Turbotodd

Ruminations on tech, the digital media, and some golf thrown in for good measure.

Posts Tagged ‘risk management’

Six Keys To Effective Reputational And IT Risk Management

In September of last year, I blogged about the IBM 2012 Global Reputational Risk and IT Study, which I explained was an “investigation of how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of their operations and where IT failures can result in reputational damage.”

I also wrote “corporate reputations are especially difficult to manage in an era when anyone with a smartphone and Internet connection can file their complaint with a single touch.”

That continues to be the case, but what’s new is that IBM has recently issued another report on further implications of this study and its findings, and more importantly, what organizations can do to get on offense when it comes to better managing their corporate reputation.

The Connection Between Reputational Risk And IT

When the corporate world first began paying attention to the concept of reputational risk in 2005, organizations’ focus tended to be on business issues like compliance and financial misdoings.

Today, the focus has shifted to include the reputational impact of IT risks. Virtually every company is now reliant on technology for its critical business processes and interactions. While it may take 10 minutes or 10 hours to recover from an IT failure, the reputational impact can be felt for months or even years.

IBM - Factors Affected By IT Risk

Reputational damage caused by IT failures such as data breaches, systems failures and data loss now has a price tag. According to analyses performed by the Ponemon Institute, the economic value of a company’s reputation declines an average of 21 percent as a result of an IT breach of customer data — or the equivalent of an average of US $332 million.

The question now is not whether IT risks affect your corporate reputation, but what you can do to effectively prevent and mitigate these risks.

IBM -- True Price Of Reputational Harm

Six Keys To Effective Reputational And IT Risk Management

An analysis of responses to the IBM study revealed distinct correlations between the initiatives that organizations are undertaking to protect their reputations from the ramifications of IT failures and the overall effectiveness of their reputational and IT risk management efforts.

Based on this analysis, and the pattern it revealed among organizations that are most confident in their ability to prevent and mitigate IT-related reputational risk, there are six key initiatives that IBM recommends as part of every company’s efforts:

  1. Put someone in charge. Ultimate responsibility for reputational risk, including IT-related items, should rest with one person.
  2. Make the compliance and reputation connection. Measuring reputational and IT risk management strategies against compliance requirements is essential.
  3. Reevaluate the impact of social media. In addition to recognizing its potential for negative reputational impact, social media should be leveraged for its positive attributes.
  4. Keep an eye on your supply chain. Organizations must require and verify adherence of third-party suppliers to corporate standards.
  5. Avoid complacency. Organizations should continually evaluate reputational and IT risk management against strategy to find and eliminate potential gaps.
  6. Fund remediation; invest in prevention. For optimal reputational risk mitigation, companies need to fund critical IT systems as part of their core business.

IBM -- Importance Of Reputational Risk

How IBM Can Help

When planned and implemented effectively, your organization’s reputational and IT risk strategy can become a vital competitive advantage. When you protect against and mitigate reputational risks successfully, you can enhance brand value in the eyes of customers, partners and analysts. Further, your organization can better attract new customers, retain existing customers and generate greater revenue.

IBM can help you protect your reputation with a robust portfolio of IT security, business continuity and resiliency, and technical support solutions. You can start with an IT security risk assessment, or penetration testing performed by IBM experts.

For business continuity and resiliency, you can begin with a Continuous Operations Risk Evaluation (CORE) Workshop and move on to cloud-based resiliency services. Our technical support solutions range from basic software support to custom technical support.

What makes IBM solutions work is global reach with a local touch. This includes:

  • Over 160 business resiliency centers in 70 countries; more than 50 years of experience
  • More than 9,000 disaster recovery clients, with IBM providing 100 percent recovery for clients who have declared a disaster
  • A global network of 33 security operations, research and solution development centers; 133 monitored countries
  • 15,000 researchers, developers and subject matter experts working security initiatives worldwide.

To learn more about the IBM Global Reputational Risk and IT Study go here.

Live @ IBM Pulse 2013: A Cloud Computing Security Roundtable

At the IBM Cloud Security press roundtable, several IBM Security experts expounded on the issues and challenges organizations are facing as they work to better secure their cloud computing environments.

If you’ve followed the headlines recently, you can’t help but notice the constant barrage of news concerning security break-ins at some of the most public cloud sites on the planet: Facebook, Google, Evernote…the list goes on and on.

Yet in spite of the looming cloud security concerns, enterprises and organizations continue to ramp up their investments in both public and private cloud infrastructure as a cost-effective, dynamic way to scale up their IT capacity.

At the IBM Cloud Security roundtable here at IBM Pulse 2013 yesterday in Las Vegas, several IBM security experts came together to discuss some of the challenges, best practices, and solutions to protect against threats and provide security-rich cloud computing environments.

Jack Danahy, director of security for IBM North America, hosted the panel before the gathered industry press, and offered up some prefacing comments to set the stage for the security discussion.

Jack began by stating that 9 out of 10 global CEOs say that cloud computing is critical to their business plans and “a way to increase their organizational productivity, but all also admit security is a lingering concern.”

Brendan Hannigan, the general manager for the IBM Security Division, explained that there are some key basic security concerns around cloud, including the safety of enterprise data, and whether or not it can be compromised or lost.

