© 2012 IBM Corporation
Five IT risk management practices of companies with excellent reputations
How security and business continuity can shape the reputation and value of your company
IBM Global Technology Services
Oct 19, 2014
- Definition of IT risk and reputational risk
- Findings from the 2012 Reputational Risk Study
- Financial implications of security breaches
- Recovery from reputational damage
- Five characteristics of companies with excellent reputations
- Ten essential practices and how they can help

Today's speaker
Philip Kibler, IBM GTS Director, Cyber Security Assessment and Response
Phil has 31 years of IT experience and has led the IBM Professional Security Services business since 2007. Recently he has been focusing on cyber threats and intelligence and marshaling the resources of the IBM Corporation to support clients globally in dealing with the growing cyber storm.
Reputational risk and IT: what is reputational risk and why should you care?
Reputational risk: a type of risk related to the trustworthiness of a business. Damage to a firm's reputation can result in lost revenue or destruction of shareholder value, even if the company is not found guilty of a crime. Reputational risk can be a matter of corporate trust, but also serves as a tool in crisis prevention.
Source: http://en.wikipedia.org/wiki/Reputational_risk
Equation taken from the International Centre for Financial Regulation
Reputational risk and IT: how do we define IT risk?
IT risk comprises a number of core components:
- Security and privacy
- Business continuity and disaster recovery
- IT compliance
- Supply chain
- Business transformation
- Product assurance
Reputational risk and IT: introduction
To find out where and how IT makes its biggest impact on reputational risk, IBM conducted a worldwide study.
#1 IT risks have a major impact on a company's reputation
#2 Companies have rising IT risk concerns related to emerging technology trends, e.g. cloud and social media
#3 Companies are integrating IT risk and reputational risk management, with the strongest focus on threats to data and systems
Study demographics
- Conducted by the Economist Intelligence Unit, paid for by IBM
- 427 respondents from around the world
- 23 industries
- 15 job titles
- Company sizes from under $500M to over $10B
IBM factors reputational risk into the domain of IT security risk.
Security risk management is the application of controls to detect and block the threat, to detect and fix a vulnerability, or to respond to incidents (impacts) when all else fails. Reputational risk becomes a factor in the evaluation of the potential impact.
Risk exists when a threat (actor) can exploit a vulnerability (weakness) and cause an impact (loss).
Reputational risk and IT: what you can do now
The study identified the 5 key characteristics of companies reporting excellent reputations.
1. Defining characteristic: have a special emphasis on reputational risk with the support of senior management, and have an effective escalation and reporting process
- Integrate IT into reputational risk management
- Have strong/very strong IT risk management capacity
- Have adequate IT risk management funding
- Very strenuously require the supply chain to match standards
- Are very confident/confident in IT risk management related to data breach/data theft
[Chart: share of organizations with each characteristic, broken out by self-reported reputation (Excellent / Very good / Average or worse). Bar values shown on the slide, in the order extracted and without a recoverable mapping to characteristics: 83%, 84%, 78%, 58%, 83%, 81%, 63%, 59%, 38%, 71%, 64%, 28%, 36%, 33%, 42%, 23, 45.]
Reputational risk and IT study: security findings
In the recent IBM reputational risk and IT study, security factors are ranked #1 among IT risks that can cause reputational harm.
- of respondents identify and manage reputational risk as part of their IT security operations
- of respondents very strenuously require third-party sources to match their level of IT security
- of respondents included data breaches, data theft and cybercrime among the IT risks that are most harmful to reputation
Reputational risk and IT: perception vs. reality
80% rate their reputation as excellent or very good
17% rate their company's overall ability to manage IT risk as very strong
There seems to be a mismatch between how well companies rate their reputation and how well they are protecting it. There is room for improvement in almost every organization.
Reputational risk and IT study: security findings
We also found critical discrepancies between the confidence level and the availability of security threat intelligence to support that confidence.
Perception: are very confident or confident they can manage IT risks related to data breaches, data theft and cybercrime
Reality: have access to the latest security threat intelligence; are proactive in the management of the latest security threats
"IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization's survival."
— IT manager, French IT and technology company
Reputational risk and IT: perception vs. reality
Companies may be opening themselves up to unintended reputational risk by ignoring the impact of their partners.
Only 39% of companies are "very strenuously" requiring their vendors, partners and supply chain to match their levels of risk control.
- How many outside sources does your company do business with on a regular basis?
- How thoroughly have you communicated your IT risk mitigation standards to these sources?
- How are you monitoring your sources' compliance with your standards?
IT security industry analysts are quantifying and tracking the actual costs of a data breach.
Source: Ponemon Institute LLC, "The Impact of Cybercrime on Business," May 2012
Reputational risk and IT study: security findings
Well-publicized scenarios of financial and reputational impact due to security breaches are in the news every day.
- Payment processor: hackers intrude on the core line of business; nearly 130 million customers affected.
- Online gaming community: community and entertainment sites hacked; around 100 million customer records compromised.
- Retailer: customer data stolen over more than 18 months; at least 45 million records stolen.
Estimated costs as listed on the slide: up to $900M; up to $500M; $3.6B.
For illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimates are based on publicly available financial information and published articles.
Reputational risk and IT: perception vs. reality
The impact on "reputation recovery" is measured in months, not hours or days.
Reputation recovery time by incident type:

Incident type                                    0-6 months   6-12 months   12+ months
System failure                                      72%          17%           10%
Workplace compromise                                71%          18%           11%
Data loss                                           70%          17%           12%
Failure to align continuity plans with business     65%          21%           13%
Insufficient DR measures                            63%          24%           12%
Data breach                                         65%          19%           16%
Compliance failure                                  64%          22%           14%
Website outage                                      78%          14%            8%
IBM uses a ten essential practice approach to better manage IT risk and protect client reputations.
1. Risk-aware culture and management
2. Manage incidents with intelligence
3. Defend mobile and social space
4. Security-rich services, by design
5. Automatic security "hygiene"
6. Control network access
7. Address cloud and complexity
8. Manage third-party compliance
9. Secure data, protect privacy
10. Manage the identity lifecycle
[Diagram: maturity-based approach. Labels on the slide: Manual / Automated, Reactive / Proactive, Basic / Proficient / Optimized, Security intelligence.]
Reputational risk and IT: what you can do now
What can you do now?
- Be aware. Do a Risk Security Assessment for visibility and prioritization, as the basis for a proper risk management strategy.
- Be proactive. Manage against vulnerabilities for real-time protection against sophisticated attacks.
- Be prepared. Have an incident response plan in place to quickly respond to and remediate a breach.
Reputational risk and IT: what you can do now
Learn more about the reputational risk and IT connection, and how IBM can help you protect the reputation and value of your company.
- Download the full study report: it includes all you've seen today, plus other important findings. www.ibm.com/services/riskstudy
- Add your voice to the discussion: take the reputational risk survey online and get a complimentary copy of the upcoming expanded report. Scan the code or go to bit.ly/ibmrisksurvey
- Learn more about IBM's Ten Security Essential Practices: ibm.com/smarter/cai/security

Thank you for attending!
© Copyright IBM Corporation 2012
IBM Corporation, IBM Global Services, Route 100, Somers, NY 10589 U.S.A.
Produced in the United States of America, August 2012
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.