Csarn 19 May 2010

Building Resilience for the 21st Century Organisation CSARN Wales Conference Cardiff Millenium Stadium, 19 May 2010 Ray Stanton Executive Global Head, Business Continuity, Security and Governance, BT

Agenda/ topics covered Who is BT Risks Facing National Governments Choosing your Business Continuity Strategy Public / Private Partnership in action case study; CockerMouth - One team in a Crisis! Key messages & take-aways

Introducing BT Group and its lines of business • Over 112,000 people delivering service BT Group plc to more than 170 countries Group CEO: Ian Livingston Group CFO: Tony Chanmugam • In the year end 31 March 2010 BT Group Revenue was £20,911 Million with EBITDA of £5,781 Million* Customer relationships For more information please visit www.bt.com/aboutbt BT Retail Openreach IT and Comms Provision of fair services in the UK and equal network access CEO: Gavin Patterson CEO: Steve Robertson BT Wholesale BT Global Services Carrier and Provision of networked IT infrastructure services globally services globally CEO: Sally Davis CEO: Jeff Kelly Group strategy & operations BT Innovate & Design BT Operate BT‟s R&D Research Operates and manages Facilities & “Design Factory” BT‟s network & BT customers servicing all lines of business from all lines of business CEO and Group CIO: Clive Selley CEO: Roel Louhoff *before specific items, leaver costs, net interest on pensions, and contract & financial review chargess

Risks facing national governments – an example An illustration of the high consequence risks facing the United Kingdom Pandemic Influenza Coastal Flooding Relative Impact Major Industrial Accidents Inland Attacks on Attacks on Flooding Critical Crowded Infrastructure Non-conventional Places Major Transport Attacks on Accidents Attacks Transport Severe Weather Animal Disease Electronic Attacks Relative Likelihood

The threats, risks and issues – a BT perspective Highlighting those risks most relevant to BT Pandemic Influenza Coastal Flooding Relative Impact Major Industrial Accidents Inland Attacks on Attacks on Flooding Critical Crowded Infrastructure Non-conventional Places Major Transport Attacks on Accidents Attacks Transport Severe Weather Animal Disease Electronic Attacks Relative Likelihood

Example Reporting Security & Continuity Risks within BT 12 KEY 6 5 Pandemic flu Likelihood Industrial action Supplier/contractor failure 5 Data security breach 3 Theft of physical assets Network attack (physical) Accidental cable damage 4 18 Fire/explosion/terrorist bomb 17 6 10 Network attack (logical) Breach of contract 3 Employee malice/corruption 4 Revenue fraud Riot/political unrest 15 9 Natural disaster or climate change 2 14 Power failure 7 16 8 System/equipment failure 13 Product liability 11 Attack on employees 1 2 1 1 2 3 4 5 6 Impact

Security & Continuity Risks – Logical Grouping Revenue Fraud 4 12 10 Data Security Contract Fulfilment 3 Supplier Failure Employee Malice Pandemic Flu 11 1 8 System Failure Fire/Expl‟n/Bomb 16 MALICIOUS Natural Disaster 14 6 Physical Attack 15 Power Failure Industrial Action 2 7 INCREASING IMPACT Cable Damage Logical Attack 9 NON-MALICIOUS SERVICE INTERRUPTING 13 Political Instability NEGLIGENT 18 Attack on Employees Product Liability 17 Theft of Assets 5

Representing Risks on Impact vs. Likelihood Diagrams Very simple and subjective representation: The three zones of risk call for different approaches to risk Single point and management: values of Impact 1. BaU zone 6 & Likelihood 2. Managed risk zone 3. “Black Swan” zone Net Likelihood 5 More realistic, comprehensive and objective representation: 4 BaU zone X 100% High frequency incidents Efficiency and reliability issues 3 90% CE / RFT problems 80% Predictable 2 Historical data available 70% Likelihood (%) Managed Risk zone 1 60% Major incidents 50% Expert judgement 1 2 3 4 5 6 Limited data (not just BT‟s) Net Impact 40% “Black Swan” zone 30% “Tail” of the distribution Perceived threats & fears 20% Worst credible scenarios 10% No experience or data “Risk Frontier” curve with 0% distribution of values for 0 100 200 300 400 500 Impact & Likelihood Impact (£m)

BT‟s Risk Register Hierarchy Group Risk Group Risk Group Risk Register Register Register RISK 5. Funding of RISK 6. Failure of RISK 7. Threat of the Pension Scheme Corporate Resilience Industrial Action S&C Risk S&C Risk S&C Risk S&C Risk Register Register Register Register RISK 1. Pandemic RISK 15. Power RISK 9. Network RISK 6. Industrial flu failure attack (logical) action Info Ass‟ce Risk Info Ass‟ce Risk Info Ass‟ce Risk Register Register Register RISK 1. Power source RISK 2. Electronic RISK 3. Overloading disruption interference C&C infrastructure Risk Mitigation Risk Mitigation Risk Mitigation ACTION 1. Protected ACTION 2. Standby ACTION 3. Improved dual power supplies generator upgrade site security measures

