RSA Business Resiliency Management

Transcription

1 RSA Business Resiliency Management RSA Advanced Security Summit, München Gerald Pernack GRC Solution Consultant EMEA, RSA 1

2 Disclaimer-Safe Harbor Statement This presentation is for informational purposes only. This document contains certain statements that may be deemed forward-looking statements" within the meaning of the Private Securities Litigation Reform Act of Forward-looking statements are based on assumptions and assessments made by us in light of our experience and perception of historical trends, current conditions and expected future developments. Actual results and timing of events may differ materially from those contemplated by the forward-looking statements due to a number of factors, including regional, national or global political, economic, business, competitive, market and regulatory conditions. Any reproduction, retransmission, or republication of all or part of this document is expressly prohibited without the permission of RSA. Concepts presented for consideration. EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates collectively, Roadmap Information ). Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby. 2

3 Session Abstract In this session you will learn: The difference between business resiliency and business recovery Basic elements of business resiliency The journey from recovery to resiliency 3

4 Business Continuity and IT Disaster Recovery Business Continuity and IT Disaster Recovery is the discipline of preparing recovery plans to be able to respond to and recover from disruptions to the business and IT infrastructure. Concepts presented for consideration. EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates collectively, Roadmap Information ). Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby. 4

5 Where is Business Continuity Today? Most companies have BCM and IT DR programs, but they are not positioned to keep up with the increasing number and impact of disruptions constantly affecting global and local organizations. Complexity Frequency Cost Damage 5

6 Disruptive Events are increasing Disruptive events are increasing making it difficult for traditional BCM and IT DR programs to keep up. BC/DR Programs have to start taking a more proactive approach 6

7 What is Business Resiliency? Business resiliency is the ability of an organization to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation by preventing, avoiding and resisting damage and recovering quickly. Also defined as an organization s capacity to anticipate disruptions, adapt to events, and create lasting value. 7

8 Traits of a Resilient Business Model Flight Crews are: Well-trained Manages many things at once Fully accountable Backup procedures Resilient Traits: Ability to respond quickly and rebound Recover from threats to day-to-day operations Builds duplication and redundancy into operations Organizational challenges: Process silos Multiple systems Lack of backups and redundancies Turnover and lack of training 8

9 Tale of Two Companies Acceleration problems forced recall of 7.4 million cars Supply-chain problems following the 2010 tsunami 50% sales drop in China Share price only dropped 1.3% 400 vehicles recalled for a faulty gearbox Using suppliers in China, but lacked the skills and experience to make it work effectively Had to seek equity investment and lost independence 9

10 The Journey to Becoming Resilient Maturity Isolated Consistent Defined Measurable Optimized Time Baseline business and IT disaster recovery only Resilient processes operate fluidly and adapt quickly 10

11 Business Resiliency should be a part of GRC Detect & respond to attacks Identify & resolve security deficiencies Identify & prepare business resumption strategies Manage crisis & communications Manage the lifecycle of 3 rd party relationships Establish business policies & standards Identify & meet regulatory obligations Manage inherited risk Implement and Monitor Controls Identify, assess & track emerging & operational risks Independently review & assure management actions 11

12 Business Resiliency is a Component of ERM Board External Audit Enterprise Risk Management CXO LOB Executives Operational Risk Management Audit CISO Protect business assets Security Protect against disruptions Resiliency Manage regulatory obligations Regulatory Compliance Manage inherited risks Third Party Management Third Line of Defense Business Operations RSA Archer Concepts presented for consideration. EMC makes no representation and undertakes no obligations with regard to product planning information, anticipated product characteristics, performance specifications, or anticipated release dates collectively, Roadmap Information ). Roadmap Information is provided by EMC as an accommodation to the recipient solely for purposes of discussion and without intending to be bound thereby. 12

13 Business Resiliency Helps Address Key Risks Competition Litigation Opportunities Missed Poor internal controls & governance Human errors Supply Chain Interruption 3 rd party nonperformance or disruption Regulatory violations, fines and sanctions Product liability claims Employee Health & Welfare Inefficient processes & technologies Unknown, unidentified risks Environmental damage Business interruption Information Security breaches Internal and external fraud 13

14 Align related processes Business Continuity Planning Business Operations & IT Disaster Recovery Incident Management Enables organizations to Crisis Management Establish business context for resiliency Identify and prepare business recovery strategies Prepare for and recover from IT system outages Catalog and resolve incidents, understand 3 rd party readiness Manage crisis events and communications reducing the risk of IT and business disruptions, harmful operational events and significant business crises. 14

15 Metrics and Reporting Track information and create metrics and reporting that will drive priority, results and progress Visibility Noise Analysis Action Metrics Visibility + Analysis = Priority Priority + Action = Results Results + Metrics = Progress 15

16 Foundations to ensure success Foundations are critical elements necessary for the overall success of the Maturity Journey: Management Commitment The degree and level of leadership commitment to a Business Resiliency culture, strategy and priorities Budget and Resources Sufficient resources for the Business Resiliency program to achieve success Stakeholder Involvement Importance of improvement and maturity of Business Resiliency processes to your stakeholders and business constituents Performance & Acceptable Risk - Defined levels of performance and acceptable risk for Business Resiliency Expectations & Measurement - Clear expectations and success criteria defined for the Business Resiliency program 16

17 Build Supply Chain Resiliency Compliance Business Continuity Risk Management Key Customers 3rd, 4 th and N th Parties 17

18 Resilient Because of (not in spite of) New Trends Mobile Cloud Big Data Extended Workforce New Regulations Cyber Threats Global Economy Infrastructure Transformation Less control over access device and back-end infrastructure Business Transformation More hyper-extended, more digital, more regulated Global Risk Transformation Virtual borders, more interconnected and exposed 18

19 The Business Value of Resiliency Alignment and coordination Cost and efficiency benefits Manage Business Resiliency Risk Strategies Prioritization Visibility & business context Reduce costs Automation Identify gaps & improve Highest risks planned for Manage response from minor operational issue to Crisis Built in operational resiliency 19

20 EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.