Shire Pharmaceuticals Drives Into the Future of Healthcare

Some would say that there is nothing more gratifying than helping people in need. In the case of Shire Pharmaceuticals, helping people with life-altering conditions to lead better lives is core to their business and their culture. Based nearby in Lexington, Massachusetts, Shire focuses on developing treatments for conditions in neuroscience, rare diseases, gastrointestinal, internal medicine and regenerative medicine. The need to stay on the cutting edge of healthcare is paramount to the organization and information security has played a key role in that mission.

Shire’s Senior Director of Information Risk Management & Security, Bob Litterer, came to the company tasked with developing a world-class information security function aligned to their business goals. Like so many CISOs today, Bob knew the importance of information security as a business enabler, but needed to drive awareness and create a security culture that embraced their business. In his words, “we didn’t want to perform security for security’s sake”. He was also tasked with reducing costs associated with changing compliance requirements, driving up efficiency, and managing acceptable risk tolerances so the organization could continue to innovate and stay competitive. Quite a tall order when there is so much on the line.

Like any good leader, Bob knew he needed a great team behind him – so he brought in one of our alliance partners, OpenSky, who helped build a comprehensive Governance, Risk and Compliance (GRC) platform based on RSA Archer.

As you heard Peter Ridgley, Lead Consultant from OpenSky, explain in the video, Shire was able to quickly spotlight where there was a need for improvement as well as areas where they were successfully hitting the mark. The visibility through RSA Archer allows Shire to do a drill-down review of each area to determine how they can improve, driving credibility into the management of the program as well as demonstrating its depth.

Additionally, Shire is now able to continue that assessment on a regular basis to report progress, showcase how the information security organization is aligned with the goals of the business, and ensure they are always able to meet changing business needs and compliance requirements.

While this project is impressive in and of itself, I am happy to share with you that Shire has earned an important industry accolade as well. Just last week, the company was awarded the OCEG GRC Achievement Award at the 2013 Compliance Week Conference, which recognizes organizations that make great strides in improving and integrating their approaches to governance, risk management and compliance. Working with OpenSky, Shire leveraged the OCEG Redbook to provide a framework for managing the GRC Program and it has been paying off in spades. Thanks to the dedication of Shire and OpenSky as well as the power of RSA Archer, Shire gets to take home this honor and we couldn’t be happier.

RSA Archer GRC Summit – 10th Year!!

I am happy to announce that RSA will be hosting the 10th annual RSA Archer GRC Summit in Washington D.C., June 12-14, 2013 at the Omni Shoreham Hotel.

As I have actively helped plan these events since 2006, I am humbled at the continued momentum these events have achieved, driven by the premier GRC community with over 10,000 active members. The momentum continues this year with a record number of attendees (800+) and an agenda that includes over 35 client-led presentations on GRC implementation strategies and best practices, 15 technical breakout sessions on the RSA Archer GRC Platform, over 10 birds of a feather round table discussions and executive collaboration from over 500 global organizations.

In addition to the great lineup of content for both technical and business GRC practitioners within the IT, Finance, Operations and Legal domains, there will be three outstanding keynotes during the three-day event. One of the keynote speakers I have had the pleasure to meet and listen to is Bruce Bueno de Mesquita. Bruce is a Silver Professor of Politics, New York University; Senior Fellow, Hoover Institution, Stanford University; coauthor of The Dictator’s Handbook; and author of The Predictioneer’s Game.

Bruce has been on The Daily Show and The Colbert Report, and has given numerous TED Talks, including a great presentation titled: Predicts Iran’s Future

Why is Bruce Bueno de Mesquita the perfect person to keynote at the 2013 RSA Archer GRC Summit? Risk Analytics of course!!

Over his long tenure as a professor and political consultant, Bruce has conferred with experts on all the world’s most pressing issues and fed their knowledge into a vast and highly sophisticated computer model of global affairs.

This combination of wide-ranging expertise and high-power analytics allows him to make strikingly accurate predictions of world events and speak with authority on the power dynamics of everything from office politics to international summits.

I will continue to provide updates on the most valuable, highly anticipated and attended GRC event in the industry.

