Shire Pharmaceuticals Drives Into the Future of Healthcare

Some would say that there is nothing more gratifying than helping people in need. In the case of Shire Pharmaceuticals, helping people with life-altering conditions to lead better lives is core to their business and their culture. Based nearby in Lexington, Massachusetts, Shire focuses on developing treatments for conditions in neuroscience, rare diseases, gastrointestinal, internal medicine and regenerative medicine. The need to stay on the cutting edge of healthcare is paramount to the organization and information security has played a key role in that mission.

Shire’s Senior Director of Information Risk Management & Security, Bob Litterer, came to the company tasked with developing a world class information security function aligned to their business goals. Like so many CISOs today, Bob knew the importance of information security as a business enabler, but needed to drive awareness and create a security culture that embraced their business. In his words, “we didn’t want perform security for security’s sake”. He was also tasked with reducing costs associated with changing compliance requirements, drive-up efficiency, and managing acceptable risk tolerances so the organization could continue to innovate and stay competitive. Quite a tall order when there is so much on the line.

Like any good leader, Bob knew he needed a great team behind him – so he brought in one of our alliance partners OpenSky who helped build a comprehensive Governance, Risk and Compliance (GRC) platform based on RSA Archer.

As you heard from Peter Ridgley, Lead Consultant from OpenSky, explain in the video, Shire was able to quickly spotlight where there was a need for improvement as well as areas where they were successfully hitting the mark. The visibility through RSA Archer allows Shire to do a drill down review of each area to determine how they can improve driving credibility into the management of the program as well as demonstrates its depth.

Additionally, Shire is now able to continue that assessment on a regular basis to report progress, showcase how the information security organization is aligned with the goals of the business, and ensure they are always able to meet changing business needs and compliance requirements.

While this project is impressive in and of itself I am happy to share with you that Shire has earned an important industry accolade as well. Just last week, the company was awarded the OCEG GRC Achievement Award at the 2013 Compliance Week Conference which recognizes organizations that make great strides in improving and integrating their approaches to governance, risk management and compliance. Working with OpenSky, Shire leveraged the OCEG Redbook to provide a framework for managing the GRC Program and it has been paying off in spades. Thanks to the dedication of Shire and OpenSky as well as the power of RSA Archer, Shire gets to take home this honor and we couldn’t be happier.

Leading GRC Platform Used as a CIO Dashboard

During this year’s EMC World in Las Vegas the leading GRC platform was presented during a record attended keynote with Jeremy Burton and Jason Rader who shared GRC from the perspective of a CIO.

This example is one of many use cases that a GRC platform can enable executives to have a clear “real-time” picture of their risk posture.

GRC – A Performance Management Platform or A Success Management Platform?

On May 1st French Caldwell posted a blog titled GRC Will be a Performance Platform in which he references a blueprint that provides a practical approach for identifying the goals of ERM programs in terms of strategic business objectives, and linking that to an underlying GRC architecture that can drive business performance benefits. But isn’t that too limiting?

Performance Management is merely a solution category and doesn’t do GRC platforms justice! When considering how GRC platforms span across Finance, Operations, Legal and IT providing organizations ways to manage risks, demonstrate compliance and ensure governance business performance benefits is only one output and to me only represents how an organization has done historically against business objectives. This is important but not all the benefits that a GRC Platform can and should provide a company.

When organizations use GRC platforms that also includes Big Data Risk Analytics not only will they be able to report on past performance to various levels, domains and to different audiences but they will also be able to predict the future. Future performance, future risks, future efficiencies, and most important future opportunities for success. Big Data risk analytics within a GRC Platform should model out opportunities for growth that drive success within each domain. So I think that GRC platforms will not be performance management but  “Success Management Platform”. Might this be a new category?

PS – I would have really enjoyed the panel with Paul Proctor and Network Frontier’s Dorian Cougias. Not only do I find business predictive and risk management conversations interesting I also am equally if not more fascinated by conversations with “the security geeks” of the world as they save our businesses every day. We should all find them fascinating!

imagesCAH4BEPD

RSA Archer GRC Summit – 10th Year!!

