Csarn 19 May 2010
  1. Building Resilience for the 21st Century Organisation. Ray Stanton, Executive Global Head, Business Continuity, Security and Governance, BT. CSARN Wales Conference, Millennium Stadium, Cardiff, 19 May 2010
  2. Agenda / topics covered: Who is BT; Risks facing national governments; Choosing your business continuity strategy; Public/private partnership in action, case study: Cockermouth, one team in a crisis; Key messages and take-aways
  3. Introducing BT Group and its lines of business. Over 112,000 people delivering service to more than 170 countries. In the year ended 31 March 2010 BT Group revenue was £20,911 million with EBITDA of £5,781 million (before specific items, leaver costs, net interest on pensions, and contract and financial review charges). For more information please visit www.bt.com/aboutbt. BT Group plc (Group CEO: Ian Livingston; Group CFO: Tony Chanmugam) covers group strategy and operations and customer relationships, with the following lines of business: BT Operate, operates and manages BT's network and BT customers from all lines of business (CEO: Roel Louhoff); BT Innovate & Design, BT's R&D research facilities and "Design Factory" servicing all lines of business (CEO and Group CIO: Clive Selley); BT Retail, IT and comms services in the UK (CEO: Gavin Patterson); BT Wholesale, carrier and infrastructure services globally (CEO: Sally Davis); Openreach, provision of fair and equal network access (CEO: Steve Robertson); BT Global Services, provision of networked IT services globally (CEO: Jeff Kelly)
  4. Risks facing national governments, an example: an illustration of the high-consequence risks facing the United Kingdom, plotted by relative likelihood against relative impact. Risks shown: pandemic influenza; attacks on critical infrastructure; coastal flooding; major industrial accidents; major transport accidents; severe weather; electronic attacks; animal disease; non-conventional attacks; inland flooding; attacks on transport; attacks on crowded places
  5. The threats, risks and issues, a BT perspective: the same likelihood/impact chart, highlighting those risks most relevant to BT
  6. Example: reporting security and continuity risks within BT. Each risk is plotted on a 1 to 6 likelihood scale against a 1 to 6 impact scale (the plotted positions do not survive extraction). Key: 1 Pandemic flu; 2 Industrial action; 3 Supplier/contractor failure; 4 Data security breach; 5 Theft of physical assets; 6 Network attack (physical); 7 Accidental cable damage; 8 Fire/explosion/terrorist bomb; 9 Network attack (logical); 10 Breach of contract; 11 Employee malice/corruption; 12 Revenue fraud; 13 Riot/political unrest; 14 Natural disaster or climate change; 15 Power failure; 16 System/equipment failure; 17 Product liability; 18 Attack on employees
  7. Security and continuity risks, logical grouping. The service-interrupting risks from the key above are grouped by cause, ordered by increasing impact: non-malicious: Product liability (17), System failure (16), Natural disaster (14), Cable damage (7), Power failure (15), Pandemic flu (1); malicious: Attack on employees (18), Revenue fraud (12), Employee malice (11), Theft of assets (5), Logical attack (9), Physical attack (6), Fire/explosion/bomb (8), Political instability (13); negligent: Data security (4), Industrial action (2), Supplier failure (3), Contract fulfilment (10)
  8. Representing risks on impact vs. likelihood diagrams. The very simple and subjective representation plots each risk as a single point, with one value each for net impact and net likelihood (1 to 6). A more realistic, comprehensive and objective representation is a "risk frontier" curve with a distribution of values for impact (£m) and likelihood (%). The three zones of risk call for different approaches to risk management: 1. BaU zone: high-frequency incidents; efficiency and reliability issues; CE/RFT problems; predictable; historical data available. 2. Managed risk zone: major incidents; expert judgement; limited data (not just BT's). 3. "Black Swan" zone: the tail of the distribution; perceived threats and fears; worst credible scenarios; no experience or data
  9. BT's risk register hierarchy, from the Group register down to mitigation actions. Group Risk Register: Risk 5, Funding of the pension scheme; Risk 6, Failure of corporate resilience; Risk 7, Threat of industrial action. S&C (Security & Continuity) Risk Register: Risk 1, Pandemic flu; Risk 6, Industrial action; Risk 9, Network attack (logical); Risk 15, Power failure. Information Assurance Risk Register: Risk 1, Power source disruption; Risk 2, Electronic interference; Risk 3, Overloading C&C infrastructure. Risk mitigation actions: Action 1, Protected dual power supplies; Action 2, Standby generator upgrade; Action 3, Improved site security measures
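The register on slide 6, the three zones on slide 8 and the hierarchy on slide 9 are easy to model in a few lines, and doing so turns the diagram into something you can query (which entries sit in the Black Swan zone, what a Group-level risk inherits from the registers beneath it, which leaf risks have no mitigation action). The following is an added example written for this page, not BT's tooling. The risk names come from the slides; every score, parent link, zone threshold and the worst-child roll-up rule are assumptions made for illustration, since the plotted positions do not survive extraction.

```python
"""Risk register model on the deck's 1..6 net likelihood / net impact scale.

Added example for this page, not BT's code. Risk names are taken from slides
6 to 9; every score, parent link, zone threshold and the roll-up rule below
are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 7)  # slide 6 scores net likelihood and net impact from 1 to 6


@dataclass
class Risk:
    ref: str                      # register-qualified id, e.g. "S&C-9"
    name: str
    likelihood: int               # 1..6
    impact: int                   # 1..6
    parent: Optional[str] = None  # ref of the entry this one rolls up into
    actions: List[str] = field(default_factory=list)  # mitigation actions

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.ref}: likelihood and impact must be 1..6")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def zone(r: Risk) -> str:
    """Assign one of the three zones of slide 8. The cut-offs are an assumption:
    BaU = frequent but minor, Black Swan = rare but severe, everything else
    is the managed risk zone."""
    if r.likelihood >= 4 and r.impact <= 2:
        return "BaU"
    if r.likelihood <= 2 and r.impact >= 5:
        return "Black Swan"
    return "Managed risk"


def build_register(risks: List[Risk]) -> Dict[str, Risk]:
    """Index risks by ref and check that every parent link resolves."""
    reg = {r.ref: r for r in risks}
    if len(reg) != len(risks):
        raise ValueError("duplicate risk ref")
    for r in risks:
        if r.parent is not None and r.parent not in reg:
            raise KeyError(f"{r.ref}: unknown parent {r.parent}")
    return reg


def children(reg: Dict[str, Risk], ref: str) -> List[Risk]:
    return [c for c in reg.values() if c.parent == ref]


def rolled_up(reg: Dict[str, Risk], ref: str) -> Tuple[int, int]:
    """Effective (likelihood, impact) of an entry: its own scores or those of
    the worst-scoring entry anywhere beneath it, whichever scores higher
    (assumed worst-case roll-up rule; ties broken towards higher impact)."""
    r = reg[ref]
    candidates = [(r.likelihood, r.impact)]
    candidates += [rolled_up(reg, c.ref) for c in children(reg, ref)]
    return max(candidates, key=lambda li: (li[0] * li[1], li[1]))


def by_zone(reg: Dict[str, Risk]) -> Dict[str, List[str]]:
    """Refs per zone, highest own score first (ties broken by ref)."""
    out: Dict[str, List[str]] = {"BaU": [], "Managed risk": [], "Black Swan": []}
    for r in sorted(reg.values(), key=lambda x: (-x.score, x.ref)):
        out[zone(r)].append(r.ref)
    return out


def untreated(reg: Dict[str, Risk]) -> List[str]:
    """Leaf entries (nothing rolls up into them) that carry no mitigation action."""
    return sorted(r.ref for r in reg.values()
                  if not children(reg, r.ref) and not r.actions)


# Constructed sample register: names from the slides, scores illustrative only.
SAMPLE_RISKS = [
    Risk("Group-6", "Failure of corporate resilience", 2, 6),
    Risk("S&C-15", "Power failure", 3, 4, parent="Group-6"),
    Risk("S&C-9", "Network attack (logical)", 4, 4, parent="Group-6"),
    Risk("S&C-1", "Pandemic flu", 1, 6, parent="Group-6"),
    Risk("S&C-7", "Accidental cable damage", 5, 2, parent="Group-6"),
    Risk("IA-1", "Power source disruption", 5, 2, parent="S&C-15",
         actions=["Protected dual power supplies", "Standby generator upgrade"]),
    Risk("IA-2", "Electronic interference", 3, 3, parent="S&C-9"),
    Risk("IA-3", "Overloading C&C infrastructure", 3, 5, parent="S&C-9"),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_RISKS)
    for z, refs in by_zone(reg).items():
        print(f"{z:13s} {refs}")
    print("Group-6 rolled up:", rolled_up(reg, "Group-6"))
    print("untreated leaves:", untreated(reg))
```

The roll-up rule is the part worth arguing about in a real register: taking the worst-scoring descendant keeps a Group-level entry honest about what sits beneath it, whereas averaging would hide a single severe child behind several minor ones. The `untreated` check is the other practical query, since an entry in the register with no action against it is exactly the "box-ticking" the deck's closing slide warns against.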
  10. Choosing your strategy: where to deploy business continuity? (Source: IDC Research for BT, November 2007.) IT: colocation of critical IT systems, back-up, mirrored data centres; often built into BPO contracts, with additional hardware. Connectivity: mirrored and alternative bandwidth and connectivity plans, including mobilised and distributed capability. Physical: redundant (often virtual) space for disaster or contingency planning, relocation services and emergency contact centres. Processes: redundancy in systems and processes; understanding of prioritisation in service delivery. People: a distributed workforce, but also multi-skilled staff crossing over workloads to ensure resilience; defined lines of responsibility
  11. Remember basic principles: the business continuity lifecycle, centred on BCM programme management. Logical methodology; ensures appropriate solutions; accepted best practice; framework for continual improvement; continual engagement with the customer; solutions, not products
  12. Benchmark against the best standard, e.g. BS 25999. Worldwide standard for business continuity management; widely accepted; the only BC standard that can be certified against; full range of complementary professional services
  13. Public / private partnership in action
  14. How does BT discharge its civil contingency obligations as a Category 2 responder? Two senior managers and a virtual team of 80+ liaison managers (regional and senior operational managers), responsible for: attending local (54 LRFs UK-wide) and regional (12 RRFs UK-wide) resilience meetings where appropriate (Chief Constable / CEO level); attending exercises where appropriate at regional or local level; sharing information where appropriate (a BCM resilience opportunity); and attending multi-agency "Gold" commands during incidents (85% of the BT liaison managers are trained at Gold command level)
  15. "One Team in a Crisis": Cumbria, November 2009
  16. BT initial response and establishing control, led by BT's most senior "on call" executive. Initiated a Threat Assessment and Response Group (TARG) comprising the key business unit leads (Network Management, Incident Management, market-facing units, Media Ops, HR, Legal, Property, BCM). Initiated a BT Gold coordination group: as a result of the TARG, formed and chaired BT Gold throughout BT's response. Linked into the multi-agency Strategic Coordination Group (SCG): directed the briefing and deployment of the BT Liaison Manager to the Cumbria SCG by the Civil Resilience Duty Officer
  17. BT recovery and return to normality. BT Incident Management Team (BT Silver): initiated traffic rerouting around the damaged network to restore service as soon as possible, and assembled teams of fibre-optic and copper cable specialists to divert or build a temporary network around the Northside bridge area (three months' work concluded in seven days). BT Liaison Manager: secured support from Category 1 and 2 responders, specifically Cumbria County Council and Network Rail, allowing a temporary network to be constructed over the rail bridge to the west of the collapsed Northside bridge. Support to responders by BT Bronze teams: in addition to repairing the devastated network in Workington, BT technicians also provided specialist communications support in Cockermouth and across Cumbria, supporting agencies by restoring lost services or provisioning temporary service to aid their response. Support to the community by BT Bronze teams: provided return-to-premises support to communities across Cumbria by testing internal networks and equipment before allowing use
  18. Solutions from BT addressing organisations' BC/DR needs. IT and disaster recovery: recovery of voice, IT, premises and communications in the event of disaster within agreed recovery time objectives; BT Commsure in the UK providing full voice and data recovery services. Mobile and flexible working: provision of secure mobile communications, enabling location-independent operation; flexible working and home-working solutions to enhance pandemic preparedness. Resilient communications: secure and highly dependable IP infrastructure; BT's WAN provides the basis for next-generation converged solutions with quality of service and reliability. Resilient data centre services: secure and resilient hosting of client systems in BT data centres; fail-over service, with the full client system duplicated in a BT facility; storage (e-mail archiving, data vaulting etc.). Business continuity consulting: full end-to-end lifecycle based on emerging (BS 25999) standards; business case and benchmarking against industry best practices; process embedding, not just a one-off, box-ticking exercise
  19. In summary, our opinion and take-aways. In our opinion: the risk environment is more volatile, not less; your stakeholders will demand protection of their assets and proof that your business is resilient; strong business continuity strategies, following basic principles, are the best way to protect your organisation. Take-aways / food for thought: look to share technology and operational risks with trusted, qualified partners and similar organisations on common ground; introduce common risk management standards now to deal with the continuing convergence of networks and the applications that depend on them; risk is not going away, embrace it now; plan, plan and plan again, but get on with the execution now, and remember: fail to plan, plan to fail. "There cannot be a crisis next week. My schedule is already full." Henry Kissinger
  20. In the end, it's all about avoiding problems before they happen!
  21. ray.stanton@bt.com www.bt.com/security