How to talk about IT - Information Assurance | ISACA Presentations/Bruno... · Bruno Horta Soares...


How to talk about IT Governance with your boss in the elevator?

Bruno Horta Soares
GOVaaS – Governance Advisors, as-a-Service

Before you do things right, you have to do the right things. Why good communication between business and IT areas is so important to help organizations deliver value, and how to get everyone speaking the same language using COBIT 5 related materials. Reality check and lessons learned from projects and initiatives developed to improve IT savviness at small and medium enterprises in a “small medium country” like Portugal.

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”

Donald Rumsfeld

Agenda
1. You have the size of your dreams!
2. Going up?

1. You have the size of your dreams!


We are what we do

“Don't tell me there is a problem, tell me there is a solution”
The boss

Linear thinking

Has the world changed? Hyperconnected, always-on, knowing-doing gap

“The essence of systems theory is that a system needs to be viewed holistically – not merely as a sum of its parts – to be accurately understood”
von Bertalanffy, L.; General System Theory: Foundations, Development, Applications

Non-linear thinking

“The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding 50 million euro, and/or an annual balance sheet total not exceeding 43 million euro.”

Source: Extract of Article 2 of the Annex of Recommendation 2003/361/EC

SMEs: Always the same old story

The Rosetta stone

“Meeting point talk”: Frameworks provide a structure for a system
“Basement talk”: Standards are an agreed, repeatable way of doing something
“Vanilla Sky talk”: Models are a schematic description of a system

2. Going up?

Elevator pitch

“How about the weather?”

“Solutions that focus on specifics will be outdated rapidly; a principle-based approach is required”
World Economic Forum

COBIT® 5 provides a comprehensive business framework that assists enterprises to achieve their goals and deliver value through effective governance and management of enterprise IT.

Adopt and adapt COBIT® 5

X “I do not know if you had the opportunity to analyze the budget regarding ISO/IEC 27001 certification… it is not urgent... but we are always afraid of an attack that will end our business”

Tip #1: There are always two sides of the story

“My security guy is 5 stars, has lots of certifications and is very concerned... It’s a shame I don’t understand anything he says or what he does!”
The boss

COBIT 5 Principle 1: Meeting Stakeholder Needs (goals cascade)
Stakeholder drivers influence stakeholder needs: benefits realisation, risk optimisation, resource optimisation.
Stakeholder needs cascade to Business goals, which cascade to IT-related goals, which cascade to Enabler goals.

Tip #1: There are always two sides of the story

“We know that continuity and availability are critical to our business and we are setting information, infrastructure and applications’ security as one of our critical goals. We’ll identify relevant enablers to support this goal and I would appreciate your sponsorship of our Security Program.”

Tip #1: There are always two sides of the story

X “I’m so sorry for all the inconvenience the incident caused! We are already doing an audit and we are almost sure it was an outsourcer’s responsibility. I promise it will not happen again!”

Tip #2: Remember, there are no technical problems

“Why did the system fail? Who’s responsible? I’m taking care of the business, you have to take care of the IT!”
The boss

COBIT 5 Principle 2: Covering the Enterprise End-to-end (governance and management roles)
Owners and Stakeholders delegate to the Governing Body, which sets direction for Management, which instructs and aligns Operations and Execution.
In return, Operations report to Management, Management is monitored by the Governing Body, and the Governing Body is accountable to Owners and Stakeholders.

Tip #2: Remember, there are no technical problems

"The analysis of the incident allowed us to conclude that a better involvement of the entire organization in IT related decisions is necessary. We would suggest the creation of an IT Steering Committee to get all areas involved and to increase our IT savviness."

Tip #2: Remember, there are no technical problems

X "We are so happy with our recent achievements. We received two awards related to ITIL and ISO 20000 certification and our KPIs are all green. We are 100% focused on providing our best support to our internal clients, that’s why those new projects are a little bit delayed!"

