Technology governance

Information technology (IT) is critically important for most organisations, including as an enabler of communications, business efficiency and information storage. Governing technology investment, risks and opportunities is an increasingly important part of a board’s digital leadership role. The board’s fiduciary duty of care to protect the company’s assets includes protecting information and other digital assets. 

Technology governance

The technology governance directorsbrief explores the board’s role in digital leadership, which includes ensuring innovation, technology and associated risks are considered as part of the board’s strategic role. It includes questions and pointers to help directors protect information assets, manage cyber security risks, influence technology performance and enhance strategic oversight.

For an overview of the board’s IT governance role see pages 123-124 of the Four Pillars of Governance Best Practice.

Corporate Governance of IT International Standard (ISO 38500) provides an overview of the legal, regulatory and ethical obligations in IT for directors. The standard provides a framework for directors to use when evaluating, directing and monitoring IT in their organisations. Standard ISO 38502 (2014) provides information about the nature of, and relationships between, governance and management in relation to IT. The standards can be purchased through Standards New Zealand.

The Government Chief Information Officer (GCIO), Colin MacDonald, has functional leadership for government ICT, and is responsible for ICT-enabled transformation across government agencies to deliver better services to citizens.

Institute of IT Professionals NZ is New Zealand's leading body for those working or studying IT related fields. For IT news and views go to the IITP Techblog. The IITP IT Governance Taskforce was established in 2013 to help raise awareness of IT governance with directors.

iStart is a New Zealand ICT research hub. Although more focused on technical information there is also some governance information, such as a 2013 feature article, Mind the gap, which questions if there is enough understanding of IT at the board level and suggests questions for board members to ask about IT.

ISACA is a global non-profist association with resources focused on information security, assurance, risk management and governance.

A video interview with Paul Willmott, director of McKinsey & Co about the opportunities and threats presented through the evolution of digital technology.

Cyber and information security

Cybersecurity issues should be at the forefront of board and risk committee agendas. With technology now at the centre of nearly all business processes, information security is no longer simply an operational concern. Thousands of IT systems are compromised every day around the world. The financial, operational, legal and reputational risks posed by cyber-threats are serious. No organisation is immune to these risks.

The IoD’s Cyber-Risk Practice Guide provides boards with five useful principles to help them understand and monitor cyber-risk, develop strategies for seeking assurance, and oversee management. It also poses critical questions directors have a duty to ask. Members can download the guide here.

This  is based on the work of our colleagues at NACD who produced a comprehensive guide, which can be downloaded here.

The institute of Internal Auditors Research Foundation also adapted the core principles for auditors and their paper is available here.

National Cyber Policy Office advises the government on cyber security policy and strategies. It is also responsible for leading international engagement on cyber security and facilitating coordinated engagement with the private sector on cyber security policy issues.

A refreshed New Zealand Cyber Security Strategy, accompanying Action Plan, and a National Plan to Address Cybercrime, were released on 10 December 2015. This new Strategy signals the Government's commitment to ensuring New Zealand is secure, resilient and prosperous online and is available on the DPMC website.

New Zealand’s Connect Smart website (a cybersecurity initiative launched by the National Cyber Policy Office in June 2014) encourages taking proactive steps to protect against cyber threats and includes resources to help boards to put cybersecurity on the agenda, before it becomes the agenda.

MARSH launched a series of videos in connection with Connect Smart week 2015. The short clips provide a concise overview of enterprise cybersecurity risk in New Zealand.

In 2012 the Australian Department of National Defence issued guidance regarding a set of 35 controls that avoid, counteract, or minimize security risks. Research conducted in 2013 by the AFCEA Cyber Committee revealed that the first four of these controls are effective in protecting against 85% of the targeted cyber intrusions addressed by the DND Defence Signals Directorate, in addition to improving both operational effectiveness and cost efficiency.

The Verizon Data Breach Investigations Report (DBIR) is an ongoing investigation into nine common cyber-threat patterns and how they evolve over time. The 2015 report additionally addresses the effect mobile malware has on data security and better estimates of the financial impact of a data breach.

