GRC TO INTEGRATED RISK MANAGEMENT: Looking Around the Corner
Hassan Al-Helo
RSA Archer
@RSAsecurity
@RSA_Archer
THE RISK CHALLENGE
DIGITAL | IT | WORKFORCE | SECURITY TRANSFORMATION
In a 2018 survey, 70% of Security/Risk professionals surveyed agreed that Business Risk and IT security personnel tend to use different tools and language, making communications between these groups challenging.
– RSA/ESG Survey

Survey data from March 2017 indicates that risk data regularly influences the decisions of 78% of organizations' boards of directors.
– Gartner

69% of Security/Risk professionals surveyed agreed that the relationship between business risk and IT security can be difficult to coordinate.
– RSA/ESG Survey

By 2020, 60% of digital businesses will suffer major service failures, due to the inability of IT security teams to manage digital risk.
– Gartner
RISK & COMPLIANCE | IT SECURITY | CEO / BOARD (? ??)
MALICE | MANDATES | MODERNIZATION
1st Line of Defense
EVOLUTION OF RISK MANAGEMENT
INEFFECTIVE RISK MANAGEMENT PROCESSES…
• Lack of ownership or skills
• Outdated reporting
• Manual processes
• Inconsistent controls
• Information silos
• Limited risk visibility
…CAN LEAD TO MORE RISK IN THE BUSINESS.
• Unresolved issues
• Inaccurate insights & misinformation
• High costs & inefficiency
• Holes & gaps
• Disconnected data & lack of context
• Poor business decisions & missed opportunities
RISK & COMPLIANCE | IT SECURITY | RISK | CEO / BOARD (? ??)
VISIBILITY | INSIGHTS | ACTION
INTEGRATED RISK MANAGEMENT
STRATEGIC RISK
OPERATIONAL RISK
SECURITY | RESILIENCY | COMPLIANCE | 3RD PARTY | IT | AUDIT | ORM
THE RSA PERSPECTIVE
STAKEHOLDERS: BOARD of DIRECTORS | EXECUTIVE MANAGEMENT
1st, 2nd and 3rd Lines of Defense: Sales, Front Line, Marketing, Operations, Security, Finance, Risk Management, Compliance, Audit
PROGRAMS:
• IT & SECURITY RISK MANAGEMENT
• OPERATIONAL RISK MANAGEMENT
• AUDIT MANAGEMENT
• REGULATORY & CORPORATE COMPLIANCE
• BUSINESS RESILIENCY
• THIRD PARTY GOVERNANCE
RISK MANAGEMENT LIFECYCLE: IDENTIFY | ASSESS | EVALUATE | TREAT | MONITOR
BUSINESS TRANSACTIONS and INFRASTRUCTURE
BUSINESS PERFORMANCE OPTIMIZATION
ACCOUNTABILITY | COLLABORATION | VISIBILITY | ANALYTICS | EFFICIENCY
INTEGRATED RISK MANAGEMENT
BREADTH ACROSS ALL DIMENSIONS OF RISK
MATURITY BASED
1. 3rd Party Catalog
2. 3rd Party Assessment
3. 3rd Party Engagement Management
4. 3rd Party Governance

SEQUENCED
Business Impact Analysis
• Data Governance
• Privacy Program Management
THEN
• Policy Program Management
• Controls Assurance
• …

PERSONA ORIENTED
CISO
• Cyber Risk Quantification
SECURITY OPERATIONS
• IT Security Vulnerability Program
Issues Management

FULL PROGRAM APPROACH
• Risk Catalog
• Bottom-up Risk Assessment
• Key Indicator Management
• Loss Event Management
• Top-down Risk Assessment
• Operational Risk Management
TAKE COMMAND OF YOUR JOURNEY
The Maturity Journey (chart: Maturity vs. Time; ROI)
• Siloed (Compliance): Streamline compliance, Build business context & reporting. Meet compliance requirements.
• Transition
• Managed (Risk): Expand risk focus, Improve analysis & metrics. Address known & unknown risks.
• Transform
• Advantaged (Business): Connect risk and the business with cross functional processes. Enable new business opportunities.
FINAL THOUGHTS
• Create and execute on an Integrated Risk Management Vision
• Anticipate the Digital
• Plan your Journey
• Quantify your needs vs. the investment