a new way of looking at governance of IT
involves challenging many established beliefs and methods of operation.
But while the road is long, arduous and, in the short term at
least, hardly viable from a financial perspective, it is gradually
unfolding with evidence of change.
Not so long ago, the mere suggestion that directors of
organizations should ask questions about IT would have spurred
horrified denial that directors could ever understand the topic.
Yet now, at least one major bank in Australia has a board
committee to oversee its extensive agenda of IT change.
Recent events, several of which have been
discussed in The Infonomics Letter through 2010, are leaving no doubt
that business dependence on IT is now, in many cases, absolute.
Now, when significant problems occur with IT, it is almost
axiomatic that the top line of the organization’s leadership gets
involved, and this presents a context in which we can see that business
leaders need to know things about IT that may not in the past have
seemed relevant. Peter
Grant, a well-known Australian IT industry researcher and commentator,
brought this into focus in a recent post to a LinkedIn discussion forum,
and the Infonomics response to his challenge is presented in
What Should Management Know?
Of course, the shift to a new year does not
stem the tide of case examples where a small dose of effective
governance might have avoided embarrassment and perhaps other
consequences. This month in
More Red Faces we explore the
stunning revelations of weak information security at Vodafone Hutchison
Australia, and postulate a governance approach based on ISO 38500 that
might have saved the company from being lashed to the whipping post
during the usually slow news period in mid-January.
The new government in Victoria is beginning to
flex its muscle, looking deeply into the unfulfilled promises of the
previous government’s major IT initiatives and asking “is it worth it”?
We foreshadow further scrutiny in
New Opportunity to Improve.
Finally, there’s news of how Infonomics
commentary now appears on Delimiter, major advances for Waltzing with
the Elephant, and the near term education program.