An IT Governance Institute survey of C-level executives indicates that security and compliance issues have moved to the bottom of the pile, as far as IT is concerned.
The study, which was published on Wednesday, is the result of about 700 interviews with CEOs and CIOs in 22 countries. According to their responses, staffing and ROI issues rank at the top, while IT transparency issues and outsourcing concerns are in the middle of the pack.
According to the accompanying report published by the institute, these results may be a surprising, but could “reflect the results of the recent significant efforts put into IT security projects and compliance programmes (e.g. Sarbanes-Oxley in the U.S.).”
In other words, enterprises have already expended money and effort in creating IT solutions and may be satisfied that they are addressing security and compliance concerns. Another explanation may be the group that was targeted by the survey, said Michael Cangemi, editor-in-chief of IS Control Journal and a past president of the Information Systems and Control Association.
“Those guys are more worried about the business, they’re more worried about return on investment. That’s why staffing comes up (as a top priority): they probably can’t find the people,” he said. That’s what most business leaders are concerned about; making money.”
But governance and compliance issues should be ubiquitous within any organization, said Barry Saunders, an audit associate in the Auditor General’s office in Winnipeg and chair of the Winnipeg chapter of ISACA.
“Governance is something that needs to come from the top. Somebody on the board needs to say, ‘This is the way it has to be done,’ and it has to filter all the way down to the janitor, basically,” he said.
He added that, ideally, governance should come from a specialist on the board of directors and be filtered through the CEO and down through the organization. “The board has to be the one that drives it,” he said.
The lack of knowledgeable board members was what led to the corporate meltdowns and accounting scandals of recent years, he said.
Saunders added that he wasn’t surprised security is low on the list of C-level concerns because, paradoxically, it has become such a buzzword in recent years. The main issue isn’t deploying security solutions, he said, but the need to keep staff vigilant.
“Most people are more accepting of security. They’re no longer writing their passwords and putting them on their terminals,” said Saunders. “Part of that’s an educational process. It has to part of any security program. You can have all the best controls in the world, but if people aren’t following them, the more trouble you’re going to get into.”
Cangemi said that the bottom line may be the highest priority for a CEO, but security is always part of an organization’s agenda. “If the CIO needs the money for security, he gets it now,” he said.
The ITGI report also highlighted a lack of support for outsourcing among C-level executives. Forty-five per cent of U.S. respondents said they no longer see IT outsourcing as the most beneficial resolution to IT problems.
Outsourcing as a cost-saving exercise has lost its luster in recent years, said Cangemi. “The selling point is that it reduces your total cost . . . but I think outsourcing has been oversold on the basis that it will save money in all types of functions. It doesn’t really work that way,” he said.
Removing functions like HR from the organization through outsourcing may have dipped in popularity, said Saunders, but consulting firms are still reaping the benefits from organizations that require compliance expertise. That remains one area where enterprises would prefer to rely on outside help.