COBIT: The Road Ahead

1996 had its share of significant events. The first flip phone, the Motorola StarTAC, went on sale. The Czech Republic applied for European Union membership. Australia defeated Sri Lanka 2-0 to win cricket’s World Series Cup. The first version of the Java programming language was released. The massive Internet collaboration “24 Hours in Cyberspace” took place. IBM computer Deep Blue became the first computer to win a game of chess against a reigning (human) chess champion. Excel Communications Inc. became the youngest company ever to join the New York Stock Exchange. Intel released the 200 MHz Pentium chip. And ISACA published the first edition of what was then called Control Objectives for Information and related Technology, or COBIT, as its typography was styled at the time.
Of course, at the time it was released, no one knew it would be just the first of several versions of COBIT. Nor did they foresee that it would undergo continuous evolution to make it ever more relevant and useful to practitioners seeking to control organizational information and the technology that processed, manipulated and stored it. Neither could anyone have anticipated the level of acceptance and use COBIT would achieve, as it was increasingly used—alone or in combination with other frameworks or in-house solutions—in governments and companies large and small worldwide.

COBIT 5: A New Framework for a New World

Since its release, COBIT 5 has been downloaded tens of thousands of times, has been widely discussed on social media, and has been prescribed for use by national governments and municipalities alike. Likewise, the impetus for use of COBIT has evolved from just supporting internal audit to a means of organizing multiple frameworks (including regulatory frameworks) and as a means for connecting overall enterprise objectives to the governance and management of IT assets.
The traditional use of COBIT has been to assist companies with their compliance and assurance needs, but those needs exist outside of just for-profit companies. For example, the government of South Africa has mandated the use of COBIT among municipalities.¹ The intent is to exercise proper control over the use of scarce IT resources to ensure delivery of value to those served. Municipalities are expected to use COBIT to align their goals for the use of IT assets with the requirements of the local governments.

The impetus for use of COBIT has evolved from just supporting internal audit to a means of organizing multiple frameworks and as a means for connecting overall enterprise objectives to the governance and management of IT assets.

In May 2006, the government of Turkey mandated the use of COBIT for banks operating within Turkey.² The Banking Regulation and Supervision Agency of Turkey (BRSA) mandated that all banks operating in Turkey must adopt COBIT’s best practices when managing IT-related processes. The result of this legal requirement has been that internal auditors and bank management have put into place resources based on the process descriptions used in COBIT. Compliance reports are now submitted to government officials to demonstrate adherence to COBIT process and practice descriptions. There have been other government mandates for the use of COBIT in Costa Rica and Nigeria.
These uses were not foreseen, but they are understandable, natural extensions of the framework. The potential for a comprehensive framework is to use it to administer resources such that greater efficiency and effectiveness are realized and value is created for stakeholders. IT resources are ubiquitous, and the potential for IT spending without clear alignment to overall strategic aims is high. That risk of misalignment is a control issue.

Fast Change, Faster Response

One area where this issue is particularly impactful is in the arena of new and emerging technologies—particularly those that have a high potential for “shadow IT” adoption (i.e., adoption without central oversight such as by IT or another organization). In many cases, an enterprise can become aware that users have begun adopting a new technology only after that technology has begun to proliferate throughout the enterprise as a whole.
When that happens, resources can be consumed in a way that does not align with enterprise requirements nor directly or indirectly progress the prioritized goals of the enterprise. This is obviously undesirable as it can divert time and attention away from those activities and investments that do tie directly to those goals and anticipated or desired outcomes. The issue is further compounded as, in many cases, senior management is unaware that this resource strain is even occurring in the first place. Cloud services is an example of this (in particular, software as a service [SaaS]), mobile technologies (whether bring your own device [BYOD] or otherwise), and social media. It does not take an extraordinary level of insight to see that these disruptive changes, when adopted without a workmanlike and disciplined approach, can bring about potential areas of risk, introduce potential inefficiencies and spark other undesirable outcomes.
COBIT already provides the means to manage technology resources no matter their origination, purpose, internal user community or other defining factors. Organizations can already adopt and apply COBIT 5 (as it exists right now) in such a way that all technology use is deployed, managed, measured, and otherwise aligned with stakeholder needs and business goals. This puts organizations in the position of being able to lessen the potential disruptive impact of new technology, better manage and control risk, and directly measure the value to the business (even of “shadow IT”) against the business value provided through the use of new technologies. Looking forward, though, a primary area of further growth for COBIT lies in the ability of the framework to provide value as the pace of change accelerates and as operational technology and traditional IT merge.

Governance

It does not take a rocket scientist or an especially astute prognosticator to be able to state a few things with confidence about where enterprise technology use is heading in light of the trends we are seeing in the marketplace already. First, we can state with confidence that a proliferation of devices will likely occur as the Internet of Things (IoT) continues to expand. Likewise, we know that certain sectors that have specialized operational technology (i.e., the clinical network of a health care provider, industrial control systems, specialized networks used for telecommunications, broadcasting or other industries that require high-speed or specialized transmission) are likely to see their existing specialized technology use continue and, in fact, become even more specialized in supporting the way that they do business tomorrow.
While the COBIT framework can be used already to address these challenges head on, there are opportunities to provide more and better guidance to practitioners about how, specifically, to do this. For example, specialized supporting artifacts and tools to build upon the COBIT framework can provide immediate value to the practitioner so they are not “reinventing the wheel” separately from enterprise to enterprise. Tools that are immediately practical to the professional in the field—such as templates to support deliverable creation and reporting; governance artifacts such as policy examples and templates; and tools that support measuring effectiveness, managing risk or other activities to support robust governance—are a necessity given the pace at which technology use evolves and the likely even more rapid pace at which it will evolve tomorrow.
These items and others that directly target an increase in the practical value of the framework to the practitioner are on the forefront of the COBIT research agenda. Just as COBIT evolved over the last 20 years to meet the changing landscape of enterprise and become a framework for systematic governance of enterprise IT (GEIT), the future will mean continued evolution to address a systematic framework for governance as “information technology” becomes just “technology”—as usage and scope expand beyond the borders of the IT department and become embedded in the fabric of the business more generally. Likewise, as the alacrity of change (and the pace of disruption that occurs as a result) continues to increase, the framework will continue to evolve to meet those needs.

Peter Tessin, CISA, CRISC, CGEIT

Is a technical research manager at ISACA where he has been project manager for COBIT 5 and has led the development of other COBIT 5-related publications, white papers and articles. He also played a central role in the design of the COBIT online web site. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native US including Canada, Mexico, Germany, Italy, France, UK and Australia.

[ISACA – COBIT Focus]