Hannigan explained: “Cloud is simply another computer upon which we can deploy capabilities for our customers, and we should be able to look at cloud security the same way we do across other domains.”  That includes giving organizations a single view of identity across their cloud environments.

Kris Lovejoy, general manager for IBM Security Systems, discussed some of the key inhibitors to organizations providing more effective cloud security measures, and explained that the cloud is actually inherently more securable than traditional IT infrastructure because of the way it’s designed and the manner by which you can replicate security controls.

So if the cloud is inherently more securable, why the seeming contradiction that nobody seems to be able to effectively secure it?

Because, Lovejoy explained, when you buy public cloud capability you typically have to buy the security features as an added extra, and many customers don’t do so.

“Think about the provider as being a hotel,” Lovejoy explained, “and in each hotel room they have a series of diseases. The provider must provide you good housekeeping to protect you from diseases in the other rooms, and yet so many cloud computing tenants don’t make that obvious investment to protect their cloud applications and data.”

When Danahy asked the panel about what can be done to make executives more comfortable with the idea of security investments in the cloud space, Hannigan chimed in, and explained the rationale comes down to a distinction in the type of data you’re working with, and delineating between the information that is critical and that which is less sensitive.

“When you have a specific application or data set,” Hannigan explained, “there are wonderful opportunities afforded by the cloud because in security, one of the biggest challenges is striking a balance between locking the infrastructure down and providing free and unfettered access to the information that customers and employees need.”

Lovejoy explained it was not dissimilar from the crazy notion of automakers selling cars without seatbelts or brakes. “You don’t want to suddenly discover you don’t have these features going 60 miles per hour down the interstate.”

Kevin Skapintez, program director of product strategy for IBM Security, said that the need for more cloud security standards reminded him of the late 1800s, when fire hydrants had different nozzle sizes that required varying widths of connectors for the hoses.

“You have to have standards related to identity,” Kevin explained, “so you don’t have to build different registries per cloud!”

“More organizations needed to also heighten their log management regimes,” he explained, “so that they have improved visibility to see if they have the right controls in place and where incidents are occurring.”

Lovejoy explained that “most organizations have a pretty defined pathway to cloud success.” Many are using develop and test environments and are moving to non-core workloads, allowing a lot of applications to emerge and consolidate on the cloud.

At the same time, she explained, most companies are planning a security operations optimization and that the cloud is a remarkable opportunity. “As we consolidate,” she explained, “things get simpler. Companies need to think about this in the context of business transformation. You need to adopt the cloud in a safe and reliable manner while managing the risk.”

During the Q&A, I asked the panel whether or not all these very public public cloud security incidents we’ve seen in the headlines were driving any real productive conversation in terms of making cloud security more of a priority.

Lovejoy explained the scenario typically went something like this: A CEO would call up their provider, ask for an assessment, give them a threat briefing, then go to a third party standard to see if they matched the security checklist.

But, she said, not enough of them were what she termed “security aware.”

Hannigan concluded, “It’s a classic dilemma with security spending. Security concerns are not specific just to the cloud, and clients are worried about losing data, period. The question is, can they invest all the money necessary to adequately secure those environments?”

To date, the answer seems to largely be “no.”

IBM Announces New Security Solutions, Focuses On Cloud, Mobile, Big Data

Today, IBM made a move designed to reduce the biggest security inhibitors that organizations face in implementing cloud, mobile and big data initiatives with the announcement of a broad set of security software to help holistically secure data and identities.

I blogged about IBM’s 2012 Global Reputational Risk and IT Study recently, the headline of which was this: Managing reputational risk is crucial to many organizations’ business, and managing IT is a major part of their efforts.

I also interviewed Brendan Hannigan, the general manager of IBM’s Security Systems Division, at IBM InterConnect last week about some of these critical security matters.

New IBM Security Solutions

IBM’s new software capabilities help clients better maintain security control over mobile devices, mitigate internal and external threats, reduce security risks in cloud environments, extend database security to gain real-time insights into big data environments such as Hadoop, and automate compliance and data security management.

Along with IBM Security Services and IBM’s world-class research capabilities, this set of scalable capabilities supports a holistic, proactive approach to security threats spanning people, data, applications and infrastructure.

“A major shift is taking place in how organizations protect data,” said Brendan Hannigan, General Manager, IBM Security Systems. “Today, data resides everywhere—mobile devices, in the cloud, on social media platforms. This is creating massive amounts of data, forcing organizations to move beyond a traditional siloed perimeter to a multi-perimeter approach in which security intelligence is applied closer to the target.”

IBM is unveiling ten new products and enhancements to help organizations deliver real time security for big data, mobile and cloud computing.

Real Time Security for Big Data Environments 

State of the art technologies including Hadoop based environments have opened the door to a world of possibilities. At the same time, as organizations ingest more data, they face significant risks across a complex threat landscape and they are subject to a growing number of compliance regulations.

With today’s announcement, IBM is among the first to offer data security solutions for Hadoop and other big data environments.

Specifically, Guardium now provides real time monitoring and automated compliance reporting for Hadoop based systems such as InfoSphere BigInsights and Cloudera.

Highlighted data security solutions:

NEW: IBM InfoSphere Guardium for Hadoop

ENHANCED: IBM InfoSphere Optim Data Privacy

ENHANCED: IBM Security Key Lifecycle Manager

To learn more about the data security portfolio go here.

