TRANSCRIPT (ISACA presentations)
How to talk about IT Governance with your boss in the elevator?
Bruno Horta Soares
GOVaaS – Governance Advisors, as-a-Service
Before you do things right, you have to do the right things. Why good communication between business and IT areas is so important to help organizations deliver value, and how to get everyone speaking the same language using COBIT 5 related materials. Reality check and lessons learned from projects and initiatives developed to improve IT savviness at small and medium enterprises in a “small medium country” like Portugal.
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
Donald Rumsfeld
“The essence of systems theory is that a system needs to be viewed holistically – not merely as a sum of its parts – to be accurately understood.”
von Bertalanffy, L.; General System Theory: Foundations, Development, Applications
Non-linear thinking
“The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding 50 million euro, and/or an annual balance sheet total not exceeding 43 million euro.”
Source: Extract of Article 2 of the Annex of Recommendation 2003/361/EC
SMEs: Always the same old story
The Rosetta Stone
“Meeting point talk”: Frameworks provide a structure for a system
“Basement talk”: Standards are an agreed, repeatable way of doing something
“Vanilla Sky talk”: Models are a schematic description of a system
“Solutions that focus on specifics will be outdated rapidly; a principle-based approach is required.” World Economic Forum
COBIT® 5 provides a comprehensive business framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.
Adopt and adapt COBIT® 5
X “I do not know if you had the opportunity to analyze the budget regarding ISO/IEC 27001 certification… it is not urgent... but we are always afraid of an attack that will end our business”
Tip #1 There are always two sides of the story
“My security guy is 5 stars, has lots of certifications and is very concerned ... It’s a shame I don’t understand anything he says or what he does!” The boss
[Diagram: COBIT 5 goals cascade] Stakeholder drivers → influence → Stakeholder needs → cascade to → Business Goals → cascade to → IT-related Goals → cascade to → Enabler Goals. Governance objective: Benefits Realisation, Risk Optimisation, Resource Optimisation.
COBIT 5 Principle 1: Meeting Stakeholder Needs
Tip #1 There are always two sides of the story
“We know that continuity and availability are critical to our business and we are setting information, infrastructure and applications’ security as one of our critical goals. We’ll identify relevant enablers to support this goal and I would appreciate your sponsorship of our Security Program.”
Tip #1 There are always two sides of the story
X “I’m so sorry for all the inconvenience the incident caused! We are already doing an audit and we are almost sure it was an outsourcer’s responsibility. I promise it will not happen again!”
Tip #2 Remember, there are no technical problems
“Why did the system fail? Who’s responsible? I’m taking care of the business, you have to take care of the IT!” The boss
[Diagram: governance roles] Owners and Stakeholders → Governing Body → Management → Operations and Execution; downward arrows: Delegate, Set Direction, Instruct and align; upward arrows: Accountable, Monitor, Report.
COBIT 5 Principle 2: Covering the Enterprise End-to-end
Tip #2 Remember, there are no technical problems
"The analysis of the incident allowed us to conclude that a better involvement of the entire organization in IT related decisions is necessary. We would suggest the creation of an IT Steering Committee to get all areas involved and to increase our IT savviness."
Tip #2 Remember, there are no technical problems
X "We are so happy for our recent achievements. We received two awards related to ITIL and ISO 20000 certification and our KPIs are all green. We are 100% focused on providing our best support to our internal clients, that’s why those new projects are a little bit delayed!"
Tip #3 Speak the same language
“Why are we paying so much money every year to be certified and our business executives keep saying you are not answering their needs!” The boss
[Diagram: drivers for a single integrated framework] Performance, Compliance
COBIT 5 Principle 3: Applying a Single Integrated Framework
Tip #3 Speak the same language
"We just finished a service delivery continuous improvement initiative. We improved the coordination between internal and external IT areas, we reviewed business areas' needs, adjusted our SLAs to better manage all stakeholders' expectations and enforced new compliance controls."
Tip #3 Speak the same language
X "Our project management tool is getting old. We are now studying new solutions to replace it and as soon as we have the new technology we believe that our IT related projects will start to get on the road to success."
Tip #4 Show him the big picture
“A friend of mine told me about these new services in the cloud. I think it's a great opportunity to get rid of IT costs and focus on my core business.” The boss
[Diagram: COBIT 5 enablers] Principles, policies and frameworks; Processes; Organisational structures; Culture, ethics and behaviour; Information; Services, infrastructure and applications; People, skills and competencies (the last three are also Resources).
COBIT 5 Principle 4: Enabling a Holistic Approach
Tip #4 Show him the big picture
“We analysed why projects fail and we believe that only by aligning people, processes and technologies will it be possible to deliver better IT related projects. We’ll review the project management methodology, update our supporting tool, implement a new PMO and train our people!”
Tip #4 Show him the big picture
X “We have been implementing a new IT governance framework and set up all associated processes. As soon as we finish it we will send it for your approval.”
Tip #5 There are unknown unknowns
“I’m already responsible for the corporate governance, you can take care of IT governance.” The boss
[Diagram: governance vs. management] Governance: Evaluate, Direct, Monitor; Management: Plan, Build, Run, Monitor; Stakeholder needs are the input to governance, and management feedback flows back to governance.
COBIT 5 Principle 5: Separating Governance From Management
Tip #5 There are unknown unknowns
"We are designing the new IT Governance and Management framework to focus on value creation and we would like to discuss with the Board its role and how IT can contribute to benefits realization, risk and resources optimization. It would be very important to have your direction so we can better manage our IT."
Tip #5 There are unknown unknowns
Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®
• Founder and Senior Advisor at GOVaaS – Governance Advisors, as-a-Service
• Visiting professor and coordinator at ISCAC - Coimbra Business School - Coimbra, Portugal
• Visiting professor at Instituto Superior Técnico (IST) - Lisbon, Portugal
• Visiting professor at Universidade Portucalense (UPT) - Porto, Portugal
• Visiting professor and coordinator at Universidade Europeia | Laureate International Universities - Lisbon, Portugal
• Visiting professor at Unipê - Centro Universitário de João Pessoa - Paraíba, Brasil
• Visiting professor at Universidade Católica Portuguesa - Lisbon, Portugal
• Founder and President at ISACA Lisbon Chapter
• Member of ISACA Government and Regulatory Advocacy Regional Subcommittee Area 3
• IT Governance coordinator at the Portuguese Institute of Directors
• ISACA Knowledge Center Topic Leader - COBIT 5
• APMG individual accredited trainer for COBIT 5
Academic training
• 5-year degree in Management and Computer Science from ISCTE and a post-graduate degree in Project Management from ISLA Campus Lisboa.
Professional certifications
• Certified Project Management Professional (PMP) from the Project Management Institute (PMI); Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) and COBIT 5 Foundation from ISACA; ITIL® version 3 Foundation; ISO/IEC 27001 Lead Auditor; and Training for Trainers Certification (CAP). He is also an APMG individual accredited trainer for COBIT 5.
“More you know, less you no”
Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®
Founder & Senior Advisor
GOVaaS - Governance Advisors, as-a-Service
Rua do Tamisa, BL 5.02.03 D 1.ºC
Parque das Nações
1990-518 Lisboa
Mobile: +351 962 103 153
www.govaas.com