IT Governance: Aligning Technology to Business Goals
Many institutions have increased technology spending to enhance defenses against cyber threats and comply with evolving regulations. But the return on such expenditures is not always clear if strategies and objectives are poorly defined. Embracing IT governance allows your institution to ensure IT, compliance and cybersecurity strategies—as well as associated technology—are aligned to your goals for optimal effectiveness.
This blog answers common questions about how a risk-based approach to IT governance benefits financial institutions, including the distinct advantages of an advisory services model for IT governance.
What is IT governance?
Gartner defines IT governance as “processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” IT governance serves as the foundation on which IT systems should function and includes management of the risk surrounding these systems from a regulatory and business perspective. In short, the primary outcomes of adopting IT governance include mitigating IT- and cybersecurity-related risk and ensuring technology investments support an organization’s goals.
Why does an organization need IT governance?
Many banks and credit unions strictly approach IT and cybersecurity issues as technical problems, increasing their spending year-over-year on security programs and technology. For financial institutions that view these issues through a technical lens, the solution often involves buying more technology.
According to research from Celent, spending among institutions is growing globally, with banks allocating significant sums toward meeting compliance requirements, strengthening IT security and investing in new technology. The intended results of such spending include increased security, compliance and growth. But budgetary investments alone do not always generate those outcomes.
IT and cybersecurity are business problems—not just technical issues—and should align with an institution’s goals in order to achieve greater effectiveness. As an integral component of a holistic approach to IT, security and compliance, IT governance ensures that an institution’s technology and business objectives support its larger strategies.
Why take a risk-based approach to IT governance?
As institutions struggle to determine how much to invest in cybersecurity protection, shifting to a more financially and business-driven approach becomes critical to better manage risk and resources.
An institution’s cybersecurity investment should depend on its individual objectives, risk assessment and risk appetite—or a representation of how much risk an institution is willing to accept. For this approach to be meaningful, it must include a measurable scale for risk and an underlying governance process that enables decision-making around risk. As referenced in the AIO Booklet, IT governance is critical to an institution’s success, and a lack of governance negatively affects cybersecurity readiness and contributes to an inefficient use of resources.
To create a business context around IT and cybersecurity, an institution must first understand how cybersecurity risk relates to its business model. Every institution has a risk appetite and a risk tolerance, which heavily affect the institution’s budget and desired business objectives.
Each area of the business has specific risk factors and underlying supporting technologies with associated risks. Failure to view cybersecurity in the broader context of business impact creates a disconnect within the risk assessment and impairs the ability to determine how possible threats play into the institution’s overall strategy and risk appetite.
How does IT governance strengthen an institution’s cybersecurity posture?
Leveraging IT governance minimizes the risk of complex and burdensome security layers. While institutions should implement layers of security, taking a holistic view and reviewing an institution’s security posture through the lens of IT governance ensures security layers are well designed and do not create friction in business processes.
A risk-based approach to IT governance also mitigates an institution’s risk of falling into a false sense of security. Some institutions implement security controls or complete a risk assessment and feel they have put in enough effort to remain secure. But in today’s evolving threat landscape, a risk-based approach to cybersecurity is critical, as it establishes an ongoing process with minimal room for complacency.
How does IT governance help institutions navigate the regulatory landscape?
Since compliance is commonly viewed as a checklist item, some institutions implement security controls just to check each box. It’s important to remember that compliance doesn’t necessarily equate to security or promoting business objectives. A strategic, risk-based approach to compliance is critical to ensure an institution is set up for success.
And while compliance is critical for every institution, specific tactics to achieve compliance will differ based on institutional factors, such as budget and risk appetite. Institutions have varying budgets and amounts of capital at their disposal, which can dictate compliance initiatives. Most regulations can be addressed using more than one methodology or control, prompting regulators to shift from a checklist approach to a true risk management approach.
Although regulatory compliance guidance provides a framework and model for governance, allowing this guidance to drive cybersecurity decisions will generally lead to gaps in coverage and a misallocation of resources. To develop an effective compliance program, keep your institution’s available resources, risk appetite and strategic goals in mind.
What are the benefits of an advisory services model for IT governance?
Advisory services are utilized across various industries and entail an industry expert working with an organization to provide recommendations surrounding IT governance. Working with a seasoned provider affords an institution access to a team of professionals with diversified backgrounds and perspectives—without committing internal resources like the time and effort to recruit and retain technical staff or the salary and benefits package for an in-house CISO or CIO.
An advisory services partner regularly works with institutions of all sizes and in different markets, keeping them on top of industry trends and increasing their knowledge of regulators’ expectations. With advisory services, institutions have access to experienced individuals who will conduct board training sessions and raise IT and cybersecurity awareness among senior leaders.
Further, IT governance consultants in the financial services industry regularly read and analyze FFIEC guidance and revise guidance libraries and other policy templates to help institutions meet regulatory and business needs. The right advisory partner for IT governance will understand how technology, cybersecurity and financial services intersect, guiding an institution to achieve its specific business objectives.
Want to learn more about IT governance?
Since financial services operate on the rails of IT, institutions must consider technology in their planning. By adopting IT governance, an institution will ensure its IT, cybersecurity and compliance strategies align with current technology and business objectives. Visit our website to learn more about optimizing your IT and security strategies and planning for future needs.
Steven Ward leads the Strategic Business Consulting Team for CSI Advisory Services. In his role, he sees and analyzes the alignment of IT with business strategy and security needs for financial institutions across the nation. An experienced financial services executive, Steven brings his expertise to CSI clients and regularly speaks on information security, cybersecurity, IT and IT audit and business and IT strategy topics.