Turning IT Risk Management into Business Value


1 Turning IT Risk Management into Business Value
Increasing the Value and Profile of InfoSec to the Business. Case Study from a LockPath Customer

2 What You Will Learn
How to tie IT operations and IT risk to business operations and business value
How compliance and risk data needs to be messaged differently across the organization
How efficient and effective IT risk management and InfoSec operations move from ‘checking the box’ to organizational value and increased prestige
Good morning. My name is Sam Abadir. I am the Director of Product at LockPath. LockPath makes a software platform called Keylight that helps users manage Governance, Risk and Compliance, or GRC, across their enterprise. I will tell you a little more about Keylight at the end of the presentation today. What we are going to talk about today is how other InfoSec operations have solved the problem of effectively and efficiently communicating geek-speak metrics across the organization while effectively and more efficiently managing IT risk. We will talk about how customers are getting the attention and funding they need from business managers, from the C-suite and from the board, and how InfoSec teams are reacting faster to their most important problems. Instead of talking about vulns, threats, configurations and SIEM alerts in techno terms, they are using GRC platforms to instantly transform and communicate that message: a message of specific business impacts, potential process slowdowns or stoppages, and dollars at risk, while also remediating the most important threats impacting their business. 11/13/2018

3 IT Risk Management And Business Value
IT risks are those within the scope and responsibility of IT, the IT department or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events.

4 Disparate Data Throughout the Business
Vuln Scanner. Tactical and Strategic Activities. Threat Feed. Business Priorities.
One of our customers is a large international company, which makes them a prime target for attacks on their infrastructure. As threats from threat detection feeds like iSight and vulnerability scans from tools like Qualys were coming in, the organization was having a difficult time understanding what to prioritize at the IT level, how to best manage the information at the IT level, and how to explain and justify the expense to the board. [CLICK] This customer had these two feeds to manage (they actually bring in more data feeds, but we are focusing on these two in this example). The vulnerability feed seemed pretty straightforward to manage in Qualys. Threats were critical, high, medium, or low. What they did not know was how critical the assets were that had vulnerabilities. Additionally, they did not know if a vulnerability was new or if it had already been reported. This made it difficult to prioritize how to fix the vulnerabilities found. Trying to get ahead of threats and harden or monitor systems before breaches happened, this bank bought a threat monitoring service. Their subscription gave them hundreds if not thousands of threats a day…all in PDF form by . Reading the threats and seeing if they were applicable to the organization was time consuming, if not impossible to do on a timely basis. IT knew why they wanted to do this. They wanted to protect their systems, keep their name out of the bad part of the news, and make sure they were meeting their service level agreements with the operational part of the business. They knew that risks to IT meant that the business could not operate, or could suffer reputational harm. IT was challenged internally on how to manage vulns and threats, and challenged by their management on how to justify the high costs for data and the high costs to manage the data. They were also challenged on how to better prioritize threats to the business.

5 Business Operations Supported by Technology
Operational Risks. Value. Operations IT Supports. Business IT Infrastructure. IT Risks.
In order to solve both of these issues, what the bank had to do was look at their asset base and understand which assets support which business processes and how the business prioritized those business processes. With this information they could identify the value each process brings to the organization. They could identify the potential loss of value because of a vulnerability on a process-supporting system, and they could identify the potential loss from an imminent threat to an IT system that supports a business process. In order to solve both of these issues, what IT had to do was [CLICK ON BULLETS]
Identify how the operations of the company created value
Then identify which assets supported which operational processes. This gave them the direct tie between assets and value created
The business had already identified and quantified the value of operational risks
This mapping and risk identification by the business laid out the plan for explaining IT risks in business terms

6 Risk to Value Threats to Processes Put Value At Risk
Threats to Supporting Technology Put Value At Risk
Marketing Systems: CRM System. Account Management: CRM System, Credit Systems. Accounting Systems: CRM Systems. Account Systems: CRM Systems. Trading Systems: CRM Systems.
What the IT organization did was work with the business to identify the processes that the organization supported and the value of those processes. Internally they were able to map IT assets and supporting information to the processes. Therefore they were able to understand the value that each IT asset supported and how much was at stake when a threat or a vulnerability was found on a supporting asset. They could now begin to prioritize threats, and they could prioritize vulnerabilities based on business operations, not just severity.
Threats to processes: poor execution, reputation, expensive compliance, etc.
Threats to supporting technology: system vulnerabilities, application vulnerabilities, inadequate security, etc.
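The asset-to-process mapping described on slides 5 and 6 can be turned into a simple ranking rule. The following is an added example (not code from the presentation, LockPath or Keylight) that scores each scanner finding by the business value the affected asset supports, drops findings already in the risk register, and keeps only threat-feed items that name software actually present in the inventory. All asset names, process values, severity weights and findings are constructed for illustration.

```python
"""Prioritize scanner findings and threat-feed items by business value at risk.
Constructed example: every asset, process value and finding below is made up."""

# Assumed weights turning scanner severity into a likelihood-style factor.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.6, "medium": 0.3, "low": 0.1}

# Constructed business data: annual value (USD) each process creates, and
# which assets support which processes (the mapping the slides describe).
PROCESS_VALUE = {"trading": 50_000_000, "account_mgmt": 8_000_000, "marketing": 1_000_000}
ASSET_PROCESSES = {
    "crm-01": ["account_mgmt", "marketing"],
    "trade-gw-02": ["trading"],
    "web-kiosk-09": [],  # asset with no known business process behind it
}
# Constructed inventory: software each asset runs, used to filter threat feeds.
ASSET_SOFTWARE = {
    "crm-01": {"crm-suite 4.2"},
    "trade-gw-02": {"fixgw 1.9", "openssl 1.1"},
    "web-kiosk-09": {"kiosk-os 2"},
}


def asset_value(asset):
    """Sum of the value of every business process the asset supports."""
    return sum(PROCESS_VALUE[p] for p in ASSET_PROCESSES.get(asset, []))


def value_at_risk(finding):
    """Severity weight times the business value the affected asset supports."""
    return SEVERITY_WEIGHT[finding["severity"]] * asset_value(finding["asset"])


def prioritize(findings, already_reported):
    """Rank new findings by value at risk; skip those already in the risk register.
    A medium finding on a trading gateway can outrank a critical one on a kiosk."""
    new = [f for f in findings if (f["asset"], f["vuln"]) not in already_reported]
    return sorted(new, key=value_at_risk, reverse=True)


def relevant_threats(threats):
    """Keep only threat-feed items naming software present in the inventory."""
    installed = set().union(*ASSET_SOFTWARE.values())
    return [t for t in threats if installed & set(t["affects"])]


if __name__ == "__main__":
    findings = [
        {"asset": "crm-01", "vuln": "V-1", "severity": "critical"},
        {"asset": "trade-gw-02", "vuln": "V-2", "severity": "medium"},
        {"asset": "web-kiosk-09", "vuln": "V-3", "severity": "critical"},
    ]
    for f in prioritize(findings, already_reported={("crm-01", "V-0")}):
        print(f"{f['asset']:<14}{f['vuln']:<6}${value_at_risk(f):,.0f} at risk")
```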

7 IT and Business Data Are Inputs to Risk Management
Managing this data and information, and the rate of change of this data and information, however, was another logistical nightmare that could have added more cost, more time, and more uncertainty. The increased amount of data only increased the number of questions they had about their data and about their threats. That is where a Governance, Risk and Compliance, or GRC, platform [K] comes in. [K] GRC platforms take metrics and inputs from across the business, from third parties and from IT scanning tools such as Qualys, Nexpose, WhiteHat, Veracode, Tripwire, etc. GRC platforms [K] then automatically correlate this information and help users prioritize threats and vulnerabilities.

8 GRC Architecture Incidents KPIs Other Business Records
Besides managing this data and the rate of change of data, [K] GRC platforms manage the messaging of information to different parts of the company, with many fewer resources. This company today is able to automatically collect and manage data from across the business. They are able to work with the business to identify risks and what metrics are used to measure the risks, and [K] GRC platforms are taking that information and presenting pertinent information to people throughout the organization.
Inputs: Incidents, KPIs, Other Business Records, Vulnerability Scanners, Web App Scanners, Config Scanners, Syslog, SIEM.
Platform: Risk Register, Risk Thresholds, Workflow, Reporting, Dashboards.
Outputs: Staff Reports, Management Reports, Board of Director Reports.

9 IT Risk Management Across the Organization
Operational Reports: Which assets are most at risk to vuln findings, scanner findings, SIEM findings, etc.? Asset prioritization: what do I fix first? Asset risk history.
Management Reports: How healthy are the assets that support the business? Who needs the most help? Is shadow IT/BYOD creating a threat? Are assets enriched with business information?
BOD/Audit Reports: How much value is at risk? Do I need to make additional investments to manage risk? Are current risk management efforts effective?
Today the company we have been discussing is using [K] a GRC platform to pull in data from across the organization. That data is measured and analyzed in the platform and reported to IT operations, to IT and Business Management, and to the C-suite, Board of Directors, and Audit Committees. Said differently, [K] GRC platforms are telling front-line IT, through live reports and dashboards, of prioritized IT threats delivered in geek speak. Front-line IT using [K] GRC platforms are now able to better prioritize vulnerabilities and incidents, in real time. [CLICK] [K] GRC platforms are telling management of the effectiveness of front-line operations. The platform is using scanning technology to identify new assets in the environment and correlating IT data, such as the encryption levels of assets, with business data sensitivity to see if there is exposed data. It's also consuming the hundreds or thousands of daily threats that were previously delivered by , instantly correlating that information with existing assets to see if the threats are even relevant, and then deploying resources to battle the threat. These follow-up activities have included updating mail filters to block known phishing activity, monitoring web traffic for predicted DDoS attacks, or updating configurations to block other types of attacks.
Management is given the best information at the right time from sources across the enterprise to develop the right strategy to more efficiently and effectively protect the organization from IT threats. [K] GRC platforms are trending metrics and KPIs and converting techno-speak into dollars and value at risk, or other messages that senior-level management understands. Information presented this way helps IT departments quickly get budget, resources, and tools to manage risks before they become a real problem for the business. Being able to automatically use the same data to inform the right people of risks, opportunities and issues in the language they speak, using their relevant metrics, enables the business to efficiently manage risk. Coordinated and timely messaging keeps business spending focused on creating value instead of reacting to aging problems. The end result for the IT organization has been:
Greater respect from management and senior management
More efficient and effective IT operations
And these have led to the business giving higher priority to IT budget and resource requests.

10 Summary
GRC takes inputs from across the enterprise and even third parties to efficiently manage different areas of risk, including IT risk
GRC automates messaging of IT risk and compliance data to stakeholders across the organization in an efficient, effective, and risk-specific manner
GRC tools should remove the complexity of compliance and allow the business to focus on its core objectives
To summarize, GRC platforms [K] help organizations effectively manage risk to the business by automatically correlating and managing data from across the enterprise, including from most of the tools you see here at Data Connectors. Organizations using GRC platforms [K] can battle risks to value tactically and strategically by sending the right messages to the right people at the right time. GRC platforms [K] create huge efficiencies in data management and in creating actionable messages. These efficiencies often allow organizations to better focus their resources on value-creating activities. And lastly, GRC platforms provide a mechanism for the entire business to agilely manage risks, whether they are IT, Compliance, Operational, or Third Party, and to manage messages as business conditions, business strategies, technologies and threats change.

11 About Keylight
Keylight is a fully integrated suite of seven management applications designed to manage all facets of compliance and risk programs
It provides the most efficient and effective path to compliance and audit readiness
Helps organizations achieve competitive advantage through confidence, trust, and effective management
Keylight consists of a fully integrated suite of management applications designed to manage all facets of compliance and risk programs, including IT Risk Management, Operational Risk Management, Vendor Risk Management, Audit Management, Business Continuity Management and Corporate Compliance. Our Keylight platform is used to automate business processes, reduce enterprise risk, eliminate redundancy, and demonstrate regulatory compliance. In short, Keylight provides the most efficient path to compliance and risk management. Keylight allows an organization to house its entire list of activities, processes and information in one platform. Keylight consists of seven apps, connectors to third-party data sources and a user-friendly interface. All of this is accompanied by LockPath's award-winning support.

12 The Keylight Ecosystem
Keylight’s seven applications work together to help users analyze data from multiple sources. You can use any combination of applications and add apps as your needs change. LockPath will work with you to understand your needs and identify the applications needed to solve enterprise issues such as:
Compliance Management
Risk Management
IT Risk and Asset Management
Third Party Risk Management
Operational Risk Management
All configurations of Keylight include workflow, dedicated GRC reporting and dashboarding, and the advanced data management required to solve the complex risk and compliance issues organizations face.

13 Questions?
LockPath Corporate Headquarters, College Boulevard #200, Overland Park, KS. lockpath.com/company/contact
If you have any questions, please feel free to ask. Thank you. You should be receiving a follow-up from LockPath in the next day or two which includes a link to the recording of this presentation. If you have other questions, please use the contact information here to reach out to us. Again, my name is Sam Abadir, and thank you for attending today.

