IT governance is not binary. You cannot simply turn it on and magically have an effective system that keeps your business in compliance with all the regulations it's up against. The bitter realities of cost, complexity and culture make it easy for management to push back. The common belief is that what we're doing is good enough. In fact, I've heard many executives proclaim, "We can trust our employees to always do the right thing"... and "Our auditors told us we're secure, so let's leave it at that." However valid these points may be, it doesn't mean management can simply ignore the issues at hand.
A successful IT governance strategy requires strong support from management. Being average -- or a failure -- is often the result of having disconnected management. So how can you, as a compliance manager, information security director or other professional responsible for IT governance strategy, get the message across to management that this is a business reality that can no longer be avoided? Here are five techniques that can help:
1. People will only buy into your ideas once they're convinced that you're on their side. It's your job as an IT governance professional to get management buy-in for what you're proposing. You can do that without having to prove ROI and calculate hard risk numbers by a) getting involved with the business and demonstrating concern for the business's success; b) establishing credibility by building trust over time; and c) showing value and the positive results of efforts and the money being spent.
2. When selling an IT governance strategy, it helps to understand how people work. What motivates management in your business? There are two basic motivating factors that drive management to either buy into something or dismiss it as a waste of time or money: a) the desire to gain something (i.e. achieve a certain level of security and compliance); and b) the fear of losing something (i.e. losing a competitive advantage, failing an important audit, etc.). It's up to you to know what these factors are so you can position IT governance appropriately.
3. Trying to do everything by the book and push your initiatives because it's a "best practice" or "the right thing to do" won't cut it. Furthermore, many people make the mistake of not convincing management that what they're proposing is better than the alternative. However, that's what you must do if you're going to get them on your side. Be prepared to answer the questions "What's the price of the problem?" and "Why?" Focus on the pain points in the context of your business.
4. Give things time to sink in. If you get pushback, that's okay. People resist change. When you present new ideas to management, do it casually so they can mull them over. Don't force it: Psychologists say that people need about 72 hours to absorb new ideas. I've found this to be especially true when it comes to the more abstract and technical issues related to compliance and information security.
5. Most importantly, don't give up. IT governance requirements aren't going away, so you've got time. Persistence with the right message to the right people will eventually pay off. No one ever said the IT governance role was a simple one in which you can achieve enormous feats very quickly.
President Gerald Ford once said, "Nothing in life is more important than the ability to communicate effectively." This applies directly to you as an IT governance professional. Make your points clear and in terms of the business. That way, ultimately, everyone wins.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored or co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.