Mobile Security: Improving Access and Threat Protection

Today IBM is also announcing risk-based authentication control for mobile users, integration of access management into mobile application development and deployment as well as enhanced mobile device control.

IBM is also announcing a comprehensive Mobile Security Framework to help organizations develop an adaptable security posture to protect data on the device, at the access gateway and on the applications.

Highlighted mobile security solutions:

NEW: IBM Security Access Manager for Cloud and Mobile

ENHANCED: IBM Endpoint Manager for Mobile Devices

Go here to learn more about specific mobile security product attributes.

Cloud Security: From Inhibitor To Enabler

While the cloud can increase productivity with anywhere, anytime information access, it can also introduce additional challenges for enterprise security.

IBM today is announcing security portfolio enhancements designed to address these new challenges, providing improved visibility and increased levels of automation and patch management to help demonstrate compliance, prevent unauthorized access and defend against the latest threats using advanced security intelligence.

With IBM’s new SmartCloud for Patch Management solution, patches are managed automatically regardless of location and remediation cycles are reduced from weeks to hours thereby reducing security risks.

Additionally, IBM is announcing enhancements to its QRadar Security Intelligence Platform that provides a unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and security related data from distributed locations, using the cloud to obtain greater insight into enterprise-wide activity and enable better-informed business decisions.

The new IBM Security Privileged Identity Manager is designed to proactively address the growing insider threat concerns and help demonstrate compliance across the organization.

IBM Security Access Manager for Cloud and Mobile which provides enhanced federated single sign-on to cloud applications is now available with improved out-of-the-box integration with commonly adopted SaaS applications and services.

Highlighted cloud security solutions:

NEW: IBM SmartCloud for Patch Management

NEW: IBM Security Access Manager for Cloud and Mobile

NEW: IBM Security Privileged Identity Manager

ENHANCED: QRadar SIEM and QRadar Log Manager

Visit here to learn more about specific cloud security product attributes.

Enhanced Mainframe Security Capabilities

In addition, IBM is announcing mainframe security capabilities that enhance enterprise-wide security intelligence based on QRadar security solution integration that provides real time alerts and audit reporting.

The mainframe offers Common Criteria Evaluation Assurance Level 5+ (EAL 5+) certification for logical partitions, providing a platform for consolidating systems, helping protect private clouds, and helping secure virtualized environments.

New IBM Security zSecure improvements help to reduce administration overhead, automate compliance reporting, enforce security policy, and pro-actively detect threats.

Highlighted zSecure security solutions:

ENHANCED: IBM Security zSecure

Through IBM Global Financing, credit-qualified clients can take advantage of 0% interest for 12 months on qualifying IBM Security products and solutions.

About IBM Security 

With more than 40 years of security development and innovation, IBM has breadth and depth in security research, products, services and consulting.

IBM X-Force is a world-renowned team that researches and evaluates the latest security threats and trends. This team analyzes and maintains one of the world’s most comprehensive vulnerability databases and develops countermeasure technologies for IBM’s security offerings to help protect organizations ahead of the threat.

IBM has 10 worldwide research centers innovating security technology and nine security operations centers around the world to help global clients maintain an appropriate security posture.

IBM Managed Security Services delivers the expertise, tools and infrastructure to help clients secure their information assets against attacks, often at a fraction of the cost of in-house security resources.

The Institute for Advanced Security is IBM’s global initiative to help organizations better understand and respond to the security threats to their organization. Visit the Institute community at www.instituteforadvancedsecurity.com.

IBM X-Force Mid-Year Report: Security Attacks Focused On Browsers, Mobile, Social

SPAM aside, IBM’s mid-year X-Force Trend and Risk Report shows a sharp increase in browser-related exploits, renewed concerns around social media password security, and continued challenges in mobile devices and corporate “bring your own device” (BYOD) programs.

Yesterday, IBM released the results of its X-Force 2012 Mid-Year Trend and Risk Report.

The mid-year report is troubling, revealing ongoing challenges and opportunities and the need for continued vigilance in the digital security realm.

The headlines: The latest report shows a sharp increase in browser-related exploits, renewed concerns around social media password security, and continued challenges in mobile devices and corporate “bring your own device” (BYOD) programs.

“Companies are faced with a constantly evolving threat landscape, with emerging technologies making it increasingly difficult to manage and secure confidential data,” said Kris Lovejoy, General Manager, IBM Security Services. “A security breach–whether from an outside attacker or an insider–can impact brand reputation, shareholder value, and expose confidential information. Our team of security threat analysts track and monitor security events and attack activity to better help our clients stay ahead of emerging threats.”

Mobile, Social: New Security Targets Of Opportunity

Since the last X-Force Trend and Risk Report, IBM’s X-Force has seen an increase in malware and malicious web activities:

  • A continuing trend for attackers is to target individuals by directing them to a trusted URL or site which has been injected with malicious code. Through browser vulnerabilities, the attackers are able to install malware on the target system. The websites of many well-established and trustworthy organizations are still susceptible to these types of threats.
  • The growth of SQL injection, a technique used by attackers to access a database through a website, is keeping pace with the increased usage of cross-site scripting and directory traversal commands.
  • As the user base of the Mac operating system continues to grow worldwide, it is increasingly becoming a target of Advanced Persistent Threats (APTs) and exploits, rivaling those usually seen targeting the Windows platform.

