Sunday, October 29, 2017

We surveyed 100+ people on IT Controls, Governance Frameworks and Standards!

When I was younger, I liked Family Feud. (You got me - I still watch it on occasion). When the host started each question with: "We surveyed 100 people and the top answers are on the board", I kept wondering about how they found those 100 people.

My imagination ran wild.

Could it be that the same 100 people were answering all the questions? Did the show lock them in a room with no windows until all questions were answered?

I recently had a chance to run my version of the Family Feud polls.

Before my speech in August 2017 about "IT Governance" at the Governance, Risk & Compliance (GRC) conference organized jointly by the Institute of Internal Auditors (IIA) and Information Systems Audit & Control Association (ISACA) in Dallas, Texas, the organizers alerted me of a mobile polling tool we could use to live-poll the audience.

I jumped on the opportunity.

In October, I spoke on the same topic at ISACA's Cyber Nexus (CSX) Security Conference in Washington, DC and used the same polling tool.

According to the official numbers:
  • 225 people listened to my speech at the GRC Conference; about 110 people answered the live surveys. 
  • 130 people listened to my speech at the CSX Conference; about 43 people answered the live surveys. 
  • Attendees for both sessions represented various sectors including financial services, healthcare, government and utilities. 
  • Among them were GRC professionals, auditors, banking regulators, CISOs, CIOs etc. Most of them were from the US, but I also met some folks who attended from Brazil, South Africa and Ghana.
  • What you see below is the combined polling results from those two sessions. 
We surveyed a 100+ people and the top answers are on the board...

There are no major surprises from my perspective.

Here are my observations:
  • Many enterprises perform risk assessments. 
  • Several companies use COBIT, COSO, ITIL and NIST frameworks.
  • Majority of the organizations have a control library.

Here is my wish list: 
  • More companies should consider implementing a governance framework. 
  • Organizations should focus on control self-testing and process maturity assessments.
  • A broader adoption of best-practice frameworks such as OCTAVE, TOGAF, Risk IT, PMBOK, and Balanced Scorecard could benefit many organizations. 
What do you think?