
The Stick - or just the threat

In part one of “The Stick” we explored various types of consequences that can be administered. My opinion, based on my management experience, is that consequences must be consistently applied. In fact, harsh consequences that are randomly applied are less effective than light consequences that are consistently applied.

The surprise, based on our IT controls performance research, is that the consistent application of consequences does not align with many IT organizations’ overall posture on IT controls.

In our survey, we asked about management’s emphasis on IT controls. Overall, the answers were mixed almost 50/50. 49% felt controls were “important” or “very important” to management. 51% felt IT controls were “reasonably important” or “not important”. Of those that felt controls were important, 72% had defined consequences for “intentional unauthorized changes”. Of those that felt controls were not as important, almost the opposite was found: 70% did not have defined consequences. So far, nothing surprising. Most organizations that have a strong management commitment to IT controls have defined consequences for not following the controls.

The surprise to me was how many of those organizations DID NOT consistently enforce the consequences. 60% of them, to be exact. 60% of organizations we surveyed that have management that views IT controls as important, and that have defined consequences, enforce those consequences “never” or only “sometimes”.

Seems like a lot of work to implement IT controls, define consequences for not following controls, then not enforce the consequences. The purpose of IT controls is to create a repeatable process or procedure to address a specific objective. If staff don’t consistently follow the defined process, then results are not going to be repeatable or predictable.

Next week we’ll look at the data to see if the use of the stick, and not just the threat of the stick, correlates to actual results.

Please post a comment if you know of research in this area of consistent use of consequences.

 

Published Wednesday, January 17, 2007 5:13 PM by kurtmilne