Hello and welcome to The Infonomics Letter for November 2011.
The agenda for The Infonomics Letter is always dynamic. I maintain an ever-growing long list of topics that I would like to discuss, all pertaining more or less directly to effective governance of IT. Topics emerge from many sources, but the majority come from every-day press around the world. One that warrants attention is the demise, unsurprising to many, of the massive IT project at the UK National Health Service. Linked to this is the very interesting campaign (which Infonomics overtly supports) launched by the E-Health Insider for appointment of Chief Clinical Information Officers to provide clinical leadership on IT projects and use of information in UK National Health Service organisations.
Another is the announcement by the CIO at Australia’s Department of Defence that the department will be changing tack from massive projects to small ones – typically costing around only a million dollars.
But these topics have all been pushed to the background again by emergence of yet another well written, hard hitting report on failures of IT in government in Australia. In A State of IT Project Failure!, we look at the observations and findings arising from a review of ten major IT projects in my home state of Victoria. If there is a problem with the report, it is that it once again confirms the same types of problems that have occurred many times before, and recommends improvements that have been recommended many times before. What it doesn’t do is provide a new way for the lessons learned to be applied – indeed when one considers the responses from the most responsible agency, one wonders if there is any desire within the Victorian public service to actually do a better job with IT.
Presuming that there is an appetite somewhere for significant improvement, I take the discussion further – postulating that, as the report clearly defines a need for government agencies to improve their governance of IT, there is a need for an enabling agency that, instead of interfering in the IT decisions, helps agencies to put in place arrangements that assure them of good decisions on an ongoing basis.
It’s a great pleasure to let my readers know also that this topic is of considerable interest to my friends at Affairs of State. There will be a short article in the forthcoming edition of Letter from Melbourne, summarising some of the key issues from the new Victorian Ombudsman’s report.
I sincerely hope that you find this edition useful and look forward to your feedback.
Hello and welcome to The Infonomics Letter for October 2011. Life is becoming very interesting in the space around governance of IT. The fact that we need to improve control is becoming more and more tangible, but so too is the evidence that we are making some inroads.
There is a perception, seemingly wide spread in the market, that many company directors are reluctant to ask questions about information technology. As regular readers know, this journal and other Infonomics products, aim to help more directors deal with IT on their terms. This month, Technology in the Boardroom: Directors’ Attitude – Again! exploits a conversation I kicked off on LinkedIn during August to reflect diverse views on the topic. Perhaps most telling in the discussion is that fact that 85% of the people who participated are, according to their LinkedIn profiles, expert in information technology. One wonders where the non-technology directors were, and how to engage them in the conversation, which aims to help them be more effective in their roles.
Since the last edition, much of my time was spent in the UK and Europe. While there were a couple of disappointments, mostly the trip was a huge success. I’ll explain more in Mission to Europe.
During September, the UK Government announced the demise of the National Health Service National Program for IT. Launched in 2002, the program was intended to standardise the IT environment across the entire NHS in England. After nine years, and 12 billion pounds, it has apparently produced no tangible benefits, and while failing to even deliver many of the promised systems, has probably held back other IT advances in health care. Earlier this year, anticipating the demise of the whole program, I spent a little while browsing audit reviews of the project from the past few years. It struck me that the evidence pointing to the program’s failure has been there for a long time. Indeed, when sharing coffee with a friend in London just a month ago, I learned that consultants engaged to start the project had been denied permission to meet with the “clients” – the people who run the various health trusts for at least six months.
An astute director would have realised right then that the program would fail!Lessons about consequences of poor governance of IT continue. They are too numerous to explore in detail. Recent items include the global failure of Blackberry services and the extraordinary case of a person who reported a privacy breach and was promptly hit with a visit from the police and lawyers.
Hello and welcome to The Infonomics Letter for September 2011. Those who are paying attention will realise that there has been a gap: the August Letter did not materialise. Sometimes when operating as a one-man-band, circumstances crop up that just make it impossible to deliver everything, and when that happens, the freebies have to make way.
The Australian team that originally developed ISO 38500 is preparing a submission relating to its future work. Your thoughts will help guide that submission. Please give us a few moments now to respond on twelve points in the Survey on Governance Standards. There is a little more information at right, and more again in the introduction to the survey.
This month, we begin with Governance and Management: Further Perspective. Regular readers will remember that in the last edition I expressed disappointment about the draft of the COBIT 5 framework. COBIT 5 is a product of ISACA, an international membership organisation for IT professionals. ISACA was an early influencer in governance of IT and its COBIT framework is frequently referenced as a guide on governance and management of IT. In its latest incarnation, we had been led to believe that COBIT would align to and integrate ISO 38500. The outcome is disappointing, as explained in the July edition. Since then there has been a great deal of debate around the subject on various internet discussion groups. I have used some of that discussion to frame Governance and Management: Further Perspective, in a further effort to explain just how the concepts of governance and management are related.
