As technology evolves, how do businesses in various industries ensure that their IT infrastructure remains scalable, adaptable, and secure, and what strategies can be employed to navigate the challenges of legacy systems while embracing emerging technologies?
First of all, organisations need to classify IT infrastructure and categorise based on criticality. In addition, they should determine the ownership of the infrastructure (business-enterprise) and who maintains the asset (internally, third party, fourth party). Following this, they should establish a profile of the infrastructure that has ownership classification and determine the KPIs for performance and security according to a matrix based on the classification level.
The strategy of legacy systems is to use the data in the legacy system to build a learning system to help decision making from data. Then, after understanding the decision, businesses should build a vision based on the story of data that can be used for emerging technology.
How can organisations align their IT strategies with broader business objectives to drive innovation and efficiency, and what role does effective IT governance play in ensuring the seamless integration of technology into business operations?
The organisation needs to have two different development teams based on the strategy and vision of the organisation. One is a business team who collects business requirements and analyses them so that a technical team can build a solution for the business, which then goes through multiple separate tests (user test, technical test, security test) to confirm it satisfies the business and security requirements. They can communicate with each other through a tool that helps to build a story and sprint for developing these requirements in an iterative cycle.
The role of IT governance is to establish a committee for technical change management to prioritise changes according to strategy priorities and the resources required for this change. It should also identify ownership of changes and the ways of communication in case of any matters.
In the context of cybersecurity, how do businesses approach the delicate balance between safeguarding sensitive information and maintaining the usability and accessibility of digital assets, especially considering the diverse cybersecurity challenges across different industries?
First, we need to categorise and classify the information in the system to determine which system is highly critical and which is not; this helps to implement security controls in an efficient way. If we don’t know how critical our information system is, we cannot focus on what we should protect first. If we know which system is critical, we can provide the protection based on the classification of data according to the matrix.
With the rise of remote work and increasing cyber threats, how can organisations ensure a resilient cybersecurity posture, and what proactive measures can be taken to address emerging threats in a rapidly evolving digital landscape?
We need to know who is accessing the system and whether they have a legitimate right to access it. Also, we need to know if they are using a safe device to access the system. Many controls could be applied, but first the system classification and the information it holds give the system more priority when it is accessed remotely. Sometimes the system cannot be accessed outside a certain geographical area for regulatory and security reasons.
In the realm of GRC, how can organisations strike a balance between fostering a culture of innovation and ensuring robust governance structures to effectively manage risks and comply with regulatory requirements?
The organisation needs to have a risk management methodology that describes threats and opportunities and then determines the risk tolerance, appetite and capacity according to strategic and operational goals and objectives. Having good governance of risk management helps organisations determine when to tolerate, transfer, terminate, treat, exploit, enhance, or share a risk.
Considering the global landscape, what challenges and opportunities does the convergence of Governance, Risk Management, and Compliance present for organisations, and how can they leverage integrated GRC strategies to enhance overall business performance?
It is important that GRC is integrated with other control functions in the organisation such as internal audit, cybersecurity etc. Also, GRC needs to be integrated within the business in case of any new changes that could affect the organisation. Linking the risk appetite with strategy and KPIs in all levels of strategy and operation can help organisations understand potential risks early and support them in achieving their goals.

Fahd Baawadh is the Internal Audit Team Leader at the Real Estate General Authority (REGA) of Saudi Arabia. He specialises in Cybersecurity and is certified in IT & Cybersecurity Audit, Governance, Compliance & Risk Management. He works in Audit Management as a team leader, performing audit engagements from the planning stage through to following up remediations. He has 17 years of experience in Healthcare IT, enterprise GRC, and Audit.