The IT Governance Challenge, In Washington Or Johannesburg

A recent piece reporting on government IT security and the challenges of improving it could be taken as a domestic piece reporting on US federal government security issues. Only the ".za" country code in the URL provides the tipoff: These particular IT security problems are hitting home in South Africa.

Indeed, except for the names of specific agencies and departments, the details in the article would also be at home in federal or state IT policy struggles. At the heart of the problem, the author suggests, is failure of administrators to roll out a framework for IT governance and security.

At least another year will pass before a comprehensive framework is in place. And meanwhile, in another all-too-familiar phrase, "one good hack will expose the entire nation."

South Africa, to be sure, has some specific problems of its own. Corruption is widespread, and effective IT governance is seen as necessary to cut back on official malfeasance. And the country's State IT Agency (SITA) has suffered from persistent instability at the top: The agency has had a change of CEO every year for the past decade, even though it takes a couple of years to establish stability.

As South Africa's current experience demonstrates, the problems of building effective IT governance and IT security are global. And while governments face some unique considerations, the challenges are much the same at all organizations.

"Frameworks" sound easy – just string together a few nice buzz phrases and you will have a document that sounds for all the world like a framework. But actually putting together a framework that will work, and then implementing it, can be a long, hard uphill slog. The human tendency to push problems off on someone else is universal. So are the excuses for delays.

The only way to finish the framework-building task is to start it, then keep at it until it is done.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."