I take a different view of IT governance—to me, it is all about enabling desired business outcomes efficiently, about ensuring that the money an organisation spends on IT is devoted to delivering a business outcome, no more and no less. So, good governance is more about saying "yes you can do this because it is good for the business" than saying "No, haven't done that before, it looks risky". Of course, the conventional controls are still important—systems that don't work waste money, facilitating fraud, doesn't deliver a good outcome for an ethical company and so on—but it should be 'just enough' control, to show that risk is being managed effectively.
One often overlooked area of poor governance is the end-user experience. How much time is wasted by people ministering to their desktop computer, installing patches (waiting to get their machine back if it needs to reboot), dealing with the virus threat, updating software and so on? Or, how much time wasted fighting a PC so locked down that they can''t do what they want to do for the business?
I confess that I very much liked the idea of the last-century network computer. One of its problems was cultural—users liked having their 'own' desktop computer that they could play with and which wasn't controlled by the corporate police, but that was then. Companies control their desktops these days and people are used to using browsers and smartphones for real work—so the all-singing all-dancing desktop PC is becoming seen as an expensive acronism. Inflicting it on the end user might be seen as poor governance.
In the vanguard of the new way of computing (which at a high level looks a lot like Network Computing as espoused by Oracle, Sun, IBM etc., to me, although the technology is somewhat different) is Google with its Chrome OS devices. These are largely being promoted as consumer devices, but Jon Hunt, of Point to Point, tells me that it has a customer rolling out Chrome OS over the enterprise, as an alternative to upgrading its Windows XP environment to yet another, different, version of Windows. What makes this appropriate to the enterprise, Jon tells me, is the often-overlooked Chrome management console—and the availability, when the browser isn't enough, of mature software virtualisation solutions from the likes of VMware and Citrix (although running these with an optimal user experience, while very possible, does need access to the right skills and experience).
From a governance point of view this looks intriguing to me—promising a better browser-based user experience (with more Freedom to work the way you want), with less overhead and with 'just enough' control (to enable Trust between employer and employee). I'll be following developments with interest.