Emerging Trends in Mobile Security 

While there are reports of exotic mobile malware, most smartphone users are still most at risk of premium SMS (short message service, or texting) scams.

These scams work by sending SMS messages to premium phone numbers in a variety of different countries automatically from installed applications. There are multiple scam infection approaches for this:

  • An application that looks legitimate in an app store but only has malicious intent
  • An application that is a clone of a real application with a different name and some malicious code
  • A real application that has been wrapped by malicious code and typically presented in an alternative app store

One game-changing transformation is the pervasiveness of Bring Your Own Device (BYOD) programs. Many companies are still in their infancy in adapting policies for allowing employees to connect their personal laptops or smartphones to the company network.

To make BYOD work within a company, a thorough and clear policy should be in place before the first employee-owned device is added to the company’s infrastructure.

Improvements in Internet Security Continue 

As discussed in the 2011 IBM X-Force Trend and Risk Report, there continues to be progress in certain areas of Internet security. IBM X-Force data reports a continuing decline in exploit releases, improvements from the top ten vendors on patching vulnerabilities and a significant decrease in the area of portable document format (PDF) vulnerabilities.

IBM believes that this area of improvement is directly related to the new technology of sandboxing provided by the Adobe Reader X release.

Sandboxing technology works by isolating an application from the rest of the system, so that if compromised, the attacker code running within the application is limited to what it can do or what it can access.

Sandboxes are proving to be a successful investment from a security perspective. In the X-Force report, there was a significant drop in Adobe PDF vulnerability disclosures during the first half of 2012.

This development coincides nicely with the adoption of Adobe Reader X, the first version of Acrobat Reader released with sandboxing technology.

New IBM Security Operations Center Opens In Poland

To further protect its clients from emerging threats like those reported in the IBM X-Force Mid-Year Trend and Risk Report, IBM yesterday announced the opening of a security operations center in Wroclaw, Poland.

This newest IBM Security Operations Center is the 10th worldwide facility to help clients proactively manage these threats, including real-time analysis and early warning notification of security events.

Data for the bi-annual X-Force report comes from IBM’s security operations centers which monitor more than 15 billion security events a day on behalf of approximately 4,000 clients in more than 130 countries.

About the IBM X-Force Trend and Risk Report 

The IBM X-Force Trend and Risk Report is an annual assessment of the security landscape, designed to help clients better understand the latest security risks, and stay ahead of these threats.

The report gathers facts from numerous intelligence sources, including its database of more than 68,000 computer security vulnerabilities, its global Web crawler and its international spam collectors, and the real-time monitoring of 15 billion events every day for approximately 4,000 clients in more than 130 countries.

These 15 billion events monitored each day are a result of the work done in IBM’s 10 global security operations centers, which is provided as a managed security service to clients.

To view the full X-Force 2012 Mid-Year Trend and Risk Report go here.

IBM Survey: Social Media Impacting Threats From Reputational Risk

More than 400 respondents in 23 industries across the globe agree: managing reputational risk is crucial to their business, and managing IT risk is a major part of their efforts. And, social media is cited as a major factor for those shifting more focus to their reputational risk management efforts. Learn what these respondents are doing — and what they’re overlooking — in the 2012 IBM Global Reputational Risk and IT study report.

So here’s a question for you: What is your organization doing to more effectively manage its risk profile?

IBM recently released its 2012 Global Reputational Risk and IT Study, and the findings suggest that companies are viewing their IT investments through a new lens.

First, some background, and then a summary of the findings.

This study is an investigation of how organizations around the world are managing their reputations in today’s digital era, where IT is an integral part of their operations and where IT failures can result in reputational damage.

The report was written by the Economist Intelligence Unit, which both executed an online survey and conducted client executive interviews.

That included 427 senior executive responses from around the world, 42 percent of those being C-level, with 33 percent of respondents coming from North America, 29 percent from Europe, and 26 percent from Asia-Pacific.

The survey included industries that ran the gamut, including banking, IT, energy and utilities, and insurance.

Impact of Social Media On Risk

Corporate reputations are especially difficult to manage in an era when anyone with a smartphone and Internet connection can file their complaint with a single touch.

With social media sites like Facebook and Twitter boasting over 1.4 million people combined, there is now a highly visible and immediate alternative to a company’s own communications regarding its reputation.

Because of that, more organizations have introduced reputational risk as a distinct category within their enterprise risk management frameworks.

The study suggests that companies have begun to pay closer attention to the links between IT failures and reputational damage, and also examines how executives are attempting to protect their brands from what could arguably be called “a preventable glitch.”

So, drum roll, please.  Here’s a summary of some of the key findings:

  • IT risk management and investment directly supports a company’s reputation.  Reputational risk has evolved into an asset that is fundamentally supported by IT planning and investment.  78 percent say they included reputational risk in their own IT risk planning, and 75 percent say their budget will grow due to concerns for such. Eighteen percent indicate that spend will increase by more than 20 percent in the next 12 months.
  • The CEO owns it but shares it. When asked to name the top 3 C-level execs who owned reputational risk, close to two-thirds say it was shared across the C-suite. 80 percent of CEOs indicated it was theirs to win, followed by 31 percent of CFOs, 27 percent of CIOs, 23 percent of CROs (Chief Risk Officers), and 22 percent of CMOs.
  • Five characteristics of highly effective companies — they get reputational risk and invest in it. Of those who do, 83 percent indicated they have integrated IT into their reputational risk management regimes. They also perceive stronger links between IT threats and key elements of reputation (especially customer sat and brand reputation), and they also say they have strong or very strong IT risk management capacity (84 percent). Seventy-seven percent indicated they have well-resourced IT risk management functions, and are more likely to require vendors and supply chain partners to meet the same levels of control as they require internally.