Inexorably, Information Technology is becoming a topic of boardroom discussion. However, some of the discussion is not about the organisation’s use of IT – rather it focuses on the board’s own use of IT. The topic became newsworthy recently when the legal specialists at ANZ Bank asked its board to not use iPads, due to concerns about the handling of notes directors might make on the device when using it to read board papers and participate in the work of the board. Technology in the Boardroom: A Governance Perspective aims to answer some of the questions originally raised by a journalist exploring the issue for a future edition of the Company Director magazine.
Finally, I will be in London for the latter part of September, attending a meeting of the international working group on standards for governance of IT. In Thanks for the Help, I recognise those who are helping me get there.
Sorry - there was no August edition - there were too many other
Sorry - there was no August edition - there were too many other things happening!
Hello and welcome to The Infonomics Letter.
Last month, I mentioned the release of the COBIT 5 Exposure Draft. A brief scan had indicated some definite influence from ISO 38500. That, coupled with recognition of ISO 38500 in the COBIT 5 plans announced in 2010 had left me hopeful that COBIT 5 would provide a real breakthrough in practical guidance on how organisations might establish a comprehensive and effective system for governance and management of IT.
This month, having ground through COBIT 5: The Framework Exposure Draft, I am disappointed.
My concern is that COBIT 5 still does not align to the definition of governance provided in ISO 38500. If anything, it goes further down the wrong path of entrenching management activities under the heading “Governance”. I’ve tried to express my concerns in a coherent manner in Shattered Dream.
Offsetting the disappointment is the continuing growth of market interest in ISO 38500. Building on this year’s already highly successful forays into the Middle East, Latin America and Malaysia, we are now able to announce seven new events across Europe. In addition to being a reseller of Waltzing with the Elephant, IT Governance Limited will promote the ISO 38500 Foundation class. Two new partners for Infonomics are also promoting opportunities for their clients and the broader market to learn about the ISO 38500 approach to governance of IT:
PMOworks is promoting a series of four events in European cities including its home of Dublin. The company specialises in developing, implementing and supporting PMO operations, helping organizations improve business processes and reduce project risk and overall costs.
Falk Janotta Unternehmensmanagement is based in Wurzburg, Germany. The company provides a wide range of services to assist organisations achieve success in their use of IT. Company Principal Falk Janotta participated in one of the first Europe classes on ISO 38500, and is now facilitating access to knowledge about the standard for his diverse and expansive network.
See Infonomics Education Program for further detail.
Would you like to obtain some independent advice on your concerns or efforts around governance of IT? Do you have a strategy, a project or some other situation where you are not fully comfortable? Perhaps the Infonomics Access Service will be of assistance to you.
Hello, and welcome to The Infonomics Letter for June 2011. It’s the end of the financial year in Australia, and many of us are very focused on ensuring that our financial affairs and tax obligations are in order.
But while financial compliance does indeed stand as a dose of reality, it’s far from the only dose of reality that we encounter in this information era. For the owners of some 4,800 web sites, the dose of reality delivered during the past month can hardly be more emphatic. Following numerous examples of information security breaches over the past few months, the risk of information security breach and the risk of cloud computing intersected when hackers destroyed four servers and all associated backups at an Australian company known as Distribute.IT. In the Blink of an Eye discusses the governance issues that emerge from this event.
The Distribute.IT case is a clear instance of the risks in cloud computing being realised. We discussed those risks just two months ago in a story we called “Rocks Hiding in Clouds”. The story was quoted in the June 2011 edition of Company Director, as part of Domini Stuart’s article “Seeing through the clouds”. A Few More Words on Clouds adds further perspective.
A different form of information security breach was reported during June by the Australian Institute of Company Directors, when a notebook computer was stolen. Comments in the press and in online forums raise some interesting issues. We discuss some of these in A Testing Embarrassment.
Several state governments in Australia have tried to establish a Shared Services approach to IT. Most have failed, with South Australia now added to the list, while the new government in New South Wales has announced it will embark on its own shared services journey. We discuss the concept in Albert Einstein Observed.
The Information Systems Audit and Control Association (ISACA) has released an exposure draft of its forthcoming COBIT 5 framework. This is a significant work, which has been influenced by the international standard for governance of IT. Some preliminary details are discussed in COBIT 5 Exposure.
May and June saw me journey to Argentina, El Salvador and Malaysia to explain the ISO 38500 approach to governance of IT. Fortunately, the travel was all done before ash from the Chilean volcano messed things up. In Tale of Five Nations, we compare governance capability in the five nations I have visited so far in 2011.
Welcome to the Infonomics Letter for May 2011.
