ISACA South Africa Annual Conference
The theme of the ISACA South Africa annual conference held in Johannesburg was ‘Gaining the edge, shaping the future’. The event included tracks covering (Cyber) Governance, IS Audit, Privacy & Security, Women Leaders in Technology and Cybersecurity.
This is a summary of the key takeaways from the sessions I attended.
Call to Action
Tichaona Zororo, president of the ISACA SA chapter, set the scene with his ‘call to action’ opening. We are in a time of change. The rapid adoption of emerging ‘disruptive’ technologies driven by a more connected world, coupled with the increasing number of cyber threats and attacks, is creating changes that are outpacing the capabilities of Governance, Cybersecurity and the assessment of IT Risk.
It is no longer Business As Usual. What we thought was the ‘future’ has already become the daily reality. We must change if we want to remain relevant. We must gain the edge by getting the right skills and capabilities.
“Organizations that are lagging on up-skilling their assurance and IT staff are running the risk of becoming redundant or losing their market share”.
A changing landscape
Carolynn Chalmers, Director of Candor Governance, presented ‘King IV and the Corporate Governance of IT – A changing landscape’, covering the King IV report on corporate governance in South Africa, which once again placed IT governance on the board table. I personally believe that many other countries, ISACA chapters and organizations should take a look at South Africa. They have been through the IT Governance learning cycle that many countries, certainly European, are just going through. King IV represents ‘continual learning’, building on the experiences of King III, and provides some critical success factors. My key takeaways from this:
- In South Africa IT Governance is a MUST DO, not a nice-to-have.
- Focus on OUTCOMES, not just a tick in the box. A shift from ‘doing’ to ‘achieving’.
- From Strategy definition to Strategy through setting Policy.
- More reporting. NOT just after the fact but report on the Value Creating Process, throughout the lifecycle, and OUTCOMES.
- Move towards ‘integrated thinking’. A Holistic approach.
- King IV is all about ‘Continual Improvement’ (Yes! ITIL practitioner now places CSI central, LEAN IT is becoming more popular with a focus on ‘Kaizen’ and continual change, DevOps also focuses on continual learning and experimentation).
- Single biggest risk = PEOPLE (Once again I make my call to ISACA to provide some more guidance around ‘Culture, Ethics and Behavior’, ITIL practitioner places Organizational Change Management as a core competence, DevOps also stresses the need to focus on Culture).
- What does King IV mean for ITSM? More reporting, but reports focused on value and OUTCOMES.
- Adequate and effective controls, with an emphasis on keeping it simple: not bureaucratic controls, but relevant ones.
Leveraging multiple best practice frameworks
Mark Thomas, President of Escoute Consulting, presented ‘Avoid Frameworks Overload – leveraging multiple best practice frameworks in your governance eco system’. He used some real-life business examples of how he talked to the board to understand and solve challenges, and how they jointly arrived at COBIT 5. The business was talking COSO and BSC; IT was talking ITIL and TOGAF. COBIT 5 became the middleware and got buy-in from the Corporate Risk and Audit officers, IT and the business. COBIT 5 bridged the gap between IT Governance and IT Management and became the framework to manage the myriad of frameworks in use. Mark also stressed the number 1 killer in adopting frameworks: ‘Culture, ethics and behavior’.
John Thorp and Peter Harrison presented ‘Why don’t we effectively realize the business benefits of our IT investments’. Much of what I heard made me groan as I recognized many of the issues from an old blog. It surprised me that here at an ISACA event, not an ITSM event, people were furiously note taking about VALUE.
A key message they presented endorsed the King IV presentation: the need for ‘integrated thinking’ with an aim towards value. I would dearly love it if ISACA, itSMF and BRMI would start doing some ‘integrated thinking’ or joint sessions. All of them talk about Value, all of them talk about end-to-end, all of them talk about integrated thinking or collaboration... then why don’t we collaborate, as these 3 orgs represent an end-to-end perspective!
Some other key messages:
- The failure rate of strategy initiatives is higher than the failure rate of IT projects.
- It all comes down to the strength of the business case, which requires effort from both business & IT. If you’re not prepared to put the effort in, don’t do it.
- It’s all about balancing value vs risk. Portfolio management and Performance management are key.
- Value isn’t short-term ROI... it is longer term, how IT is used and value realized.
- We need to manage value management as a major behavioral change program in its own right.
- The panel all agreed that ‘Culture, Ethics, Behavior’ is the KEY enabler. Mark declaring it the number 1 killer and John saying ‘we grossly underestimate Culture and the mindset change required’.
- Goals cascade is the backbone to COBIT together with understanding the Stakeholders and their needs.
- COBIT is NOT an IT model it is also for business. The key to COBIT is business benefits… the key to business benefits is the business!
- Stop saying ‘IT’ and the ‘Business’. We reinforce the ‘them and us’ culture through our language.
- Too many see COBIT as the solution and are looking for a problem to map it to. Start by asking business ‘what problems keep you awake at night?’
- What I heard was BRM is critical. The BRMer should add COBIT to their toolkit.
Realizing value in a digital world
John Thorp and Peter Harrison presented ‘Realizing Value in a Digital World, Re-Thinking Governance, Leadership and Management’. John and Peter revealed that we are in a time of constant, complex change. Digital transformation requires new ways of Governing, Leading and Managing. A large part of this transformation requires a shift in Attitude, behavior and culture from both Business & IT.
- We are in a place where we don’t know where we are going or how to get there.
- Digital IT is not putting ‘lipstick on the pig’; it is a real transformation.
- Digital IT is still seen as a technology thing. Still only 30% of IT projects are successful. They are NOT IT projects.
- Unwillingness of business leaders to get engaged.
- We don’t actively manage VALUE.
- Digital organizations require a more agile and inclusive approach to Governance, Leadership and management.
Gary Hardy presented ‘Top 10 Management Mistakes – How COBIT Helps Prevent’.
Gary presented the results of the survey ITWinners are conducting with APMG and IT Preneurs globally. I have mapped his results to our findings of more than 3000 organizations globally:
- Not appointing the right Stakeholders to IT Steering committees.
- Not appointing a Business owner to be accountable for IT enabled business changes.
- Assuming IT is only for the “IT Function”.
- Failing to appoint a senior business executive to drive management of Information Security.
- Failing to use a business case to monitor desired outcomes and benefits.
- Reacting only to audit findings.
- Defining business changes as “IT Projects” after the IT solution.
- Defining requirements as a solution description.
- Defining SLAs in technical delivery terms.
- Assuming governance of IT is only related to risk and compliance.
An inspirational event
All in all it was an inspirational event. There was an excitement and a buzz and a recognition that ‘Digital transformation’ is a fact. The reality is here now. Its implications are that IT must raise its game in terms of attitude, skills and capabilities and drive for a true business and IT convergence.
One of my key conclusions is that ISACA, itSMF and BRMI events are all talking about value, business and IT convergence, end-to-end capabilities. Why don’t ISACA, itSMF and BRMI organize joint events to bring the end-to-end players together to explore solutions TOGETHER rather than separately in our own SILOS, reinforcing the ‘Them & Us’ Culture?
As one of the speakers in the congress succinctly quoted General Eric Shinseki: “If you don’t like change, you’re going to like irrelevance even less”.