Saturday, August 25, 2007
Books for IT Managers
Books about IT, but not a specific technology:
* Becoming a Technical Leader: An Organic Problem-Solving Approach
* Rapid Development
* Code Complete
* The Practice of System and Network Administration
* Peopleware
* The Pragmatic Programmer
Books about Lean and the Toyota Production System
* Lean Software Development
* Lean Thinking
* Product Development for the Lean Enterprise: Why Toyota’s System Is Four Times More Productive and How You Can Implement It
Books about Human Relationships
* Crucial Conversations
* Getting to Yes
* Influence: Science and Practice
Books about organization/time management
* Getting Things Done
* Organizing from the Inside Out
Thursday, August 23, 2007
Monday, August 20, 2007
COBIT
Overview
COBIT was first released in 1996. Its mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.
COBIT has 34 high-level processes that cover 318 control objectives, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT because it provides them with a foundation upon which IT-related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT’s defined controls, security, and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company’s IT infrastructure. It also helps them corroborate their audit findings.
COBIT product family
The complete COBIT package is a set consisting of six publications:
- Executive Summary
- Framework
- Control Objectives
- Audit Guidelines
- Implementation Tool Set
- Management Guidelines
A brief overview of each of the above components is provided below.
Executive Summary
Sound business decisions are based on timely, relevant and concise information. Specifically designed for time-pressed senior executives and managers, the COBIT Executive Summary consists of an Executive Overview, which provides a thorough awareness and understanding of COBIT's key concepts and principles. Also included is a synopsis of the Framework, which provides a more detailed understanding of these concepts and principles while identifying COBIT's four domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring) and 34 IT processes.
Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused on control, less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
• Making a link to the business requirements
• Organising IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
Thus, COBIT supports IT governance (figure 2) by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT risks are managed appropriately
The COBIT products have been organised into three levels (figure 3) designed to support:
• Executive management and boards
• Business and IT management
• Governance, assurance, control and security professionals
Briefly, the COBIT products include:
• Board Briefing on IT Governance, 2nd Edition—Helps executives understand why IT governance is important, what its issues are and what their responsibility is for managing it
• Management guidelines/maturity models—Help assign responsibility, measure performance, and benchmark and address gaps in capability
• Frameworks—Organise IT governance objectives and good practices by IT domains and processes, and link them to business requirements
• Control objectives—Provide a complete set of high-level requirements to be considered by management for effective control of each IT process
• IT Governance Implementation Guide: Using COBIT® and Val IT™, 2nd Edition—Provides a generic road map for implementing IT governance using the COBIT and Val IT™ resources
• COBIT® Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition—Provides guidance on why controls are worth implementing and how to implement them
• IT Assurance Guide: Using COBIT®—Provides guidance on how COBIT can be used to support a variety of assurance activities, together with suggested testing steps for all the IT processes and control objectives
The COBIT content diagram depicted in figure 3 presents the primary audiences, their questions on IT governance and the generally applicable products that provide responses. There are also derived products for specific purposes, for domains such as security or for specific enterprises.
Framework
A successful organization is built on a solid framework of data and information. The Framework explains how IT processes deliver the information that the business needs to achieve its objectives. This delivery is controlled through 34 high-level control objectives, one for each IT process, contained in the four domains. The Framework identifies which of the seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability), as well as which IT resources (people, applications, information and infrastructure) are important for the IT processes to fully support the business process.
To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains, as shown in figure 8, are called:
• Plan and Organise (PO)—Provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services
• Deliver and Support (DS)—Receives the solutions and makes them usable for end users
• Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed
Control Objectives
The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 214 specific, detailed control objectives throughout the 34 IT processes. (The number of detailed control objectives changed between editions: the 3rd edition listed 318, the figure quoted in the overview above; 4.0 consolidated them to 214.)
Audit Guidelines
To achieve your desired goals and objectives you must constantly and consistently audit your procedures. Audit Guidelines outline and suggest actual activities to be performed corresponding to each of the 34 high-level IT control objectives, while substantiating the risk of control objectives not being met. Audit Guidelines are an invaluable tool for information systems auditors in providing management assurance and/or advice for improvement.
