j-j.co.za

On Thursday evening (5th August) I presented at the ISACA KZN Chapter meeting. As Chapter coordinator I have the privilege of finding speakers and venues, and from time to time an arranged speaker has other commitments and so is unable to make the presentation. I always try and keep a “backup” presentation of my own and this time around it was my (our) “Tale of two cities – or control frameworks” presentation that was first presented at the IT Web security summit earlier in the year. This time I did the presentation without the assistance of my colleague from Jhb,  David Volschenk, as he had other work commitments  which prevented him traveling to Durban for the day.

It IT Web we had 45m for the presentation and Q&A so where fairly time constrained and did not have much time at all for discussion or questions. At the Chapter meeting we had much more time to go through the presentation at a leisurely place, have discussion around certain aspects and make it a much more interaction (and fun) session.

There were about 20 people present, representing the consulting firms (EY, PKF, Deloitte), public sector and private sector.

Off the top of my head (I was presenting rather than taking notes the main areas of discussion were around :

• Getting executive buy in for the project
• Getting adequate funding
• Instilling change in an organisation where the maturity level is low and the corporate culture is such that the environment is generally poorly controlled
• What the drivers are for the implementation of a control framework, and particularly King 3 and how it is changing perspectives (creating the fire)
• The implications of King 3, and how they will drive change from the top (rather then it being left to middle management to drive failed projects)
• The apparent lack of understanding of King 3 on the part of directors, and how negative statements having to be made in the Annual Financials with respect to King 3 compliance could affect their reputations and those of the organisations they represent (or what happens if they “lie” and put in statements of compliance when they aren’t compliant). Company directors really do need to start taking notice of this.
• The implementation of control frameworks is a long term process, not a quick fix. Deciding 6 months ahead of the King 3 implementation deadline that the organisation needs to be compliant may be an impossible task

In “off the record” discussions after the presentation a number of consultants wanted to know if the failed company (Company B) was actually Company XYZ or Company ABC. The answer each time was know, it wasn’t that company, Company B was a combination of failed projects. That said, the names of companies mentioned by the other parties in each case also were not one of the companies involved in the combined “Company B”.  It seems there are a lot of failed control framework and security framework implementations out there.

I really enjoyed the presentation and the discussions that went with it. Thanks to all who attended for your attendance and participation. If you are interested in having further discussions around this, or have me meet with your directors to discuss further, please contact me.  j-j (at) worldonline (dot) co (dot) za or on Twitter.

Thanks to Ernst & Young for hosting the chapter meeting.

See you next time at PKF.

Justin

You can find a copy of the presentation in the original article or directly here. More on King 3 here. And get a copy of the King 3 report from the IOD website.