The research noted above by the AFCEA Cyber Committee, (The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment) is an excellent resource which presents a framework for investment in cybersecurity controls and mitigation strategies. This framework is extended to account for more sophisticated threats in “The Economics of Cybersecurity Part II: Extending the Cybersecurity Framework

The Internet Security Alliance has also conducted research into the sophisticated management of Cyber Risk and, sponsored by AIG, produced this report in 2013.

The UK Government’s 10 steps to Cyber Security provides guidance on information risk management and recommends applying the same level of rigour to assessing risks to information assets as to legal, regulatory, financial or operational risk.

Information Security Governance: Guidance for Boards of Directors and Executive Management (2006) by the IT Governance Institute in the USA provides guidance on what information security governance is, why it’s important and how to deliver effective governance.

The World Economic Forum at Davos, in collaboration with Deloitte and building on previous work focused, in 2014 and 2015 on identifying critical risks to organizations and potential steps to cyber risk quantification models. The result was a report entitled “Partnering for Cyber resilience: Towards the Quantification of Cyber Threats”. This article provides an overview of the exercise.

The National Institute of Standards and Technology (USA) have produced this Framework for Improving Critical Infrastructure Cybersecurity

Research by McKinsey and the World Economic Forum points to a widening range of technology vulnerabilities and potentially huge losses in value tied to innovation. Read the report here.

Additionally, this McKinsey & Co article explores why, despite increasing awareness of the growth in the risk of cyber-attacks, few companies are making the right organisational shifts to protect critical information. The leadership of senior managers is a key factor.

One of the most significant data breaches of 2013 and the most significant hack in American retail history was that of Target. A good overview of this case-study is provided by the Bloomberg Business Week, here.

For interested readers, the Target consolidated class action complaint can be found here.


The Privacy Act 1993 has strict rules applicable to the accessing of data and the protection of individuals’ privacy.

The Privacy Commissioner administers the Act and provides guidance and resources to assist with privacy compliance. The Government has signalled its intention to reform the Privacy Act which could include the Commissioner ordering agencies to fix business practices that breach the law. For information about the proposed law reform see here.

The 2012 Independent Review of ACC’s Privacy and Security of Information recommended improvements to ACC’s privacy and a management practices as a result of a serious breach in 2011 involving the unauthorised disclosure of details of 6,748 clients.

The 2013 (March) boardroom article, Privacy protection, highlights the importance of having systems and procedures in place to avoid privacy breaches.

Privacy law in Australia

In March 2014, significant changes to Australia’s Privacy Act came into effect. Not only must directors and boards comply with the new Australian Privacy Principles (APPs), they need to demonstrate this compliance. For coverage of the Australian privacy legislation and what it means for directors in Australia go to the Australian Institute of Company Directors website.

Social media

boardroom has a series of articles that discuss the social media and the need for boards to understand developments, risks and opportunities:

Board role and competency

In 2012 the Canadian Institute of Chartered Accountants published the second edition of the publication 20 questions directors should ask about IT. The focus here is on the role of the board in governing information assets, the appropriateness of the organisation’s information asset strategy and managing performance and risks relating to information assets.

The 2013 boardroom article, Are boards flying blind on enterprise technology governance?  by Elizabeth Valentine, asks if directors and boards have the necessary governance mechanisms for effective enterprise technology governance.

Elizabeth Valentine’s research and commentary on enterprise business technology governance (EBTG) and board competency can be found here.

See also Elizabeth Valentine’s presentation at the IoD in June 2014, Digital leadership: the board’s role.

Governance of Enterprise Security: CyLab 2012 Report – How Boards & Senior Executives are Managing Cyber Risks (by J R Westby). The third since 2008, these surveys  explore the degree to which board of directors and senior management exercise governance over cyber security and privacy. The 2012 report shows concerning low levels of active management of cyber risks and recommends how to best exercise such governance.

Disruptive technologies

Scott Bartlett, CEO of Kordia Group, shares his views on the three technology trends every business leader should focus on in 2018. In this three part video series, Scott discusses why the Internet of Things (IoT), cyber security and machine learning are the 'ones to watch'. Watch the three part series here.

Deloitte Directors’ Alert 2014, Boardroom strategies in an era of disruptive change, examines changes likely to affect organisations and boards in 2014.

The National Association of Corporate Directors (NACD) – Disruptive technologies – what boards need to know – is the US equivalent of the IoD and contains a number of useful resources on the subject.