Implementation Tool Set
The Implementation Tool Set contains Management Awareness and IT Control Diagnostics, an Implementation Guide, FAQs, case studies from organizations currently using COBIT, and slide presentations that can be used to introduce COBIT into organizations. The Tool Set is designed to facilitate the implementation of COBIT, relate lessons learned from organizations that quickly and successfully applied COBIT in their work environments, and lead management to ask about each COBIT process: Is this domain important for our business objectives? Is it well performed? Who does it and who is accountable? Are the processes and controls formalized?
Management Guidelines
To ensure a successful enterprise, you must effectively manage the union between business processes and information systems. The new Management Guidelines are composed of Maturity Models, to help determine the stages and expectation levels of control and compare them against industry norms; Critical Success Factors, to identify the most important actions for achieving control over the IT processes; Key Goal Indicators, to define target levels of performance; and Key Performance Indicators, to measure whether an IT control process is meeting its objective. These Management Guidelines will help answer the questions of immediate concern to all those who have a stake in enterprise success.
COBIT structure
COBIT covers four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Plan and Organize
The Plan and Organize domain covers the use of information and technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high-level control objectives for the Plan and Organize domain.
HIGH LEVEL CONTROL OBJECTIVES
Plan and Organize
| PO1 | Define a Strategic IT Plan and direction |
| PO2 | Define the Information Architecture |
| PO3 | Determine Technological Direction |
| PO4 | Define the IT Processes, Organization and Relationships |
| PO5 | Manage the IT Investment |
| PO6 | Communicate Management Aims and Direction |
| PO7 | Manage IT Human Resources |
| PO8 | Ensure Compliance with External Requirements |
| PO9 | Assess and Manage IT Risks |
| PO10 | Manage Projects |
| PO11 | Manage Quality |
Acquire and Implement
The Acquire and Implement domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components. The following table lists the high-level control objectives for the Acquire and Implement domain.
HIGH LEVEL CONTROL OBJECTIVES
Acquire and Implement
| AI1 | Identify Automated Solutions |
| AI2 | Acquire and Maintain Application Software |
| AI3 | Acquire and Maintain Technology Infrastructure |
| AI4 | Enable Operation and Use |
| AI5 | Procure IT Resources |
| AI6 | Manage Changes |
| AI7 | Install and Accredit Solutions and Changes |
Deliver and Support
The Deliver and Support domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security and training. The following table lists the high-level control objectives for the Deliver and Support domain.
HIGH LEVEL CONTROL OBJECTIVES
Deliver and Support
| DS1 | Define and Manage Service Levels |
| DS2 | Manage Third-party Services |
| DS3 | Manage Performance and Capacity |
| DS4 | Ensure Continuous Service |
| DS5 | Ensure Systems Security |
| DS6 | Identify and Allocate Costs |
| DS7 | Educate and Train Users |
| DS8 | Manage Service Desk and Incidents |
| DS9 | Manage the Configuration |
| DS10 | Manage Problems |
| DS11 | Manage Data |
| DS12 | Manage the Physical Environment |
| DS13 | Manage Operations |
Monitor and Evaluate
The Monitor and Evaluate domain deals with a company’s strategy for assessing its needs and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers independent assessment, by internal and external auditors, of the effectiveness of the IT system in meeting business objectives and of the company’s control processes. The following table lists the high-level control objectives for the Monitor and Evaluate domain.
HIGH LEVEL CONTROL OBJECTIVES
Monitor and Evaluate
| ME1 | Monitor and Evaluate IT Processes |
| ME2 | Monitor and Evaluate Internal Control |
| ME3 | Ensure Regulatory Compliance |
| ME4 | Provide IT Governance |
Friday, August 17, 2007
An Introduction to IT Governance
IT governance has emerged from relative obscurity a few years ago; several factors have come together to make formal IT governance a good idea for virtually every company, both public and private. Key motivators include the need to comply with a growing list of regulations related to financial and technological accountability, and pressure from shareholders and customers. Here’s a quick primer on the basics of IT governance:
What is IT governance?
Simply put, it’s putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.
Is it something every organization needs?
Every organization—large and small, public and private—needs a way to ensure that the IT function sustains the organization’s strategies and objectives. The level of sophistication you apply to IT governance, however, may vary according to size, industry or applicable regulations. In general, the larger and more regulated the organization, the more detailed the IT governance structure should be.
What are the drivers that motivate organizations to implement IT governance infrastructures?
Organizations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. While none of these regulations requires an IT governance framework, many have found it to be an excellent way to ensure regulatory compliance. By implementing IT governance, you’ll have the internal controls you need to meet the core guidelines of many of these regulations, such as the Sarbanes-Oxley Act of 2002.
