IBM Global Technology Services




Executive summary:
Reputational risk and IT
How security and business continuity can shape the reputation and
value of your company




RLP03019-USEN-00
                                                                    © 2012 IBM Corporation
Reputational risk and IT: introduction


Make a resolution to make 2013 the year that your enterprise makes
reputational risk an integral part of IT risk management.

IBM is happy to provide this presentation for use in fostering discussions in your organization about the connections between IT risk and reputational risk.
The information in this presentation is provided “as is.” IBM is not responsible for any changes made to the presentation by users outside of IBM.
For more information, visit: ibm.com/services/riskstudy




Your reputation is at risk every day. An IT issue can set off a series
of events that can have significant impact on business value.

IT event: Storms trigger power outage; partial failure in data center UPS; critical servers fail; highly visible service outage

Reputation suffers: News reports on the web; people talk; confidence, trust waver

Business value damaged: Penalties accrue; customers defect; stock price falls



To find out where and how IT makes its biggest impact on reputational risk
— and uncover any gaps — IBM conducted a worldwide study.

The study survey was conducted by the Economist Intelligence Unit on behalf of IBM.

Respondents were asked questions about their companies’ reputational and IT risk efforts, plans and spending to provide a detailed picture of IT reputational risk management around the world.

Respondents: 427
    North America: 33%
    Europe: 29%
    Asia Pacific: 26%
    Middle East/Africa: 8%
    Latin America: 5%

Industries: 23*
    Banking: 19%
    IT/Tech: 15%
    Energy/Utilities: 13%
    Insurance: 11%
    Financial Markets: 9%
    Professional Services: 5%
    All others: 28%

Job titles: 15*
    IT manager: 24%
    Other non-C-suite: 23%
    Other C-suite: 14%
    CEO/President/Managing Director: 13%
    CIO/CTO/Tech director: 12%
    SVP/VP/Director: 11%
    CRO/Risk Director: 3%

Company sizes: 5
    $500M or less: 37%
    $500M to $1B: 13%
    $1B to $5B: 16%
    $5B to $10B: 9%
    $10B or more: 27%

*Top responding categories shown.


The study results revealed three key observations concerning IT’s impact
on reputational risk.

#1  IT risks have a major impact on a company’s reputation

#2  Companies have rising IT risk concerns related to emerging technology trends

#3  Companies are integrating IT risk and reputational risk management, with strongest focus on threats to data and systems

“IT and reputational risk management and mitigation are… key success factors of our business and must be given due emphasis.”
    C-level executive, Malaysian agriculture and agribusiness company

Reputational risk and IT: perception vs. reality


There seems to be a mismatch between how well companies rate
their reputation and how well they are protecting it.

80% rate reputation as excellent or very good

17% rate their company’s overall ability to manage IT risk as very strong

There is room for improvement in almost every organization
Source: Q1: How would you rate your company’s current reputation within its industry?
        Q5: How would you rate your company’s overall ability to manage IT risk?


IT risks strongly affect the factors most important to a company’s
reputation — making IT risk integral to reputational risk.



78% include IT risk management as part of reputational risk management

“IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization's survival.”
    IT manager, French IT and technology company

Most important to reputation:
    Best-in-class product/service: 29%
    Customer engagement: 24%
    Trusted partner status: 14%

Strongly affected by IT risk:
    Customer satisfaction: 46%
    Brand reputation: 41%
    Compliance: 40%


Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy?
        Q6: Which of the following is the single most important factor driving your company’s reputation?
        Q3: In your estimation, how much do IT risks affect the following?


Data breach tops the list of IT risk factors that can cause the most
reputational harm.
Top three IT risk factors harmful to reputation:
    Data breach: 61%
    Systems failure: 44%
    Data loss: 37%


Source: Q7: Which of the following IT risk factors do you think has the greatest potential to harm your company’s reputation? Select the top three.


