- Cisco bug lets anyone login to network as admin with a blank password
- Intel ships new Spectre patches: Kaby Lake and Coffee Lake now, Sandy Bridge next
- As NDB kicks in, be careful of overcompensating for past security inaction
- On the eve of game-changing NDB scheme, 59 percent of businesses still don’t understand it
- Google reveals kernel, Windows 10 security bypasses fixed in February’s Patch Tuesday
Why best practice is risky
A well-governed organisation implies that it operates within an appropriate framework of structured controls, policies and processes, all driven by best practice. But is this really what is needed in a time of disruption and change?
Governance frameworks exist for almost every aspect of an organisation to ensure it operates as intended, and in support of its overall mission.
Entire industries thrive on the evolution, implementation and maintenance of these governance frameworks, which underpin the development of published standards.
Mature governance frameworks embody so-called ‘best practice’, which implies the adoption of these frameworks will help the organisation achieve its goals with a higher degree of reliability.
Indeed, the Oxford dictionary defines ‘best practice’ as: “Commercial or professional procedures that are accepted or prescribed as being correct or most effective”.
Selecting, adapting, designing and integrating the various governance frameworks across the organisation is no trivial task, and is especially important for organisations with an enterprise-wide dependency on IT.
In an environment that is not changing very rapidly, or has a very high cost of failure, such as commercial aviation, accepted ‘best practice’ generally makes sense and with good reason.
If followed, best practice maximises the likelihood of the intended results being achieved. After all, the ‘recipe’ has been shown to work, and is often backed by evidence that reinforces adherence to the relevant standard yields results. Reinventing the wheel is a potentially risky and expensive process.
But does best practice + disruption = worst outcome?
Accepted ‘best practice’ may no longer be up to the task in the face of fundamental technological or marketplace disruption. If your organisation is dealing with a rapidly changing, innovative and disruptive competitor, rote adherence to such standards may be anything than ‘best’ for you.
On the flip side, if your organisation is the one doing the disrupting through innovative technologies, processes or business models, you have more likely than not broken ranks with those still constrained by the prevailing governance models based on demonstrated best practice.
But if your organisation is rusted onto ‘best practice’, how can it adapt to the change to ensure survival? Through IEDs, enterprise IT, disruption and governance.
For many organisations, and irrespective of whether it is in-house, outsourced or in the cloud, IT underpins the operation of most (if not all) aspects of the organisation. In such instances, any assumptions about the interplay between IT and enterprise governance need to be carefully considered in a disrupted environment.
But just believing the organisation can head off on its merry way, leaving the CIO to take care of IT governance as well as delivering on the value from investments made in IT-enabled change, should be seriously questioned.
The case of the £1.5 billion capital shortfall announced by the UK’s Co-operative Bank in June 2013, which arose from a failed attempt to replace the Banking Group’s IT platform, offers valuable insights into the role of governance, disruption, the expectations of IT and in particular, the role of the CIO.
The bank’s response was to commission an independent review by Sir Christopher Kelly entitled ‘Failings in management and governance’.
For any CIO dealing with major technology transformation, there are few lessons to take away from this:
- Such initiatives should not be treated primarily as IT projects;
- You need to ensure the responsibilities for key deliverables by executives other than the CIO are clearly and explicitly stated
- The abdication of responsibility to the CIO by the board is a warning for future potential problems.
As an IT leader, what’s your approach to steering the organisation’s strategy in optimising ‘best practice’ when faced with disruption?