Are you tongue-tied when it comes to communicating the impact that IT is having on positive business results or negative business risks? You are not alone if you said yes.

Recently published research conducted by the IT Policy Compliance Group reveals that nearly half of organizations (47 percent) effectively communicate the impact IT is having on the organization, while the other half (53 percent) do not.

In which group do you belong—the one in two whose communications are ineffectual or the one in two whose communications influence decisions?

Communicating the impact of IT—both good and bad—is apparently not done well enough, or frequently enough, by organizations. And, both the quality and frequency of communications about IT are directly related to the size of the budget being allocated to IT and information security functions.

Communication and Spend on IT

As one CEO stated, “Until they (IT management) presented what it (IT) meant to me, I ignored it (IT). After I got it (the information), we increased spending in some areas pretty dramatically.”

Sounds like an obvious assertion: if you communicate more, you’re more likely to see increased spending on more relevant areas of the business. And, given that information systems and IT are used to operate and manage more business procedures today, it would seem to be axiomatic that increased spending on both IT and information security would be a given. But the research shows this assumption is only true among the organizations where specific kinds of reporting and communications, among other practices, are implemented.

The research findings reveal that those with the largest budgets are not just paper-reporting tigers that know how to manage upwards. Rather, these are the same firms experiencing the fewest incidents of data loss or theft, the fewest problems with audit in IT, and the least amount of unplanned business downtime due to hiccups and problems occurring in IT. Additionally, these are the same organizations with the best top-line results (revenue and profit) relative to their peers.

It is important to learn what the best performers do about communication and reporting related to IT. Almost all of these firms (eight in 10) say their reporting and communications about IT influences the decisions being made about IT by senior management, senior business leaders and other stakeholders. In contrast, eight in 10 of the worst-performing organizations do not report or communicate the value, or the risk, of using IT to anyone.

ITPCG’s new report, “Data Driven Reporting and Communication About IT:  Better Results, Less Risk” includes findings on:

• Business benefits and risks of using IT
• Communicating value and risk
• People involved in making decisions
• Focus of communications and reports
• The communication secrets that work
• Information that is gathered, stored and analyzed

I encourage you to read the report and find out about the data-driven reporting and communication techniques of the best performers. Learn what to do to make IT integral to the business of your organization, and make information security and IT audit business-relevant to stakeholders.

Jim Hurley
Managing Director, IT Policy Compliance Group

We welcome your comments! Please log in using the Sign In link at the top right of this page and then leave your comment in the box at the end of the post.

To view all blog posts, please click on the ISACA Now link in the blue box on the left.