Going Digital? For sure, but with Assurance please!
A holistic CIO Perspective on the necessary Risk assurance towards going Digital
#IoTDS
Luc Verhelst
Leading Digital and ISACA-certified Risk Adviser
CIO at Metallo Group
Agenda
• IIoT and Industry 4.0, where suddenly does this Fuss come from?
• But why should the CIO embrace going Digital?
• Why we should care about Risk when evaluating value?
• The Industry 4.0 Frameworks and Methodologies
• The Project Failure and Enterprise Architecture Challenges. How Risk fits into this
• IT Risk in detail
• Wrap-up / Q&A
BIO: Luc Verhelst
Luc Verhelst is an experienced CIO, Digital Consultant and IT Risk Adviser.
Luc is currently holding the position of CIO for Metallo Group.
Before that he was CIO of the EMA, the European Medicines Agency, based in London, responsible for the supervision of medicines inside Europe.
Previously Luc held different leading CIO roles in leading companies in finance, media, healthcare and logistics.
Luc is also the honorary chairman of MIT-Club, the leading Belgian CIO community exchanging valuable CIO knowledge and experiences.
Luc is ISACA certified (CGEIT) and specialised in Digital Strategies with a focus on IT governance, Architecture and specifically the IT Risk domain.
54%
In the Industry 4.0 era the worlds of OT and IT are coming together
Data is your most important resource?
The Challenge: The Amount of Data? Or the Risk?
But why should we care about Risk?
Organisations are changing… Fast… Faster than ever
• No Value without proper Risk Management
• We need to balance Value, Change and Risks
Risk has many flavors
Risk versus Agility and Speed
COBIT IT Risk and IT Security Framework as an example
“Denial is not a river in Egypt”
PwC
The McKinsey Digital Compass
Bain & Company
Often focused on prototyping, measuring and demonstrating value
Enterprise Architecture Framework
Layers: Business, Application Architecture, Technical Architecture, Infrastructure Architecture, Data
Risk dimensions: Risk, Project Management Risk
Not a lot of PoCs really become successful. Why do most IoT projects fail?
• People & culture
  • Poor collaboration between IT, OT and Business
  • Culture that focuses too much on Technology
  • Lack of Expertise
• Process – going it alone
  • What looks good on paper proves to be too difficult
• Tie success to the Business
  • Go with hard numbers, go for ROI within 1-2 years
  • Provide easy systems, "operational centric"
  • Get Value from Data and from the People…
• IT Risk – IT Security delays the project!
  • We will solve this later!
  • What about IT Risk by design?
Overall IT security concept influenced by many different business inputs
Inputs for overall security concept
• ISO standards
  • ISO 27000 standards family for IT Security
  • ISO 27036 standard for external suppliers
• Other int'l standards, e.g. SOX…
• COBIT
  • ISACA methodology applied by auditors and governance experts
  • Focus on IT Risk as one of the basic pillars of Enterprise IT
• Regulatory
  • Existing regulatory obligations, e.g. GDPR
• Global best practices and vendor initiatives
  • Internal guidance
• Risk appetite and Board guidance
  • (Financial) feasibility, internal culture
  • Internal audits
Start with your IT Security Policy
• Security policy based on international standards (ISO 27001)
  • Body text + practical appendices (Terminology, Procedures, Mobile Devices, Data Breach Notification Process…)
• You can have different versions, following your implementation progress
  • Version 2016
  • Version 2017
  • Version 2018 …
  • Version 2019 …
• The Policy serves as the heart of YOUR interpretation and implementation of IT Security within your Organization
• Your Policy contains many chapters:
  • IT security policy overview
  • Organization of Information Security
  • (Digital) Asset management
  • Access control
  • Encryption
  • Policy & standards
  • Communications
  • Incident Management
  • …
A possible IT security framework
Gradually implementing your IT Security Roadmap, be Pragmatic
IT security roadmap implemented over time:
Phases: Preparation phase – Phase 1 Foundation – Phase 2 Growth – Phase 3 Finalise
Initiatives over time: Initialise, Address vulnerabilities, Security Policy, Information classification, Other initiatives, Extended Policy, Initiative N, Initiative N+1, Initiative N+2, Further initiatives…
Questions?
Thank you