In today’s rapidly changing digital environment, ISACA’s COBIT framework is designed to help enterprises understand how to obtain value and manage risk relating to information and technology. Rather than providing in-depth detailed guidance for specific domain experts, the COBIT approach provides a set of objectives that ought to be fulfilled. These objectives are understandable to anyone at a management level and relevant to enterprises of all sizes, whether commercial, not-for-profit, or in the public sector.
Based on analysis of all the available standards, frameworks and accepted good practices, COBIT provides a common language at the level of what to do strategically, covering the entire scope of an enterprise’s use of technology. The scope covers the whole business, IT functions and technology providers end-to-end: everything that is needed to effectively govern and manage information and technology. Its high-level, non-technical presentation enables managers to understand what is required without depending on silos of technical experts. The content is cross-referenced to more detailed sources such as ITIL and TOGAF. Maturity models and metrics provide management with tools to monitor performance.
COBIT has evolved over the past 20 or more years to be one of the most useful frameworks at a time when there has never been a bigger focus by business leaders on the use of technology. It helps position other practices properly in the minds of management by de-mystifying important topics such as security, architecture, change management and value management. This has expanded training opportunities not just for COBIT but also for other key practices as well.
Unfortunately, however, COBIT has not always been well understood in the market. The ISACA legacy of originally being an Auditor’s Association has made some believe that COBIT is just an Auditor’s framework. The emphasis on GRC in recent years has resulted in a perception that COBIT is a compliance framework, especially in North America. COBIT training opportunities may have been missed because we have too often limited ourselves to traditional IT technical roles and we have probably not properly explained the value that COBIT provides.
The use of technology is changing beyond recognition compared to only a few years ago. We now talk about robotics, AI, drones and data analytics and the need to handle vast amounts of information in networks and the cloud. Enterprises are shifting away from developing and managing software and infrastructure to renting applications and business services in the cloud. IT departments are shrinking, and a broader range of professionals skilled at leveraging technology for business value is emerging. New training opportunities are appearing with new role players in business who need to better understand how technology and information should be managed.
Lastly, training companies, exam institutes and trainers themselves may not have helped market perceptions of the value of COBIT and other frameworks by over-focusing on exams and certifications rather than explaining the business value of the practices and guiding adoption and strategic improvement in training classes. Certifications based on just a few days of training have also falsely labeled some technology professionals as experts, reducing management trust. COBIT, unlike most other frameworks, has several associated real certifications offered by ISACA depending on the professional’s focus, such as CGEIT for governance and management, CRISC for risk, CISA for auditors, and CISM for security.
There is a misconception that such certifications were designed for IT specialists, but these are not the only ones in need of training. Business users and managers need it too. By bringing together these two groups, who have for years suffered from chronic communication issues, enterprises become more capable of using technology and information as critical elements of strategic success.
Positioning COBIT Strategically
- Position it in the context of business needs. The focus should not be just on the development of one’s CV or career or even just skill but advancing enterprise capabilities.
- Focus on business drivers and risks. COBIT presents a model called ‘Goals Cascade’, supported by a toolkit, that helps to link good practices to strategic objectives in different scenarios and to some of the risks that worry senior management.
- Identify root causes. We could all be doing a better job at identifying the reason behind the challenges that we face. Often, the answer revolves around good practices not being followed. The COBIT framework helps to apply good practice and measure maturity when looking at problems of accountability, immature process, lack of good control and discipline as well as lack of skill to do all these things. COBIT guidance is non-technical and management oriented.
- Emphasize the importance of COBIT communicating in a non-technical language to decision makers. Use plain language and business terms regardless of the technical complexity of what is being addressed, whether it is architecture, security or any other topic.
Focusing on the key points mentioned above leads to the creation of buy-in with senior management. Additionally, it justifies the importance of up-skilling and improving capabilities. It generates the business case and creates a proper program of improvement to get the IT capabilities at the level management requires.
- Move up the value chain with COBIT. Talk to the right people, who are likely to be the buyers, and build relationships at the right level. Discuss at Board and Executive level as well as with Risk and Audit committees. Work with CIOs who have the trust of their business colleagues.
- The whole idea is to focus on the enterprise and not only on the students to fill seats. Deal with the management, not just the HR/L&D departments.
- COBIT classes are perfect for mixing business people, from top management to business executives and professionals with IT managers. It’s not unusual at all to train COOs, CIOs, and Heads of Audit in Foundation classes.
- When possible, focus on in-house classes to connect to the enterprise context. Running 5-10 classes with single clients is desirable, as that triggers the perception of other areas that probably ought to be up-skilled. It often leads the learners to ITIL, TOGAF, Cloud, Security, etc.
An approach that encompasses the points above widens the audience and allows top management to see the value of the framework (often for the first time). When the top understands the value, the whole cycle of involving more training becomes a natural progression. It needs to be made clear that training is done for a purpose rather than for certification’s sake. In the process, further trust in trainers is developed.
Sell the Enterprise Benefits
Sales golden rules:
- If there is no real need, there should be no training. Identify IT pains and issues that may arouse interest.
- Irresistible propositions create a need to adopt better practices. Communicate how COBIT training helps solve business needs.
- Close the sale. Workshops that clarify the value of the training and explain how it may minimize risks demonstrate the benefits to be gained. Make sure after the sale to follow up and show commitment for shared results.
You can watch a webinar where I get into more detail here.
About the author
Gary has over 40 years of experience in the IT industry, and is recognized globally as an expert and thought leader in gaining business value from technology. He has helped private and public sector enterprises around the world to deliver improved governance and management practices. Gary is Ambassador for the Business Relationship Management Institute in sub-Saharan Africa. Gary was one of the originators of the COBIT initiative in 1992 and has been a key member of ISACA’s COBIT development team for the past 20 years.
He has been a lead developer of all the COBIT versions including COBIT 5, has acted as an advisor to ISACA, and is the author of many of the ISACA IT governance guidance publications. He is often referred to as “Mr. COBIT”. Gary was instrumental in initiating the COBIT education program in 2003 and is the architect of the ITpreneurs IT governance education portfolio. Gary has a Computer Science degree and has worked as a systems analyst, project leader, computer audit manager, consultant and Director for Gulf Oil, British Aerospace, Deloitte and Touche, Zergo, and Arthur Andersen. Gary is the Owner and Director of IT Winners in South Africa.