The missing link in IT governance
While IT governance is garnering more attention from enterprises, a critical factor in its success - people - is still being overlooked.
This is according to Jonathan Le Roux, audit, forensic and risk specialist at CQS Technology.
Le Roux, who consults and trains businesses on risk management and governance, says without buy-in from end-users, IT governance, risk and compliance initiatives may fall flat.
"What tends to happen is that most governance interventions focus on the technology, with limited focus on the end-users who will implement the technology. Those using it from day to day get overlooked - and this is where the strategy falls short."
Le Roux says people are not necessarily 'the weakest link' in risk mitigation programmes, but they can present an open door to the company's assets. The next-generation workforce, in particular, may be vulnerable, because they have grown up with technology and social media, and may be too trusting of it, he says. They may also expect access to certain mobile and social technologies that the enterprise, in order to avoid risk, does not want them to have.
Securing buy-in and co-operation from these end-users requires a focused communication campaign and open dialogue, so that they understand the importance of the governance, risk and compliance measures, he says.
"How it is communicated to the people is the missing bit. In general, the message gets cascaded down the organisation rapidly, with no choice for users but to comply. There is no opportunity for people who will be affected by the change to participate in dialogue around the change. But where dialogue is created, it buys greater understanding and acceptance of this change," says Le Roux.
Fostering this dialogue requires more than a brief training session, he says, adding that the most effective way to grow understanding and support for any change initiative is an ongoing communication campaign, targeted at individuals, and presented in a way they can identify with. "You might choose a theme and support it with a Web site, regular e-mailed newsletters and training programmes, for example."
Le Roux will address the upcoming ITWeb IT Governance, Risk and Compliance conference.