John Edwards
Contributing writer

7 IT governance mistakes — and how to avoid them

Jun 21, 2022
IT Governance

IT governance can be a minefield for the unwary. Don’t let these common errors damage your organization — and your career.

banana peel slip accident mistake fall by rapideye getty
Credit: RapidEye / Getty

Everybody makes mistakes, but when a CIO messes up, the consequences can be devastating to the instigator, as well as the entire IT department and enterprise.

IT governance should be well-defined, clearly understood, and led by principles that reflect your organization’s mission, vision, and strategy, advises Donna Bales, principal research director at Info-Tech Research Group. “Good governance should delegate and empower individuals to deliver to defined outcomes that support organizational direction.”

Still, despite CIOs’ best efforts, there are an almost endless number of IT governance pitfalls. It’s particularly important to keep an eye peeled for the following seven common mistakes that can bite even that most careful IT leader.

1. Not keeping pace with evolving business priorities

Business practices and priorities shift frequently to accommodate emerging technologies, customer expectations, and product and service delivery demands. “It’s critical that governance changes in tandem to stay aligned and effective,” Bales warns. “Organizations often fail to recognize this [need] and rarely want to change governance once it’s in place.”

Governance should be designed with adaptability in mind to ensure IT remains in alignment with business objectives, continually providing value while effectively safeguarding the organization against potential risks, Bales says. “Effective governance ensures that the right technology investments are made at the right time to support organizational change and enable successful business outcomes,” she adds.

Governance should be part of your organization’s DNA — central to its being yet unique to your organization, Bales says. “Your governance structure should be dynamic and [designed to] identify triggers that may evoke a revision, and its effectiveness should be constantly measured so that it remains relevant.”

2. Poor risk planning

CIOs frequently launch strategic initiatives without fully considering all the risks involved. “This leads to adding governance as an afterthought instead of using a governance methodology as an integral part of a risk management program,” says Scott Perry, principal for crypto and digital trust services at Schellman, a global cybersecurity assessor. “By that time, governance structures are rushed and risk mitigation measures lose their effectiveness.”

All too often, critical initiatives are pushed through by CIOs without fully understanding whether the system will be able to meet its strategic objectives. “This can create risks, such as technical vulnerabilities, uptime constraints, improper continuity, and customer rejection,” Perry cautions. Properly identifying these risks early in the process, and addressing them with an organized risk mitigation process as part of an overall governance program, is essential for strategic initiative success.

Perry suggests instituting an oversight program that includes risk assessment, governance requirements established to mitigate controllable risks, and internal and external audit programs to measure the effectiveness of governance requirement conformance. He also recommends conducting a residual risk evaluation to determine any remaining risk exposures, as well as a program feedback loop.

3. Insufficient operational visibility

While most CIOs have already created a complete and detailed governance plan, many IT leaders lack the operational visibility necessary to assess their organization’s acceptance and practice of specific governance policies and mandates. Although many CIOs believe that all enterprise leaders have easy access to and understand IT governance policies, they really don’t, says Azadeh Dardras, Edge Center of Excellence director for business and IT consulting firm Capgemini Americas.

In many cases, the IT organization works in isolation, Dardras says. “If you don’t understand the context and results of your governance decisions, then your policy can have a negative effect on the business,” she warns. If IT governance doesn’t reach and involve all essential stakeholders, particularly team members working within the enterprise’s business segments, key decisions might be made without full and proper consideration. “This can seriously impact the affected teams’ work and, ultimately, the business as a whole,” Dardras notes.

4. Failing to fully align IT governance with enterprise governance

IT leaders frequently strive to complete projects as quickly as possible to meet a particular business need. “In doing so, they may not properly involve their company’s governance teams, such as legal, compliance, and information risk management,” cautions Brian Mannion, chief legal and data protection officer at insights and data management platform provider Aware.

To prevent a potential governance misalignment, CIOs should encourage their IT representatives to routinely partner with their enterprise governance counterparts. At a tactical level, IT and enterprise governance teams should regularly educate each other on new tools, as well as new and enhanced features designed for existing tools. The teams should also propose and coordinate potential solutions to identified risks.

A standard set of minimum controls should be identified and agreed on, Mannion suggests. “Finally, [enterprise] governance teams must have sufficient and technology-focused staffing to support IT,” he says.

5. Using past methods to measure future progress

Many enterprises continue to base their IT governance on cost and performance service level agreement (SLA) metrics. Unfortunately, these metrics tend to be lagging indicators.

IT governance should focus on leading indicators and reflect the investments and spends of tomorrow, suggests Prashant Kelker, partner for digital strategy and solutions with global technology research and advisory firm ISG. A leading indicator is a predictive measurement. Leading indicators include revenue growth, revenue per client, profit margin, client retention rate, and customer satisfaction.

6. Treating data like a waste product

It’s no secret that data has become a highly prized asset. For many information-driven enterprises, data is their most valuable asset. Still, a surprising number of organizations continue to treat data as if it were nothing more than a waste product, alleges Chethan Laxman, digital transformation executive at Apexon, a Silicon Valley digital engineering professional services firm.

As data increasingly guides decision-making, and digital innovations automate more business processes, data value and integrity become more important. “All organizations, regardless of size or sector, need to shift from viewing data as an inconvenient cost center to an asset that’s reliable, accessible, secure, and usable,” Laxman says. “Having invested in data and analytics, business and IT leaders now urgently need to ensure good governance in order to meet their goals of operational efficiency, increased growth, and improved customer experience.”

7. Overlooking insider threats

The remote/hybrid work environment — combined with record-high employee turnover — has made insider threats a huge risk to organizations of all types and sizes.

While all types of insider threats are potentially harmful, malicious workers and inside agents partnering with external attackers can be particularly damaging. “In fact, companies spend an average of $644,852 on each insider incident,” notes Kris Lahiri, CSO at content security and governance platform provider Egnyte.

Lahiri suggests taking a holistic approach to IT governance that includes prioritizing data security, implementing network security best practices, and maximizing user cyber-education. He says that it’s also important to have deep visibility into both structured and unstructured data in order to build an effective content governance program. “If you can’t see the data, then you can’t properly govern it,” Lahiri says.

Lahiri also recommends centralizing data views to understand what content is being accessed, and by whom. “This will enable the organization to detect malicious activity by recognizing commonplace user behavior and patterns.”