10 hours 8 minutes
Welcome back to our CGEIT course, Certified in the Governance of Enterprise IT. I'm Kelley Handerhan, and I am your instructor for this weekend. Every single week, it's you and me.

So I want to welcome you back. And if there's anybody that's in the course new for the first time, of course, welcome, and thank you for joining us. We've been covering information on enterprise IT, and enterprise IT governance specifically, and really talking about the roles of what the chief officers involved in IT do, the chief information officer, and what governance really is within an enterprise IT environment. And we spent a lot of time talking about the necessity of governance, the benefit of governance, what governance is and what it does for us.

And, you know, one of the terms that we keep coming back to is value delivery: making sure that for every investment we make, we're delivering value to the organization. We're going to build on that today as well. Now, where we left off in our last class was on project management.
But this isn't a project management course, and it certainly is not. There are elements of project management that are necessary within the enterprise, right? As we move on and we look at undertaking expenditures and making investments, many of these expenditures must be managed as a project. And the more skillful I am at project management, the better able I am to deliver value. And when we talk about managing projects, we're talking about coming in on time. We're talking about coming in on budget, within the schedule, but then also being able to demonstrate that. You know, I think if you asked 100 people what IT does, I think 50% of them will not give you an accurate answer, right? I mean, "I know they're important. They do stuff with computers." But what does that really involve? Most people don't understand it. So our job to do, as far as governance is, is to be the cheerleader of the information technology team. And we're here to help users, help managers, help all the entities within our enterprise understand what IT is, what we do, and what the significance of our function is.

Many times we deliver value without necessarily anybody knowing it. I mean, I deliver value every day that we don't have an information security compromise, right? I mean, that's delivering value for the organization. Unfortunately, nobody comes in my office and claps and says, "Way to go, another day without a breach." That's just not been my experience. But you can bet when there is a breach, somebody's coming in my office, right? So what we need is somebody that can vocalize, but also somebody that can quantify and explain the value of IT. And that's certainly where we're headed with this course and with our role in IT governance.
All right. So we left off and we were talking about project management, and I've already said we know that many things have to happen and be managed as a project to pull them off successfully. So we looked at the various stages of project management, and Laura had mentioned, or it's either Laura or Lance, but one of you guys had mentioned that, yeah, we're looking at doing this in the traditional waterfall environment. And that's one of the things that we just continue to see with certification exams: we continue to see an emphasis on the waterfall method, which has been the way traditionally for years and years and years.

But as we move to more and more types of software development, and particularly projects where the requirements are changing frequently, yeah, we do see more agile, right? And that's really what we look to and what we see in the industry: we see more agile, and sometimes it takes certification tests a while to catch up. Sometimes it's just a matter of knowing that agile isn't for everyone, and that we continue on with the methodology that, for instance, PMI has done for years. You know, the other thing is that PMI provides us a framework that has specifically been designed to operate well within other frameworks. So, for instance, the Project Management Institute's framework for project management goes very well with COBIT. It goes very well with ISO 27001. It goes very well with the cloud capabilities matrix controls. So when you have these frameworks that are tried and true, they've been around for a long time, and they go hand in hand with the elements that are already in place, they tend to stick around for a while. And if you've worked with agile, you know, with agile you get a little bit more away from separation of duties. You tend to have more of a collaborative environment, which is great for exchange of ideas, but it's not necessarily great for security. Frequently changing requirements, you know, that's not an ideal environment when your environment is frequently changing, right? I mean, I know that's a little bit redundant, but what I'm trying to stress is that agile certainly has its benefits, but it's not the only style of project management. And so I feel kind of like Mark Twain, where, for the waterfall method, the news of my death has been exaggerated. And I think that's probably true. I think that really waterfall is not dead, and I do see organizations that have used agile coming back to waterfall.
All right, so there's my justification for using waterfall. That's my story and I'm sticking to it. And by the way, let me just mention, not everybody's familiar, I'm assuming, with the waterfall method, and I'll just mention that the waterfall method is a very traditional means for software development projects, and really project management of any type. And the reason it's called the waterfall method is that it's very step-oriented. Here's step one. You work on step one, you complete step one, you move to step two, you complete step two, you move to step three. So it's very much step-oriented. There's not a lot of back and forth, and the idea is, down here, if you get a change in requirements, you have to go all the way back up to the beginning and begin again. So it's not a very flexible environment. You also have to think about the time: when you define your requirements at the beginning, if you have lots of phases, by the time you finish that project you're going to be pretty far removed from your requirements. So whether or not you're going to be able to really perform well in that type of environment is going to be driven by the type of project you're in. All right.