In 2013, Simon Moutter, CEO of Telecom, talked to IoD members about the massive changes in technology that are currently taking place in the world, what they have meant to Telecom, what they might mean to other organisations and to their directors, and what Telecom is doing about this.

The Auditor-General’s 2012 report, Realising benefits from six public sector technology projects, showcases the use of technology to deliver faster, cheaper, and more convenient public services, such as emergency financial support following the Christchurch earthquakes and SmartGate at airports.

A 2014 Monitor Deloitte report, More growth options up front, discusses how big data can enable decision makers to consider growth options which were previously unimaginable.

IT projects – oversight and governance

Reports on major public sector IT project failures such as Novopay provide lessons for improving governance and oversight of IT projects and investments.

Treasury’s Major Projects Assurance Group oversees major projects in the public sector and the website has information about monitoring, the Gateway process and project delivery.

Technology terms

Definitions have been primarily sourced from the 2011 New Zealand Cyber Security Strategy and from

Big data
Big data is an evolving term that describes any voluminous amount of structured, semi-structured and unstructured data that has the potential to be mined for information.

A blog (short for weblog) is a personal online journal that is frequently updated and intended for general public consumption. The format is a series of entries posted to a single page in reverse-chronological order.

A network of compromised computers running malicious programmes under a command and control infrastructure.

Cloud storage
Cloud storage is a service model in which data is maintained, managed and backed up remotely and made available to users over a network (typically the Internet).

Cyber attack
An attempt to undermine or compromise the function of a computer-based system, access information, or attempt to track the online movements of individuals without their permission.

Cyber crime (or computer crime)
Any crime where information and communications technology is:

  • used as a tool in the commission of an offence
  • the target of an offence
  • a storage device in the commission of an offence.

In New Zealand, some of the most common examples of cyber crime include fraud, identity theft and organised crime.

Cyber security
The practice of making the networks that constitute cyber space as secure as possible against intrusions, maintaining confidentiality, availability and integrity of information, detecting intrusions and incidents that do occur, and responding to and recovering from them.

Cyber space
The global network of interdependent information technology infrastructures, telecommunications networks and computer processing systems in which online communication takes place.

An attempt by an unauthorised person, whether successful or not, to access an information system, usually for malicious purposes.

Hacktivism is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose.

Identity fraud
Any offence involving the misuse of a personal identity. The majority of identity crime is committed with the help of computers.

Information assets
The UK National Archives defines an information asset as a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

Intellectual property
Includes a diverse range of commercially valuable assets including patents for new inventions, trade marks for marketing goods and services and copyright works like photographs, prototype drawings, literature and music. In business terms, intellectual property means that proprietary knowledge – a key component of business success – is protected.

Internet service provider (ISP)
An organisation that provides access to the Internet, commonly using copper, wireless or fibre connections.

Malicious software or potentially unwanted software installed without informed user consent, generally covering a range of software programmes designed to attack, or prevent the intended use of information and communications networks.

A form of Internet fraud that aims to steal valuable information such as credit card details, user
IDs and passwords by tricking the user into giving the attacker the confidential information.

Privacy can mean different things to different people. A common understanding reflected in New Zealand laws includes the ability for people to protect information about themselves. Go to Privacy Commissioner for more information. 

Ransomware is malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key. It spreads through e-mail attachments, infected programs and compromised websites. A ransomware malware program may also be called a cryptovirus, cryptotrojan or cryptoworm.

Deceptive, uninvited contacts or promises designed to trick people into giving away their money or your personal information.

Social engineering
The practice of obtaining otherwise secure information by tricking, exploiting human traits of trust and helpfulness, or manipulation of legitimate users.

Social media
Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, and wikis are among the different types of social media. Well known examples of social media are Facebook, Twitter, Wikipedia and LinkedIn.

The use of electronic messaging systems (including most broadcast media, digital delivery systems) to send unsolicited bulk messages indiscriminately. The most widely recognised form of spam is email spam.

Spyware is any technology that aids in gathering information about a person or organisation without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.

A computer program that disguises itself as a useful software application, whereas it’s true purpose is to carry out and run a hidden, harmful transmission of material across a network.

A self-replicating program that spreads to other users by inserting copies of itself into other executable code or documents.