Improving Reputational Risk Management: Best Practices

So what’s a concerned C-level exec to do? The study revealed several core strategies:

  • Be proactive rather than reactive. That is, be prepared to invest in developing comprehensive reputational risk management strategies that include robust controls on IT risks, particularly those related to security, business continuity and tech support.
  • Create an organization where IT managers collaborate with other risk management specialists. Together, they should be tasked with presenting a comprehensive profile of organization-wide reputational risks to senior management.
  • Engage in scenario analysis, especially with new and emerging technology. Don’t wait for the worst to happen — there are plenty of case studies to be used as a basis for “what-if” planning.
  • Assess risks across the entire supply chain. A failure by a downstream supplier can be just as devastating as an internal problem, and risk controls can be harmonized among key players.

A More Integrated, Holistic Approach

This more integrated, enterprise-wide approach to risk management — led by the C-suite on down — can help your organization increase the attention being paid to the direct reputational impact of IT risks, and help you mitigate those risks (including those stemming from the use of new technologies).

To learn more and to gain access to the full study, go here.

In Search Of The Mobile Enterprise

The new mobile business model — with anytime, anywhere transactions and a blurring of lines between corporate and individual — can make your IT organization feel like it has lost control. For all the good that comes with mobilizing your workforce, there are challenges: maintaining security and compliance, managing multiple device platforms and addressing complex mobile requirements.

You can’t throw a rock these days without hitting a new smartphone or tablet device.

Last week, it was the iPhone 5 and the new Kindle Fire HD. Tomorrow, HTC’s expected to introduce some new mobile products.

And Apple still has yet to introduce the Apple “mini” iPad, currently expected in October.

The move to mobile computing raises some intriguing questions about the nature of work. What is it? Where does it take place?

As someone who’s worked their entire career at IBM, I can certainly attest to the idea that here, increasingly, work is not a place you go but what you do.

I’ve spent nearly nine full years working from my home, and for several of those years spent at least a week a month living (and working) in airplanes.

As the IBM “Services for the Mobile Enterprise” team recently observed, the new workplace is now undeniably a mobile enterprise.

CIOs On Mobile: 66% Plan To Increase Mobile Investments in 2012

Which makes it no big surprise that 66 percent of CIOs plan to increase investments in mobile services in the next year.

And of course, there’s the “BYOD” movement to contend with (“Bring Your Own Device”), with employees expecting whatever device they have to fit into their corporate environment.

This new mobile business model, with anytime, anywhere transactions and a blurring of lines between corporations and individuals, can send IT folks into a conniption fit.

Despite all the goodness — for employees, management, and most importantly, the bottom line — there are challenges that accompany this mobilization of the workforce.

Issues such as maintaining security and compliance.  Managing multiple device platforms.  Addressing complex mobile requirements.

IBM recently released this interactive infographic that has some interesting statistics I thought worthwhile sharing here.

To start, 35 percent of the world’s total workforce is expected to be mobile by 2013.

Here in the U.S., up to 72.2 percent of workers are already plugged in remotely.

This year, some 43 billion mobile applications are expected to be downloaded.

And yet on average, mobile workers spend only a total of 28 minutes a day on technology distractions…there’s too much work to do, otherwise!

The Mobile Upside: 240 Extra Hours Worked Per Worker Per Year

And here’s the upside bonus for you managers: Such mobile workers work an average of 240 extra hours per year.

But as the infographic observes, with those benefits come expectations.

This new mobile generation of workers demands flexibility. Today’s employees expect to use their own devices and applications at work to access information and social networks at will. They even value this flexibility more than a higher-paying salary (Can you say “Mobile enables work/life balance?”).

Cisco’s Connected World Technology Report in 2011 found that 66 percent of workers said they would take a job with less pay and more flexibility in device usage, access to social media, and mobility than a higher-paying job without such flexibility.

Mobile Presents New Challenges

So, as businesses work to embrace these new productive mobile work habits, they must also face the requisite challenges associated with the growing number of devices, networks, and applications. Enterprises need a solution that intertwines cross-platform compatibility, security, cost management, compliance, and the inevitable complexity.

By way of example, 21 percent of mobile workers say they have experienced a security issue related to their smartphone (lost, stolen, hacked, virus) in the last year alone.

Fifty-four percent of enterprises rate security and authentication as one of the two top concerns for their mobile environments.

Seventeen percent say they need to meet compliance/regulatory requirements in mobile environments.

And yet 45 percent of IT departments say they aren’t prepared policy- and technology-wise to handle this more borderless, mobile workforce.

Bridging Your Mobile Gap

To overcome those challenges, enterprises need an experienced partner with a strategy capable of spanning the distance between mobile advances and existing infrastructures.