I am happy to announce that RSA will be hosting the 10th annual RSA Archer GRC Summit in Washington D.C., June 12-14, 2013 at the Omni Shoreham Hotel.

As I have actively helped plan these events since 2006  I am humbled at the continued momentum these events have achieved and is driven by the premier GRC community with over 10,000 active members. The momentum continues this year with a record number of attendees (800+) and an agenda that includes over 35 client led presentations on GRC implementation strategies and best practices, 15 technical breakout sessions on the RSA Archer GRC Platform, over 10 birds of a feather round table discussions and executive collaboration from over 500 global organizations.

In addition to the great line up of content for both technical and business GRC practitioners within the IT, Finance, Operations and Legal domains there will be three outstanding  keynotes during the three day event. One of the keynotes that I have had the pleasure to meet and listen to is Bruce Bueno de Mesquita. Bruce is a Silver Professor of Politics, New York University; Senior Fellow, Hoover Institution, Stanford University. Coauthor of The Dictator’s Handbook and author of The Predictioneer’s Game.

Bruce has been on The Daily Show, The Cobert Report and has performed in numerous Ted Talks including a great presentation titled: Predicts Iran’s Future 

Why is Bruce Bueno de Mequita the perfect person to keynote at the 2013 RSA Archer GRC Summit? Risk Analytics of course!!

Over his long tenure as a professor and political consultant, Bruce has conferred with experts on all the world’s most pressing issues and fed their knowledge into a vast and highly sophisticated computer model of global affairs.

This combination of wide-ranging expertise and high-power analytics allows him to make strikingly accurate predictions of world events and speak with authority on the
power dynamics of everything from office politics to international summits.

I will continue to provide updates on the most valuable, highly anticipated and attended GRC event in the industry.

Until then…..keep thinking GRC.

New RSA Archer Community and Exchange are live

 
At EMC we want to empower you to grow your GRC program according to your organization’s unique governance, risk and compliance processes—and of course, help you get the best out of the RSA Archer Suite.

So we’ve injected fresh energy into our online forums, the RSA Archer Community and Exchange, and moved them onto a new platform. You’ll find they offer more intuitive navigation that makes participation more straightforward, and powerful new features that make collaboration even easier.

Between them, the Community and Exchange provide an active user community and an online exchange of applications, content, services, and integrations. They sit under the umbrella of the new EMC GRC Ecosystem that addresses your broader GRC issues and offers more strategic-level discussions around GRC as a practice.

As a member of the RSA Archer Community, you can achieve value sooner by taking a more direct role in the direction of the RSA Archer product roadmap, and using a platform that’s continually being improved by its most innovative users. You’ll significantly reduce your learning curve by sharing ideas with your peers, as well as getting advice from GRC specialists about strategies and best practice around Archer product use and configuration.

The RSA Archer Community and Exchange are not just places you go, but things you do; participation in them becomes a way of life for GRC professionals.

Discover the RSA Archer Community now >>>

Discover the RSA Archer Exchange now >>>

Your business. Your solution. Your community.

RSA Archer Community

‘I don’t understand what you’re trying to tell me’: Why taxonomy is so important to eGRC

Taxonomy, the science or practice of classification, is all about specifying the relationships between entities and giving them agreed names.

I can’t count the number of times that clashing taxonomies have caused me difficulties: mis-interpreting what a friend is telling me, a boss not being on the same page, my direct reports looking at me like I’m from Mars. I remember a time when I was four years old, around the holidays, asking over and over again for ‘milk yolk’ while my mom tried desperately to figure out what I wanted. After 10 minutes of trying everything, she finally got it when I described what the drink looked and tasted like. I was after eggnog, of course.

As I explained in my last blog, when it comes to eGRC it’s critical to create common processes. A big part of this is providing consistent naming conventions so that everyone is talking the same language and there’s less chance of miscommunication. I gave the simple example of an ‘incident’ management process and an ‘issues’ management process that were identical except for what the stages in the process were called (largely just a difference in using ‘issue’ vs ‘incident’). But of course many taxonomy differences won’t be as obvious or straightforward as that example.