Until then… keep thinking GRC.

There’s rapid payback for organizations that automate GRC

It never ceases to surprise me how many organizations still use manual processes and unstructured documents to handle their GRC activities. Relying on spreadsheets, presentations and other documents to manage all that information takes a huge amount of time and effort, but delivers very little in the way of consistency or scalability.

On top of that, there’s no ability to aggregate risks organization-wide. This makes it practically impossible to present risk in meaningful ways, and to respond effectively to audit findings and compliance requirements.

Automation changes everything

Organizations that use a software solution, such as RSA Archer, to automate GRC processes tend to see a very rapid payback. Typically, IT is the first user group, the initial aims often being to improve the rate at which secure IT projects are delivered, and to support policy management processes for information risk management.

Because IT provides the underlying infrastructure for other domains, the initial investment in the software will often provide a strong foundation for adoption by other functions, such as finance, operations, legal and HR.

Everyone starts using a common GRC vocabulary. And you get visibility of collective issues, so groups can collaborate on understanding the aggregate issue, rather than fragmenting their efforts across two or more overlapping issues.

What’s the ROI?

Information risk management staff can be more productive and do more analysis work. IT security expenditure will be better directed. The organization will be able to lower its risk exposure and reduce incidents. And ensuring regulator-ready, accurate and timely output becomes a piece of cake.

A recent Forrester Consulting report, The Total Economic Impact of RSA Archer IT-GRC, indicates a 572% return on investment within a three-year period. One company interviewed said that 97% of the ROI they calculated was based on the reporting tool alone.

RSA is hosting a webcast with Forrester on May 22nd, 2012. The webcast will feature Jeff North, Principal Consultant from Forrester, who will discuss the report findings. Also featured during this discussion will be the VP of Security and Privacy from a F500 Media and Entertainment company, who will provide insight into real-world benefits they have been able to achieve using a GRC Platform. Sign up for the webcast.

If you’ve already automated your GRC processes, what have been the payback and benefits of doing so? If you’re ready to automate, where do you expect to see the greatest efficiency gains, and what ROI are you counting on?

The pressure’s on for IT security


I was speaking to a board member of a large investment advisory firm recently about his expectations of the company’s IT security function. He said: “I just need to know that our data is protected, that IT risks are tied back to the business, that we can maintain the continuity of our business operations, and that we can effectively manage our regulatory risks.”

No pressure, then, right!?

The fact is, a lot of senior management teams and boards are getting wise to the fact that they need more closely linked security, risk management and compliance activities. This is why IT security is linked to GRC and their relationship is so important from both a top-down and bottom-up perspective.

Here are some more expectations I’m hearing from C-level executives and board members:

  • We want to understand how security events, and our responses to them, tie to our risk profile and remediation efforts at the enterprise level.
  • We want to know that our security/IT risk assessments are clearly connected to, and consistent with, our enterprise risk assessment processes.
  • We want to understand how security risks are developing so that the future doesn’t take us completely by surprise. And to minimize the chance of a ‘black swan’ event.
  • We want to be able to put meaningful metrics against security risks and controls; and define key risk indicators, key compliance indicators, and key performance indicators for our security team.

In the end, GRC matters to IT security functions because to meet these expectations you need a level of visibility and control, top-down and bottom-up, that only a sustainable eGRC program can deliver. I’ll take a brief look at what eGRC can mean for IT security in a follow-up blog.

Don’t we all work for the same company? Part 2

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Yesterday’s blog started talking about how important collaboration is to eGRC issues such as privacy of information. I asked you to consider any kind of information breach and looked at why IT and legal will inevitably be involved and have to work together. I recently spoke to Barb Mosher about the Ponemon Survey and she wrote a great article titled: GRC Initiatives Critical, Yet Enterprise Strategy, Collaboration Lacking, which outlines the key issues I have described in this blog series. Let’s now look at the other two key functions to get drawn in: operations and finance.

Operations in the firing line

The effect of a breach on an organization’s operations will very much depend on the nature of the breach and the organization’s business. As data-breach notification laws become more common, every breach will at least require customers to be informed — especially those customers directly affected. Many breaches will also have a direct effect on the organization’s ability to continue to deliver its products or services, whether because a network or website must be taken offline, product functionality must be reengineered, or a back-office process must be suspended until the issues have been investigated and remediated.

