Fine-tuning the complexities of IT governance

Saurabh-Kumar, CEO, In2IT Technologies.
Saurabh-Kumar, CEO, In2IT Technologies.

When it comes to governance, risk and compliance (GRC), it seems the world is constantly playing catch-up.

According to Forrester's report, 'GRC Vision 2017-2011: Customers Demands Escalate as Regulators Falter', regulators are unable to catch up with the speed of technology and adoption, while the hyperadoption of new technologies and business models is putting customers at risk.

Although many organisations have been paying attention to the GRC requirements and vendors have been touting their GRC-focused wares, the reality is that it is nowhere near ready.

Regardless of the investments into enterprise risk management, compliance and ethics, cybersecurity, health and safety, third-party risk et al, organisations aren't in a position to deal with the governance impact of digital disruption today, much less in the next five to ten years. GRC is the proverbial thorn in the elephant's foot, and it's going to take more than a mouse to get it out.

IT governance has to speed up and catch up. Regulators need the right tools, time and funding. Rules require relevance, and organisations need to mitigate risk. The Forrester report highlighted three trends that are influencing governance: regulators falling out of the race, customer pressure improving corporate behaviour, and the rising value of intangible assets causing risk to rocket.

These trends are influencing governance uptake and adoption, with some pretending it isn't there, others battling to find a way through the minefield without substantial investment, and many moving in a vaguely appropriate direction while missing some of the boxes that need to be ticked.

The reality is, however, that in spite of regulatory failings and a lack of oversight, organisations can't afford to ignore the GRC investment. Not anymore.

Perhaps in the past, some companies would have been able to veer past GRC compliance. Lack of insight and transparency would have gone unnoticed. The reality today is different. Any digital footprint can be tracked and inevitably bad practice and poor behaviour tend to rise to the surface with the potential to destroy a brand. Disagree? KPMG and McKinsey are living proof of a slowly dying reputation.

The advice from Forrester is simple - 'GRC efforts have to be more strategic, guiding how the entire organisation operates.'

Saurabh Kumar, CEO, In2IT Technologies agrees with this. "Organisations need to make sure they implement processes and policies to properly monitor and measure IT governance within the business".

This is particularly relevant in light of the cybersecurity threat and the cascade of crime that's unrelentingly determined and incredibly inventive. The PwC 2018 Global Economic crime and Fraud Survey found that technology has so embedded itself into every process across the business that there's the risk that the criminal uses the company's own technology against it. Digital opens up tasty new attack vectors, and companies aren't on track when it comes to protection and preparation.

Any digital footprint can be tracked and inevitably bad practice and poor behaviour tend to rise to the surface with the potential to destroy a brand.

In South Africa, King IV provides IT governance regulations that outline the risk of non-compliance. It isn't a smack on the wrist; it's designed to give the organisation the tools it needs to ensure that data is kept confidential and secure. It's also what every organisation should already be doing as they prepare for the regulatory requirements outlined in the Protection of Personal Information (PoPI) Act. In addition to mitigating brand damage, governance also potentially provides the organisation with increased visibility, reduced risk, and improved operational capabilities.

What it doesn't do is lower the price tag. Yes, a security breach is incredibly expensive and reputational damage is costly to repair, but implementing the tools, technology and systems that are required for seamless governance, and that are capable of keeping up with the times, isn't cheap.

Cost is a challenge, but perhaps not as much as the potential collapse of the entire organisation. The findings of the Forrester research, 'Cultivate Culture for Sustained GRC Performance' sum it up neatly: "In post-mortem reviews of recent history's biggest corporate failures, experts have largely blamed deficient GRC cultures."

In the end, governance isn't a choice. What you do to embed it and ensure it's relevant, is.

IT governance in SA today: three questions

Brainstorm: What are some of the most important boxes to check when it comes to IT governance?

Hannes van der Merwe, product manager at Itec SA: Local compliance laws such as FICA, FAIS, SOX, PCI, NCA, PoPI and CPA requirements implies that IT needs to steer and govern its business with the appropriate technology solutions that enforce IT governance, without the processes deterring good business efficiency and productivity.

Derek Weeks, vice president, Sonatype: To ensure compliance, appropriate safeguards must be initiated across the entire software lifecycle. By embracing DevSecOps principles, governance and compliance 'guardrails' are embedded early and throughout the software development lifecycle. This means that the app economy can continue to grow within regulated environments, with the proper management and in a secure, compliant, yet competitive manner.

Brainstorm: Should RegTech - the tools, processes and technologies designed to support the organisation's compliance with IT governance challenges - be incorporated as part of best practice and are they of value?

Simeon Tassev, MD and QSA, Galix: RegTech allows the company to log data, analyse and assist with audits, thereby enabling quick incident management, response and security monitoring. Organisations should definitely incorporate RegTech as part of their best practices and it should also be in line with all security maturity models. Companies need to be able to measure the processes, procedures and policies they have in place.

Neil Patrick, director, GRC & Security CoE EMEA South, SAP: Thomson Reuters tracks regulatory change, and changes a bank has to deal with every day has increased from ten in 2004 to 185 in a day - that is one every 12 minutes. The legal team in any organisation has to have a way of managing this external onslaught. These tools are of value, and in my opinion, should be incorporated as best practices for these reasons. Regulatory compliance is something you have to do, so you may as well do it well and reduce the cost.