Those early adopters are leaping ahead: They’re already experiencing 20 percent cost savings and productivity improvements.

And 75 percent of CIOs say mobility solutions are a top priority of theirs for 2012.

On the mobile front, IBM workers are walking their own mobile talk, connecting to 10 different networks located around the world, and with 100K+ of them connecting using their own handheld devices (using at least five supported device platforms).

IBM’s own app store, Whirlwind, offers over 500 applications and was recognized by CIO Magazine with the “CIO 100 Top Innovation Award.”

All of that experience IBM has had with its own mobile enablement has informed and shaped the company’s customer-facing mobile initiatives, both through product development and through the introduction of its mobile services offerings.

IBM can help your staff develop the right strategy and governance and deliver a wide range of mobile enterprise services to create a more productive, connected workplace.

You can read about some of those offerings here.

IBM Business Analytics: Preventing Fraud, Predicting Profits


Scott Laningham and I are starting to think about repacking our suitcases and preparing to head back out on the road, this time across the pond to Madrid for the IBM Smarter Commerce Global Summit May 22-24.

In Madrid, we expect to hear quite a bit about IBM’s investment in the analytics space, but that doesn’t mean we have to wait to visit the Prado to relate some interesting details about business analytics.

Specifically, predictive analytics that can help companies across the span of industries to prevent fraud.

Here’s a sound bite you may not have yet heard: Did you know that insurance fraud has reached an estimated $80 billion per year in the U.S. alone?

And in South Africa, the rate of short-term insurance fraud is about 15 percent of all premium costs.

And yet, we’ve also found that organizations that effectively apply predictive analytics are 2.2 times more likely to outperform their peers.

One such client of IBM is Santam, South Africa’s leading short-term insurance company, which has saved $2.4 million on fraudulent claims in the first four months of using IBM business analytics software.

This new analytics solution has not only enhanced Santam’s fraud detection capabilities, however — it has also enabled faster payouts for legitimate claims.

In partnering with IBM, Santam’s claims division developed a new operating model for processing claims, depending on varying risk levels. IBM’s predictive analytics software has enabled Santam to automatically assess if there is any fraud risk associated with incoming claims and allows the insurer to distribute claims to the appropriate processing channel for immediate settlement or further investigation, which in turn optimizes Santam’s operational efficiency.

In turn, Santam is able to reduce the number of claims that need to be assessed by mobile operatives visiting the customer or claim site, resulting in further considerable cost savings for the company.

IBM: Investing In Analytics, Predicting Results

In the last five years, IBM has invested more than $14 billion in acquisitions. With investments in SPSS, Clarity, OpenPages, i2 and Algorithmics, and others, IBM is building business analytics solutions providing clients with capabilities for managing fraud, risk and threat. In addition, IBM has assembled almost 9,000 dedicated analytics consultants with industry expertise, and created a network of eight global analytics solution centers.

The Santam project also illustrates IBM’s leadership in analytics in Africa. IBM is also actively laying the foundations for a major presence throughout the African continent, with offices in more than 20 African countries, where the company is assisting businesses and governments in building strategies, expertise, solutions, frameworks and operating procedures to help improve performance.

You can learn more about Santam here, and their new predictive analytics solution in the video below.  You can learn more about IBM business analytics solutions here.

New IBM Security Study: Finding A Strategic Voice In The C-Suite


I’m back from IBM Impact 2012…but my brain is still processing all the information I took in through all the interviews Scott and I conducted for ImpactTV and for all the sessions I attended…and I won’t mention all the cocktails in the evenings where I learned SO much from my industry peers.

The first ever IBM security officers study reveals a clear evolution in information security organizations and their leaders with 25 percent of security chiefs surveyed shifting from a technology focus to strategic business leadership role.

I’ll be putting together a recap post of some of the major announcements, and I’ve still yet to transcribe my interview with Walter Isaacson, but first, I wanted to highlight an important new study from IBM on the security front.

For those of you who follow the Turbo blog, you know the issue of security (particularly cybersecurity) is one I take very seriously and that I follow closely, partially because of my longstanding interest in the topic, and partially because I recognize we live in an imperfect world using imperfect technology, created and used by imperfect humans.

But the promise and hope for security, fallible though it may sometimes be, is a worthy aspiration.  There are ideas, assets, and often even lives at risk, and the more we move up the stack into an intellectual capital driven global economy, the more there is at stake and the more that will be needed to protect.

So, that’s a long way of saying expect to be hearing even more from me on this important topic.

Chief Security Officers: “We’ve Got Our CEO’s Attention”

To that end, now for the new information security study results. The new IBM study reveals a clear evolution in information security organizations and their leaders, with 25 percent of security chiefs surveyed shifting from a tech focus to one of a more strategic business leadership role.

In this first study of senior security executives, the IBM Center For Applied Insights interviewed more than 130 security leaders globally and discovered three types of leaders based on breach preparedness and overall security maturity.

Representing about a quarter of those interviewed, the “Influencer” senior security executives typically influenced business strategies of their firms and were more confident and prepared than their peers—the “Protectors” and “Responders.”

Overall, all security leaders today are under intense pressure, charged with protecting some of their firm’s most valuable assets – money, customer data, intellectual property and brand.

Nearly two-thirds of Chief Information Security Executives (CISOs) surveyed say their senior executives are paying more attention to security today than they were two years ago, with a series of high-profile hacking and data breaches convincing them of the key role that security has to play in the modern enterprise.