If an organization is lucky, any disruption to business-as-usual will be brief; but we’ve seen that it can take weeks to restore affected services, giving customers more to complain about and reporters and bloggers more to write about. Collaboration between IT and operations is critical to managing the timelines for service restoration or product remediation, and for the related task of managing customer expectations.

Customer (and media) communications following a breach are fast becoming a minefield for organizations, with the potential to explode no matter what they do. Pressure is mounting for notification to happen as soon as an organization becomes aware of a breach, whereas even a year ago it was not unusual for months to pass between breach identification and notification. This new demand is perfectly understandable: if private information relating to you has been compromised, you’d rather know sooner than later. But it means that organizations may not have time to understand what’s really happened before they have to tell customers; which in turn may necessitate embarrassing corrections as the picture becomes clearer. It’s really not unusual for the investigation of a breach to reveal that it’s more serious than the organization first realized.

If pressure continues to mount to speed up the notification process, it will become more vital than ever for IT, operational and legal teams to work together to clarify understanding across the organization of what’s known, what isn’t known, and what might be subject to further discovery and possible revision.

Finance in the command center

Ultimately, organizations need to know what the total financial implications of a breach are, because risk management is ultimately about weighing the cost to prevent a risk against the likelihood of it happening and the cost to the organization if it does. When a breach happens, the finance department needs accurate information in order to validate the organization’s approach in relation to this kind of risk, or to adjust it going forward.

Reporters will pounce on any movement of a company’s stock price in the days and weeks following a breach. If the price drops, it will be loudly proclaimed as a sign that the company’s brand has suffered as a result of the breach. We may never know how far that is true. Just as one cold winter doesn’t imply anything one way or the other about the reality of global warming, so a momentary stock price movement can’t really tell us anything about whether a company’s reputation has been significantly or permanently damaged. But in measuring the true financial cost of a breach, organizations do need to find ways to measure the effect on customer, investor and shareholder perceptions and behavior; as well as the more obvious costs of investigating, reporting on and remediating the breach, financing legal battles or settlements, and meeting the cost of fines or other sanctions.

To be able to accurately assess these costs, the finance department needs to be able to see and clearly understand what effect the breach is having on IT, legal, operations and other functions across the business.

So what department do you work for?

Thinking through the implications of any privacy-related incident, it becomes apparent that privacy is no longer (if indeed it ever was) purely a legal issue or an IT issue — no matter who is regarded as being its ultimate ‘owner’ from an organizational point of view. And as with privacy, so it is with most eGRC issues.

So the next time you need to talk to someone in another part of the organization to respond to an eGRC initiative, and someone asks what department you’re from, say you’re from the ‘legal unification department’ or the ‘IT unification department’ and your responsibility is to work across the organization to get everyone headed in the direction the organization as a whole needs you to go.

Further reading:
1. The Ponemon survey



Don’t we all work for the same company? – Part 1

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Have you ever been in a situation of having to ask yourself: ‘Don’t we all work for the same company? Why can’t we work from the same playbook, speak the same language and head in a similar direction that gets us closer to the destination we’re all supposed to be aiming for?’

IT vs. Legal? Operations vs. IT? Finance vs. Legal?

Collaboration between divisions within an organization has never been more necessary. In fact, why do we call them divisions? It’s a divisive word; we should call them ‘unification departments’ and put people in charge of doing just that: unifying!

Why is unifying so important? Let’s take the example of information privacy. In a recent survey by the Ponemon Institute that polled over 190 eGRC professionals, it was found that the number-one owner of privacy issues in companies is the legal team, with IT coming in a close second. It was also found that collaboration is the number-one issue organizations have when setting out to achieve a goal or execute against a program such as privacy. Given the importance of such programs today, it’s never been more important for the teams that play a major role in achieving them to collaborate.

There are four key business domains that need to work together systematically to achieve eGRC objectives: IT, legal, operations and finance. Let’s stay with the issue of privacy to see why this is the case. I’ll cover legal and IT in this blog; operations and finance tomorrow.

