Workplace Innovation

  • For Project success, get the PMO’s role right

    Conclusion: The PMO role has many manifestations. It is also rarely static. When the organisation is in transformation mode the PMO must ensure project managers work as a team and deliver results. It is analogous to the role of an orchestra conductor who must get the musicians to rehearse so they know their roles and work together to make their opening concert a success.

    Post transformation, one of the PMO’s roles is to get business operatives to assimilate the system’s functions so the benefits expected are realised. Similarly, the conductor’s role is to get the orchestra to perform so well there is a full house at every performance and the producer gets a satisfactory payback from the production.

  • Gateway Reviews

    Conclusion: Organisations in both the public and private sectors have been actively improving capability and implementing processes and frameworks to improve project delivery effectiveness over the past decade. Project management approaches such as Prince2 and PMBOK have been adopted to improve project management practitioner capability and equip project boards and project sponsors to understand their roles and responsibilities in supporting project delivery.

    The Gateway Review Process was designed and implemented as part of assurance activities and was intended to be a supportive and proactive activity that highlighted areas that may impact on successful project delivery thus enabling organisations to take corrective action well in advance of major milestones.

    However, based on a number of high profile project disasters in organisations that have implemented the proactive assurance approach of Gateway Reviews, there are some learnings that will assist other organisations to avoid project failure.

  • Business Strategy and Enterprise Architecture

    Conclusion: The enterprise architect (EA) role is one of the most intellectually challenging in an organisation. This is because it involves developing a systems roadmap to migrate from the current to a desired future state that is compatible with the business strategy.

    Assign the wrong person to the EA role and the future systems will probably be unattainable and realising the business strategy problematic.

  • GDPR – A European standard impacting Australian organisations

    Conclusion: Australian organisations and agencies need to embrace the European Union’s new General Data Protection Regulation (GDPR) legal framework for protecting and managing Private Individuals Information (PII). There is considerable risk to organisations that do not take action to comply, financially and to organisations’ brands.

    There are also potential upsides in embracing the requirements and being able to demonstrate compliance with the accountability principles, and implementing both technical and organisational measures that ensure all processing activities comply with the GDPR.

    Whilst Australian companies may already have practices in place that comply with the Australian Privacy Act 1988, GDPR has a number of additional requirements, including the potential appointment of “data protection officers”. Action should already be taking place, and organisations should not underestimate the time and effort it may take to reach and maintain compliance.

  • Identify the baton holders for effective ICT service delivery

    Conclusion: Successful ICT life cycle service delivery from strategy development to system decommissioning relies on the person assigned the role picking up the work in progress and successfully completing the task before handing it to the next agreed role. It is analogous to the relay runner at an athletics carnival taking the baton from the previous runner and, on completion of the leg, handing it onto the next runner.

    Unless the ICT service delivery model is designed well, critical activities might be missed or partially performed by different roles, resulting in duplication of effort, output overlap and, at worst, process failure. To overcome this problem the service delivery model must be thorough, and activities and the level of accountabilities clear so staff know what is required of them by activity.

  • Considerations for cyber security audits

    Conclusion: An audit is an integrity check that assesses whether an organisation is doing what it said it would do, and what others should reasonably expect it to do. The previous sentence also points out that it’s not enough to have better practices documented. An organisation must also be able to demonstrate that staff are adhering to these. There are some excellent resources available for organisations preparing for a cyber security audit. The real gold will be in the quality of the conversations and resulting maturity in perspective at the most senior levels of an organisation that occur through the work that is carried out in preparation for the audit.

  • Data: An Asset and a Liability

    Conclusion: Organisations must proactively manage exactly which data is kept, secured, and backed up, as well as which data must be archived or permanently deleted. Data hoarding adds considerably to storage costs as well as potentially exposing organisations to risks especially if the data is inappropriate, unencrypted, or could put an organisation’s brand at risk.

    Organisations need to have clear policies on exactly what sort of data is to be kept, especially when there are legal, regulatory or other specific reasons for keeping the data. Additionally, organisations need to be clear on what should not be kept.

    Organisations cannot leave the management of this issue at simply expecting compliance to a policy. Business stakeholders must be closely involved in defining the business imperative for tracking data relevance and the value of data. Data specialists equipped with the appropriate tools will be required to specifically find data and manage it based on defined policies.

  • APRA and the Cloud: Organisations must be able to show their working

    Conclusion: IT executives in financial services organisations have expressed frustration at the seemingly vague requirements of APRA, but this misses the true intention of APRA. APRA is not anti-Cloud, but the regulator insists that financial services organisations consult with APRA so that APRA can gauge the maturity of the proposed plan. This is not a mechanism to forbid Cloud, but rather a sanity check to ensure the stability of the Australian financial market by ensuring that organisations are not abrogating their risk identification and management responsibilities.

