Erik Guldentops: father of Cobit

Erik Guldentops has been involved in developing the IT governance framework Cobit (Control Objectives for Information and Related Technology) since its inception. On 16 December last year, Cobit version 4 was released by the IT Governance Institute, where Guldentops chairs the development team. He works as a management consultant in Brussels, and is also executive professor at the University of Antwerp Management School. SA Mathieson recently spoke to him about Cobit, the contemporary threat landscape, and EU/US differences.

What are the most important changes between version 3 and the new edition of Cobit, version 4?

"It’s five years between them, although version 3 was well ahead of the market. It took a while for people to really understand and appreciate, especially because in version 3 we added the whole management layer. We did a lot of add-ons [to version 3]: we did Cobit Quickstart for small and medium-sized enterprises, we built an implementation guide, we built courses. We had an information security briefing for board directors, and we did something which was very popular, the Cobit Security Baseline, where we extracted the basic principles of security out of Cobit, and presented them in a Cobit format.

"The three biggest changes are:

"One, it is now an IT governance framework, because with all the research that we’d done and publications on IT governance, we had a much better insight into those practices that are on the fringes and even outside IT but that relate to IT, like what are the business’s responsibilities in order to make decisions about IT? What are the things they should take responsibility for? What are the kinds of things that people at the executive and board level need to be concerned about regarding IT? How should they drive the strategy, what are the minimum control requirements or governance requirements?

"So it broadens the coverage upwards towards the business, and executive and board level.

"The second major improvement is we’ve improved the interface downwards. We added things like process relationships, we identified for all major IT processes the major activities and added a RACI chart, identifying who is responsible, who is accountable, who is consulted and who is informed about these major activities. On top of that, we also built a structured IT balanced scorecard for all the IT processes.

"The third one, which is the smallest one but appeared to be the most appealing to the industry, is two tables which identify the major business drivers for IT, structured along a balanced scorecard – we identified some 20 major business drivers. And a second table, which identified 28 major IT goals. We linked one to the other. It’s only two pages, but it was based on extensive research: we did structured interviews in eight different industries.

"We did many other things: consistency improvement, granularity – because some material was very high-level, some lower-level – consistent language, consistent principles. We pulled out everything that wasn’t generic and put it in the framework, so as a result, in size, the controlled material itself is only half the size in number of words.

"Cobit is not a standard. It’s not something which you take and implement, it is a body of knowledge and best practices. It covers everything, and then you need to make an analysis based on your requirements, pick out of it what is appropriate."

Which IT security threats do you think are growing in importance?

"There are two big things, spam and identity theft. Of course, there is privacy, but that is more of a compliance issue. It’s big in the US but is less so in Europe, because we have a longer history with privacy legislation. We had a bit of an over-reaction in the 80s and 90s, which is slowing down a little bit. They caught up in the US a little later: I guess the pressure in the US comes together with privacy, privacy legislation together with the phenomenon of the internet and identity theft. Suddenly all those things come together, that’s why you have this very strong interest in privacy and compliance. Spam is more of an operational issue, I think: it’s the annoyance factor, and the costs associated with that."

Will the US continue to get closer to Europe in its approach to these issues?

"It’s not going to change very quickly. The economic and political models are so different that there will be these differences for a while. Europe has the longer view, very often – you see it in industry, you take a longer view and take decisions, whereas in the US they take faster decisions but they take a very short view, a profit-oriented view. Then the legal systems are different.

"It’s interesting to see how the power of India and China is going to influence that, because they can have totally different sets of values, legal systems and ways of operating, completely foreign to the US and Europe. The differences between Europe and America are peanuts compared to that.

"There’s one thing where all these come together: the topic of security, the topic of Sarbanes-Oxley, the topic of a control framework, the differences in culture between Europe and the US. They all come together when I listen to some of the more mature organisations in Europe when they talk about Cobit, when I hear a CIO say, I’ve taken Cobit because it gave me an end-to-end view of IT.

"All of those people, including those at Barclays and BP, who have to make a decision about a control framework for IT, who have the challenge of Sarbanes-Oxley, those people try to solve the problem in an integrated fashion. And their conclusion is, if we have to do this, let’s get some synergies out of it. They’re saying, we’ll adopt a framework. It fits my organisational structure and is generally acceptable, so I’m going to use it as the basis for my compliance, for audit programmes, for security, to build my IT policies, for improving my outsourcing contract, for risk management.

"Having one framework, having people with the skills to work with it, I get synergies. And at the end, rather than costing me money, it’s making me money because it’s made clear to me that I can do things in a very similar way across the enterprise for many different reasons, and do them in a singular, standard way. I’ve seen this much more in Europe than in the US."

© SA Mathieson 2006