So we talked about project management and went through the phases. We talked about what a project is, absolutely. We talked about the reason we undertake projects. We looked at the role of the project manager, yes, yes, yes. But really I just wanted to go back and review the phases of project management, because we had initiation, where we authorize the project. We plan, where we get our baselines. We execute, where we do the work of the project and make our deliverables. And we do monitoring and controlling, where we look at planned versus actual. And then, excuse me, and then we bring the project to an orderly close. All right, hopefully with accepted deliverables and a happy customer, and we're on our way. May not always be the case, but that's certainly what we're shooting for.
You have to forgive me just a minute. I'm conducting some mixology here. I am a Southern girl, so I am an iced tea drinker, and if I don't have iced tea made, I make my own. So I brew my tea and put my sweetener in, my lemon, all together. And now I have a concoction. I promise you, that's all I'm mixing here. Just wanted to address that in case anybody in the room wants to suggest it's anything but pure iced tea.
All right, so great. We are ready to pick up and move along. We've talked about project management. I do remember one thing from last week, or last class, about the question about portfolio management, and I told you the answer and it was the correct answer, but I wanted to double-check it, just to be sure. So the primary portfolio management activity is governance of projects. Remember, we said portfolios are made up of projects and programs. So when you're working in portfolio management, you're governing your projects and your programs, right? They really all come together to make up your organizational portfolio. So that's important. And I just wanted to make sure that anybody that was following along at home got the correct answer.
Excuse me. And we are moving on, then, to Chapter 3, and we're covering the information that we need to be covering at a good pace. So I think we're doing a great job. And I hope you guys, you know, any time I'm on schedule, I'm concerned. Any time I'm on schedule or ahead of schedule, I always want to make sure that students in the class are getting a chance to ask questions, or make sure that I'm going at an okay pace and that we're not leaving anybody behind. And it's kind of hard for me to tell when I'm just staring into a computer. Normally, when I teach a class and the entire class is kind of looking at me like that, I know I've gone too quickly over a topic. But I'm going to count on you guys to stop me through the chat room. I've got an eye on chat as well as all sorts of other things here in the studio. So I will be aware of the fact if you have questions. If I don't get to it right away, hold tight, because I'll wait for, you know, a logical break.

Okay? I feel like we've already had class. I've said a mouthful already. We are ready, though, to begin with Chapter 3, and Chapter 3 again goes back to what we've been talking about: realizing the benefits of what we do in IT. And again, this is the part of IT governance that really lets folks know what our value is to the organization. So we'll talk about value governance. We'll talk about investment management, making sure we make wise investments, making sure that we can get a good return on investment, and that we examine how we invest. We'll look at portfolio management, which I just talked about a second ago, managing your projects and your programs together. The business case. And then, of course, we'll review with sample questions like we always do.

I am finding myself catching a three p.m. set of yawns here. So I'm going to get a little coffee and we'll get rolling.
All right. So when we look at benefits realization, as far as the exam goes, we want to make sure that all of our IT-enabled investments, so those investments that we're making on behalf of IT, are managed and that they're optimized, right? We want to make sure that we're getting the maximum value for our money. And those are the things that speak to chief financial officers and chief executive officers: are our investments paying off? And we've already said security doesn't necessarily profit us, and IT doesn't necessarily look to profit us. It's not that I go out and spend $20,000 on PCs and all of a sudden, you know, the next day I have $60,000 sitting around in my pocket. But we know that we have to look for increases in production. We have to look at new value that we can deliver to our customers. We have to think about security. A lack of loss, in many instances, can be as good as a profit. So ultimately what we want to do is make sure that we're maximizing, and that we have tangible performance measurements that are evaluated on a regular basis to make sure that we're on track. We're not just finding out afterwards that it worked or it didn't, and we're taking that progress and communicating the progress we're making to people. So this is really kind of what it's about, right? It's about making sure that we're delivering value and making sure that that value is recognized, simply because if we are continuing to bring value, then all of a sudden we're seen as more than a necessary evil. And I don't know if you guys have ever worked in an organization... we're hearing that a lot less, but, you know, I've heard on multiple occasions that IT, or more specifically information security, is a necessary evil. And the reason for that is, many times, the security team is seen as locking things down, making things difficult, security for the sake of security. And although that's rarely true, it's still the perception of our users. And until the users change their perception, and until the users are able to see the benefit in IT and in the technology that we bring to the organization, then we're going to continue to have resistance.
All right, so 16% of the exam revolves around benefits realization. All right, so: fulfill our responsibilities. Delivering value, absolutely. Making sure that we meet our commitments, sure. Measurable business value, individually and collectively: so for each IT investment I'm able to demonstrate value, but also IT as a whole. Okay. Also, you know, see if this sounds like project management to you: the required capabilities, the requirements, are delivered on time, on schedule, within budget, within cost, and IT and other assets continue to contribute to the business value. So when we do undertake an IT endeavor, project management, and good project management specifically, is what's going to keep us focused. It's going to make sure that we perform the work, and only the work, that's necessary to meet the needs of the project. So that's where we're headed in this chapter.
All right. Like we said, we always get task statements, and the idea behind the task statements is that these are the things that a CGEIT would be expected to do out in the field. Okay. So: maintain and manage IT investments throughout the economic life cycle. So the idea there is from cradle to grave, and we know some resources or some investments have a very high up-front cost, you know, where we look at capital expenditures, or they may have a high total cost of ownership, as we're paying continuously. So, you know, some of the things we'll talk about, as we talk about moving from capital expenditures to operational expenditures, that's one of the drivers for the cloud today: I don't have to invest all this money up front. So does that mean the cloud saves us money? Not necessarily. And many organizations are finding that they're actually spending more through cloud services than they are hosting their in-house data and their in-house resources. But the deal is, it's a lot easier to pay operational expenses in chunks than it is to make that capital investment.