IT caught in the headlights

Think of any recent data breach to hit the headlines. The initial focus of news stories is on the number of people whose personal information has been leaked, the type of information leaked, and the technological or process failures that allowed the breach to happen (a security loophole exploited by hackers, third-party vendor negligence, a lost computer or other device holding data).

Internally, most of the initial action will probably occur in the IT and legal departments. Even if the breach isn’t a compromise of network defenses — maybe it’s due to an employee losing a backup tape or someone in operations inadvertently sending customer information to the wrong recipient — the incident may well highlight a failure of IT security policy and will have the department scrabbling to identify what happened and pull out all the stops to fix it and ensure that it doesn’t happen again.

Legal under the spotlight

Either in the same breath as reporting the breach, or immediately after, the news will be full of calls for more to be done to protect people’s rights to privacy. Opinion pieces will focus on how this breach will drive further regulatory activities relating to data protection and breach notification in the relevant country/ies or industry.

Internally, IT finds that it can’t just focus on the breach from a technological, process or policy point of view, but needs to be able to help the legal team figure out what’s happened from a compliance perspective and how the company must legally respond. As well as responding to regulators, legal teams will increasingly find that they need to defend their organization against official sanction as governments start issuing fines for data breaches. The legal ramifications of the incident may last for years as it becomes more and more common for lawsuits to be filed on behalf of individuals whose privacy has been compromised during a breach.

Further reading:
The Ponemon Survey

Next time:
Part 2 of ‘Don’t we all work for the same company?’

Unpicking the concept of eGRC

By Alex Bender, Director, eGRC Programs and Strategy, EMC

I was reading an article in The Economist today titled “Taking Credit”, which at one point says: “Rules are now in the works resulting from the Dodd-Frank financial regulation law which will require a bank, which would in the past routinely sell off 100% of a newly-originated mortgage, to keep at least 5% of it unless the customer, among other things, manages a down payment of at least 20%.”

How do you stay upright in a shifting landscape?

This sentence leapt out at me because of the words ‘Dodd-Frank’. Those words have a lot of banks and financial institutions wanting details that they’re not getting yet. They’re left filling in the blanks with guesswork while lawmakers are still drafting the rules of an Act that represents the most sweeping change to financial regulation in the US since the Great Depression.

This situation perfectly illustrates an all-too-common business challenge: how do companies position themselves as government regulators continue to assert control upon organizational practices through tighter regulation? How do they respond to an ever-shifting regulatory landscape without continually spending time and money that they can ill-afford? It’s even harder for companies that act on the global stage, which introduces more points of vulnerability and exposure. And no organization is an island; growing regulatory oversight makes demands on business partnerships that call for stronger controls within business relationships.

eGRC as a business strategy

It’s in response to these kinds of pressures that the concept of enterprise governance, risk management and compliance (eGRC) comes to the fore. In my previous blog I laid out my philosophy about eGRC; I said that eGRC is about an organization’s ability to manage enterprise risk and compliance issues as closely related strategic initiatives that have a direct impact on business objectives. I hold this view for at least two reasons:

Firstly, governance, risk management and compliance are clearly closely related issues. As such, taking a siloed or ad-hoc approach to them is highly likely to result in wasteful duplication of effort and spending, unresolved conflicts, and gaps in coverage.

Secondly, although eGRC first became a ‘hot topic’ with the passing of Sarbanes-Oxley, focusing too narrowly on compliance as the driver for eGRC ignores the potential for creating business value through improved decision-making and strategic planning. It’s only through a wider strategic approach to eGRC that organizations can change compliance from a burden — and one that can only grow as the regulatory landscape shifts about — into an opportunity to add value.

That’s why I believe that successful governance requires clear definition and communication of business objectives, not just applicable regulations, policies, procedures and standards. Managing risk requires identification, prioritization and remediation to protect the organization from excessive risk, but should also remove barriers to growth. And demonstrating compliance should not just be about the ability to prove adherence to laws, regulations, policies, contractual obligations and industry standards, but should be about assuring partners, customers and investors that their trust in your organization is well placed.

