Mike Trovato, Ernst & Young: The value proposition for organisational resilience
DESCRIPTION
Mike Trovato, Partner, Advanced Security Centre, Ernst & Young delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference
TRANSCRIPT
The value proposition for organisational resilience
Corporate Cyber Security Summit
Mike Trovato
Asia Pacific Security Leader
13 November 2013
Page 2
Agenda
► Introducing our research
► Why Organisational Resilience (OR) has emerged
► Relationship of OR and management strategies
► Principal concepts and attributes of OR
► Cyber security and resilience
► Value of resilience for cyber security
► Summarising
Page 3
Introducing our research
► Critical Infrastructure Resilience Strategy (2010) led by the Commonwealth Attorney-General’s Department
► Strategic Imperative #2 – Develop an Organisational Resilience Body of Knowledge
► Research paper 1: CEO perspectives on organisational resilience (2012)
► Value proposition for OR for business and society needed
► 2012-13 research with the Commonwealth Attorney-General’s Department - ‘Organisational Resilience: The relationship with risk related corporate strategies’ (2013)
► Global Practice insights
► Extensive literature review
Page 4
Why Organisational Resilience has emerged
► Volatility of the economic and demographic environment
► Velocity of innovation and information
► Visibility into everything that organisations do
Page 5
Why Organisational Resilience has emerged
Economic & demographic volatility
Financial uncertainty and instability
Emerging middle class in developing markets
Scarcity / imbalance of resources / political instability
Complexity of networks
Intensification of global competition
Plans need to be aggressive but risk adjusted
Page 6
Why Organisational Resilience has emerged
Velocity of innovation and information
Speed to market
Market awareness and responsiveness is crucial
Virtual world with access to information anywhere anytime
Innovation is expected
Brand movement
60% of global population with access to smart devices by 2030
Knowledge of alternatives
Need to be able to move quickly and carefully
Page 7
Why Organisational Resilience has emerged
Visibility into everything
Unprecedented access to information
Global village causing blurred lines
Visibility is global
For the informed customer everything is contextual
Need to be authentic
Accountability
Unrestricted global boundaries
Sustainability
Reputation needs to be real and managed
Page 8
Why Organisational Resilience has emerged
The opportunity
► These forces create enormous opportunities and daunting challenges for government and business
► Risk and opportunities must be carefully balanced.
► Grow and profit/manage costs
► Protect performance
► Innovate continuously
► Optimise performance
► All these elements are uniquely combined in the organisational resilience approach.
► Unlike traditional approaches, OR balances these “protect” and “perform”-focused approaches and strategies
Page 9
Why Organisational Resilience has emerged
The opportunity
► There are many strategies and approaches to select from which align with and support organisational resilience
► Selection of “perform” and “protect” focused strategies and approaches consistent with the organisational context – internal and external
Figure 1: The Perform / Protect Matrix
Page 10
Relationship of OR and corporate strategies
Figure 2: The domain of risks includes ‘foreseeable’ and ‘unforeseeable’ risks
Figure 3: The Ernst & Young BCM Model
Page 11
Principal Concepts of OR
Figure 4: Principal concepts of resilience (identified through research commissioned by the Commonwealth Attorney-General’s Department).
Page 12
Principal Concepts of OR
► Resist disruptive influences to Business As Usual
► React effectively when threats materialise
► Reshape internal and external environments for growth
Figure 5: Resist, React, Reshape – core components of OR.
Page 13
Value of OR in practice
Figure 6: Four key attributes of OR.
Page 14
2013 EY Global Information Security Survey
Clients are moving in the right direction
► Improving – their defences for cyber attack
► Expanding – taking bolder steps
► Innovating – continuously review, rethink and potentially redesign their security framework
EY Global Information Security Survey 2013
[Figure labels: Know, Don’t know, Proactive, Reactive; axes: Awareness, Behavior]
Page 15
Cybersecurity and resilience
Awareness of cyber threats propels improvements….
The leaps that organizations are making | The steps that organizations still need to take
Organizations are investing more in information security | Information security departments are still feeling the pinch
Organizations are shifting their focus from operations and maintenance to improving and innovating | Despite the security improvements organizations have made, many remain exposed
EY’s Global Information Security Survey 2013
Page 16
Cybersecurity and resilience
Threats continue to increase, driving bolder actions
The leaps that organizations are making | The steps that organizations still need to take
Organizations demonstrate alignment among strategies and drivers | A lack of alignment in other critical areas is still too common
Efforts to improve cyber security programs are growing | Threats are growing too, often at a faster pace
EY’s Global Information Security Survey 2013
Page 17
Value of OR in practice
Resilience & Cybersecurity – bringing it together
Business As Usual
• Resilience leadership: Commits to continuous improvement and resilient practices for BAU
• Resilience culture: Commitment to excellence and efficient operations at the micro level. Mindful work
• Change readiness: Avoids shortcuts, adapts to minor changes and failures of process, detects anomalies
Change and adapt
• Resilience leadership: Continuous, visible top-level non-routine crisis management
• Resilience culture: Motivated actions by committed individuals
• Resilience partnerships: Collaboration to solve technical problems and respond to disaster
Shape the environment
• Resilience leadership: Long term adaption / complex adaptive systems
• Resilience culture: ‘One-in, all-in’ enthusiasm for challenge, innovation and risk taking
• Change readiness: People who innovate through trust and teaming.
Page 18
Summarising
► Organisational Resilience meets the needs of businesses that must:
  ► Focus on taking risks intelligently in a world of increasing volatility, velocity, and visibility
  ► Must be organisationally ‘ambidextrous’ – must innovate for growth while protecting operations
  ► Rely on the committed, focused capabilities of all team members to achieve long term prosperity and success
► Organisational Resilience is an outcome not a system. This means:
  ► It complements proven risk management methodologies
  ► Leverages new and existing strategies to drive agile responses to threat and opportunity, wherever it occurs.
Page 19
AG Organisational Resilience
EY 2013 Global Information Security Survey
Thank you