You know, I recently bought a new car. It was new to me. It's not a new car, but, you know, I went there, and the car that I wanted was 20 grand, something like that, and whether I had the money in the bank or not, I'm not pulling 20 grand out of my account and setting it on the table. That is painful. There was $20,000 there, poof, now it's gone. And I understand, you know, that that $20,000 is going to be paid one way or another. It just feels so much better when it's just 400 bucks at a time. You know what I mean? So in many instances, operational expenditure is what we choose. You know, not to mention the fact that if I take $20,000 out of my account now, I may not be able to meet my other expenses. So we pay for things in chunks. So we have to decide, you know, if our investments are really saving us money, not just up front, but over the long haul.
We need to also look at establishing business ownership and accountability. I'll tell you, when you want to start seeing things happen, when you really want to see success, hold people accountable. And, you know, I teach a lot of information security, and one of the things that I talk about is how many organizations I go into that don't enforce policy. You know, they've got a policy that you have to swipe into the building, but I walk in and I see half the people that are there aren't swiping in, because the policy isn't being enforced. And if you want to see people start following policy, start enforcing that policy. People will follow it. So when you establish accountability, people take things more seriously. You've probably heard that phrase, "I've got a little skin in the game," right? Which means I have something at stake. I'm accountable. So making sure that we have accountability for the investments. Make sure that before we implement, we have expected objectives, and we have a plan for measuring those objectives, right? What type of measurements will we conduct? How frequently will we measure? What are our expectations? What is our process if we're not meeting our expectations? What do we do?

All right. Then we look at establishing outcome and performance measures to assess and report on. Yes, absolutely. We have to also determine what type of report, what the contents of the report are, what the format of the report is. So we have to address reporting as well. And then, last but not least, make sure that we have prioritization. We want to make sure that we prioritize so that we know where to spend our money when we have a limited budget, which we always do. Then we have to make the most of it, and there are various ways that we can do that. But usually it's going to involve feedback from the other owners of business units. It's going to be about the business when we determine, you know, what our priorities should be, because always we remember that our customer is the business as a whole, and they're the ones that make
All right, so, lack of benefits realization. And this is one of the things that I was talking about earlier, the fact that a lot of people don't understand the value of IT. So a Gartner survey found that 20% of all IT expenditures are wasted. Wasted: 20% of all money spent on IT is wasted, a total annual value of $600 billion. Holy smokes, that's a lot. Can you imagine if, within your organization, 20% of investments were just outright failures, they were wastes? Well, that's what we're saying here with the slide, right? And what that comes from is no accountability, no management, no monitoring and controlling, no research up front, poorly defined requirements, right? I mean, there's a real problem here, and there's a real lack of tracking this information and accountability. All right. Also, an IBM survey of Fortune 1000 companies: on average, chief information officers believe 40% of all IT spending brought no return to their organizations.

What's going on? What's wrong here? Well, you know, when we look at this, and all of a sudden we're seeing organizations saying we need to take our resources and go to the cloud, and what's happening is, yeah, a lot of IT people are losing jobs because we're not in the data centers, you know, in the companies anymore. The data centers are in the cloud. Well, part of the reason for that is we're not justifying our benefits, and we're not earning our benefits. We're not earning our keep, so to speak. And I know a lot of times that's beyond... well, it is beyond the technical department. But this is where our chief information officers, this is where our senior executives, really have to be taken to task. I mean, when CIOs themselves say, yeah, you know, about 40% of what we do is meaningless, that's a horrible, horrible statistic, and we've got to move towards change.

So absolutely, you know, these are real problems. Just one other: this is from the Standish Group. Only 35% of all IT projects succeeded, while 65% were either challenged, meaning they were not a clear success, or they failed. Something's clearly going wrong. Now, there are a lot of different answers, and I'm sure there's plenty of blame to spread around. There's always plenty of blame to spread around. But the bottom line is we need greater accountability from our information technology organization as a whole, our team, starting at the very top with our CIO, all the way down to our techs out in the field. We need to be very mindful of the expenditures that we take on. We need to be very process-driven, and we need to shift towards more of a value-based delivery model, because we're clearly not there, looking at the stats we've been looking at.
All right. So what is this value delivery we speak of? Well, you know what, in the context of governance: minimizing losses and being able to prove the value. It's one thing to say we're valuable. Show me the bottom line. Show me profits and losses. Show me return on investment. Show me the facts. Show me empirical data. So with that value delivery, that's what our focus is going to be.

So, value delivery. Well, what is going to be value, then? How are we going to define value? Well, ISACA defines value as the relative worth or importance of an investment. Okay, relatively speaking, what is it worth? How important is it to us as a whole? But here's what's interesting: as perceived by key stakeholders. So there we go back to the idea of perception is reality, right? If I perceive there's value, there is value. Really. I mean, think about money. All money is: if you look at a dollar bill, it's just a piece of paper that's green and white with a picture of a president on it. What makes that valuable? We perceive that it's valuable, right? So when we look at value, perception is reality. As perceived by whom? Key stakeholders. Well, who are key stakeholders? Well, board of directors, our stockholders, our employees, right? We have a lot of folks, our customers, that have a stake in the success or failure of our business. And we want to make sure that this value is expressed as total life cycle, not just up front. We want to be able to show that this continues to bring value to the organization. We want to make sure that we address risks, particularly in relation to value. Absolutely. Excuse me. And we want to make sure that we take into consideration the value of money over time. We talked a little bit about NPV and how NPV takes into account inflation and interest, and how, you know, what a dollar's worth today is not what a dollar is going to be worth in ten years or five years. So all of that's going to be part of this section.
Now, COBIT, and one of the key factors that COBIT focuses on: value creation. Value creation, the main governance objective. So if we go to ISACA, who of course is behind COBIT, and say, what is the main purpose of governance? Value creation. Value creation. Why are any of us doing what we do? Why do you go to work? For those of you that have ever started your own company, or, you know, even in your job, why are you in your job? We're in our job because we offer something to the organization. And when we stop offering something to the organization, we're no longer creating value, and we'll likely be replaced. So it's all about creation of value. Now, this creation of value, meaning profit, doesn't mean money. Of course not. It can. Money is certainly one of the first things we think about with value. But also, you know, we think about things like community goodwill, customer recognition, what's the phrase, customer confidence. We think about our reputation in the industry. Certainly that's value also. Okay. So, achieved with three underlying objectives: value, risk optimization, and then resource optimization. So with risk, of course, we want to minimize negative risks, maximize our opportunities, and with resource optimization, make the most of our people and of our material resources and operate efficiently.

