IT Governance 3.0 The Next Evolution of IT Governance Brian Ellis

Presentation transcript:

IT Governance 3.0 The Next Evolution of IT Governance Brian Ellis Terri Barnes, PgMP September 18, 2018

Agenda: Here’s what we’re covering tonight
- IT Governance Baseline
- Emerging Influences
- Evolving Trends
- Governance Drivers
- What Can You Do?

IT governance baseline: A Common Definition
“IT Governance consists of the leadership and organizational structures and processes that ensure that IT sustains and extends the organization’s strategies and objectives.” - IT Governance Institute
Two major topics:
- Demand governance: Doing the right things
- Supply-side governance: Doing things right

IT governance baseline: Demand Governance
Focused on establishing business investment decision and oversight processes:
- How should IT be used in the business?
- What are the guiding principles?
- Who will make which decisions?
- Who is accountable?
- Which investments will we make?
- What are the priorities?
- How will we track and measure benefits and success?

IT governance baseline: Supply-Side Governance
Focused on delivery, execution, and compliance:
- IT management
- Security
- IT operations
- IT controls

IT governance baseline: Multiple IT Governance Frameworks
- Calder-Moir
- COBIT
- AgilePath

Emerging influences: Driving Change in IT Governance
- Digital transformation
- Cloud computing
- BYOD: bring your own device
- The Internet of Things (IoT)

Digital transformation: Increasing Demand and Complexity for IT Governance
[Figure: Then / Now comparison]

Cloud computing: Extending the Boundaries of Governance
Growth of cloud computing often happens without a strategy:
- Business user buys Salesforce.com subscriptions
- Employee stores files on Box.com
- IT staff rents compute from Rackspace or Amazon Web Services
Having a cloud adoption strategy is key:
- Allows for safe deployment of cloud solutions
- Protects sensitive data in transit
- Enables stewardship of IT and business assets

BYOD: Bring your own device. A Sea of Infinite Variables
Benefits:
- Increased productivity and innovation: BYOD devices are typically more cutting-edge and are replaced more often
- Increased employee satisfaction: Employee choice, eliminating multiple devices
- Potential cost reduction: BYOD devices are generally self-administered and self-supported
Challenges:
- Balancing security and control with productivity and choice
- Managing data stored on devices
- End node problem

IoT: The Internet of Things. Exploding the Scale of Governance
Top Concerns for IT Professionals:
- Scale of security vulnerabilities
- Data privacy
- Identity and access management
- Attacks against connected devices
- Compliance
- Ownership of data/technology outside IT
Source: Information Systems Audit and Control Association (ISACA)

Evolving trends in IT governance: The Future of IT Governance
- Data-centric over system-centric
- Stewardship over controls
- Identity management over password management
- Safe Harbor

Data over systems: Recognizing Value of Digital Assets
THEN:
- IT assets internal to corporate infrastructures
- Controlled access to systems and applications achieved governance objectives
- Little regulatory guidance
- Data was an afterthought: not viewed as an asset; access outside applications was rare
NOW:
- Many IT assets outside corporate infrastructures: Cloud, BYOD, IoT
- Data must be protected at rest and in transit
- Increasingly stringent regulatory requirements: increases pressure on internal IT departments, but provides evaluation criteria for external providers
- Data is central to business strategy: access via API, decision support, stewardship
“Data is the new oil”

Stewardship over controls: Recognizing the Value of Digital Assets
Stewardship: Safe and Useful
- Enabling
- Protective
- Optimal use of digital assets
Controls: Safe, but Not Useful
- Limiting
- Controlling
- Little consideration of useful value

Identity over passwords: More Passwords = Less Security
Passwords are inherently insecure:
- Easy to capture or find: phishing; keystroke-capture malware; people still…write them on Post-It notes
- Rarely unique for each application
- Password expiration makes it worse
Identity is superior to passwords:
- Based on internal knowledge: Name of first pet? Father’s middle name? Make/model of first car?
- Private keys/tokens are generated every session
- Biometrics: fingerprints, face recognition

Safe Harbor: Data Stewardship Across Boundaries
USA Patriot Act:
- Mandates direct access by US government to cloud data belonging to non-Americans living outside the US—even if data is in a non-US location
- Applies to any company conducting “systematic business” in the US
- Circumvents local governmental authority
International Safe Harbor Privacy Principles (EU):
- Seven principles for protection of personal data
- Allows exchange of personal data between EU and US for certified US companies
- Declared invalid in October 2015 by European Court of Justice
- Replaced by General Data Protection Regulation (GDPR)

Drivers of IT governance: The “Why” of IT Governance
- Alignment: IT and business strategy
- Enablement: Business capabilities
- Stewardship: Data and systems
  - Personal information
  - Financial accountability
  - Sensitive corporate information: trade secrets
- Value: Ensuring IT delivers value to the organization

“The user’s going to pick dancing pigs over security every time.” Bruce Schneier, ITGI

What can you do? Getting Ready for IT Governance 3.0
Assess your current IT governance landscape:
- Doing the right things?
- Doing things the right way?
- Doing things well?
- Achieving objectives, goals, benefits?
Clarify business landscape:
- Business strategy: growth, acquisition, expansion
- Business objectives
Articulate the value of good IT governance:
- Alignment
- Enablement
- Stewardship

Thank you