Reporting

IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

 IBRS iQ is a database of Client inquiries and is designed to get you talking to our Advisors about these topics in the context of your organisation in order to provide tailored advice for your needs.

Conclusion: Cyber security incidents are a foreseeable business risk, and organisations must learn from the ongoing litany of cyber incidents that accompany any digital enterprise. Organisations that have data at their core live or die by how they manage this asset. The Equifax data breach is an unfortunate example of an organisation of senior business executives that were not making decisions on cyber risk management that aligned with societal expectations. Equifax is a company with data at its core, and time will tell whether it was incompetence or negligence that resulted in the data breach this month. Either way, Equifax clearly failed to exercise due care in the reasonable protection of its wealth and sustainability in the face of eminently addressable risks. It is a serious mistake for any executive to think that risk management of digital assets is somehow merely an IT issue.

Conclusion: Cyber threats and incidents will continue to be covered in the mainstream media, and local organisations will increasingly become part of this coverage. Not only may these stories get reported more frequently and in more depth, but local board members will become increasingly aware of what the technical aspects around cyber security mean. Reporting to the board is a blend of what the board – the people tasked with ensuring that the organisation is dealing responsibly with its risks – thinks is important with what the CIO and their team consider to be important. Finding the balance of information to report is important, and will be a continually evolving discussion between cyber security leaders and their boards.

Conclusion: Ransomware is a widespread scourge in the local region and organisations must take steps to address this eminently foreseeable risk. User education is necessary, but it is not sufficient to address this risk – otherwise it would already have been dealt with. Organisations must review their information systems and become rigorous on technical hygiene strategies, such as patching. Using the revised Strategies to Mitigate Cyber Security Incidents from the Australian Signals Directorate (ASD) is an excellent starting point, as these are empirically validated. The critical action is to determine where these strategies are best applied, and this must be guided by the risk tolerance of the business.

Conclusion: The success of a security professional is not measured by whether their recommendations are adopted, but whether the technical risks faced by the organisation have been identified and communicated in terms of business impact to decision makers. This enables the business to make informed decisions. Consequently, security professionals must make it their highest priority to be in communication with the business, because one of the most impactful technical risks is a communications gap between the security team and the business. IT security professionals must take on learning the language of their business, because it isn’t the business’s responsibility to learn to speak IT security.

Conclusion: Organisations that may be at risk of a discovery action should have strategies to minimise the impact of eDiscovery requests. They should have agreed processes in place and have implemented a comprehensive information and records management system that will enable rapid responses and minimise cost when responding to such requests. Poor electronic information management, particularly in the areas of email and collaboration tools are certain to create eDiscovery problems and expenses.

Conclusion: Unless CIOs are able to provide business with a balanced and accurate picture of IT performance, it is likely that IT will be treated as ‘just another supplier’ in the minds of senior business executives. Moving IT up the value chain to become trusted and strategic business partners requires more than concerted efforts in delivering projects and keeping the IT lights on. It requires effective marketing and good communication. One of the ways of improving IT credibility is to develop an effective IT scorecard that highlights precisely how IT’s performance supports and indeed, adds value to the business. Further, providing scorecarding data to IT management and staff is likely to provide an incentive for them to lift IT performance levels.

Conclusion: Evaluation and measurement are creative activities in the technology business. In terms of evaluating the productivity benefit of broadband, the creativity needed is quite high. Finding a standard ROI assessment approach is not easy and designing better methods to locate broadband productivity is another challenge.

In terms of measuring broadband, the methodology applied, is critical for understanding how broadband contributes to productivity. As the broadband debate rages over both sides of the Tasman, the need for a better designed research project that determines the extent to which broadband contributes or not to productivity of knowledge workers should be a priority for organisations in the IT industry.

Conclusion: IT/MIS within an organisation can be thought of as a business and, like any business, should have an active marketing plan in place. Such a plan helps the CIO and key members of the MIS group actively promote to all parts of the organisation the value of the services delivered by the MIS Department. The plan should be couched in business terms understood by each user community and not in “IT-speak”.

Conclusion: Due to their scale of operation and the massive databases they need to manage, Australia’s major banks often act as a bellwether for other IT users. This is certainly the case at present as a number of banks commit to Master Data Management (MDM) in an effort to bring their management reporting into order.

Conclusion: Inexperienced organisations often see benchmarking as the process of measuring best performance and fail to achieve the real value of benchmarking which is the discovery and adoption of best practices that drive best performance. Done appropriately benchmarking can yield unexpected and significant benefits, but done inappropriately it wastes considerable time and money1.