All right. So, like I said, we've talked about value, value creation. Benefits realization, again, another objective of governance: new benefits for the enterprise, maintenance and extension of the benefits that are there. So benefits that are already happening, we continue, and eliminating those things that are wasteful, right? If it's not creating value or benefits for the organization, we stop dumping money into it.
Let us go ahead and pick up with value governance. So value governance practices: what we do as we govern enterprise IT, and making sure that our focus is on value delivery. And I know that just sounds like a given to me. Of course we want to deliver value. Of course that's our focus. But so often you can't see the forest for the trees. So often we're tied up in the day-to-day operational activities of an organization that we forget to step back and think about our longer-term goals. We forget to step back and see what we're doing in terms of the business. And I've seen many projects get way off track, caught up in the details and losing, you know, losing the requirements for individual units of work. And it's very easy to lose sight. Our eye on the prize is value to the organization. We're all better suited when the organization is operating out of a state of value.

Make sure that our value management practices are embedded. So when we talk about embedded, that's certainly not just in IT, right? We talk about value governance. That doesn't say value IT governance, though that will be our focus as we move forward. But as an organization, we incorporate value. Now, how does that happen? You know, what is necessary to take our current mindset and to translate that mindset into, you know, a new focus on value? You know, and I see this all the time: how do I change my organization from an organization that's been lax with security in the past to one that's now very security conscious? And I'm curious what you guys think about this. How do I change the focus of our organization? How do I wake us up out of the slumber we've been in and have us all working towards value delivery in all that we do? Or, when we look at it in terms of security, how do I take an environment that's lax with security and, all of a sudden, change it so that we're security-minded as an organization? How would I go about doing that? The way we make those changes is they have to come from the top. They absolutely have to come from the top. Changes are top-down, they're not bottom-up. So as a technician, if I have a very strong focus on security and I get it, I understand the threats and the vulnerabilities that we're subjected to every day, and I want to change the way we do things in the organization, I can't do it myself. However, if I'm a senior officer within the organization, or, many of you may have seen this, if you have a change like, for instance, if your CISO leaves and you get a new CISO, you will see very quickly changes, or a philosophy shift, within the organization, because when senior management has a shift in philosophy, it trickles down pretty fast, pretty quickly. So if we want this focus on value delivery, it has to come from the top. This is an element of enterprise governance. So we have to start with our people, and, you know, upon hiring, we make sure that we understand and we communicate the focus of our organization. It starts from day one, and we train our people for quality, and we hold our folks accountable for quality and value delivery. But this isn't something that's just going to catch on like wildfire, and Lance, that's exactly right: we've got to hold people accountable.

And I'm not one of those people that comes in and does a hatchet job and fires everybody. And when I say accountability, that's not even what I'm talking about. But we need to start, as people's, you know, talking about value as part of folks' job descriptions. When we do assessments, we need to look at the value individuals bring to the organization and the value that what they do produces for us. And when we look at raises and assessments, when we look at promotions, those elements have to be considered. Those should be the drivers for raises and promotions and assessments, right? We have to hold folks accountable for the work we do.

And I'll tell you, you walk into organizations, and I'm thinking of a specific organization, and I probably should not say that, so I'm not going to say that. But you know, in some organizations you have a culture that's embedded so deep within the organization that it would be incredibly hard to change. You know, you have an organization where the same people have been there year after year, promotions are based on how long you've been there, salaries are based on how long you've been there, nothing's going to change. It's too hard to make changes. And I certainly wouldn't be talking about the government, because that would not be... oh, wait, we don't have a government right now, too. Yeah, you know, you see this in certain cliques in certain government agencies. You can walk in the door and almost tell. And there are some government agencies, and it goes back to the leader and the folks on the team that are leaders as well, where people care about what they do, they're committed, and they work hard. So, you know, I spent some time in various government agencies, and there were agencies where it was a pleasure for me to work, and we worked hard together as a team, and there were other divisions or agencies I couldn't get out of quickly enough. And that's the truth in the private sector as well. I'm not just trying to say... I generally don't like to pass up an opportunity to criticize the government shutdown, but, you know, I had that opportunity, I had to take it.
Establishing a governance framework: when we adhere to a specific framework, accountability, all of those elements are part of the frameworks that we have available to us. And we talked about ISO 27001 as a framework. You know, we could talk about Lean Six Sigma, COBIT, Val IT, those frameworks. So with executive commitment, if we want to shift the focus of our organization, we can do so. Let's bring in a new strategy, a new approach, and let's train our people. And instead of making investments of, "Hey, we need a new thermal flux capacitor," whatever it is that we need right now, today, let's start thinking strategically. Let's start thinking down the road. And I don't know if you've ever worked in an organization where you were just constantly putting out fires. I've certainly been there. I think most people have been in an organization like that, and hopefully you're not there now. But I think everybody's been in an organization like that. And if you're in an organization that's constantly putting out fires, you have no strategic vision. You are focusing on problem, problem, problem instead of process, process, process. It's a totally different way of thinking about things. I'm less concerned about a system with malware on it. I'm less concerned with fixing that system. I'm more concerned with analyzing the process and figuring out how malware got on the system in the first place, because I can re-image this system and get rid of the malware, but if the process doesn't change, that malware is back again and again and again, right? So when we start talking about strategic direction, we're looking down the line, and we're not making investments in something today that's going to be gone tomorrow. A friend of mine is working for an organization, and they just made a huge investment in some storage technology, data storage technology. Well, data storage is kind of dead, right? I mean, most of us are storing data in the cloud or shifting to that. Why would I make a huge investment in, you know, storage appliances when that's probably not the way things are going to continue to go? Actually, they made an acquisition of a company that specializes in storage. So it was just an interesting decision to make, because that's not strategic thinking. We've got to think down the line.

