Corporate IT strategy

Tom Sangala October 11, 2017

411 2 minutes read

Do you have an established company IT strategy? If not – why not? Do you know that most public or private limited financial services companies are required by international law to have such a strategy – and this strategy needs to be reviewed by the country’s central bank? If you do – when was the last time you reviewed this?

Did you pay particular attention to malware protection – especially in view of the ransomware attacks experienced globally, and in Malawi – in the recent year? What about cyber security – especially with regard to a greater adoption of bring your own devices (BYOD) in the workplace? User training and skills building? Have you considered the future of your service offerings in the mobile arena? So – let us start with some structured scrutiny.

Does your IT infrastructure reflect your user and business needs? IT enables efficiencies, and efficiencies lead to increased success through cost savings and an increase in performance. Do your users have the tools and services to maximise their efficiency? What I find in many organisations is that senior management sport the latest “tooled up” equipment and often the business critical users back office users are lumbered with inferior equipment. This reduces efficiencies throughout the organisation.

In my opinion, senior managers should be concentrating on making executive decisions on the company performance information available to them. This does not require them to have the latest, greatest devices. This information is usually prepared and input by more junior employees, who need devices with the capacity to input and process information speedily. This may make the efficient computer manager unpopular with management, but an objective assessment of IT need is a must.

A second, and ever growing priority is assessing risk at the workplace. Risk mitigation requires that you look at each and every “disaster scenario”. From power outages, to major hardware crashes, from SLAs with your ISP, to backup and disaster recovery procedures. What happens to your business if your server room is burgled or catches fire? Your strategy document should outline a resolution for each of these scenarios – with responsibilities allocated to properly skilled staff in each event.

An important drill is to simulate a disaster during an off-peak period, so that you and management have a clear idea of the extent of downtime for each scenario. Risk and security control also need to consider both internal and external threats to your business. External threats include malware and remote hacking attacks. What protection does your infrastructure have against these?

Is your anti virus solution up to date? Does it report on security vulnerabilities across your network on a regular basis? How do you identify and protect against high risks online activity by your company users? Are your licences legal and patched?? What security policies does your financial applications provider or your ISP have in place? Internal threats include users deliberately or unknowingly providing access to your data to external organisations. Data theft is a major issue.

Users providing access to confidential information through the unwitting abuse of your infrastructure is as important. To this end it is imperative that you have a User IT policy in place. This clearly guides and informs users on how they use the company IT resources. For example, are there policies on removable media in the office? Remote access, internet downloads, social chats and password structures?

How timely are you in locking down user profiles for departing employees? How frequently are IT audit trails examined? This is the time to make a case and confirm management buy in for a proactive IT strategy. A number of other areas, such as internal and external communication, also need to be looked at in detail – IT strategy definition is a dynamic process and extends across every area of your company. Start controlling technology pro-actively before it controls you.