In a recent article for Secure Payments, the Payment Card Industry magazine, I introduced the concept of Information Technology Governance as a bicycle wheel: the spokes represent the organization's individual initiatives (contractual, regulated, and competition-driven), and the rim represents the operating strategy of the business, fully integrated and interdependent. Check out the article here online (starting on page 24), or join the SPSP and receive complimentary copies in the mail. In it I describe the challenges that organizations face when they focus on a single regulation as the means of orchestrating their security and compliance programs. The concept of creating a custom control framework is articulated and broken down in IT Compliance and Controls, which I published last year with John Wiley and Sons (for those looking for greater discussion and practical advice).
Why is that wrong? To extend the article's points: the information technology operations of a business are unique to that business, as unique as its culture. While the parts that make up the information technology (routers, switches, clouds, software, etc.) are common to every business, their particular combination and implementation make up the competitive advantage of the business. So, if following one regulation is not appropriate for all businesses, is it appropriate for all businesses within a particular industry? Simply answered, no.
The organization, in the instance of PCI DSS, is susceptible to many different risks. These risks relate to geography, staffing, operational decisions, and factors external to the business. Each standard is conceived under the premise that, for a single assumed environment, the risks are XYZ and the appropriate mitigating responses are known. This premise falls apart when additional concerns, assets, and risks are introduced.
IT Strategy and Governance must constitute a merging of business aptitude with technology capability. This is a topic we will revisit with greater specifics and tools for achieving this objective. Thoughts / concerns?
James DeLuccia IV