And then improving value management. That means that we're on it, right? We make this investment, but we don't keep throwing good money after bad. At some point in time we can determine this is a lost cause, or it's worth continuing to invest money in. You know, we talked about earlier how we have to prioritize our investments. Some investments need to be cut loose after a certain period of time, when we have that assurance that it's just not going to happen. Always makes me think of... I like to go to Vegas a little bit. I like to go to Atlantic City too. I like to gamble a little bit. I'm not saying how much. But, you know, you see people there that sit at the same slot machine and just put dollar after dollar after dollar in it, and you ask them why, and they say, "I'm due. I'm due to win," right? And that's not true. The fact that you've already put $500 in that machine doesn't make you any more likely to win. But it's that attitude, you know, that "in for a penny, in for a pound," or pound for... I forget what that saying is, but you get the point, right? And at some point in time, we have to manage those assets, and we have to make changes and adjustments so that we continue to maximize the value.
All right, IT focus. So when we're talking about governance of IT, and this is just a phrase we continue to go back to, and I just want to encourage you: even though, you know, I know there are some things that seem redundant, when you see something come up again and again and again in the course, you know that that's gonna be a topic that's just gonna be hammered on the exam. So once again, we come back to strategic alignment. Again, we talk about strategy and strategic vision, strategic goals. We're thinking long term, right? We're not looking at today, we're not looking at tomorrow, we're thinking 3 to 5 years out.
So are we linking what the IT department is doing with where the business wants to go, right? There's no point in me being a leader in IT technology if my business philosophy is one of being very conservative, right? I have to make sure that our IT understands the business. That doesn't just happen accidentally. That's got to be real communication between senior management and the governing bodies. So, linking what we do in IT and being able to map it out. That's one of the things about COBIT that I like a lot: for every, let me just say this, for every IT objective, it can be mapped back up to a business goal, so that when we're implementing COBIT properly, every element of work, everything that we're doing within it, can be traced to a goal of the business. And that's the whole purpose of it: let's make sure that we're not using technology and investing in technology for the sake of technology. So COBIT's really good about that, because you start out with your enterprise goals and map them lower and lower and lower and lower,
and you see how IT is gonna help us accomplish those goals. All right. And then, of course, we've talked about value delivery over and over in the last, you know, 20 minutes or so. So making sure, and again you keep hearing this idea about the delivery cycle, because we have to show that our investments continue to deliver value. We've talked about that. There was an idea I wanted to say; at any rate, we just want to make sure that what we're doing has good long-term benefits. It's not a flash in the pan, right? It's something that continues to deliver value over time.
All right. Let me just mention this one last thing. So once again, just as a review: executives, CIOs, senior officers need a commitment to establishing a governance framework. That's how this is gonna happen. We're gonna have to choose a framework on which to base the governance of our organization. We don't just luck into being value focused. And when we use an existing framework, we're not reinventing the wheel. We're looking to other organizations, we're looking at what organizations in our industry have done and the framework that they have built upon. And again, frameworks can be universal. You don't have to have this framework for this type of business. You look to the framework that's gonna fit best within your organization. You know, some organizations are Six Sigma or Lean, or, you know, manage projects with PMI. That's a framework. PCI DSS, a framework for the payment card industry. Some of them work together, but the bottom line is we have to establish a governance framework. So the role of our senior executives is to figure out which framework is best going to meet our needs. On that we will then build our strategic view, which will dictate what our investments are, thus improving value management. So that's where we're continuing to go.
Okay, that's a good place for a break. I think we'll take, let's take about seven minutes. Let's be back at 3:53. Excuse me, and we're gonna pick up with the next slide. I got click happy and went the wrong way. But let's take about seven minutes. We'll start back up at 3:53.
All right, welcome back. Welcome back. We have been discussing the importance of value, and we gave ISACA's definition of value, and we talked about value creation, and we said that's really the main objective of governance: to deliver value to our stakeholders. I mentioned COBIT and the importance of being able to map out enterprise goals all the way down to IT goals and objectives. We talked about strategic alignment, value delivery, and that left us at, if I'm not mistaken, so we said that there were three elements of value delivery. We said strategic alignment, then value delivery. And then the three elements of enterprise IT: strategic alignment with the business objectives, delivering value to the stakeholders, and then optimizing resources, resource management.
And I always think of, you know, when we talk about our IT resources, first of all, the most important resource that we have, that's our people. So when we're looking at optimizing our people and what our people do: making sure that we have efficient use of time, making sure that we have the right people in the right places at the right time, and that's essential. That's part of optimizing our resources, and making sure that we have folks where we need them and we're not wasting our employees' time, making sure that we're not wasting the organization's money, that we're not overstaffed, that we're not understaffed.