What’s the business case? That is, how can I convince top management that we need to do this?
Make sure the right people are selling the concept; if IT is selling it, you’re in trouble. It’s much more effective if a cross-functional team consisting of IT and line-of-business managers makes the case to the board of directors that effective IT management is an important part of the company’s success. The team must be able to explain that the company needs a road map—something to tell decision-makers where the company is, where it needs to be and how best to get there. And of course, talk about the benefits—greater efficiency and accountability, along with reduced risk. Be careful, however, when talking about ROI: A lot of the cost of implementing an IT governance framework can be chalked up to what management should be doing anyway. Simply put, companies have to accept the cost, but they don’t like to hear that.
What are the major focus areas that make up IT governance?
According to the IT Governance Institute, there are five areas of focus:
Strategic alignment: Linking business and IT so they work well together. Typically, the lightning rod is the planning process, and true alignment can occur only when the corporate side of the business communicates effectively with line-of-business leaders and IT leaders about costs, reporting and impacts.
Value delivery: Making sure that the IT department does what’s necessary to deliver the benefits promised at the beginning of a project or investment. The best way to get a handle on everything is by developing a process to ensure that certain functions are accelerated when the value proposition is growing, and eliminating functions when the value decreases.
Resource management: One way to manage resources more effectively is to organize your staff more efficiently—for example, by skills instead of by line of business. This allows organizations to deploy employees to various lines of business on a demand basis.
Risk management: Instituting a formal risk framework that puts some rigor around how IT measures, accepts and manages risk, as well as reporting on what IT is managing in terms of risk.
Performance measures: Putting structure around measuring business performance. One popular method involves instituting an IT Balanced Scorecard, which examines where IT makes a contribution in terms of achieving business goals, being a responsible user of resources and developing people. It uses both qualitative and quantitative measures to get those answers.
It doesn’t make sense to reinvent the wheel by starting from scratch, so don’t even try. Start with a framework; there are many to choose from, but using at least one means everything has already been organized and bulletproofed by industry experts worldwide. These frameworks even offer implementation guides. And most companies use a framework: According to a survey by PricewaterhouseCoopers in conjunction with the IT Governance Institute, 95 percent of companies use one of the major IT governance frameworks, while only a few create their own.
Here is a quick rundown on the choices:
CoBIT: This framework, from the Information Systems Audit and Control Association (ISACA), is probably the most popular. Basically, it’s a set of guidelines and supporting toolset for IT governance that is accepted worldwide. It’s used by auditors and companies as a way to integrate technology to implement controls and meet specific business objectives. The latest version, released in May 2007, is CoBIT 4.1. CoBIT is well-suited to organizations focused on risk management and mitigation.
ITIL: The Information Technology Infrastructure Library (ITIL) from the government of the United Kingdom runs a close second to CoBIT. It offers eight sets of management procedures in eight books: service delivery, service support, service management, ICT infrastructure management, software asset management, business perspective, security management and application management. ITIL is a good fit for organizations concerned about operations.
COSO: This model for evaluating internal controls is from the Committee of Sponsoring Organizations of the Treadway Commission. It includes guidelines on many functions, including human resource management, inbound and outbound logistics, external resources, information technology, risk, legal affairs, the enterprise, marketing and sales, operations, all financial functions, procurement and reporting. This is a more business-general framework that is less IT-specific than the others.
CMMI: The Capability Maturity Model Integration method, created by a group from government, industry and Carnegie-Mellon’s Software Engineering Institute, is a process improvement approach that contains 22 process areas. It is divided into appraisal, evaluation and structure. CMMI is particularly well-suited to organizations that need help with application development, lifecycle issues and improving the delivery of products throughout the lifecycle.
There are a lot of framework choices. How do I choose?
Most companies go with CoBIT or ITIL, but others can also fit the bill. For operations, try ITIL. For application development and lifecycle issues, try CMMI. For risk, use CoBIT. CoBIT is also a great umbrella framework. But combining frameworks can also make sense, says Ron Saull, an IT Governance Institute trustee. You might want to use CoBIT as an overall framework; then use ITIL for your operations, CMMI for development and ISO 17799 (renumbered ISO/IEC 27002 in 2007) for security. In fact, combining frameworks is fairly common; the PricewaterhouseCoopers study found that in 65 percent of cases, companies use CoBIT and ITIL together or with lesser-known frameworks. But most importantly, use a framework that fits your corporate culture and that your stakeholders are familiar with. If the company is already using one of these frameworks and can leverage it as its IT governance framework, all the better.