Companies’ perceptions differ from reality when it comes to the
comprehensiveness of their reputational risk protections.
Data breach
    Perception: very confident/confident about level of protection: 70%
    Reality: have access to the latest security threat intelligence: 32%

Systems failure
    Perception: very confident/confident about level of protection: 70%
    Reality: have 24x7 expert technical support coverage: 52%

Data loss
    Perception: very confident/confident about level of protection: 76%
    Reality: perform testing including business users: 45%

* Companies are overlooking the IT fundamentals that can enhance their ability to mitigate reputational risk
Source: Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?
        Q17: Which of the following procedures, processes and controls do you have in place?
Reputational risk and IT Study: security findings


Well-publicized scenarios of financial and reputational impact due to
security breaches are in the news every day.

Payment processor
    Hackers intrude core line of business.
    Nearly 130 million customers affected.
    Estimated costs: up to $500M

Online gaming community
    Community and entertainment sites hacked.
    Around 100 million customer records compromised.
    Estimated costs: $3.6B

Retailer
    Customer data stolen over more than 18 months.
    At least 45 million records stolen.
    Estimated costs: up to $900M

Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles.
Reputational risk and IT: perception vs. reality


The impact of IT risk events on “reputational recovery” is measured
in months, not hours or days like recovery time objectives (RTO).

IT risk factor                   0-6 months   6-12 months   12+ months
Website outage                   78%          14%           8%
System failure                   72%          17%           10%
Workforce mobility               71%          18%           11%
Data loss                        70%          17%           12%
Inadequate continuity plans      65%          21%           13%
Insufficient DR measures         63%          24%           12%
New technology                   64%          18%           18%
Data breach                      65%          19%           16%
Compliance failure               64%          22%           14%
Poor IT skills / tech support    64%          22%           14%


Source: Q9: In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following IT risk factors?
        Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?


Companies may be opening themselves up to unintended
reputational risk by ignoring the impact of their partners.


Only 28% of companies “very strenuously” require their vendors, partners and supply chain to match levels of risk control *

* Average

“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”
    Chief marketing officer, American education company

How many outside sources does your company rely on?

Are you enforcing your IT risk mitigation policies on these sources?

How are you monitoring your sources’ compliance with your standards?

Source: Q16: How seriously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?
Reputational risk and IT: security, continuity and social media


Most companies have security items in place to react to reputational
threats, but this is only part of the picture.
Critical security fundamentals currently in place:
    Firewall management: 79%
    Identity/access controls: 71%
    Network & endpoint protection: 60%

Danger: Up to 40% of companies are missing critical security protections

“Being proactive and preventive is much more effective than being reactive.”
    IT manager, American energy and utilities company

But companies are overlooking many of the items that can proactively protect their reputations before harm happens:
    Cloud security protection: 23%
    Access to latest security threat intelligence: 32%
    Penetration testing/ethical hacking: 43%

Source: Q17: Which of the following procedures, processes and controls do you have in place?


Companies also have continuity basics in place, but are missing the
opportunity to leverage IT fundamentals for additional protection.
Companies have the continuity basics in place:
    Backup/restore testing: 78%
    Fully documented DR plan: 68%
    Automated backup processes: 67%

Now: Up to 55% of companies can improve reputational risk management through the use of IT fundamentals

There is untapped potential to use IT fundamentals to better manage reputational risk:
    Change management: 45%
    24x7 onsite maintenance/repair for critical equipment: 51%
    24x7 software tech support: 53%


Source: Q17: Which of the following procedures, processes and controls do you have in place?


Companies are using social media tools to do business; now they
need to use them to protect their reputations.
Social media used to communicate with customers:
    Company website: 87%
    Social media/networking tools: 50%
    Text messaging (SMS): 46%
    Company-branded mobile application: 44%

But only:
    27% provide for employee social media use during crisis
    19% have incorporated social media into their disaster recovery plans

Companies are missing the opportunity to leverage social media to protect and recover their reputations
Source: Q21: Which of the following channels does your organization use to communicate with customers
        Q17: Which of the following procedures, processes and controls do you have in place?
Reputational risk and IT: who owns it?


