1 / 31

Colin Lobley Director Information Strategy & Risk

Managing Information Risk Putting the ‘I’ back in IT: Creating Tangible Value from the Intangible Asset. Colin Lobley Director Information Strategy & Risk. Webinar Aims & Structure. Aims: Provide evidence for taking an information risk approach rather than an IT/cyber security approach

Download Presentation

Colin Lobley Director Information Strategy & Risk

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Managing Information RiskPutting the ‘I’ back in IT: Creating Tangible Value from the Intangible Asset Colin Lobley Director Information Strategy & Risk

  2. Webinar Aims & Structure • Aims: • Provide evidence for taking an information risk approach rather than an IT/cyber security approach • Introduce practical concepts and approach to managing information risk • Why Bother with Information? • The Information Opportunity • Threats and Risks • Managing Information Risk • Current Approaches, Weaknesses and Common Barriers • Overcoming the barriers: concepts and approaches to managing information and information risk management: Processes, Systems, Governance and Culture

  3. Manigent & Me • Director of Information Strategy & Risk. • 14 years in strategy, programmeand risk management; 6 years focused on the cyber threat environment. • 2007 – Business Continuity Journal, Vol. 2, Issue 3: Ascertaining the behaviors and factors driving investment in high impact risks. • 2008 – Manigent’s CEO created the Risk-Based Performance Management methodology. • Today – Building business resilience and enhancing performance by managing strategy and risk in today’s continuously turbulent, information-centric operating environment.

  4. Why bother with information?

  5. The Value of Exploiting Information: FTSE 350 View Source: The Information Opportunity Report – Cap Gemini A potential gain of £44bn gross operating profit per annum across the FTSE 350 from enhanced information exploitation.

  6. The Value of Exploiting Information: Sector Comparison Source: The Information Opportunity Report – Cap Gemini

  7. The Value of Exploiting Information: Function Comparison Source: The Information Opportunity Report – Cap Gemini Other functions with >20% of respondents saying it would be a function of greatest potential: Marketing, HR, Logistics & Supply.

  8. Information Risks: Personal Data Breaches per Sector Source: Cost of a Data Breach Survey 2013, PonemonInstitute $215 (£129) per capita in financial services (direct). But the indirect impact on financial services is huge – insurance and compensation claims.

  9. Personal Information Risk: Evolving Legislative Environment • New legislation and regulatory oversight likely to make this worse • Current: Data Protection Act (UK) • Information Commissioners Office enforces • Maximum fine of £0.5m • To date largely a public sector focus (& Sony - £350k in a £170m+ incident) • FCA also have the ability to fine • Zurich - £2.3m in 2010 • New EU Data Protection Regulation in 2015 (est.): • Fines of 5% turnover? • Criminal Prosecution?

  10. Information Risk: Financial Services Case Studies • J.P.MorganInternational Bank Limited, 2013, £3.1 million– direct fine by the FCA for systems and controls failings. Highlighted issues: • Client files which were not kept up to date • A computer based record system that did not allow sufficient information to be retained, suitability reports that failed to contain relevant client information. • A 2 year persistent failing during which “JPMIB’s senior management did not have sufficient information and oversight tools to identify and address these deficiencies”. • Sesame Limited, 2013, £6m - fine for failings between 2005-2009 during which the: • “vast majority” of sales were flawed because of a “mismatch between customers stated investment objectives and attitude to risk and the product sold” and • “the suitability letters provided to customers stated incorrectly that income or capital growth was guaranteed” • Many others – TJX, Citigroup, Barclays, De-Vere Group, NASDAQ …… and the list goes on.

  11. Information Risk: Evolving Regulation in FS • Emerging Financial Services Regulative oversight (UK) likely to lead to increased frequency and size of fines and stricter reporting. • FCA Risk Outlook 2013: “Increasing reliance on technology without fully understanding the consequent risks and dependencies” • UK’s Financial Policy Committee stated that: “market participants had increasingly highlighted concerns about operational risk, including threats of cyber-attack”. (June 2013) and “the boards of the relevant supervisory bodies to ensure that there was a concrete plan in place to deliver a higher level of protection against cyber-attacks for each institution at the core of the financial system, including banks and infrastructure providers.” (Sept 2013) • Waking Shark II report: “The PRA and FCA will coordinate to ensure dual-regulated firms are fully aware of the regulators’ incident reporting requirements and update frequencies.”