Can we do this alone, or should we get some outside help?
Sometimes it makes sense to get help, and implementing an IT governance framework is one of those times. Not only is internal expertise on IT governance hard to come by, but executives just don’t have the time. The best scenario is usually a combination of the two. Internally, someone really needs to own the process, but getting some help is essential.
What can go wrong if it’s not implemented effectively?
If the IT governance framework isn’t implemented properly, it can directly affect how IT is perceived at a high level. The last thing you want is for IT to be perceived as a cost center that doesn’t produce real value, says Marios Damianides, former international president of ISACA and the IT Governance Institute, and currently a partner for Ernst & Young. Lack of effective implementation also can cause continued issues with project overruns and poor value to cost measurements, not to mention stakeholder dissatisfaction.
What are some tips for making sure it goes smoothly and delivers positive results?
You’ve heard it all before, but here we go: Get executive buy-in. Dedicate a cross-functional team to the process, and get outside help if needed. Clearly delineate the roles and responsibilities of each department and stakeholder in clear terms. Take into account the corporate culture and adjust accordingly. Maintain continual communication during the process. Measure and monitor the progress of the implementation. And don’t consider this a “nice-to-have”—it’s a “need-to-have.”
9 Essential Competencies for Successful C-Level Executives
1. STRATEGIC ORIENTATION
Strategic Orientation is about the ability to think long-term and beyond one’s own area. It involves three key dimensions: business awareness, critical analysis and integration of information, and the ability to develop an action-oriented plan.
2. CUSTOMER IMPACT
Customer Impact is about serving and building value-added relationships with customers or clients, be they internal or external.
3. MARKET KNOWLEDGE
Market Knowledge is about understanding the market in which a business operates. This business context can include the competition, the suppliers, the customer base and the regulatory environment.
4. COMMERCIAL ORIENTATION
Commercial Orientation is about identifying and moving towards business opportunities, seizing chances to increase profit and revenue.
5. RESULTS ORIENTATION
Results Orientation is about being focused on improvement of business results.
6. CHANGE LEADERSHIP
Change Leadership is about transforming and aligning an organization through its people to drive for improvement in new and challenging directions. It is energizing a whole organization to want to change in the same direction.
7. COLLABORATION AND INFLUENCE
Collaboration and Influence are about working effectively with, and influencing those outside of, your functional area for positive impact on business performance.
8. PEOPLE AND ORGANIZATIONAL DEVELOPMENT
People and Organizational Development is about developing the long-term capabilities of others and the organization as a whole, and finding satisfaction in influencing or even transforming someone’s life or career.
9. TEAM LEADERSHIP
Team Leadership is about focusing, aligning and building effective groups both within one’s immediate organization and across functions.
From CIO to CEO
CIOs vs. CEOs
Examining the competency performance data based on interviews and 360-degree assessments of 25,000 executives in the Egon Zehnder database, we find five points:
1. Outstanding CIOs (those ranked in the top 15 percent) score highest in Results Orientation, Strategic Orientation, Change Leadership and Customer Focus.
2. Outstanding CIOs perform significantly better than average CIOs in all competencies except for People and Organizational Development, where they are equivalent.
3. People and Organizational Development scores are relatively low for all types of executives assessed, particularly CFOs.
4. Outstanding CIO scores slightly surpass good CEO scores on most competencies.
5. Outstanding CEOs —the most well-rounded strategic leaders —perform significantly better than outstanding CIOs only in Market Knowledge and External Customer Focus.
How to Improve Your Executive Quotient (EQ)
CIOs who want to devote more of their time and energy to driving business strategy and innovation should focus on developing and leveraging the three competencies most particular to the business strategist: Market Knowledge, Strategic Orientation and Commercial Orientation. (See the “Future-State CIO Model,” above, for more on how each competency maps to three aspects of the CIO role: Function Head, Transformational Leader and Business Strategist.) However, even to get a chance to be a business strategist, CIOs must be strong in foundational competencies such as Change Leadership, Collaboration and Influence, and Function Expertise. Without these, a CIO is unlikely to get a seat at the strategy table, and may in reality be a CIO only in title.