  • The Top Business Technology Priorities for 2016

    Conclusion: As the concept of digital disruption and digital transformation takes hold, it is vital that IT is not only aligned with, but synonymous with business. Both business executives and IT groups find themselves in a constant race against competitors who have embraced new technologies and new business models. Unfortunately, this situation results in a mad dash between one hot new technology and another in an effort to meet evolving business priorities. In any race, having a skilled navigator and an accurate map is vital. IBRS’s Business Priorities Atlas (see Figure 1) presents the highest-level view of Australian business priorities and the likely technological landmarks along the way towards meeting the organisation’s desired destinations. The Atlas may be used to stimulate discussion between senior IT and non-IT executives as to what, where, and when to invest.

  • The new IT Business Model

    Conclusion: The new digital business model for IT is based on selecting, composing, and leveraging a dynamic range of Cloud based external services. Under the new IT paradigm people will work the way they want, when and where they want and with all the tools with which they are familiar; collaborate using a wide range of low-cost commodity services; and use their own devices (and in some cases their own applications) while those responsible for information governance seamlessly maintain control over the organisation’s enterprise information, privacy and security.

  • A purpose-driven culture creates a resilient organisation

    Conclusion: There are two compelling information security reasons for creating a sense of purpose and ownership within an organisation. The first is that a sense of purpose and ownership will empower staff so that they move from responding to basic security hygiene matters, towards pre-empting issues. The second reason is so that organisations look out beyond themselves and work towards a more resilient ecosystem.

    This level of resilience maturity is vital and will be driven by leadership and a continuing commitment to talent development. Astute security leaders will use cultural indicators such as engagement and sense of purpose and ownership, as a guide to the ability of the organisation to withstand security incidents.

  • Improving Digital Maturity requires a proactive team effort

    Conclusion: To improve the digital maturity of an organisation the CIO must encourage a team effort from business and technical areas within their organisation as well as strategic partners in the IT industry. Laggard IT vendors should be dropped in favour of digital leaders. The CIO will also need to convince their organisation to make early investments in long term capabilities that are critical to the adoption of new digital initiatives.

  • Why Organisations need an Information Security Executive

    Conclusion: Non-IT executives are often reported as being concerned about the prospect of a cyber incident, but as security is not their area of expertise, responsibility for mitigation and preparation is often devolved to IT. This is a mistake, because as much as lack of any security could be devastating, applying the wrong controls to an organisation can be equally debilitating. Security is a response to risk, and it is the ongoing mandate of executives to demonstrate that they are guiding their organisation through foreseeable risks. Consequently, many organisations would benefit from the appointment of an information security officer who is able to translate between IT and the business and ensure that cyber risks are prepared for responsibly.

  • Justifying IT Infrastructure investment

    Conclusion: Sustained investment in IT Infrastructure is critical for the delivery of services to clients and delivering business efficiencies. Without continued investment, service quality will deteriorate, operational incidents will occur more frequently and the organisation’s network will be put at risk from unwanted intrusions.

  • Demand driven evergreening of Governance Artefacts

    Conclusion: Most organisations have some form of central approval process (Governance) based around agreed artefacts – few organisations have a built-in evergreening process to ensure governance controls are in line with emerging technology and business trends.

  • Applying the Five Knows of Cyber Security

    Conclusion: It is undeniable that Cloud services will only become more important to organisations. However, executives must bear in mind that as increasing Cloud adoption meets an onslaught of cyber-attacks, regulators and courts will be looking for evidence that organisations exercised due care in vendor selection and support of information security initiatives. The great challenge is in communicating to non-technical people what are often thought of as merely technical issues. In this shifting market, an approach such as the “Five Knows of Cyber Security” can prove invaluable in shifting a technical conversation to a governance conversation.

  • The Value of an independent external committee member

    Conclusion: Governance committees face a number of challenges that can undermine their effectiveness. These challenges include groupthink, a focus on individual responsibilities rather than organisation-wide benefits and trust issues. Experienced independent external advisors can play an important role in overcoming these challenges.

  • Why Organisations need an Information Security Outreach Function

    Conclusion: Security leaders know that it is not enough for the security group to do its job; they must be seen to be doing their job. This need for communication between security and the business is resulting in organisations creating outreach roles. Many organisations have yet to realise that this communications gap directly impacts their risk management capabilities. While the security team may be executing its work with technical accuracy, it is not serving the true needs of the business. The key to bridging this gap is an outreach function.

  • Lessons from security analytics projects

    Conclusion: Big data and analytics projects can learn important lessons from the domain of information security analytics platforms. Two critical factors to consider when planning deployment of an analytics platform are: the need for a clear business objective; and the depth and duration of organisational commitment required. Without a clear understanding of the objective of the analytics project, or adequate resource commitment, the project will likely fail to deliver on expectations. The worst outcome is that inadequate investment in people could result in an organisation drawing incorrect conclusions from the analytics platform.

  • Running IT-as-a-Service Part 8: Governance processes critical for HyperCloud success

    Conclusion: IT organisations adopting IT-as-a-Service strategies tend to acquire the best of breed services from the market instead of building them in-house. This leads to increased adoption of multi-sourced services, whereby reliable governance processes are critical success factors to realise the desired business benefits in a timely and cost-effective manner.