CIO Insight Summit, June 2006
Greg Hughes, Executive Vice President, Symantec Global Services
Consolidation Opportunity (and Risk) Knock: Five Steps to Get from Current to Best Practice IT Risk Management
3Symantec Confidential
Take calculated risk. That is quite different from being rash.
There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.
A lot of people approach risk as if it’s the enemy, when it is really fortune’s accomplice.
Agenda
Increasing Challenge of IT Risk and Cost
Five Steps to Effective IT Risk and Cost Management
Symantec Global Services Capability
Top IT Spending Priorities (Top CIO Priorities for 2006)
1. Security
2. Application Integration
3. Compliance/risk management
4. Disaster Recovery / BC
5. ERP

Top Business Priorities
1. Aligning IT and business goals
2. Risk management and business continuity
3. Controlling IT costs

Sources: Goldman Sachs, Americas Technology, "Improvements a Whisper, Not a Scream"; State of the CIO Study, CIO Magazine, 2005.
Key IT Questions From the Board of Directors
Security: Do we have adequate protection against denial of service attacks and hackers?
Incident Response: Are there fast-response processes in place in the event of an attack?
Data Storage: Do we have management practices in place to ensure 24/7 levels, including tested backup?
Risk Management: Are there any possible IT-based surprises lurking out there?
Disaster Recovery: Has anything changed in disaster recovery and security that will affect our business’s continuity planning?
Source: Harvard Business Review; Information Technology and the Board of Directors, October 2005
Unleash Greater Innovation by Reducing IT Costs and Risks
Source: McKinsey & Co. BTO Practice, IT cost survey
[Chart: IT Cash Cost broken down into Infrastructure Cost, Administration / App. Maintenance, and Innovation, on a 0% to 100% scale]
Example: Themes From Wall Street
Focus on security -> Concern about IT risk broadly
Narrow CISO role -> Expansion into IT risk management role
Unmeasured risk -> Innovation around IT risk reporting
External applications -> All applications, internal and external
Storage is storage -> Storage must be secure
Protecting the firm -> Protecting the extended enterprise
Running tests -> Testing as a normal course of business
IT Risk Management
Incorporates an analytical, systems methodology
Provides IT and business leaders robust decision support
Encourages protection of that which requires protection
Manages cost while maximizing performance benefits
An enterprise-wide approach to improving processes, people and systems to achieve the organization’s preferred balance of IT costs and risks
Leading Companies Take 5 Steps to Manage IT Risks: In Framework of Business Risk Management
1. Develop IT risk awareness
2. Quantify business impact
3. Determine appropriate IT risk tools
4. Align costs to IT risks
5. Build institutional capability
Develop IT Risk Awareness to Business
[Diagram: Business Risk divided into Non-IT Risks (Financial Risks, Operational Risks) and IT Risks (Security Risk, Availability Risk, Performance Risk, Scalability Risk, Recoverability Risk, Compliance Risk)]
1. Develop IT risk awareness
Quantify Business Impact Starting with a Business Impact Assessment
[Diagram: Business Input from line managers, production leaders and functional managers feeds a Business Impact Assessment of Critical Business Functions, covering Financial Costs, Customer Losses, Legal/Statutory Penalties and Operational Dependencies]
2. Quantify business impact
Quantify Business Impact: Stock Market Rewards Companies with Lower Risk
Stock Price Performance of Companies That Experience a Major Operational Disaster (sample size = 15: U.S. companies 8, European 6, Asian 1)
[Chart: Cumulative Abnormal Return (%) against Trading Days after the Event, 0 to 250 days; Recoverers end at about +10%, Non-Recoverers at about -15%]
2. Quantify business impact
Source: The Oxford Executive Research Briefing, The Impact of Catastrophes on Shareholder Value
Determine Appropriate IT Risk Tools: Understand Range of Tools Available to Manage IT Risks
Managing IT Risks: IT Best Practice Processes; Technology for IT Risk Management; Organization & Education; Information Sources
3. Determine appropriate IT risk tools
Causes of IT Failure
Process: Insufficient crisis management plans; Weak IT project execution rigor; Inconsistent enforcement of policies and standards; Lack of plans to support increasing capacity and changing business needs; Poor internal communications across functions and regions
Technology: Poor fit between product functionality and requirements; Environmental performance limitations; Incompatible versions/patches/technologies
People: Lack of proper architecture expertise; Weak functional product knowledge; Insufficient training in troubleshooting and resolution; Fragmented/incomplete skill sets
[Chart: Causes of Failure Frequency, one value per cause; values shown are 60%, 53%, 53%, 40%, 60%, 60%, 47%, 40%, 33%, 47%, 33% and 27% (the slide text does not preserve which value belongs to which cause)]
3. Determine appropriate IT risk tools
A Call to Action: Top Three Things to do Tomorrow
1. Plan before you act
Establish escalation paths and crisis plans ahead of time
Thoroughly test in development and staging environments
Allocate proper time and resources for upgrade events
Have a contingency plan and rollback option
2. Ensure your IT organization has the right skills
Inventory and assess your staff’s skill set
Build or engage external expertise up-front to properly design and architect your systems against business needs
Provide training on operating and troubleshooting the infrastructure
3. Create and enforce global policies and standards
Define security policies
Set hardware, software, patch/upgrade standards and policies
Create mechanisms to share best practices and learnings
3. Determine appropriate IT risk tools
Align Costs to IT Risk By Segmenting Service Levels
[Chart: Risk against Cost, positioning the “Bronze” Service Level (e.g., Intranet), the “Gold” Service Level (e.g., Partner Extranet) and the “Platinum” Service Level (e.g., ERP)]
4. Align costs to IT risks
Example: Define Recovery Service Levels
Service Class | Example Application | Service Levels
Platinum | TV Transmission Support Systems | 24*7 Scheduled, 99.99% Availability, RTO = 2 Hrs, RPO = 0 Hrs
Gold | Supply Chain Management, Email | 24*6¾ Scheduled, 99.5% Availability, RTO = 8 Hrs, RPO = 4 Hrs
Silver | Enterprise Back Office Systems | 18*7 Scheduled, 99.0% Availability, RTO = 3 Days, RPO = 1 Day
Bronze | Departmental Functions | 18*7 Scheduled, 98.0% Availability, RTO = 5 Days, RPO = 1 Day
Copper | Standalone Systems | 12x5 Scheduled, 98.0% Availability, RTO = 10 Days, RPO = 1 Day
4. Align costs to IT risks
Build Institutional Capability
Overall Strategy and Risk Posture; Governance; New or Expanded Leadership Roles; Reporting and Information Systems; Skills Building; Awareness and Culture Changes; Planning and Testing
5. Build institutional capability
4 Common Issues Customers Face – Managing Risks
Lack of Insight and Misaligned Priorities
Unreliable Processes
Critical Gaps in People Expertise
Inflexible Technology Foundation
Symantec Global Services
We help organizations reduce IT cost and risks and achieve rapid, significant and lasting value from Symantec solutions
Deep technology expertise
Real-world implementation understanding
Cross-platform capabilities
Unique proprietary insight into nature of IT risks
Global Reach: North & South America, Asia Pacific & Japan, Europe, Middle East, Africa
700 Consulting; 200 Education; 1900 Enterprise Support; 1900 Consumer Support
Symantec Customers Managing Risk
Healthcare Industry: Managing risk: Security
Retail Industry: Managing risk: Performance
Automotive Industry: Managing risk: Availability
Pharmaceutical Industry: Managing risk: Recoverability
IT risk is a new part of our role
IT risk can be managed
Symantec can help
Q&A