IT governance: Best Practices for CIOs


In a time of technology evolution and increased awareness of the value of data, companies need to be proactive in relation to their IT governance frameworks, writes Cleo Becker, Hitachi Data Systems Regional Counsel, Sub-Saharan Africa, Middle East, Turkey, and Israel.

The complexity surrounding how we manage information and related technology in the workplace can seem daunting. South African companies must grapple with a wide range of legislation, regulations and international standards (such as ISO and COBIT) and be intimately familiar with the types of data they store. In addition to this, companies must constantly monitor IT investment and expenditure to ensure that they obtain the best RoI on purchased assets.

The legal landscape
The various legislation, regulations, standards and codes require corporates to manage their data and technology assets responsibly. This includes: ensuring the constant availability, integrity and security of the data; monitoring IT expenditure and value generation; and the ability to locate, securely delete or modify the data upon request. King III also recommends that the CEO appoints an individual who is responsible for IT governance (usually a Chief Information Officer (CIO)) to manage this.

The onus is therefore on the corporate information holder to organise the data so that it can be accessed, updated and deleted as necessary. This is highlighted when the information holder needs to modify or delete data that is stored in multiple storage mediums i.e. tape libraries and disaster recovery systems. Failure to do so may expose companies to large fines and reputational damage.

While South Africa awaits the enactment of the Protection of Personal Information Act, all companies should be looking at complying with already established international best practices for data protection.

Organisation is the key
With the vast stores of information now available to companies, this is no small task and requires a deep understanding of all types of data, including structured, semi-structured and unstructured data like social streams, documents, spreadsheets and PDFs. Many companies struggle to achieve this required view of their data, leaving them open to a number of risks, including non-compliance with various legislation, data leaks and missed revenue opportunities. With the right technology, companies can create a platform with full visibility of the information within their IT environment.

Information leadership
While having the right technology in place to ensure the performance and sustainability of a company is critical, it is equally important to ensure that the company’s IT strategy is fully integrated and aligned to the company’s strategic and business processes. Companies also need clear policies and procedures in place, and the will to rigorously implement these.

Eight guiding principles for CIOs

  1. Strategy: Align the IT investment strategy with the strategy of the company;
  2. Consolidate: Bring your data together while maintaining security. If you have 20 different business units, all with their own systems and processes, it is extremely difficult to manage those systems. If you can bring all of that data into a consolidated system, where those business units still have access and security restrictions on that data so only they can see it, it is a lot easier to manage;
  3. Identify: Understand what types of data your company is storing, how it’s being stored and where;
  4. Assess risk: Once you have full visibility of what types of data you have, you can assess it in the light of the applicable regulatory landscape and industry best practice. For example, tax legislation, banking and company legislation all require differing retention terms for different kinds of information. You will need to cement your understanding of these rules, through self-study or legal consultation;
  5. Create policies: Only after you understand the regulations that apply to your mix of data, can you then shape your own internal retention policies around it. This will involve bringing together business best practice with regulation requirements and your own business strategy. We recommend that you err on the side of caution where no legislation sets a definite time period for retention. This is where the leadership of the CIO really comes into play. Each business will have its own critical set of data, and the CIO is best placed to make this decision in collaboration with business leads;
  6. Access policies: Once you have retention policies in place, you can look at access to data, including who needs what access and when. Tight access policies can protect you against fraud and other leaks;
  7. Longevity: CIOs need to think about data outliving applications. If you have a requirement to store data for, say, 30 years, consider if the storage format is going to be applicable in ten years’ time. Ideally, adopt an open standard like XML, so your retained data will be “future-proof” and useful for applications not yet developed; and
  8. Value: Some people see long-term data storage as a money pit, at least in the short term. However, in better understanding your corporate information, you can create efficiencies to achieve the return on investment you are looking for. This helps the CIO create the business case for going down this information management journey. The advent of big data has shown how companies can generate value from the analysis of information by creating or unlocking new revenue streams. Having an effective IT governance framework in place, where data can be readily identified and located, improves data quality for the purposes of data analytics.

By: Cleo Becker, Regional Counsel, Emerging Markets EMEA and Israel, Hitachi Data Systems
