© 2013 IBM Corporation
Reputational risk and IT in 2013: How to protect brand value with security and business resiliency
Presenter
Date
Patrick Mcilwee FBCI, FICPEM, BSc, MBa, MRs
International keynote speaker
Nearly 30 years in industry
4575 events successfully handled
Author
Fellow of the BCI
Fellow of the Institute of Civil Protection & Emergency Management
Agenda
Why reputational risk is a critical issue
What IT risk factors most impact reputation
Six key recommendations for effective reputation and IT risk management
OPTIONAL SLIDE
Presenter: Add a slide on a recent or high-profile incident relevant to your customer / audience
Reputation has a definable value — much like brand value — that can be diminished by IT risk-related events
-21%: The economic value of a company’s reputation declines an average of 21% as a result of an IT breach of customer data*
*“Reputation Impact of a Data Breach: U.S. Study of Executives & Managers,” Sponsored by Experian® Data Breach Resolution Ponemon Institute, November 2011.
“Underestimating the cost of reputational risk greatly exceeds the cost of protection.”
Finance manager, American financial services company
Economic value assigned to corporate brand or reputation*: US$1M, US$10B, US$1.56B (average)
The impact on “reputation recovery” is measured in months, not hours or days like recovery time objectives (RTO)
Risk factor: 0-6 months / 6-12 months / 12+ months
Website outage: 71% / 12%
System failure: 68%, 8%
Mobility (BYOD): 68% / 14% / 10%
Data loss: 64% / 14% / 10%
Inadequate continuity plans: 54% / 22% / 10%
Insufficient DR measures: 56% / 20% / 11%
New technology: 58%, 13%
Data breach: 59% / 16% / 13%
Compliance failure: 56% / 19% / 12%
Poor IT skills / tech support: 59% / 18% / 11%
6%, 15%, 15%
Study findings (2013 data)
In partnership with the Economist Intelligence Unit, IBM has been studying the business perspectives of IT risk since 2010
2010 2011 2012 2013
IT security and system availability are key concerns
IT risk management lacks executive support
Emerging trend: holistic IT risk management
Compliance is an IT risk issue
CIOs and IT managers chief stakeholders
IBM Global Reputational Risk and IT Study 2012 and 2013
Findings of the study: IT is a key safeguard to protecting against reputational harm
Implications of the study: what you can do to protect your reputation
Our most recent worldwide study examined where and how IT is affecting reputational risk — and where the gaps are
Largest study to date examining the relationship between IT and reputational risk
Initial survey of 427 respondents was conducted by the Economist Intelligence Unit on behalf of IBM
Additional 175 participated online at an IBM survey website
Respondents: 604
North America, 47%
Europe, 23%
Asia Pacific, 19%
Middle East/Africa, 6%
Latin America, 4%
Industries: 23*
Banking, 18%
IT/Tech, 13%
Energy/Utilities, 10%
Insurance, 9%
Financial Markets, 9%
Professional Services, 5%
All others, 36%
Job titles: 15*
IT manager, 33%
CIO/CTO/Tech director, 11%
CEO/President/Managing Director, 10%
CRO/Risk Director, 2%
Other C-suite, 10%
SVP/VP/Director, 11%
Other non-C-suite, 23%
Company sizes: 5
$500M or less, 35%
$500M to $1B, 14%
$1B to $5B, 15%
$5B to $10B, 9%
$10B or more, 26%
*Top responding categories shown.
Data breach tops the list of IT risk factors that can cause the most reputational harm
Top three IT risk factors harmful to reputation
Data breach: 62%
System failure: 45%
Data loss: 40%
Study findings (2013 data)
Based on study findings and IBM IT risk management expertise, we recommend six key initiatives
Six keys to effective reputational and IT risk management
1. Put someone in charge
2. Make the compliance connection
3. Reevaluate the impact of social media
4. Keep an eye on your supply chain
5. Avoid complacency
6. Fund remediation; invest in prevention
1. Put someone in charge
Study findings (2013 data)
Role most accountable for company’s reputation
CEO: 80%
CFO: 34%
CRO: 24%
CIO: 23%
CMO: 22%
Study implications
Ultimate responsibility for reputational risk should rest with one person — but who?
CEOs: multiple responsibilities, little time
CFOs: focused on financial risks, not IT
CROs: do traditional and IT risk responsibilities leave enough time for reputation risk?