Choosing your strategy: Where to deploy Business Continuity? Colocation of critical IT systems, back-up, mirrored data centres. IT Often built-into BPO contracts, with additional hardware Mirrored and alternative bandwidth and connectivity plans, Connectivity including mobilised and distributed capability Redundancy in systems and processes. Understanding of Processes prioritisation in service delivery Redundant (often virtual) space for disaster or contingency Physical planning, relocation services and emergency contact centres Distributed workforce, but also multi-skill staff crossing-over People workloads to ensure resilience. Defined lines of responsibility Source: IDC Research for BT; November 2007

Remember basic principles – the Business Continuity Lifecycle • Logical methodology • Ensures appropriate solutions • Accepted best practice • Framework for continual improvement BCM • Continual engagement with customer Programme • Solutions not products Management

Benchmark against Best Standard: eg. BS25999 • Worldwide standard for business continuity management • Widely accepted • Is the only BC standard that can be certified against • Full range of complimentary professional services

Public / Private Partnership in action

How does BT discharge its Civil Contingency Obligations as a Category 2 Responder? 2 Senior Managers and a virtual team of 80+ liaison managers (Regional and Senior Operational managers) Responsible for: ▬ Attending local (54 LRFs UK wide) and Regional (12 RRFs UK wide) Resilience meetings where appropriate (Chief Constable/ CEO level); ▬ Attend exercises where appropriate at Regional or Local level ▬ Information share where appropriate (BCM resilience opportunity); and, ▬ Attend Multi Agency „GOLD‟ commands during and incidents (85% of the BT liaison manages are trained at GOLD command level)

„One Team in a Crisis‟ Cumbria – November 2009

BT Initial Response & Establish Control Lead by BT most senior „on call‟ executive • Initiated a Threat assessment and Response Group (TARG) comprising of key Business Unit leads (Network Management, Incident Management, Market facing Units, Media Ops, HR, Legal, Property, BCM) Initiated a BT Gold Coordination Group • As a result of the TARG formed and Chaired BT Gold throughout BT‟s response. Linked into the Multi Agency Strategic Coordination Group (SCG) • Directed the brief and deployment of the BT Liaison Manager to Cumbria SCG by the Civil Resilience Duty Officer

BT Recovery & Return to Normality BT Incident Management Team (BT Silver) • Initiated traffic rerouting round the damaged network to restore service ASAP, assembled teams of fibre optic and copper cable specialist to divert or build temporary network around Northside bridge area (three months work concluded in seven days); BT Liaison Manager - secured support from Cat 1 & 2‟s • Specifically Cumbria County Council and Network rail allowing temporary network to be constructed over the rail bridge to the west of the collapsed Northside bridge; Support to Responders by BT Bronze Teams • In addition to repairing the devastated network in Working ton BT technicians also provided specialist communications support in Cockermouth and across Cumbria supporting agencies by restoring lost services or provision of temporary service to aid their response; Support to the Community by BT Bronze Teams • Provided return to Premises support to communities across Cumbria by testing internal network and equipment before allowing use .

Solutions from BT addressing organisations BC/DR needs • Full end-to-end lifecycle based on emerging (BS 25999) standards Business Continuity • Business case and benchmarking against industry best practices Consulting • Process embedding, not just a one-off, box-ticking exercise • Secure and resilient hosting of client systems in BT data centres Resilient Data • Fail-over service – full client system duplicated in BT facility Centre Services • Storage (e mail archiving, data vaulting etc) • Secure and highly dependable IP infrastructure Resilient • BT‟s WAN provides basis for next generation converged solutions Communications with quality of service and reliability • Provision of secure mobile communications, enabling location Mobile and independent operation Flexible Working • Flexible working and home-working solutions to enhance pandemic preparedness • Recovery of voice, IT, premises and communications in the event of IT and Disaster disaster within agreed recovery time objectives Recovery • BT Commsure in UK providing full voice and data recovery services

In summary, our opinion and take-a-ways In our opinion Take-a-ways/ food for thought: • The risk environment is more volatile, not less; • Look to share technology and operational risks with trusted, qualified partners and similar organisations • Your stakeholders will demand protection of their on common ground! assets and proof that your business is resilient; • Introduce common Risk Management standards now • Strong business continuity strategies, following basic to deal with the continuing convergence of networks principles, are the best way to protect your and the applications that depend on them; organisation. • Risk is not going away, embrace it now! • Plan, plan and plan again, but get on with the execution now – but remember, fail to plan, plan to fail! “There cannot be a crisis next week. My schedule is already full” Henry Kissinger

In the end – it‟s all about avoiding problems before they happen!

ray.stanton@bt.com www.bt.com/security

Csarn 19 May 2010

by Larry Taylor

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Csarn 19 May 2010 Presentation Transcript