Emerging Security Issues: Mobile And A More Holistic Approach

More than half of respondents cited mobile security as a primary technology concern over the next two years.  Nearly two-thirds of respondents expect information security spend to increase over the next two years and of those, 87 percent expect double-digit increases.

Rather than just reactively responding to security incidents, the CISO’s role is shifting more towards intelligent and holistic risk management – from fire-fighting to anticipating and mitigating fires before they start. Several characteristics emerged as notable features among the mature security practices of “Influencers” in a variety of organizations:

  • Security seen as a business (versus technology) imperative: One of the chief attributes of a leading organization is having the attention of business leaders and their boards. Security is not an ad hoc topic, but rather a regular part of business discussions and, increasingly, the culture. In fact, 60 percent of the advanced organizations named security as a regular boardroom topic, compared to only 22 percent of the least advanced organizations. These leaders understand the need for more pervasive risk awareness – and are far more focused on enterprise-wide education, collaboration and communications. Forward-thinking security organizations are more likely to establish a security steering committee to encourage systemic approaches to security issues that span legal, business operations, finance, and human resources. Sixty-eight percent of advanced organizations had a risk committee, versus only 26 percent in the least advanced group.
  • Use of data-driven decision making and measurement: Leading organizations are twice as likely to use metrics to monitor progress, the assessment showed (59 percent v. 26 percent). Tracking user awareness, employee education, the ability to deal with future threats, and the integration of new technologies can help create a risk-aware culture. And automated monitoring of standardized metrics allows CISOs to dedicate more time to focusing on broader, more systemic risks.
  • Shared budgetary responsibility with the C-suite: The assessment showed that within most organizations, CIOs typically have control over the information security budget. However, among highly ranked organizations, investment authority lies with business leaders more often. In the most advanced organizations, CEOs were just as likely as CIOs to be steering information security budgets. Lower ranking organizations often lacked a dedicated budget line item altogether, indicating a more tactical, fragmented approach to security.  Seventy-one percent of advanced organizations had a dedicated security budget line item compared to 27 percent of the least mature group.

Recommendations to Evolve the Security Role in an Enterprise

To create a more confident and capable security organization, IBM recognizes that security leaders must construct an action plan based on their current capabilities and most pressing needs. The report offers prescriptive advice from its findings on how organizations can move forward based on their current maturity level.

For example, those “Responders” in the earliest stage of security maturity can move beyond their tactical focus by establishing a dedicated security leadership role (like a CISO); assembling a security and risk committee measuring progress; and automating routine security processes to devote more time and resources to security innovation.

About the Assessment

The IBM Center for Applied Insights study, “Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment,” included organizations spanning a broad range of industries and seven countries.

During the first quarter of 2012, the Center conducted double-blind interviews with 138 senior business and IT executives responsible for information security in their enterprises. Nearly 20 percent of the respondents lead information security in enterprises with more than 10,000 employees; 55 percent are in enterprises with 1,000 to 9,999 employees.

Click here to access the full study.

Managing & Mitigating Risk: The 2011 IBM Global Business Risk & Resilience Survey


Once again, IBM has published a global business risk and resilience study, this year in partnership with Economist Intelligence Unit on behalf of IBM.

The study was conducted in June of this year, and included responses from 391 senior executives…Thirty-five percent of the respondents were C-level executives…About 39% were from North America, 38% from Western Europe, 20% from Asia Pacific, and 3% from Eastern Europe.

Companies with less than U.S. $500M in revenue comprised 39% of the responses, and 48% of the respondents hailed from companies with more than U.S. $1 billion in revenue…The survey also covered a gamut of industries, including financial services (16%), IT and technology (16%), professional services (13%), manufacturing (8%) and healthcare (7%).

The IBM Global Risk & Resilience Study revealed that to date, companies around the world are focused heavily on building out their resilience and risk plans, as well as putting the supporting technologies and processes in place to get them into effect.

Before I dive into the results, here’s the setup: Global organizations are increasingly emphasizing business resilience; that is, the ability to rapidly adapt to a continuously changing business environment. Resilient corporations are able to maintain continuous operations and protect their market share in the face of natural or man-made disasters as well as radical changes in the financial or economic climate. They are also equipped to seize opportunities created by unexpected events.

So, the question is, are they?

It’s a mixed bag.

The research suggests that more and more businesses will adopt a more holistic approach to risk management in the next three years as they deal with growing uncertainty and the increasing interconnectedness of the varied risks they face.

That’s the good news, aspirational though it may be.

But in terms of today’s reality, the study indicated that only a minority of companies (37%) has implemented an organization-wide business resilience strategy…with 42% saying they’ll do so in the next three years.

Almost two-thirds (64%) say they have a business continuity plan of some sort, and a robust 58% have dedicated contingency plans for dealing with a variety of risks.