Naming conventions are important because they frame people’s understandings of what’s happening and what they need to do. They let people identify the context quickly and hand off information and activities without going through the palaver that my mom and I went through.

The issue of taxonomy often comes to the fore when you’re assigning labels to elements and workflow activities within software applications that are part of your eGRC strategy. People need to be comfortable with what things are called if they’re to use technology effectively; and it can take months to negotiate these naming conventions. Make sure you allow for this in your planning. Dealing with taxonomies effectively is a critical success factor for eGRC.

Good GRC taxonomy website:
Open Compliance & Ethics Group

Why GRC matters to IT security teams

 

 

 

 

 

Expectations of IT security have never been higher. I talked about this a bit in my last blog . But if you don’t believe me there’s a great paper by Enterprise Strategy Group (ESG) that nicely sums up why businesses are calling for much more sophisticated, business-oriented approaches to IT security. You can find it here (look under ‘white papers’ in the right-hand navigation area)

So if you’re in charge of IT security in your organization, what do you do to meet these expectations?

If you said ‘convince the business to invest in eGRC’ then you’re ahead of the innovation curve and are taking your program to the next level.

What happens without eGRC?

Organizations that haven’t invested in eGRC are typically mired in manual processes, trying to manage security using Word documents, spreadsheets and email. They can’t connect anything to anything and have to duplicate work all the time. One IT security manager told me that his team asks the operations team to answer questions specific to FFIEC regulations in January; and then in February asks the same questions of the same people for the purposes of SOX compliance.

This kind of thing is happening in a million different ways all the time. A recent article from Computerworld, titled “Feds want uber cybersecurity compliance standard”, illustrates this as well.

It quotes Jerry Archer, CISO at Sallie Mae, who is presenting his IT-GRC strategy at the RSA Archer eGRC Roadshow in Indianapolis tomorrow (October 13). Speaking at the SINET Innovation Summit in Boston, Jerry said his agency spent 40% of its budget on complying with regulations. “What is needed is automating compliance to reduce the bite it takes from the budget,” he said.

The kicker is the response that Jerry’s remark got from Josh Corman, director of security intelligence at Akamai. He congratulated Jerry on the 40% figure, saying: “For some it’s 100%.”

The article goes on to note that “the trouble with regulations is that they drive security architectures and prevent data loss that may have little real impact, while ignoring thefts that could be devastating.”

What happens with eGRC?

So how does GRC help? For one thing, it helps you automate compliance processes and efforts so security teams can focus attention, budget and strategy on the threats that truly matter to their business.

Organizations that have invested in eGRC (assuming they’ve adopted best practices and made careful strategy and technology choices) can:

  • Automatically map policies, control standards, control procedures, authoritative sources and assessment questions to one another and see the relations between any and all
  • Track the whole life-cycle of security incidents, reliably prioritize incidents in line with business impact and objectives, automatically assign actions to respond to incidents, and report on incidents in a way that provides meaningful business context to senior management
  • Identify gaps in compliance and satisfy common compliance requirements with a ‘one-to-many’ approach

I’ve said it before and I’ll say it again: eGRC is about enterprise-wide collaboration, visibility and control. It’s time for IT security functions to lead the charge to achieve these things. Not only is it the only way to deliver value to the business, but it will make life so much easier for you!

Recommended Reading:

The ESG Information Security Management Maturity Model, a paper by Jon Oltsik, Senior Principal Analyst, ESG (July 2011)

The pressure’s on for IT security

Pressure is on for IT Security

 

 

 

 

I was speaking to a board member of a large investment advisory firm recently about his expectations of the company’s IT security function. He said: “I just need to know that our data is protected, that IT risks are tied back to the business, that we can maintain the continuity of our business operations, and that we can effectively manage our regulatory risks.”

No pressure, then, right!?

