GRC TO INTEGRATED RISK MANAGEMENT: Looking Around the Corner

Hassan Al-Helo

RSA Archer

@RSAsecurity

@RSA_Archer

THE RISK CHALLENGE

DIGITAL / IT / WORKFORCE / SECURITY TRANSFORMATION


In a 2018 survey, 70% of Security/Risk professionals surveyed agreed that Business Risk and IT security personnel tend to use different tools and language, making communications between these groups challenging. – RSA/ESG Survey

Survey data from March 2017 indicates that risk data regularly influences the decisions of 78% of organizations' boards of directors. – Gartner

69% of Security/Risk professionals surveyed agreed that the relationship between business risk and IT security can be difficult to coordinate. – RSA/ESG Survey

By 2020, 60% of digital businesses will suffer major service failures, due to the inability of IT security teams to manage digital risk. – Gartner

[Diagram: Risk & Compliance, IT Security and the CEO/Board each asking unanswered questions, under the pressures of Malice, Mandates and Modernization on the 1st Line of Defense]


EVOLUTION OF RISK MANAGEMENT


INEFFECTIVE RISK MANAGEMENT PROCESSES…

Lack of ownership or skills

Outdated reporting

Manual processes

Inconsistent controls

Information silos

Limited risk visibility


…CAN LEAD TO MORE RISK IN THE BUSINESS.

Unresolved issues

Inaccurate insights & misinformation

High costs & inefficiency

Holes & gaps

Disconnected data & lack of context

Poor business decisions & missed opportunities

[Diagram: Risk & Compliance, IT Security, Risk and the CEO/Board, connected through Visibility, Insights and Action]


INTEGRATED RISK MANAGEMENT

STRATEGIC RISK

OPERATIONAL RISK

SECURITY · RESILIENCY · COMPLIANCE · 3RD PARTY · IT · AUDIT · ORM


THE RSA PERSPECTIVE

STAKEHOLDERS: Board of Directors, Executive Management

1st, 2nd and 3rd Lines of Defense: Sales, Front Line, Marketing, Operations, Security, Finance, Risk Management, Compliance, Audit

PROGRAMS: IT & Security Risk Management, Operational Risk Management, Audit Management, Regulatory & Corporate Compliance, Business Resiliency, Third Party Governance

RISK MANAGEMENT LIFECYCLE: Identify, Assess, Evaluate, Treat, Monitor

BUSINESS TRANSACTIONS and INFRASTRUCTURE

BUSINESS PERFORMANCE OPTIMIZATION: Accountability, Collaboration, Visibility, Analytics, Efficiency

INTEGRATED RISK MANAGEMENT


BREADTH ACROSS ALL DIMENSIONS OF RISK

MATURITY BASED

1. 3rd Party Catalog

2. 3rd Party Assessment

3. 3rd Party Engagement Management

4. 3rd Party Governance

SEQUENCED

• Business Impact Analysis

• Data Governance

• Privacy Program Management

THEN

• Policy Program Management

• Controls Assurance

• …

PERSONA ORIENTED

CISO

• Cyber Risk Quantification

SECURITY OPERATIONS

• IT Security Vulnerability Program

• Issues Management

FULL PROGRAM APPROACH

• Risk Catalog

• Bottom-up Risk Assessment

• Key Indicator Management

• Loss Event Management

• Top-down Risk Assessment

• Operational Risk Management


TAKE COMMAND OF YOUR JOURNEY

The Maturity Journey (maturity over time)

Siloed: Meet compliance requirements. Streamline compliance, build business context & reporting.

Transition (from Compliance to Risk)

Managed: Address known & unknown risks. Expand risk focus, improve analysis & metrics.

Transform (from Risk to Business)

Advantaged: Enable new business opportunities. Connect risk and the business with cross-functional processes.


ROI


FINAL THOUGHTS

Create and execute on an Integrated Risk Management Vision

Anticipate the Digital

Plan your Journey

Quantify your needs vs. the investment

THANK YOU

Hassan Al-Helo

[email protected]

@RSAsecurity

@RSA_Archer