© 2012 IBM Corporation
Reputational risk and IT
How security and business continuity can shape the reputation and value of your company
IBM Global Technology Services
Introduction
Perception vs. reality
Security, continuity and social media
Who owns it?
Focus and funding
What you can do now

Reputational risk and IT: introduction

Reputational risk is a growing topic of business conversation, with IT playing a major role.

How IT affects reputation risk: reputation is built (and broken) on the web and in social media.

To find out where and how IT makes its biggest impact on reputational risk — and uncover any gaps — IBM conducted a worldwide study.

Respondents: 427. Company sizes: 5. Job titles: 15. Industries: 23. (Top responding categories shown below.)

Region: North America 33%; Europe 29%; Asia Pacific 26%; Middle East/Africa 8%; Latin America 5%.

Industry: Banking 19%; IT/Tech 15%; Energy/Utilities 13%; Insurance 11%; Financial Markets 9%; Professional Services 5%; All others 28%.

Job title: IT manager 24%; Other non-C-suite 23%; Other C-suite 14%; CEO/President/Managing Director 13%; CIO/CTO/Tech director 12%; SVP/VP/Director 11%; CRO/Risk Director 3%.

Company size: $500M or less 37%; $500M to $1B 13%; $1B to $5B 16%; $5B to $10B 9%; $10B or more 27%.

The study survey was conducted by the Economist Intelligence Unit on behalf of IBM. Respondents were asked questions about their companies’ reputational and IT risk efforts, plans and spending to provide a detailed picture of IT reputational risk management around the world.

The study results revealed three key observations concerning IT’s impact on reputational risk:

#1 IT risks have a major impact on a company’s reputation.
#2 Companies have rising IT risk concerns related to emerging technology trends.
#3 Companies are integrating IT risk and reputational risk management, with the strongest focus on threats to data and systems.

“IT and reputational risk can destroy your company in one night!”

Reputational risk and IT: perception vs. reality

There seems to be a mismatch between how well companies rate their reputation and how well they are protecting it.

80% rate their reputation as excellent or very good.
17% rate their company’s overall ability to manage IT risk as very strong.

There is room for improvement in almost every organization.

Source: Q1: How would you rate your company’s current reputation within its industry? Q5: How would you rate your company’s overall ability to manage IT risk?

IT risks strongly affect those factors that are most important to a company’s reputation — making IT risk integral to reputational risk.

78% include IT risk management as part of reputational risk management.

Most important to reputation: best-in-class product/service, trusted partner status, customer engagement (14% to 29%).

Strongly affected by IT risk: customer satisfaction, compliance, brand reputation (40% to 46%).

“IT is like the heart pumping blood to the whole body, so any failure could threaten the whole organization's survival.”

Source: Q2: Is IT risk management part of your organization’s overall reputational risk management strategy? Q6: Which of the following is the single most important factor driving your company’s reputation? Q3: In your estimation, how much do IT risks affect the following?

Lack of attention to fundamentals such as planning, testing, skills and support is often the root cause of risk events.

Companies are most confident about security and event-driven IT risks; less confident about new technology and continuity risks.

Very confident or confident about: system failures, data breaches, data loss (70% to 76%).

Less or not at all confident about: IT skills/tech support, business continuity plans, new technology (cloud), workforce mobility (14% to 21%).

Source: Q4: How confident are you that your company has adequate procedures, processes and controls in place to manage IT risk related to the following?

Data breach tops the list of IT risk factors that can cause the most reputational harm.

Top three IT risk factors harmful to reputation: data breach 61%; system failure 44%; data loss 37%.

Source: Q7: Which of the following IT risk factors do you think has the greatest potential to harm your company’s reputation? Select the top three.

The most harmful IT risk factors have different recovery times, each with significant short- or long-term impact on business value.

Even 6 months’ recovery time affects half an annual report’s figures.

Risks that companies are least confident in their ability to manage — new technology, continuity plans and IT skills/tech support — are also those that can do the longest-term harm to business value.

Average reputation recovery time (0-6 months, 6-12 months, 12+ months) was rated for: website outage; system failure; workforce mobility; insufficient disaster recovery measures; data loss; inadequate continuity plans; new technology; data breach; compliance failure; poor IT skills/tech support.

Source: Q9: In your estimation, how long on average has it taken for your organization’s reputation to recover from damage caused by the following?

Companies may be opening themselves up to unintended reputational risk by ignoring the impact of their partners.

Only 39% of companies are “very strenuously” requiring their vendors, partners and supply chain to match their levels of risk control.

• How many outside sources does your company do business with on a regular basis?
• How thoroughly have you communicated your IT risk mitigation standards to these sources?
• How are you monitoring your sources’ compliance with your standards?

“A major deliverable was on a contractor’s laptop, and it was stolen. We missed an important client deadline and lost the source files for all the work.”

Source: Q16: How seriously do you require your vendors/partners/supply chain to meet the same levels of control that you require internally to manage risk?

In summary, companies may be overestimating their ability to manage reputational risk.

Perception:
• More than two-thirds of companies include IT risk management in reputational risk management
• Companies are confident in their ability to manage security and event-driven risks
• 4 out of 5 companies rate their reputation as good or very good

Reality:
• Only 17% rate their company’s ability to manage IT risk as very strong
• Companies are far less confident in the areas of continuity, IT skills and tech support — fundamentals with lengthier recovery times
• Only 39% of the same companies require vendors, partners and supply chain to be properly vigilant

Reputational risk and IT: security, continuity and social media

Most companies have security items in place to react to reputational threats, but this is only part of the picture.