One of the things that I hear a ton in training: you know, there are some times of the year where my job's very slow. My job is very slow in January and February. I travel all over the country teaching. I teach at a lot of military bases, a lot of government facilities. I teach at private organizations, so I teach a lot. I am busiest at the end of the fiscal year. Anybody guess why I might be really busy at the end of the fiscal year? If you're not familiar with the idea behind that: if you don't spend it, you lose it from your budget next year. So what that tells me, and I'm not saying that's true in every organization, you know, some organizations are holding back for an emergency, and then if that emergency doesn't come, they take that training that they need. But that also lets me know other organizations wind up, hey, you know what? September 15th, we got a lot of money left, we gotta find something to spend it on. Otherwise, we don't get that same amount of money next year, right? And I see that a lot. And again, it's not just a government thing. It's private sector as well. And, you know, again, it's just not efficient use of the resources that these folks have been entrusted with: money, staff, time, and so on.
All right. Now, when we're looking at our resources in relation to technology, our applications: are we developing applications in house? Are we going to a third party? Are we using software off the shelf? Are we choosing the applications that bring the greatest value for the least expense, right? That cost-benefit analysis that's so important. And we determine the degree of value we need from the application, and we look to provide that value with the lowest cost possible.
Our information. Are we protecting our information? You know, and again, I'm from the security world, which of course is huge in IT governance. But there's more to IT governance than just focusing on security. But if you want to talk about something that can bring an organization to its knees, you can talk about security breaches, right? You can talk about un-value, because if you wanted to deliver un-value to an organization, not protecting information properly. And we're seeing these organizations week after week, month after month, a new organization or agency has a compromise. You know, just to name a few: the Office of Personnel Management, we saw Marriott recently, we've seen Target, Home Depot, and Equifax and Facebook, and on and on and on and on. So if we're not managing our resources, our information, properly, if we're not protecting our information properly, but also if that information isn't there when we need it, or if it doesn't have the integrity that we need in order to value our data and get the information that we need. You know, if that information is mission critical and it's not available when we need it, that's poor management. Imagine if a hospital, you know, is unable to bring up patient records quickly when that's necessary. That's devastating. So information, you know, information technology, the whole goal is to put the right information into the right hands at the right time, so being able to do that.
All right, so the infrastructure. So when we talk about an organizational infrastructure, we're talking about those elements that support the storage, the protection, the distribution of information within an environment. So we can talk about your network infrastructure, your physical infrastructure. We can talk about your logical structure, like your directory structure, your group structure, how you handle access control, and so on. But there's a lot to it. You know, in project management, we talked about the idea that you don't have to be an expert in IT to manage an IT project and to manage it very well. But once we start coming up to the level of, you know, you're focusing on governance of IT, you don't have to be right out of the field, but usually I find it best, I love to hear it, when a CIO came from humble beginnings down at the bottom of the chain. I always feel like everybody should have to work help desk once in their life. It gives you a totally new appreciation. And I realize that's not how it works very frequently, but ultimately, understanding these elements and all the variables. You know, sometimes I feel like we work in environments where there are unrealistic expectations. I don't know how many times I've said the phrase, you can't make chicken soup out of chicken spit, and that's true, right? If we don't have the funds and we don't have the resources, if we don't have the infrastructure, well, that's now where we as CGEITs have the opportunity to change things and to provide support for IT in relation to the value that they provide.
All right, risk management, risk management, risk management, risk management. You know, honestly, if somebody asks me what I do for a living, I think I'm just going to say I talk about risk management all day long, because I do. Because information security, business management, is just risk management. Senior officers have to understand risks, and a risk is made up of an asset, a threat, and a vulnerability. We have to start by understanding the value of what we're protecting. What is the value of the organization? What is the value of our assets? And some assets are hard to quantify. You know, of course, reputation is hard to quantify, but if we talk about, like, account numbers, there are formulas out there to determine, all right, you lose 100 million credit card numbers, that has the potential to cause $200 million or $500 million or whatever in losses. Most industries have kind of a means of evaluating those types of assets. So we've got to realize what these elements are worth. Because if we realize we're dealing with a potential loss of $500 million, well, then all of a sudden spending 1.5 million on a network upgrade may be much easier to stomach than just looking at it as IT wants more money, right? So really understand the value of the asset, the threats that exist, and the vulnerabilities that we have within our organization.