Emerging trend: the Chief Digital Officer
New C-suite role for technology-driven world
Strong business and technology knowledge
Responsible for all aspects of digital presence
2. Make the compliance and reputation connection
Study findings (2013 data)
87% of banking respondents say IT failures can have severe compliance consequences
Reputational factors very strongly/strongly affected by IT risk
Customer satisfaction: 74%
Brand reputation: 74%
Compliance: 72%
Profitability: 60%
Study implications
Where IT and compliance intersect:
Regulatory requirements for recovery time from system outages
Legal requirements for data archiving, retrieval and eDiscovery
Legal and regulatory requirements for privacy and data protection
Recommendations:
Integrate compliance requirements into IT and reputational risk strategies
Measure performance
Identify gaps in protection and mitigation processes
3. Reevaluate the impact of social media
Study findings (2013 data)
Companies are missing the opportunity to leverage social media to protect and recover their reputations
Only 27% provide guidelines for employee social media use during a crisis
Only 19% have incorporated social media into their disaster recovery plans
Study implications
Add a third dimension to risk management
1. Likelihood: 1 in 7? 1 in 100?
2. Impact: Severe, Moderate, Mild
3. Velocity: NEW!
Respond swiftly to IT-related reputational incidents—and use social media as an informational channel
Build a bank of goodwill—use social media as a channel for enhancing your reputation
4. Keep an eye on your supply chain
Study findings (2013 data)
Only 28% of companies are “very strenuously” requiring their vendors, partners and supply chain to match levels of risk control*
*Average
“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”
Chief marketing officer, American education company
Study implications
Two aspects of vulnerability
Security: Sensitive data shared with third parties can be compromised
Continuity: Supplier downtime can disrupt production and product availability
Recommendations
Identify outside sources that your company relies on
Require partners to meet your levels of IT and reputational risk management
Verify compliance through regular auditing and reporting
5. Avoid complacency
Study findings (2013 data)
Perception/reality gap
82% rate reputation as excellent or very good
18% rate ability to manage IT risk as very strong
Study implications
There is room for improvement in almost every organisation
Recommendations
Ensure that foundational IT risk management tools are in place
Map IT and reputational risk strategy to concrete, measurable tactics
Perform regular gap analysis
Stay ahead of new technology and changing threats
Companies are overlooking many of the security controls that can proactively protect their reputations before harm happens
Security controls in place
Firewall management
Identity/access controls
Network/endpoint protection
Security threat intelligence
Penetration testing
Encryption
Vulnerability scanning
Mobile device security
70%
Confidence level
66% very confident/confident about protection against data breach
5
Study findings (2013 data)
Companies have continuity basics in place, but are missing IT fundamentals that provide additional protection
Continuity controls in place
Backup/restore testing
Fully documented DR plan
Automated backup processes
Change management
24x7 software tech support
Testing includes business users
76%
69%
69%
Confidence level
68% very confident/confident about protection against systems failure
73% very confident/confident about protection against data loss
5
Study findings (2013 data)
6. Fund remediation; invest in prevention
Study findings (2013 data)
Only 56% of companies say IT risk management funding is adequate to protect reputation
54% of companies have increased spending on IT related to reputational risk over the past 12 months
55% of companies will increase spending on IT related to reputational risk over the next 12 months
The cost of system downtime*
$181,770 per hour: The cost of data centre downtime
$418,017 per event: The cost of a business interruption event
*“Datacenter Downtime: How Much Does It Really Cost?” Aberdeen Group, February 2012.
Study implications
Recommendations
Include the CIO in reputation risk management
Evaluate the cost of inadequate funding
Treat IT as a core business asset, not a cost centre
Base IT spend on risks and outcomes, not revenue or sales
Going forward, new technologies and social media will help fuel increased focus on reputational risk
68% will increase focus on reputational risk compared to five years ago
Why increase?
New technology/social media, 43%
Previous event harmful to competitor/industry, 20%
Previous event harmful to company, 18%
Board of directors/C-suite mandate, 10%
Other, 7%
Shareholder pressure, 3%
“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”
CIO, Barbados professional services firm
Study findings (2013 data)
Reputational risk and IT in 2013—a point of view from IBM
As cybercrime escalates, so will reputational risk
Social media is the best tool you have to minimise reputational damage
Reputational risk will become a primary justification for IT investment
Your partners’ compliance with your security and continuity standards will be mandated
What can you do now? Develop your own set of best practices.
Be proactive — and be prepared to invest in IT controls
Create a collaborative environment — encourage executives, risk management specialists and IT managers to work together
Engage in scenario analysis, especially with new technology
Assess risk across the supply chain, and confirm partners’ compliance with your standards
Consider outside help for an unbiased view of perception versus the reality of your risk exposure
How well are you doing? Find out with the IBM Reputational Risk Index
Learn more about the reputational risk and IT connection, and how IBM can help you protect the reputation and value of your company
Download the full study report: ibm.com/services/riskstudy
Scan the code or go to www.ibmriskindex.com
Download the IBM point-of-view: ibm.com/services/riskstudy
Your score: 129 out of 200
Thank you for your interest
IBM United Kingdom Limited, PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU, United Kingdom
IBM Ireland Limited, Oldbrook House, 24-32 Pembroke Road, Dublin 4
IBM Ireland registered in Ireland under company number 16226
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
© Copyright IBM Corporation 2013