Top three security items currently in place: firewall management, internal audit, identity/access controls (71% to 79%).

But companies are overlooking many of the items that can proactively protect their reputations before harm happens: cloud security protection, penetration testing/ethical hacking, access to the latest security threat intelligence (23% to 43%).

Message to the CEO: “Penetration testing should be conducted at the project level to assess security standards compliance”

Source: Q17: Which of the following procedures, processes and controls do you have in place?

Emerging technologies represent both a continuity threat and an opportunity to proactively manage communications in a crisis.

Now: companies have the continuity basics in place: backup/restore testing, fully documented DR plan, automated backup processes (67% to 78%).

But there is untapped potential to use new tools to expand and enhance proactive risk management: change management 45%; social media guidelines for use in a crisis 27%; include social media tools in DR plans 19%.

Message to the CEO: “Being proactive and preventive is much more effective than being reactive.”

Source: Q17: Which of the following procedures, processes and controls do you have in place?

Companies are using social media tools to do business; now they need to use them to protect their reputations.

Channels (including social media) used to communicate with customers: company website 87%; text messaging (SMS), social media/networking tools and company-branded mobile application (44% to 50% each).

But only 27% provide for employee social media use during a crisis, and only 19% have incorporated social media into their disaster recovery plans.

Companies are missing the opportunity to leverage social media to protect and recover their reputations.

Source: Q21: Which of the following channels does your organization use to communicate with customers? Q17: Which of the following procedures, processes and controls do you have in place?

Summary: To better protect their reputations, companies need to be proactive about security, continuity and social media use in a crisis.

Companies are:
• Protecting their reputations with reactive security measures
• Testing/automating backups as part of documented disaster recovery plans
• Incorporating social media into their communications with customers

But companies are also:
• Overlooking important proactive security measures, most importantly penetration testing
• Leaving untapped new tools that can provide enhanced proactive continuity protection
• Missing the opportunity to mitigate reputational risk that social media can offer

Reputational risk and IT: who owns it?

When asked who was most accountable for the company’s reputation, respondents put responsibility squarely in the C-suite.

Most accountable for the company’s reputation: CEO 80%; CFO 31%; CIO 27%; CRO 23%; CMO 22%.

CEO: Best able to drive reputational risk management throughout an organization but has less time to devote to the task.
CFO: Possibly a reflection of old organizational structure, when most risk was financial in nature.

Source: Q10: Which functions within your organization are most accountable for the company’s reputation? Select the top three.

Respondents also agreed that the C-suite needs to know about risk exposures before they become risk events.

73% of companies agree that risk exposures are escalated in a timely and effective manner (27% do not). But “timely” and “effective” can be subjective:

• Are “timely” and “effective” clearly defined in IT and reputational risk management plans?
• Are default action plans in place for the most common types of IT risk affecting reputation?
• Do the people in charge have the expertise and authority to formulate the right responses? (CIO yes; CFO possibly not)
• Do the people in charge have the bandwidth to respond quickly?

Source: Q19: Do you believe that IT risk exposures are escalated to the board and C-level management in a timely and effective manner so as to protect your company’s reputation?

Reputational risk and IT: focus and funding

New technologies and social media are leading factors behind an increased focus on reputational risk.

64% will increase their focus on reputational risk compared to five years ago.

Why increase? New technology/social media 43%; previous event harmful to competitor/industry 20%; previous event harmful to company 18%; board of directors/C-suite mandate 10%; other 7%; shareholder pressure 3%.

Among those who will be reducing or keeping their focus on reputational risk the same, the top reason is competing priorities within the organization.

Source: Q11: How much will your organization focus on managing its reputation going forward as compared to five years ago? Q11a: What is the primary reason your company will focus more on managing its reputation going forward as compared to five years ago?

Often as a result of increased spending, companies are reporting adequate funding to manage reputational risk.

60% say they have adequate funding to provide the level of IT risk management needed to protect the organization’s reputation.

For many organizations, adequate funding means increased funding: 45% have increased spending by up to 20% over the past 12 months, and 46% will increase spending by up to 20% over the next 12 months.

Message to the CEO: “Underestimating the cost of reputational risk greatly exceeds the cost of protection.”

Source: Q12: Do you think you have adequate funding to provide the level of IT risk management required to protect your organization’s reputation? Q13: Over the past 12 months, how much has your IT budget increased due to concerns over reputational risk? Q14: Over the next 12 months, how much will your IT budget increase due to concerns over reputational risk?

Reputational risk and IT: what you can do now

Managing reputational risk: best practices for IT.

• Do a reality check
• Think continuity and resilience
• Focus on the fundamentals
• Confirm partners’ compliance with your standards
• Build an up-to-date reporting and escalation process

Get your own copy of the full study report — and take the survey yourself — at the IBM booth (38/39).

The full study report includes all you’ve seen today, plus other important findings and insights: www.ibm.com/services/riskstudy

Make your voice heard! Take the reputational risk survey online and get a complimentary copy of the upcoming expanded report. Get a free iPad case when you complete the survey in the IBM booth (while supplies last).

Thank you for attending!

© Copyright IBM Corporation 2012
IBM Corporation, IBM Global Services, Route 100, Somers, NY 10589 U.S.A.
Produced in the United States of America, August 2012
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.