This journal straddles a remarkable dichotomy. On the one hand, we spend a great deal of time looking over our shoulder at the lessons to learn from the things that go wrong with information technology. On the other hand, we look forward with unbridled excitement to our intensively IT-enabled future.
The split personality exists for one purpose – only by learning lessons from past mistakes do we develop the capability to move forward into our future.
Last month I introduced The Infonomics Dream: At Infonomics, we dream of a worldwide boost in well-being and wealth, driven by a sustained improvement in innovative and highly successful use of information technology, underpinned by business leadership and effective governance.
During my recent briefings in the Middle East, and over the coming weeks as I travel through Latin America, I emphasise that dreams do not come without hard work, persistence and determination. In these sessions, we use the US Space Program to illustrate the point – that great achievement comes through incremental development, that there are transition points where generations of technology give way to new developments, and where failure is subject to the most intensive and rigorous analysis in a determined effort is made to avoid repeating the same mistakes.
But aside from the hard work, the thing that drove the US Space Program, and I believe still drives it, is a dream. A vision of a future different and better, but still indelibly linked to what we have today.
I am indeed fortunate to know a man who has a dream. I met Chris Ogden in London in 1987. We worked helping deploy technology innovation through the British banking system. Since then, Chris has suffered the misfortune of developing a rare degenerative nerve disease. But far from retiring and allowing this disease to limit his capacity, Chris has developed a new vision. I am proud to share with you, my friends in more than 55 nations around our world, the vision developed by Chris Ogden and his colleagues, for innovative use of information technology in advancing the fight against not only his specific condition, but the myriad of conditions that are collectively known as “Rare Diseases”.
I hope that the vision Chris paints can serve as inspiration to us all, to seek and exploit opportunities to use information technology in innovative ways, to enable change, and to generate beneficial outcomes.
How can we help him realise his dream?
Welcome to the bumper April 2011 Infonomics Letter.
At Infonomics, we dream of a worldwide boost in well-being and wealth, driven by a sustained improvement in innovative and highly successful use of information technology, underpinned by business leadership and effective governance.
This dream is central to the Infonomics mission of improving the effectiveness, efficiency and acceptability of IT use by organisations worldwide, through improving their governance of IT.
During April, it was my privilege to share this dream in the United Arab Emirates and Oman, as a guest of EXCEED IT Services and Training. We spoke about ISO 38500 and improving governance of IT to substantial audiences in three cities, and conducted two ISO 38500 Foundation Classes through which we can share some insight into the calibre of the region’s governance of IT. See Middle East Developments.
It can be very hard to make serious time to read serious books. The trip to the Middle East gave me an opportunity to get started on Geekonomics and gain new insight into some of the reasons we have so much trouble with Information Technology.
Last month’s discussion on governing information security generated significant feedback and some additional activity that will develop during coming months. Meanwhile, security incidents keep emerging. See More on Information Security.
As if security breaches are not enough, April also saw some of the risk in Cloud Computing being made crystal-clear. Cloud computing may be exciting development, but the cloud is not without risk, as discussed in Rocks Hiding in Clouds.
Although it is titled “Governance of Information Technology”, ISO 38500 makes it plain that its focus is on the use of IT, and that the success of organisations using IT is dependent on the way they go about integrating it into their strategy, their execution of strategy and their operational management. For several years, Infonomics has been at the forefront of argument that IT cannot be treated as an independent issue, and that its governance must be an integral part of governing the ongoing development and operations of the organisation, with business leaders taking responsibility and being accountable for the effective use of IT in developing business strategy, building business capability, and running the ongoing business. In Gartner’s Eureka Moment we discuss how the well-known IT research and advisory company has also discovered this message.Finally, are you one of the many who have helped Gabrielle Ford in her research on people who use ERP systems. The details are in ERP Fail: When Best Practices Meet Real Life. If you haven't already done so, and you are a user of any of the many ERP systems that have been introduced in the past few years, please set aside 20 minutes to complete her survey. Please pass on this request to others as well. Gabrielle needs as many responses as possible by May 4th!
Welcome to the Infonomics Letter for March 2011.
Some time in 1978, I attended a conference where several companies were demonstrating software on one of the workhorse computers of the time – a DEC PDP-11. Out of curiosity, I went to one system console and logged on. I didn’t need to ask anybody the password – most PDP-11’s running that operating system used the password originally set at the factory and nobody at the factory saw any need for different passwords. When the first PC was released, it didn’t even have the means to identify different users – let alone keep them separate with different passwords.