Collaboration and control

When you take a strategic approach to eGRC you also realize that it’s about multiple roles and responsibilities across the organization — legal, risk, audit, compliance, IT, ethics, finance, lines of business and others — working with a high degree of collaboration to provide visibility and control. It’s about sharing information, assessments, metrics, and responsibility for dealing with risks, investigations and preventing losses. It’s about recognizing the complex nature of risk and compliance in today’s distributed business environment and being able to understand and manage this complexity. These themes are explored in an EMC paper that gives a great overview of the emergence of eGRC as a strategic business imperative and what you should be thinking about in addressing eGRC. I’ll also be further addressing them in my next two blogs.

Further reading:
EMC white paper: Enterprise Governance, Risk and Compliance: A New Paradigm to Meet New Demands

Next time:
Don’t we all work for the same company?

What have years of exploring eGRC taught us?

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Those of you who know me from the world of enterprise governance, risk management and compliance (eGRC) will know that I have a particular view of eGRC, which is rooted in what I’ve learned from the hundreds of customers I’ve worked with over the course of my career. For those of you who don’t know me, I’d like to introduce myself by sharing my overall philosophy with you and giving you an idea of what I want to achieve with my blogs.

eGRC: led by technology or strategy?

There are many vendors who are using the phrase ‘enterprise governance, risk management and compliance’ as a catch-all to create a market for their technologies. Let me put my stake in the ground: eGRC can’t just be about technology. To be effective, it needs to be a tightly woven strategy for leveraging people, processes and technology to achieve business objectives.

Specifically, we’re talking about business objectives shared predominantly by four enterprise domains: IT, finance, operations and legal. Focusing on technology is not a bad approach, but is myopic when considering how people and processes across the enterprise need to be engaged in the program.

Is your organization struggling with eGRC silos?

Here are some typical indications that your organization hasn’t yet taken a strategic approach to eGRC:

If you’re in IT, do you find yourself thinking: “I’m so busy with day-to-day IT activities, I have no idea whether my role provides business value; I just hope it does”; or “I work in IT; how can I truly affect our business objectives or increase shareholder value”?

If you’re outside IT, do you find yourself thinking: “the key objectives on my plate don’t pertain to IT. Sure I use systems, applications and devices; and IT is great at supporting me. But when we’re opening a new site or trying to launch a new product, IT gets in the way.”

If you’re outside IT and engaged in some form of risk management, do you believe something like: “For me to do my job in the financial risk management group, IT needs to do what IT is meant to do…serve us!”

In most cases, views like these indicate a complete disregard from senior management for the importance of investing in both top-down and bottom-up eGRC objective-setting. They reflect a lack of visibility of how the work of different business functions links together — or should link together — to drive towards the end game. They show a distinct lack of collaboration, which is a theme I’ll return to in later blogs. This is particularly evident in the view of IT having no strategic role to play in risk management, which is isolationist (and in many cases egotistical) thinking that just gets in the way of the business achieving its objectives.

Or are you doing it right?

For those of you who do know me and have already taken the initiative within your organization to transform your business, much of what I’ve just described has already been sent to the waste-basket or kicked to the corner. I know so many companies who’ve done it right and who are well on their way to true strategic and collaborative eGRC across the domains of IT, finance, operations and legal. And when we asked Ovum to research the status of eGRC across seven countries in North America and Western Europe, their results agreed.

eGRC is personal

The great thing about this approach is that the people I’ve worked with have created an amazing upward professional path for themselves and can point to their eGRC efforts as game-changing in their career. Ultimately eGRC is all about you! It’s about enabling you to have the right visibility and control so that you can make better decisions, act faster and ultimately spend less.

eGRC is about trust

I look forward to sharing with you many of my stories and will hopefully provide a forum for us to really get things out on the table. I would like this blog to be about trust. Trust between you and me. Trust that we can agree to disagree. Trust that when I’m wrong, you’ll be constructive in your feedback. Isn’t that ultimately what eGRC is all about? Trust.

GRC Resources:
EMC eGRC resources: www.emc.com/grc
RSA eGRC resources: http://www.rsa.com/node.aspx?id=3732

Next time:
Unpicking the concept of eGRC