  12. Information Risk: Linked with Conduct Risk • Customer Management was the #1 area businesses felt could be improved through better information exploitation • Root cause of many FCA fines can be identified as poor management and analysis of customer data • Conduct Risk Agenda: To make relevant markets work well so consumers get a fair deal. • Consumers get financial services and products that meet their needs, from firms they can trust; • Markets and financial systems are sound, stable and resilient, with transparent pricing information; and • Firms compete effectively, with the interests of their customers and the integrity of the market at the heart of how they run their business. • The risk of poor information management will lead to bad conduct.

  13. Conclusion: Information Exploitation and Risk “Early adopters of effective information exploitation strategies are seeing real and tangible business performance improvements. Those that chose to do nothing have seen the gap between themselves and the market leaders widen.” • There are significant risks to: • The information you have driven by the cyber threats • Failing to exploit what you have already • Not having the right information to exploit • Compliance with changing laws and regulation

  14. Managing Information & information risk

  15. The Traditional Approach ….. HACKERS CHINA LOSS OF REPUTATION IT (CYBER) SECURITY LED BY CISO / IT DIRECTOR REACH FOR A STANDARD (ISO 27001) ….. Is immature and clearly not working.

  16. Barriers to Exploiting Information 2. SYSTEMS (66) 3. PEOPLE – governance and culture (121) 1. PROCESSES (110) Source: The Information Opportunity Report – Cap Gemini

  17. Barriers to Managing Information Risk Source: EYs Global Information Security Survey; PwC Global State of IT Security Survey 2013 and associated PwC blog The Survey says ….. • Poor alignment between: • Information security strategy and business strategy • Information security strategy and risk appetite or tolerance • Security policies and business objectives • Security spending and business objectives • Budget constraints / Insufficient capital funding • A lack of leadership from the CEO or Board • A lack of vision on how future business needs will impact security I say …. • PROCESSES: Complete failure of many businesses to articulate, manage and report the value of information and information risk linking the benefits and risks to business drivers • SYSTEMS: Too much focus on IT systems and not enough on information systems – the asset of real business value • PEOPLE: CIO’s focus on technology not information; lack of Board engagement on an “IT issue”; no ownership of information assets

  18. Information-centric Business Systems & Processes STRATEGIC OBJECTIVES DECISIONS STRATEGIC KNOWLEDGE OPERATIONAL USE ACCESS STORE OPERATIONS (ACQUIRE) INFORMATION ANALYSE PROCESS ICT COLLECT / GENERATE DATA ICT & more importantly, information, are the key enablers of any modern business.

  19. People: Changing the Information Culture Source : Information Asset Profiling; James F. Stevens; June 2005, Carnegie Mellon University; The National Archives – Information Asset Factsheet; Harnessing information to enhance business performance, Cap Gemini Think of information as an asset of value: “The value of the server [...] is probably negligible—it can be replaced quickly or its function can be moved to another server—however, the information asset stored on the container is not as easily replicated if compromised, and the impact to the organization is much more extensive.” “An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively.” “60% of the senior executives felt that the information within their organisation was being used for retrospective reporting rather than to point a path to the future – a clear sign of failure to use information for competitive advantage”

  20. Process: Determine Information Value Drivers • Other drivers identified by businesses we have worked with include: • Brand value • Revenue generation • Contribution to UK National Security • Supplier expectations Source: Harnessing information to enhance business performance, Cap Gemini; Manigent assignments “An organisations information assets were felt to be unique and therefore impossible to compare to the information assets of other organisations.” Valuing information is unique to each business, depending on its business drivers.

