Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Reputational Risk


Published on

Published in: Technology
  • Be the first to comment

Reputational Risk

  1. 1. IBM Global Technology ServicesFive IT risk management practices ofcompanies with excellent reputationsHow security and business continuity can shape the reputation andvalue of your company © 2012 IBM Corporation
  2. 2. Today’s speaker Philip Kibler IBM, GTS Director Cyber Security Assessment and Response Phil has 31 years of IT experience and has led IBM Professional Security Services business since 2007. Recently he has been focusing on Cyber Threats and Intelligence and marshaling the resources of the IBM Corporation to support clients globally to deal with the growing Cyber Storm. Definition of IT risk and reputational risk Findings from 2012 Reputational Risk Study Financial implications of security breaches Recovery from reputational damage Five characteristics of companies with excellent reputations Ten essential practices…how they can help2 © 2012 IBM Corporation
  3. 3. Reputational risk and IT:What is reputational risk and why you should care? Reputational risk: a type of risk related to the trustworthiness of business. Damage to a firms reputation can result in lost revenue or destruction of shareholder value, even if the company is not found guilty of a crime. Reputational risk can be a matter of corporate trust, but serves also as a tool in crisis prevention. Source: Equation taken from - International Centre for Financial Regulation3 © 2012 IBM Corporation
  4. 4. Reputational risk and IT:How do we define IT risk? IT risk is comprised of a number of core components: Security and privacy Business continuity and disaster recovery IT compliance Supply chain Business transformation Product assurance4 © 2012 IBM Corporation
  5. 5. Reputational risk and IT: introductionTo find out where and how IT makes its biggest impact onreputational risk, IBM conducted a worldwide study. #1 IT risks have a major impact on a company’s reputation #2 Companies have rising IT risk concerns related to emerging technology trends e.g cloud, social media #3 Companies are integrating IT risk and reputational risk management, with strongest focus on threats to data and systems Study demographics Conducted by Economist Intelligence Unit, paid for by IBM 427 respondents from around the world 23 industries 15 job titles Company sizes <$500M to >$10B5 © 2012 IBM Corporation
  6. 6. IBM factors reputational risk into the domain of IT security risk. Risk exists when … Threat Vulnerability Impact Can exploit And cause (Actor) (Weakness) (Loss)Security Risk Management is the application of control to detect and block the threat, to detect and fix a vulnerability, or to respond to incidents (impacts) when all else fails. Reputational risk becomes a factor in the evaluation of the potential impact © 2012 IBM Corporation
  7. 7. Reputational risk and IT: what you can do nowThe study identified the 5 key characteristics of companies reportingexcellent reputations. 1 Defining Characteristic: Have a special emphasis on reputational risk with the support of senior management and have effective escalation and reporting process 83%81% 84% 83% 78% 71% 64% 63% 59% 58% 42% 38% 2 36% 33% 3 28% 4 5 Integrate IT into Have strong/ Have adequate Very Are very confident/ reputational risk very strong IT risk strenuously confident in IT risk management IT risk management require supply management related management funding chain to match to data breach/data capacity standards theft7 Organizations reporting their reputation as: Excellent Very good Average or worse © 2012 IBM Corporation
  8. 8. Reputational risk and IT Study: security findingsIn the recent IBM reputational risk and IT study, security factors areranked #1 among IT risks that can cause reputational harm. of respondents included data breaches, data theft and cybercrime among the IT risks that are most harmful to reputation of respondents identify of respondents very and manage reputational strenuously require third- risk as part of their IT party sources to match security operations their level of IT security8 © 2012 IBM Corporation
  9. 9. Reputational risk and IT: perception vs. realityThere seems to be a mismatch between how well companies ratetheir reputation and how well they are protecting it. 80% rate reputation as excellent or very good17% rate their company’s overall ability to manage IT risk as very strong There is room for improvement in almost every organization © 2012 IBM Corporation