That’s the topline…now on to the deeper dive:

  • Larger organizations are more likely than smaller ones to have an integrated strategy. They, of course, typically have more to lose, and complexity increases an organization’s exposure to risk. Larger firms are more likely to have assigned overall responsibility for enterprise risk management to a single executive (which means, of course, direct accountability). Still, there is a contingent of small companies that have adopted integrated strategies. These companies also rank highly with regard to indicators of success such as revenue growth, profitability, and market share.
  • Continuity, IT and compliance risks remain in the forefront, but companies are diversifying their strategies to build business resilience. Nearly 40% of respondents say their organization regards business continuity as primarily an IT issue. However, when they’re asked to name their “primary risk management concern,” some name more than one, including disaster recovery (47%), IT security (37%), and regulatory compliance (28%). Though most have started by addressing the largest threats first, they increasingly are expected to turn to such things as communications and training programs designed to build a more resilient culture overall.
  • Business resilience planning increasingly involves specialists from across the organization, yet CIOs and IT pros remain the most prominent stakeholders.  Hey, what happened to sharing the love…and the risk??  Because a culture that imbues responsibility for risk management at every level enables companies to respond to changes and unexpected events. A solid majority of respondents (60%) say that business resilience is considered a joint responsibility of all C-level execs. Yet as IT penetrates more deeply into every aspect of company operations, CIOs and IT pros remain key players in building more resilient organizations. Fifty-six percent of respondents say the CIO collaborates with top IT strategists much more frequently than three years ago.

Silos, budget and predicting ROI were cited as the biggest barriers in the study to adopting a holistic approach to business resilience and risk.

How Can I Better Manage Risk Moving Forward?

In most organizations, improving business resilience requires a shift in corporate culture because that is what shapes values and behavior. If a company’s culture blends risk awareness with other corporate values, then people instinctively know the right thing to do when confronted with an unexpected situation, and that reduces risk.

Understanding these principles is a good first step, but in interviews, executives are clear that buy-in from the top is essential to foster broad organizational change. Promoting holistic risk management concepts to peers and employees is also critical.

Taking an incremental approach with broad participation in strategy development can help, because it is easier to promote change if a new initiative is not seen as being pushed by one particular faction.

Senior-level commitment and adequate resources are also needed to develop comprehensive communications and training programs to support integrated risk management. One of the distinguishing features of the most resilient companies is that they are much more likely than other firms to have developed a communications strategy to push the message of resilience out to every corner of the organization.

Companies that embrace these measures are more likely to create an effective business resilience plan. This will provide a robust foundation on which to build a long-lived competitive position supported by end-to-end risk management.

Go here to download the full report.

Risky Business: Results From The First-Ever IBM Global IT Risk Study


IBM recently undertook its first-ever Global IT Risk Study to uncover the challenges associated with IT risk, and the steps IT managers and CIOs are taking to better understand, confront, and resolve this concern.

This survey was conducted in May and June of this year, in cooperation with the Economist Intelligence Unit. The survey was conducted online with 556 IT managers and others involved in their business’s IT function, and included 131 CIOs. Regions throughout the globe were included, including North America, Western Europe, Asia-Pacific, the Middle East and Africa, Eastern Europe, and Latin America.

Survey Says…

To get the flavor of the full report, I would encourage you to register and download the full report — there are way too many important details to cover here.

But in terms of big picture results, the survey provided some key directional indicators on where IT managers’ and executives’ concerns mostly lie, and just as important, what they should consider doing about them.

First, in terms of risk maturity.  Few of today’s organizations are “risk mature,” or fully prepared for all risk situations that may occur.  The lack of a risk-aware culture plays a big part in this lack of maturity.

Second, culture.  Without a risk-aware culture, even the best efforts to mitigate risk may not succeed.

The 2010 IBM Global IT Risk Study provides detailed results on risk management questions that run the gamut, including important questions about risk preparedness in a variety of physical and virtual infrastructure scenarios like the ones in this graphic.

Third, and no major surprise, data protection and privacy.  Data is the unifying concern across all IT risk management domains.

And finally, emerging trends. Clearly on the radar is the need to incorporate cloud computing, mobile technology, and social networking into the existing infrastructure.

In fact, the risks surrounding social networking technologies were near the top of the list of IT respondents’ concerns, with some 64% of them indicating it was “Extremely risky/risky”.

IT security was also prevalent in the study as a primary concern, with some 78 percent of IT professionals concerned about vulnerability to hackers and unauthorized access/use of company systems.

Providing Actionable Intelligence For IT Risk

After reading through the data and responses from the IBM Global IT Risk study, you may develop an inclination to set out for the closest tall building and jump.

That would be foolhardy and simply add insult to injury where your company’s risk profile is concerned. They need you — whether they know it or not is another story.

No, the good news amidst all the bad is that the IBM report also provides some actionable intelligence, recommendations for how to improve your risk situation based on the concerns expressed by IT managers worldwide.

Starting with the simplest, but most obvious, advice: Examining and assessing your organization’s IT risk maturity so you can focus on the areas that will best help your business.

Learning how to “sell” the benefits of risk mitigation, helping your colleagues understand it’s a means by which you can help bolster business growth and improve brand perception.

Or determining how to raise the level of risk awareness throughout the organization, so the burden doesn’t fall on a single set of organizational shoulders (read: Yours!).

You’ll find a wealth of this and other valuable information and counsel in the report. And on Wednesday, September 29th, 2010, you can watch a full virtual event on the presentation of the findings and their implications.

Visit here to get all the details of the Webcast and to download the full report.

And please, in the meantime, stay away from tall buildings.

Written by turbotodd

September 27, 2010 at 4:44 pm