Tip #3: Speak the same language

“Why are we paying so much money every year to be certified while our business executives keep saying you are not answering their needs?”
The boss

COBIT 5 Principle 3: Applying a Single Integrated Framework
Drivers: Performance, Compliance

Tip #3: Speak the same language

"We just finished a service delivery continuous improvement initiative. We improved the coordination between internal and external IT areas, we reviewed business areas' needs, adjusted our SLAs to better manage all stakeholders' expectations and enforced new compliance controls."

Tip #3: Speak the same language

X "Our project management tool is getting old. We are now studying new solutions to replace it and as soon as we have the new technology we believe that our IT related projects will start to get in the way of success."

Tip #4: Show him the big picture

“A friend of mine told me about these new services in the cloud. I think it's a great opportunity to get rid of IT costs and focus on my core business.”
The boss

COBIT 5 Principle 4: Enabling a Holistic Approach (the seven enablers)
1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Culture, ethics and behaviour
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies
Enablers 5 to 7 are also the enterprise's resources.

Tip #4: Show him the big picture

“We analysed why projects fail and we believe that only by aligning people, processes and technologies will it be possible to deliver better IT related projects. We’ll review the project management methodology, update our supporting tool, implement a new PMO and train our people!”

Tip #4: Show him the big picture

X “We have been implementing a new IT governance framework and set up all associated processes. As soon as we finish it we will send it for your approval.”

Tip #5: There are unknown unknowns

“I’m already responsible for the corporate governance, you can take care of IT governance.”
The boss

COBIT 5 Principle 5: Separating Governance From Management
Stakeholder needs feed Governance, which Evaluates, Directs and Monitors. Governance directs and controls Management, which Plans, Builds, Runs and Monitors (operations) and gives feedback to Governance.

Tip #5: There are unknown unknowns

"We are designing the new IT Governance and Management framework to focus on value creation and we would like to discuss with the Board its role and how IT can contribute to benefits realization, risk and resource optimization. It would be very important to have your direction so we can better manage our IT."

Tip #5: There are unknown unknowns

Next steps

Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®

• Founder and Senior Advisor at GOVaaS – Governance Advisors, as-a-Service
• Visiting professor and coordinator at ISCAC - Coimbra Business School - Coimbra, Portugal
• Visiting professor at Instituto Superior Técnico (IST) - Lisbon, Portugal
• Visiting professor at Universidade Portucalense (UPT) - Porto, Portugal
• Visiting professor and coordinator at Universidade Europeia | Laureate International Universities - Lisbon, Portugal
• Visiting professor at Unipê - Centro Universitário de João Pessoa - Paraíba, Brazil
• Visiting professor at Universidade Católica Portuguesa - Lisbon, Portugal
• Founder and President at ISACA Lisbon Chapter
• Member of ISACA Government and Regulatory Advocacy Regional Subcommittee Area 3
• IT Governance coordinator at the Portuguese Institute of Directors
• ISACA Knowledge Center Topic Leader - COBIT 5
• APMG individual accredited trainer for COBIT 5

Academic training

• 5-year degree in Management and Computer Science, from ISCTE, and a post-graduate degree in Project Management, from ISLA Campus Lisboa.

Professional certifications

• Certified Project Management Professional (PMP), from the Project Management Institute (PMI); Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) and COBIT 5 Foundation, from ISACA; ITIL® version 3 Foundation; ISO/IEC 27001 Lead Auditor; and Training for Trainers Certification (CAP). He’s also an APMG individual accredited trainer for COBIT 5.

“More you know, less you no”

Bruno Horta Soares, CISA®, CGEIT®, CRISC™, PMP®
Founder & Senior Advisor
GOVaaS - Governance Advisors, as-a-Service
Rua do Tamisa, BL 5.02.03 D 1.ºC
Parque das Nações
1990-518 Lisboa
Mobile: +351 962 103 153
@: [email protected]
www.govaas.com