Okay, corporate officers have to get it. And when corporate officers don't get it, senior officials, senior managers don't get it. One of the things that was very telling to me, and this has been several years ago, this has been five or six years ago, but a major hardware company, home improvement company, very, you know, worldwide company, had a breach. And what was interesting about the operation: they lost millions of account numbers, millions of users' information, I think credit card information. But what was very telling was to follow up and look at some of the details of the breach. And what was interesting is they had hired a third-party assessor to come in and to provide recommendations, or really to assess the organization. Not so much the recommendations, but to assess the vulnerabilities. And ultimately, when the vulnerabilities were presented to the board, many of the changes were dismissed by saying, essentially, listen, we just make hammers here. That's all we do. We make hammers. We want to sell more hammers to more people. We want to make better hammers. That's our focus. Well, that clearly shows a poor understanding of risk, right? We're no longer in the days where we build a hammer and you give us a chicken for a hammer. We're paying money, we're tracking, we're paying with plastic money, we're paying with digital currency. We're keeping records, personally identifiable information, right? We can no longer just think that IT's over there, and here's our real business, right? That's not an understanding of risk.
Part of due diligence is to research risk. Look at compliance requirements. There are a lot of requirements for organizations based on their line of work. It's interesting, because we don't have as many government laws and regulations in relation to privacy as we should, or as we could. We can definitely look to industry best practices, because if there's a loss, what we want to be able to demonstrate is that we used due care and due diligence, right? And as governing bodies, and as a representative of governance in the enterprise, I can be found liable for these compromises. So I want to show that I've used my due care and due diligence. And transparency about risks to the enterprise. You know, let's have these discussions, right? We need to all be on the same team. We need to have the same risk philosophy, and once again, embedding risk management into the organization. If you want to see the entire organization get buy-in with risk management quickly, then change senior management's approach. Change senior management's philosophy, and you get senior management on board, and you hold folks accountable, and things will start to change.
All right. Performance management. I don't know what else we can say about the importance of monitoring performance, measuring the success of our projects, the success of our security controls, monitoring our resource utilization, monitoring return on investment, service delivery. You know, those metrics that we can show: this is where we were before, here are improvements based on new practices in IT, based on new technology. Balanced scorecards, you know, balanced scorecards are helpful because they break down and allow value to be assessed from different categories: from a customer perspective, from a financial perspective, from, you know, a business perspective as a whole, and then from an employee internal perspective and the ability for my internal employees to grow. So when you use those scorecards, you can really kind of see, okay, not everything that's a help to employees is going to help the business, and vice versa. So it gives us a way of kind of prioritizing, really examining the potential for value across those four categories, and then kind of looking at each one from its own unique perspective. There are lots of tools like that. But, you know, that's part of my job as a CIO, is to understand those elements of value and to prioritize.
All right, we mentioned Val IT earlier, and we said Val IT is going to set out practices, the goals and objectives of IT. But Val IT is exactly what this class is about. No coincidence that the same organization that sponsors the CGEIT exam also has developed Val IT, value of IT. So this is another framework that we can base our organization on so that we have a clearer path to value delivery, once again goals and objectives of IT investments ultimately linking back to the enterprise. And as part of Val IT, and I think I mentioned this earlier, if we want to become value driven and we want to know what performance metrics to be tracked, how do we present that information? How do we document it? You move towards a framework, and these frameworks will help you install and support the structure that's necessary. So when I become Val IT compliant, or I bring this framework into my organization and we work towards becoming compliant with Val IT, we're directed in how to measure and monitor and optimize. So in the CGEIT exam, they do expect you to know a little bit about Val IT, a little bit about COBIT, and a little bit about each of the frameworks, because ultimately, when we don't know the answer, that's okay, but we have to know where to look.
So when I'm looking for these tools, look to a framework. But then the question is, which framework is gonna best meet my needs? Okay, so here the focus is on realizing the business value, where COBIT does that to a degree. But if you had to sum up COBIT, COBIT is about justifying IT objectives based on enterprise goals, right? So you kind of want that understanding of what the framework does. ISO 27001 is all about developing an information security management system, an ISMS, and setting up the structure so that best practices can be followed. So each one of these frameworks has a slightly different goal, slightly different objective, and you want to make sure that you know that. You will see questions on the different frameworks.
All right. So, the Val IT framework and the principles that revolve around the framework. So we're again looking at value governance. We will look at IT-enabled investments being managed as a portfolio of investments. So instead of just looking at this investment, maybe one over here, we're looking at them collectively as investments in IT, right? That's how we manage our investments: we bring our investments together as a portfolio so that we can more efficiently analyze how they work together, which ones do work, which ones don't work. So, portfolio management. We also have to make sure that we analyze the activities that are required to really bring that value. There's always action that's necessary. Are we performing the right actions? Again, we've talked about managing our investments throughout the life cycle. Value governance, portfolio management, and investment management. Okay.
All right. So, six key value governance practices. So this goes back to Val IT, right? And you'll have VG1 through VG6. And what each of these elements does is, they dictate an area of practice as part of Val IT.