The fact is, a lot of senior management teams and boards are getting wise to the fact that they need more closely linked security, risk management and compliance activities. This is why IT security is linked to GRC and their relationship is so important from both a top-down and bottom-up perspective.

Here are some more expectations I’m hearing from C-level executives and board members:

  • We want to understand how security events, and our responses to them, tie to our risk profile and remediation efforts at the enterprise level.
  • We want to know that our security/IT risk assessments are clearly connected to, and consistent with, our enterprise risk assessment processes.
  • We want to understand how security risks are developing so that the future doesn’t take us completely by surprise. And to minimize the chance of a ‘black swan’ event.
  • We want to be able to put meaningful metrics against security risks and controls; and define key risk indicators, key compliance indicators, key performance indicators for our security team.

In the end, GRC matters to IT security functions because to meet these expectations you need a level of visibility and control, top-down and bottom-up, that only a sustainable eGRC program can deliver. I’ll take a brief look at what eGRC can mean for IT security in a follow-up blog.

Business continuity as an element of GRC. An illustration

In my last blog,  I promised to bring you a case study that illustrates the benefits of applying the best practices of eGRC to business continuity management. So here it is.

We’re looking at a financial institution that provides insurance, retirement and investment products, mainly to cooperatives, credit unions and their members worldwide. As a leader in its industry, this company takes risk management and data protection very seriously. Both its own high standards and the requirements of the regulations that it must adhere to make risk management a company priority.

Why doing the right things isn’t always enough
The company was doing the right things. It was carrying out vendor assessments to evaluate the risks presented by some 250 partners. It recorded policy exceptions, such as applications that wouldn’t support new standards for robust passwords. It was also conducting annual business continuity business impact analyses and had disaster recovery plans for all of its key applications.

Sounds pretty robust, right?

The catch is that all of these activities were standalone processes with outputs held by relevant business owners in emails, filing cabinets or limited fileshares. The company’s IT security and risk management team had little visibility of any of this documentation and had no easy way to identify emerging IT or business risks that might affect business continuity or disaster recovery plans. There was also limited collaboration between the IT disaster recovery team and the company’s business continuity team within its corporate risk function.

Senior business executives had even less insight. They just assumed that IT could get a data center up and running again in a few hours. They didn’t appreciate what might happen if a natural disaster struck. They didn’t really understand the risk or potential impact of a data breach, whether through a vulnerability of the company itself or a partner.

The company knew it could do better. It wanted to remove the various disconnects between business users, IT and senior management. “Our focus was to transition from standalone processes to a more complete company-wide view so that we could make better decisions based on the bigger picture without digging into details first,” says the company’s chief information security officer.

What happens when you integrate and share?
So now the company has implemented a central solution that supports both business continuity and other risk management activities.*  It has an integrated tool through which to gather, process, store and report on risk- and infrastructure-related information, including business impact analysis surveys and disaster recovery plans.

Everything is in one place and consistent processes and workflows can be applied to all business areas. Vendor assessments, policy exceptions and other risk-related documentation can all be accessed, reported on, and used to inform business continuity teams and risk management activities. Data from business impact analysis surveys can be combined with metadata about systems gathered through a different process, enabling the company to tie together its system, server and database dependencies. Disaster recovery plans developed with application owners are consistent and, instead of being treated as independent items, can be orchestrated into an overriding plan with priority given to applications based on their criticality.

Senior executives have direct access to a reporting dashboard and can quickly see open risks, vulnerabilities and whether disaster plans have passed their tests. There’s no longer a gap between their perceptions and reality. This visibility has given the IT security and risk management team the ability to justify appropriate investment to fix problems.

And there’s more

The impetus for this company was always the desire to protect its customers and prove itself a trustworthy partner. But it’s also saving a lot of time: a couple of hundred hours from efficiencies in conducting impact analysis surveys; and a 75% reduction in the number of people needed to perform vendor assessments.

So I hope I’ve illustrated my point from the previous blog: a siloed approach to business continuity or risk management is not the way forward; an integrated approach is the only way to get your organization into a best-in-class status among the business elite.