  21. People: Governance of Business Systems & Processes Main Board & Operating Board / Exco STRATEGIC OBJECTIVES DECISIONS STRATEGIC CIO & KIMs KNOWLEDGE COO OPERATIONAL USE ACCESS STORE OPERATIONS (ACQUIRE) INFORMATION ANALYSE PROCESS ICT COLLECT / GENERATE CTO DATA

  22. Risk Systems & Processes REVENUE REPUTATION POOR DECISIONS OPERATIONAL DOWNTIME INFORMATION UNAVAILABLE THEFT OR LOSS OF INFORMATION LOSS OF INFORMATION INTEGRITY UNAVAILABLE ICT THEFT OR LOSS OF DEVICE OR SYSTEM COMPROMISED EXTERNAL THREAT / INCIDENT INSIDER THREAT / INCIDENT MULTIPLE THREAT VECTORS NON-MALICIOUS MALICIOUS MULTIPLE THREAT ACTORS

  23. People: Changing the risk culture • “Before the risks to an information asset can be assessed, the tangible and intangible value of the asset must be known.” • “The existence of a significant [IT] vulnerability does not mean that an organization is at a significant risk. A vulnerability is only significant if it places a critical asset at risk. This is an important distinction because assets and their value to the organization determine the context for risk rather than the vulnerability itself.”

  24. Process: Risk & Risk Appetite

  25. People: Risk Governance Board REVENUE REPUTATION COO POOR DECISIONS OPERATIONAL DOWNTIME CRO & Risk Managers INFORMATION UNAVAILABLE THEFT OR LOSS OF INFORMATION LOSS OF INFORMATION INTEGRITY UNAVAILABLE ICT CIO, CTO, CISO, Physical Security, Personnel Security / HR THEFT OR LOSS OF DEVICE OR SYSTEM COMPROMISED EXTERNAL THREAT / INCIDENT INSIDER THREAT / INCIDENT MULTIPLE THREAT VECTORS NON-MALICIOUS MALICIOUS MULTIPLE THREAT ACTORS

  26. Risk-Based Performance Management (RBPM) puts it all together Strategy Management What are we trying to achieve? What is our Risk Appetite? Performance Management Risk Management Are we on track? Are we operating within appetite? Appetite Governance & Communications Culture

  27. The Risk-Based Performance Management methodology Business Drivers Our People Our Environment Our Operation Exploitable Reserves Our Economic Profit 2. Manage Performance 5.Governance Appetite 1. Set Strategy 4. Appetite Alignment Appetite 7.Culture 3. Manage Risk 6.Communications Shareholder Value Compliance Sustainability Image Profit

  28. The Risk-Based Performance Management change process Execution Formulation Define Strategic Objectives Define Strengths & Weaknesses Define Risk Appetite Define Strategic Risks Define Strategic Controls Define Strategic Goals Define Business Drivers Define the Strategy Define Indicators Assess Risks & Controls Monitor Appetite Alignment Define the Business Model Align Risk Appetite & Strategy Define Assets, Systems & Processes Define Initiatives Define Operational Risks Define Operational Controls Executive Board

  29. Summary & Conclusion Enhanced Information Exploitation offers huge opportunities – +27% operating profit in Financial Services, £44bn across the FTSE 350 Failure to manage the risks to your information and information processes leads to poor decisions, operational downtime and will ultimately have significant financial and reputational impacts The regulatory environment is changing – act now to future proof your organisation and move beyond compliance to information performance Managing information risk can help manage conduct risk To embrace the opportunity and manage the risks we need to enhance our: Processes, Systems, and People An integrated strategy and risk approach would be beneficial in develop a robust framework and implementing change.

  30. Thank You for Listening! Future Events Colin Lobley | Tel: +44 (0)77 9519 6283 | E: colin.Lobley@manigent.com • Managing Information Risk in FS Workshop. • More detail and practical tools and techniques for managing information and its risks • More detail on the threat and additional case studies • Detailed discussion on the Information Lifecycle • Methods and approaches to identifying information assets and value • The use of value profiles to monitor and report on both value and risks / losses • Practical hands-on sessions • Date: 16th April • Time: 09:00 – 17:00 • Location: London • Cost: £500 per delegate • Future webinars and workshops • Risk Based Performance Management • Driving Value from Conduct Risk • Integrating Balanced Scorecard and Risk Management • Building better indicators • If you want to talk further please get in touch

  31. Questions Colin Lobley | Tel: +44 (0)77 9519 6283 | E: colin.Lobley@manigent.com

More Related