  10. 10. Reputational risk and IT Study: security findingsWe also found critical discrepancies between confidence level andavailability of security threat intelligence to support that confidence. Perception are very confident or confident they can manage IT risks related to data breaches, Have access to the latest data theft and cybercrime security threat intelligence Are proactive in the management of latest security threats Reality “IT… is like the heart pumping blood to the whole body, so any failure could threaten the whole organization’s survival.” — IT manager, French IT and technology company10 © 2012 IBM Corporation
  11. 11. Reputational risk and IT: perception vs. realityCompanies may be opening themselves up to unintendedreputational risk by ignoring the impact of their partners. Only 39 % of companies are “very strenuously” requiring their vendors, partners and supply chain to match levels of risk control How many outside sources does your company do business with on a regular basis? How thoroughly have you communicated your IT risk mitigation standards to these sources? How are you monitoring your sources’ compliance with your standards?11 © 2012 IBM Corporation
  12. 12. IT security industry analysts are quantifying and tracking the actualcosts of a data breach. Source: Ponemon Institute LLC, “The Impact of Cybercrime on Business,” May 201212 © 2012 IBM Corporation
  13. 13. Reputational risk and IT Study: security findingsWell publicized scenarios of financial and reputational impact due tosecurity breaches are in the news every day. Payment Online gaming Retailer processor communityHackers intrude core Community and Customer data stolenline of business. entertainment sites over more than 18 hacked. months.Nearly 130 million Around 100 million At least 45 millioncustomers affected. customer records records stolen. compromised. Estimated costs: Estimated costs: Estimated costs: up to $500M $3.6B up to $900M Illustrative purposes only. The actual facts and damages associated with these scenarios may vary from the examples provided. Estimated, based on publicly available financial information, published articles. © 2012 IBM Corporation
  14. 14. Reputational risk and IT: perception vs. realityThe impact on “reputation recovery” is measured in months, nothours or days. 0-6 months 6-12 months 12+ months Website outage 78% 14% 8% System failure 72% 17% 10% Workplace compromise 71% 18% 11% Data loss 70% 17% 12% Failure to align continuity plans with business 65% 21% 13% Insufficient DR measures 63% 24% 12% Data breach 65% 19% 16% Compliance failure 64% 22% 14% © 2012 IBM Corporation
  15. 15. IBM uses a ten essential practice approach to better manage IT Riskand protect client reputations. 1 Risk-aware culture and management Control network access 6 2 Manage incidents with intelligence Maturity-based approach S Address cloud and complexity 7 int ecu ell rit ige y nc e Automated O 3 Defend mobile Manage third- 8 pt im and social space party compliance iz ed Pr of ic ie Manual nt B as 4 Security-rich Secure data, 9 ic services, by design Reactive Proactive protect privacy 5 Automatic security “hygiene” Manage the identity lifecycle 10 © 2012 IBM Corporation
  16. 16. Reputational risk and IT: what you can do nowWhat can you do now? Be aware. Do a Risk Security Assessment for visibility and prioritization for proper risk management strategy Be proactive. Manage against vulnerabilities for real- time protection against sophisticated attacks Be prepared. Have an incident response plan in place to quickly respond and remediate against a breach16 © 2012 IBM Corporation
  17. 17. Reputational risk and IT: what you can do nowLearn more about the reputational risk and IT connection, and howIBM can help you protect the reputation and value of your company. Download the full study report includes all you’ve seen today, plus other important findings Add your voice to the discussion Take the reputational risk survey online and get a complimentary copy of the upcoming expanded report Scan the code or go to Learn more about IBM’s Ten Security Essential Practices © 2012 IBM Corporation
  18. 18. Thank you for attending!18 © 2012 IBM Corporation
  19. 19. © Copyright IBM Corporation 2012 IBM Corporation IBM Global Services Route 100 Somers, NY 10589 U.S.A. Produced in the United States of America August 2012 IBM, the IBM logo and are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.19 © 2012 IBM Corporation