* In case you’re wondering: the solution referred to, which holds all the company’s critical disaster recovery information, is itself backed up to an active offsite instance so that it remains accessible in the event of a disruption taking out the primary tool.

Resources:

Large Financial Services Business Continuity Case Study
Large Telecommunicaitons Company Business Continuity Case Study

What the board of advisors really want from IT

By Alex Bender, Director, eGRC Programs and Strategy, EMC

As many of you know the Gartner Security and Risk Summit was held this week in Washington D.C. at the Gaylord National. The event was excellent with many great sessions/discussions on business continuity, privacy in the enterprise, advanced persistent threats and security in the cloud. One of the best session was held on Wednesday titled: Enterprise and Operational Risk Management: What the Board Wants which was moderated by Dale Kutnick and French Caldwell. In this session there were 4 board members representing different perspectives due to their past experiences as well as the industries they serve. The concept was to provide the members in the audience, comprised mostly of IT professionals, a chance to hear what the board perceives as the value of IT to an organization and the information that IT needs to provide a board to make strategic decisions.  Here are a few highlights as to why I thought the session was so great:

During the session a poll was given to the audience that provided real-time feedback capability via text. There were over 110 people in the audience that responded to the question: What IT risks should be communicated to the board?

The category and results of the poll were very revealing:

  • Data Protection – 30%
  • IT Risk to the Business Strategy – 23%
  • Continuity of Operations – 21%
  • Regulatory Risks – 16%
  • IT Investment – 5%
  • Mobility Risks – 4%

I interpret these results in a variety of ways. The most obvious is that the fact that data protection topped the list is due to the numerous privacy issues that have dominated the world over the last several years and that IT thinks too much about ……. well IT. Shocker right? The conversation that ensued was that the board didn’t think that data protection was the top issue. They wanted to know about IT risk to the business. In fact one of the board members stated “is our data backed up and protected? Great…that is your job and that is all I need to know.” They also mentioned how IT wants to talk speeds and feeds about how they protect data and the board could essentially care less. All the board wanted to hear was how IT protected data to keep the name out of the headlines which brings me to the following two additional observations which are…

  1. IT Wants to Talk about the Complexities of Their Job vs. Providing Business Context: One of the board members stated they don’t care about the complex nature of how data are stored, the technology behind securing the data and what the day-to-day tasks are in IT. There is a huge language barrier at play and it has existed over the last 11 years that I have been in security, risk and compliance industry which is we always want to make things so complex/complicated. IT leaders need to put their responsibilities and organizational efforts in simple terms that mean something to the business decision process. The organizations that address the language barriers between IT and the business are starting to be the most successful in their approach to solving real problems for the business.
  2. Top Down vs. Bottoms Up Approach: Organizations as a whole that take a top down approach to driving awareness in the organization on security, risk and compliance issues are the ones that struggle the most. A bottom up approach is needed. If everyone in the organization embraces and understands the risks then the company as a whole will be able to manage, mitigate and preempt risks more efficiently. In many cases avoid major risks all together. This is where an extremely powerful training and awareness program can make or break a security, risk and compliance program. Also when you couple the training program with a simple yet effective communication program you can gain critical mass with your most valuable assets….your people.

I recommend to everyone in IT to seek out all the material you can on what a board wants to hear about and how to understand the value that IT brings in business terms. Also, know how your organization can work with the leaders in business to deliver against the broad set of corporate objectives and not think so much about the complexities of IT. Because if you align IT to the broader set of strategic objectives that are important to the enterprise and communicate the value and risks effectively you are actually delivering what your boss and the board really wants.  I also recommend the board of advisors for all companies start learning more about the value IT can bring vs. thinking “it is too technical”. You are supposed to be a smart set of individuals and want to ensure shareholder value is increasing. By learning more about technology and what IT is doing to support the business you will fund it appropriately and appreciate that part of the business a lot more that you do today.

Recommended Reading:

Bridging the CISO-CEO Divide

Ponemon Institute Research – The Role of Governance, Risk Management & Compliance in Organizations