Muggie van Staden, MD, Obsidian Systems: RegTech has risen out of obscurity because of the new regulations. Simple in concept, but more complex in execution, this technology will rely heavily on your skills, your big data platforms and AI integration to provide real-time information to prevent anti-fraud measures. There is still a lot of work to be done in this area and we should be watching this trend closely.

Brainstorm: How does King IV impact on IT governance now that it has been introduced and what should the organisation be doing to address this?

Vernon Fryer, head of NEC XON's Cyber Defence Operations Centre: King IV is particularly effective and important right now with regulations such as GDPR in Europe and PoPI here at home, since applying the IT governance framework as proposed in King IV ensures you comply with those regulations too and can demonstrate compliance. King IV is not mandatory. But it demonstrates that organisations conduct themselves ethically. It governs how people behave and it governs how people spend budgets on IT infrastructure to align it with business strategies.

Hannes van der Merwe, product manager, Itec SA:Businesses need to define their risk tolerance profile and aligned contingency plans. The strategy starts with what level of risk the business can afford vs cost of measures needed to mitigate the risk and resilience. The correct approach to risk is essential to ethical governance and aligning with the principles set out in the King IV Report in any business vertical, especially IT.

Cryptocurrency speaking

There's governance and then there's governance around cryptocurrencies, a realm that's hard to pin down, define and regulate.

Cryptocurrencies are elusive and mercurial. They're the dark and strangely fascinating crowd that stand in the corner of the room, attracting attention from the bold, but worrying the wary. The landscape of crypto and ICO and currency has undergone plenty of change and equally ignited plenty of concern. Some governments want to regulate it, some have banned it, others are letting it play out to see what will happen. In South Africa, SARS has already started sharpening its teeth, asking citizens to pay tax on their cryptocurrency earnings, while experts are suggesting that regulation would be a good step to protect both citizen and government pocket. The question is, how does crypto impact on IT governance? And should the business even care?

"The challenge with IT governance and cryptocurrencies lies in the fact that accountability for exchanging money for services isn't there yet," says Simeon Tassey, MD and Qualified Security Assessor, Galix. "Companies are accepting payment of cryptocurrencies, but there is no transparency because the payment itself is completely anonymous. Businesses need to know who they are paying for a service and ensure that this is auditable and accountable."

For Tassey, it is imperative that the organisation implement strict rules and processes when it comes to accepting cryptocurrency, and when it comes to ensuring that employees don't use company property to mine cryptocurrencies. Therein lies another minefield for the organisation - watch out for the entrepreneurial employee who doesn't mind racking up business time on the crypto mine. This may sound a dramatic imagining, but already employees have been caught using company servers to mine for Bitcoin. In the United States, a City employee for the Department of Education was fined $611 for using a work computed to mine Bitcoin, and in Australia, a staff member of the Australian Broadcasting Corporation was helping themselves to free server time. In fact, the list of companies catching people in the act in just 2018 includes the Bureau of Meteorology, ABC, Department of Education (NY) and the Federal Reserve System. This isn't a one-time deal, but a genuine concern.

"Cryptocurrencies are new and exciting, but frightening at the same time," says Neil Patrick, director, GRC & Security, CoE EMEA South Africa, SAP. "The exchange rate is unstable, so this is a red flag risk, and there is the reputational impact as the cryptocurrencies are associated with organised crime and money laundering. That said, the inner workings of transfers of cryptocurrencies are by all accounts secure, reliable, repeatable and generally stable. They are also independent of banking institutions, which is both liberating and cheaper."

Battle for stability

Cryptocurrencies have already started to form part of how some organisations conduct business digitally. It's inevitable. Some retail platforms already offer the shopper the option to pay in Bitcoin or Ethereum, two of the most well-known cryptocurrencies on the market. What's interesting is that some of these retail platforms are based in South Africa. That said, the amount of physical hardware required to maintain the blockchain technology to provide Bitcoin resilience, for example, is significant and, if centralised, will likely limit throughput. Patrick recommends that organisations start an exploratory project on cryptocurrencies to fully understand the technology, the risks, and the probable benefits.

"The popular rise of cryptocurrencies is slightly newer than the release of the latest King Report, so there's no specific inclusion for them," says Vernon Fryer, head of NEC XON's Cyber Defence Operations Centre. "However, while cryptocurrencies still form part of how some organisations conduct business digitally, not many have investigated it in any depth. But the purpose of IT governance is to ensure that technologies are, or IT is, aligned with business strategies, so if an organisation has a cryptocurrency capability, they would still follow the IT governance framework, but obviously dealing with a different type of service. Cryptocurrency would, therefore, fall under normal online banking at this stage."

Regardless of the methodology chosen to govern cryptocurrencies or the routes taken to secure the business position towards them, there has to be some movement from the organisation. Every business is vulnerable to abuse, to the risk and is equally capable of taking advantage of the potential. What that potential is or what that risk may be has yet to play out as governments and cryptocurrencies continue to battle for stability.

This article was first published in the July 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.

See also