When asked who was most accountable for the company’s
reputation, respondents put responsibility squarely with the CEO.


    CEO: 80%
    CFO: 31%
    CIO: 27%
    CRO: 23%
    CMO: 22%

CEO: Best able to drive reputational risk management throughout an organization

CMO: The critical link between the company and its customers


Source: Q10: Which functions within your organization are most accountable for the company’s reputation? Select the top three.
Reputational risk and IT: focus and funding


New technologies and social media are leading factors behind an
increased focus on reputational risk.



64% will increase focus on reputational risk compared to five years ago

“Technology is an amplifier in all it touches, for better and worse. If we use it, we must manage it rigorously.”
    CIO, Barbados professional services firm

Why increase?
    New technology/social media: 43%
    Previous event harmful to competitor/industry: 20%
    Previous event harmful to company: 18%
    Board of directors/C-suite mandate: 10%
    Other: 7%
    Shareholder pressure: 3%

Source: Q11: How much will your organization focus on managing its reputation going forward as compared to five years ago?
        Q11a: What is the primary reason your company will focus more on managing its reputation going forward as compared to five years ago?


Often as a result of increased spending, companies are reporting
adequate funding to manage reputational risk.



60% say they have adequate funding to provide the level of IT risk management needed to protect the organization’s reputation

For many organizations, adequate funding means increased funding:
    57% have increased spending over the past 12 months
    59% will increase spending over the next 12 months

“Underestimating the cost of reputational risk greatly exceeds the cost of protection.”
    Finance manager, American financial services company

 Source: Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation?
         Q13: Over the past 12 months, how much has your IT budget increased due to concerns over reputational risk?
         Q14: Over the next 12 months, how much will your IT budget increase due to concerns over reputational risk?
Reputational risk and IT: what you can do now


Start a reputational risk dialogue across your enterprise.

    Have the reputational risk conversation — the sooner, the better

    Elevate your discussion — lead with reputational risk to justify IT investments

    Team up with your risk colleagues

    Confirm partners’ compliance with your standards

    Extend your reporting and escalation process to include reputational risk impact



Incorporate the key characteristics of companies reporting excellent
reputations.

1  Companies with excellent reputations see stronger links between IT threats and reputation—especially customer satisfaction and brand reputation

Organizations reporting their reputation as:                      Excellent   Very good   Average or worse
2  Integrate IT into reputational risk management                 83%         81%         64%
3  Have strong/very strong IT risk management capacity            84%         63%         28%
4  Have adequate IT risk management funding                       78%         59%         36%
5  Very strenuously require supply chain to match standards       58%         38%         33%

 Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy?
         Q5: How would you rate your company’s overall ability to manage IT risk?
         Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation?
20       Q16: How strenuously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?     © 2012 IBM Corporation
Reputational risk and IT: what you can do now


Learn more about the reputational risk and IT connection, and how
IBM can help you protect the reputation and value of your company.


Download the full study report
Includes all you’ve seen today, plus other important findings
ibm.com/services/riskstudy

Add your voice to the discussion
Take the reputational risk survey online and get a complimentary copy of the 2013 expanded report
Scan the code or go to bit.ly/ibmrisksurvey

Get the experts’ views on managing IT risk
The Reputational Risk Webcast Series features industry and IBM experts exploring the relationship between reputation and IT risk
ibm.com/services/riskstudy/webcasts

Explore how IBM can help you with:
  Security
  Business continuity
  Technical support services

Request to speak with an IBM specialist about your business needs
Thank you for your interest




© Copyright IBM Corporation 2012

 IBM Corporation
 IBM Global Services
 Route 100
 Somers, NY 10589 U.S.A.

 Produced in the United States of America
 November 2012

 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other
 countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a
 trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time
 this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other
 product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is
 available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.

 This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are
 available in every country in which IBM operates.

 THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED,
 INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and
 conditions of the agreements under which they are provided.