In 1987, newly arrived in London, I picked up my ATM card and proceeded to an ATM to reset the PIN. I was horrified that, having entered my old and new PINs, the ATM then checked that I had entered my new PIN correctly – by displaying it back in big digits on the screen. Thankfully nobody was watching. Of course banks have learned a lot since then, and they would never show a customer PIN today. But while banks have learned a few things about information security, one wonders about the greater community. In a previous edition of this Letter I’ve commented on website operators that, having demanded we set up an individual account with a secure password, then kindly send us a clear text email putting all that identity information out where it can be seen by any errant teenager with the most primitive hacking tools. One mailing list I use very nicely reminds me every month of my user id and password. You can bet that I keep that one quarantined with a fake name!
Recently I wrote about the appalling lack of access control in mobile phone shops run by Vodafone Hutchison Australia (January edition, More red faces). Now I find that another phone company demands a strong password for access to customer accounts online, and then requires the customer to quote part of that password when accessing the call centre – with the whole password visible to the call centre operator. Don’t they understand information security?
Public disquiet about information security breaches and weak safeguards used by many organisations is now driving strong regulatory and legislative action. The probable high cost of information security in the future may be in part a consequence of organisations failing to take early and decisive steps to direct and control their information security. But while legislation may oblige organisations to pay attention to information security, it can’t define how to do the job. So, this month’s key topic explores how those who govern organisations can direct and control their information security arrangements. Enjoy!
Welcome to the Infonomics Letter for February 2011.
It’s just four weeks since I penned the last Infonomics Letter. How remarkable have been the events of these past four weeks? Through the power of communications infrastructure we know as the Internet and applications built on top of that infrastructure such as facebook, twitter and you tube, we have seen in real time and at close quarters the remarkably peaceful move to regime change in Egypt, the rather more traumatic but nonetheless profound wave of change sweeping Libya, and the heartbreaking devastation in Christchurch, New Zealand.
Just over ten years ago, I used dial up internet access to download and watch a few seconds of grainy video showing an airliner ploughing into the World Trade Centre. Twenty two years ago, when the Berlin Wall fell, our access to information was limited to the newspapers and television. In half a working lifetime, or just a single generation, the way in which we access news has changed immeasurably.
The enabler to this change has unquestionably been the advent of high speed digital communications. But the communications infrastructure alone is insufficient for us to access the information we seek, or sometimes don’t even know exists. In order to access the information we need the complementary technologies for capturing, packaging and presenting it, and the applications that manage its storage, accessibility and delivery, along with myriad other functionality.
Thus one can argue that infrastructure itself has no direct value. Its value can only be accessed and realised when there are appropriate complementary technologies and applications through which the latent value is made real.
These are the thoughts that underpin my submission today, albeit at the last minute, to an inquiry by the Australian Parliament’s Standing Committee on Infrastructure and Communications into the role and potential of the National Broadband Network. Essentially, I argue that the NBN itself will deliver no tangible value – but that its massive latent value can only be unlocked by appropriate development and deployment of complementary technologies and applications. Driving value from Australia’s NBN therefore demands effective governance arrangements to encourage and focus investment in these resources. I’d like to share that submission with you as this month’s Infonomics Letter.
Looking ahead and growing
Welcome to the first Infonomics Letter for 2011. After a seven week break and a series of amazing weather events across Australia and in other parts of the world, we are ready once again to explore and promote good practice in governance of IT.
Working as an evangelist for new thinking about anything can be an interesting task. Being an evangelist for a new way of looking at governance of IT involves challenging many established beliefs and methods of operation. But while the road is long, arduous and, in the short term at least, hardly viable from a financial perspective, it is gradually unfolding with evidence of change. Not so long ago, the mere suggestion that directors of organizations should ask questions about IT would once have spurred horrified denial that directors could ever understand the topic. Yet now, at least one major bank in Australia has a board committee to oversee its extensive agenda of IT change.
Recent events, several of which have been discussed in The Infonomics Letter through 2010 are leaving no doubt that business dependence on IT is now, in many cases, absolute. Now, when significant problems occur with IT, it is almost axiomatic that the top line of the organization’s leadership gets involved, and this presents a context in which we can see that business leaders need to know things about IT that may not in the past have seemed relevant. Peter Grant, a well-known Australian IT industry researcher and commentator brought this into focus in a recent post to a LinkedIn discussion forum, and the Infonomics response to his challenge is presented in What Should Management Know?
Of course, the shift to a new year does not stem the tide of case examples where a small dose of effective governance might have avoided embarrassment and perhaps other consequences. This month in More Red Faces we explore the stunning revelations of weak information security at Vodafone Hutchison Australia, and postulate a governance approach based on ISO 38500 that might have saved the company from being lashed to the whipping post during the usually slow news period in mid-January.
The new government in Victoria is beginning to flex its muscle, looking deeply into the unfulfilled promises of the previous government’s major IT initiatives and asking “is it worth it”? We foreshadow further scrutiny in New Opportunity to Improve.
Finally, there’s news of how Infonomics commentary now appears on Delimiter, major advances for Waltzing with the Elephant, and the near term education program.