1/3 of Companies Have No IT Governance Policy — Here’s How to Start

Written by Joe Kozlowicz on Thursday, August 9th 2018 — Categories: IT Operations, Security

A new report from Deloitte found that IT spending is on the rise, with executives taking a more hands-on role in procuring or ordering investment in technology and related staff. But while 57% of execs reported spending more on technology, 33% said they have little or no formal IT governance policies.

If it seems slightly foolish to spend significantly more on technology without certifying a business purpose and implementing controls over the lifespan of that technology — well, it is. The report does come with the caveat of polling only midmarket and private organizations. We would expect more public businesses to have formal IT governance in place. But that doesn’t excuse organizations of all sizes from measuring the effectiveness of IT in meeting business and compliance goals.

Get started with an overview of IT governance and what you should include in your policy.


What is IT governance?

An IT governance policy is a formal documented process to align business goals with IT infrastructure and operations. In other words, it is a long-term method to track your IT spending and practices alongside the business initiatives they are meant to achieve.

For example, did migrating to Office 365 save you OpEx as your staff no longer has to patch, update, monitor, and maintain Exchange servers or spend as much time administering desktop applications? Did your new colocation deployment cut down on latency and improve end user experience? By switching to a compliant hosting provider, did you pass a compliance audit?

Beyond giving clues for ROI or business effectiveness measurements, IT governance also provides the base for adherence to data protection, financial accountability, and data backup/recovery requirements that are imposed across a wide array of industries.

Almost every business is subject to government-mandated data protection and compliance standards. A strong governance program includes guidelines and controls for data management, security, and more while also keeping track of investments in IT.


How should I get started with IT governance?

There are several popular governance frameworks to start from, including COBIT, ITIL, COSO, CMMI, FAIR, ISO 27001, and SOC 1 and 2. Each of them focuses on different aspects of risk management, IT service strategy, system design, change management, continual improvements, and cybersecurity. For smaller organizations, only the “essential” pieces of a governance policy are necessary, as a full-fledged program takes a significant amount of resources.

Evaluate each framework to see which fits alongside your goals for IT functionality and key performance indicators or other metrics. You should take the best pieces of each for risk and services/operations to gain a complete framework for your IT services.

Don't forget that IT governance can be a little different in the cloud.

Once you have completed the (sometimes difficult) process of implementing a governance or compliance standard — which might involve adjusting your daily practices as well as training employees or even adding new roles — you can have a third-party auditor certify your adherence.

The end goal, beyond stronger security and streamlined IT operations, is the alignment of business and IT. The growth and efficiency of your entire organization are tied to the efficacy of IT.

While it can be a bumpy transition, implementing IT governance will ultimately help your IT department justify its budget and staff by proving its worth to the business. Ignoring governance can only lead to more sprawl, inefficiencies, and security concerns. If you’re one of the 33% of businesses without a strategy, now is the time to get started.