All right, so VG1, and there's no coincidence this is the first practice, the first principle that's necessary: we have to establish an informed and committed leadership. Leadership has to be all in, right? We have to have the senior officials of our organization on board, in word and in deed. So, you know, it's not enough to just have a security policy that talks about our commitment to protecting the information of our customers. We have to have senior management that walks it and talks it. Lines of reporting. So certainly, you know, we've talked about that accountability, and we've talked about the importance of monitoring. We also want to make sure that the lines for reporting are free of any sort of conflict of interest. So, for instance, IT audit probably shouldn't be providing their results to the chief information officer. You know, that's not a clear pathway. Probably should go to the chief operating officer, right? You don't ever want an entity reporting to the entity they're auditing or evaluating, so we have to make sure that we have clear separation of duties within our environment. You know, I'm not gonna read every one of these, but we see the same things: define value for the enterprise. So as part of our policy, we need to communicate what value means to us. What I value as an individual is probably gonna be very different than what you value, right? Same thing from organization to organization. And that's part of establishing that common approach, that common focus, that common strategy and view, right? Making sure senior management says, look, this is what we're about as an organization. These are our values. This is what value means to us.
All right, VG2. So we're gonna assume senior management's in. They are all in, they get it, they're on board. What can senior management do moving forward? Well, they need to establish the framework. And that's got to come from senior management, right? They're the only ones with the authority and the capability of implementing a framework within the organization and making sure that the framework they've chosen fits with their definition of value. Right, so different frameworks will bring different values. All right, now, when we bring in a new framework, one of the things that we need to look at is we need to kind of identify the gaps between where we are and where we want to be. That's a gap analysis. So what we're going to start with is figuring out where we are. What is the quality of where we are? How are we in relation to the practices and where they should be? Right, what are the controls we have in place? How are we addressing risks? What are our processes? How thorough, how methodical, how well defined are our processes? So we start by looking at where we are. Where are we? The next element we have to look at is, what are the requirements that we have? So we're looking at current state, and then we're looking at desired state; those requirements are where we need to be. Then gap analysis says, figure out what you have to do to close that gap. What do we need to do, and what processes will help us move from current state to desired state? So senior management has to get on board with the policies and the procedures and understanding what we have to do, current state to desired state.
All right, then senior management has to, you know, where we're essentially revamping the organization here, in a lot of instances, a lot of instances, you know, establish, implement, communicate roles, responsibilities, and accountabilities. Over and over and over, I'm in organizations where roles are not clearly defined, responsibilities are not clearly defined. So what that means is there's a lot of finger pointing. There are a lot of elements that get missed because that's not my job, I'm not supposed to do that, I thought that was your job, right? So when we use these roles and responsibilities and we clearly define them, we go back to having our accountability. We go back to having users take ownership and having that skin in the game, so to speak, making sure that the work that's necessary gets done, whatever that work may be. Rarely do folks take on work that they don't think is their responsibility. And maybe that's not as accurate as I mean it to be. But ultimately our job is to do the work we're responsible to do, that we've been assigned to do, that's within our realm, right? So if I'm gonna be asked to do work outside my realm, I need to know about it, right? We just need to clearly define the work that's necessary and make sure that we don't have gaps.
All right, senior management, governance, has to establish the organizational structure, and I've seen organizations have to reestablish over and over and over again. I've worked with a company for many years, and over the course of the company, I've seen departments take on different names time and time again. You know, and a lot of times, the renaming of the departments is because, with the current name, it appears that there might be elements of conflict of interest or of reporting. So the organizational structure isn't necessarily clearly one with clearly defined roles and clearly defined reporting. So it's our job to establish the organizational structure that enforces separation of duties, minimizes the opportunity for conflict of interest. That's our job. That's our role.
All right. And then we come up to VG3, define portfolio characteristics. Okay, so what are the types of portfolios that we might have, that we might use? What are the categories within those portfolios, right? And then we have to talk about, we have to establish good communication in relation to what we're collecting, and we'll talk about portfolio management in the next class. So I'm going through this kind of quickly, but it's a big discussion, let's say. All right, so senior management defines portfolio governance and the characteristics of the portfolio. And remember, our portfolios are gonna include our projects and programs.
Now, when we go to VG4, we're going to align and integrate value management with the enterprise's financial planning. Right. So we're gonna look at the budget for IT as part of the enterprise budget. We're gonna look at returns on investment and how that filters into the enterprise budget as a whole. We're gonna make sure that planning in terms of finances, and true financial planning, is used in IT, as opposed to the hey, we need this now, write us a check kind of method. We're gonna look at where we are now and figure out what needs to change. And that comes down to senior management: financial planning for IT, just like we have financial planning for other areas of the organization, right? And for so long, we've looked at IT as the exception, right? IT has been over there. They don't really generate value. They're just here to work 24 hours a day and keep the systems up and running. But again, we've got to look at this from a value perspective. And if we're looking to deliver value, we've got to plan, and we've got to get our finances as a department, as a group, you know, under wraps.
All right. I think that is a good place for us to stop, because we still have a couple of the governance practices, and then we're gonna expand, and we're gonna move into portfolio management. So I don't want to get too deep into enterprise governance. And then, actually, you know what? I think we could wrap this up. I think we can do that before we break. And then that will give us a stopping point just right after the value governance practices. So VG5, establish governance monitoring. We've talked about that, but again, we establish the metrics ahead of time. We establish the means that we're gonna use to monitor and to measure. We're gonna define our objectives, how our reports are going to be constructed, how frequently we're gonna report, and we're going to make sure that we have a process in place that we review those reports and we monitor and work towards improvement in the areas that need improvement. Again, along the same lines as what we're talking about. And then VG6, right? What have we learned throughout these five other processes? What's worked for us? What hasn't? Can we go back and take advantage of what worked and implement it in a better way so that we can constantly improve the value we deliver? So that is actually a good place to stop. We've covered the value principles and practices from Val IT, and really kind of looking at, really looking at delivering value from the enterprise standpoint.
All right, so that's going to wrap things up for the day. I hope this session was helpful to you, and I hope that it furthers your thought process in merging the world of governance and the practice of IT, and understanding that we're all feeding into the organization as a whole. And the better we support the organization, the better off we all are. So we're going to wrap things up for today. Tomorrow morning, we will pick up with a question and answer session at 8:30 in the morning, and then at 2 PM on Fridays. So 8:30 in the morning, 2 PM on Fridays, we go over, we have a question and answer session, so that anything that you'd like to know, you have a forum in which you can ask. You can, you know, we'll communicate directly. We'll try to make sure that you have all the information you need. So I hope you have a great afternoon. Thanks for tuning in. We'll see you tomorrow.