CIO Insight Summit, June 2006 Greg Hughes Executive Vice President Symantec Global Services


Page 2

Consolidation Opportunity (and Risk) Knock: Five Steps to Get from Current to Best Practice IT Risk Management

Page 3

Symantec Confidential

Take calculated risk. That is quite different from being rash.

Page 4

There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.

Page 5

A lot of people approach risk as if it’s the enemy, when it is really fortune’s accomplice.

Page 6

Agenda

Increasing Challenge of IT Risk and Cost

Five Steps to Effective IT Risk and Cost Management

Symantec Global Services Capability

Page 7

Top CIO Priorities for 2006

Top IT Spending Priorities

1. Security
2. Application Integration
3. Compliance/risk management
4. Disaster Recovery / BC
5. ERP

Top Business Priorities

1. Aligning IT and business goals
2. Risk management and business continuity
3. Controlling IT costs

Sources: Goldman Sachs, Americas Technology, Improvements a Whisper, Not a Scream; State of the CIO Study, CIO Magazine, 2005.

Page 8

Key IT Questions From the Board of Directors

Security: Do we have adequate protection against denial of service attacks and hackers?

Incident Response: Are there fast-response processes in place in the event of an attack?

Data Storage: Do we have management practices in place to ensure 24/7 levels, including tested backup?

Risk Management: Are there any possible IT-based surprises lurking out there?

Disaster Recovery: Has anything changed in disaster recovery and security that will affect our business’s continuity planning?

Source: Harvard Business Review; Information Technology and the Board of Directors, October 2005

Page 9

Unleash Greater Innovation by Reducing IT Costs and Risks

[Figure: IT Cash Cost on a 0% to 100% scale, split into Infrastructure Cost, Innovation, Administration and App. Maintenance]

Source: McKinsey & Co. BTO Practice, IT cost survey

Page 10

Example: Themes From Wall Street

Concern about IT risk broadly | Focus on security
Expansion into IT risk management role | Narrow CISO role
Innovation around IT risk reporting | Unmeasured risk
All applications - internal and external | External applications
Storage must be secure | Storage is storage
Protecting the extended enterprise | Protecting the firm
Testing as a normal course of business | Running tests

Page 11

IT Risk Management

Incorporates an analytical, systems methodology
Provides IT and business leaders robust decision support
Encourages protection of that which requires protection
Manages cost while maximizing performance benefits

An enterprise-wide approach to improving processes, people and systems to achieve the organization’s preferred balance of IT costs and risks

Page 12

Leading Companies Take 5 Steps to Manage IT Risks: In Framework of Business Risk Management

1. Develop IT risk awareness
2. Quantify business impact
3. Determine appropriate IT risk tools
4. Align costs to IT risks
5. Build institutional capability

Page 13

Develop IT Risk Awareness to Business

Business Risk

Non-IT Risks
Financial Risks
Operational Risks

IT Risks
Compliance Risk
Recoverability Risk
Scalability Risk
Performance Risk
Availability Risk
Security Risk

1. Develop IT risk awareness

Page 14

Quantify Business Impact Starting with a Business Impact Assessment

Line managers, production leaders, functional managers

Business Impact Assessment

Critical Business Functions

Business Input

Financial Costs
Customer Losses
Legal/Statutory Penalties
Operational Dependencies

2. Quantify business impact

Page 15

Quantify Business Impact: Stock Market Rewards Companies with Lower Risk

Stock Price Performance of Companies That Experience a Major Operational Disaster. Sample size = 15: U.S. companies – 8, European – 6, Asian – 1

[Figure: Cumulative Abnormal Return (%), from -20 to 20, against Trading Days after the Event, from 0 to 250, for Recoverers and Non-Recoverers; chart annotations: -15% and +10%]

2. Quantify business impact

Source: The Oxford Executive Research Briefing, The Impact of Catastrophes on Shareholder Value

Page 16

Determine Appropriate IT Risk Tools: Understand Range of Tools Available to Manage IT Risks

Managing IT Risks

IT Best Practice Processes
Technology for IT Risk Management
Organization & Education
Information Sources

3. Determine appropriate IT risk tools

Page 17

Causes of IT Failure

Process:
Insufficient crisis management plans
Weak IT project execution rigor
Inconsistent enforcement of policies and standards
Lack of plans to support increasing capacity and changing business needs
Poor internal communications across functions and regions

Technology:
Poor fit between product functionality and requirements
Environmental performance limitations
Incompatible versions/patches/technologies

People:
Lack of proper architecture expertise
Weak functional product knowledge
Insufficient training in troubleshooting and resolution
Fragmented/incomplete skill sets

Causes of Failure Frequency (chart values): 60%, 53%, 53%, 40%, 60%, 60%, 47%, 40%, 33%, 47%, 33%, 27%

3. Determine appropriate IT risk tools

Page 18

A Call to Action: Top Three Things to do Tomorrow

1. Plan before you act
   - Establish escalation paths and crisis plans ahead of time
   - Thoroughly test in development and staging environments
   - Allocate proper time and resources for upgrade events
   - Have a contingency plan and rollback option

2. Ensure your IT organization has the right skills
   - Inventory and assess your staff’s skill set
   - Build or engage external expertise up-front to properly design and architect your systems against business needs
   - Provide training on operating and troubleshooting the infrastructure

3. Create and enforce global policies and standards
   - Define security policies
   - Set hardware, software, patch/upgrade standards and policies
   - Create mechanisms to share best practices and learnings

3. Determine appropriate IT risk tools

Page 19

Align Costs to IT Risk By Segmenting Service Levels

[Figure: service levels plotted on Risk and Cost axes: “Platinum” Service Level (e.g., ERP), “Gold” Service Level (e.g., Partner Extranet), “Bronze” Service Level (e.g., Intranet)]

4. Align costs to IT risks

Page 20

Example: Define Recovery Service Levels

Service Class | Example Application | Service Levels
Platinum | TV Transmission Support Systems | 24*7 Scheduled; 99.99% Availability; RTO = 2 Hrs; RPO = 0 Hrs
Gold | Supply Chain Management, Email | 24*6¾ Scheduled; 99.5% Availability; RTO = 8 Hrs; RPO = 4 Hrs
Silver | Enterprise Back Office Systems | 18*7 Scheduled; 99.0% Availability; RTO = 3 Days; RPO = 1 Day
Bronze | Departmental Functions | 18*7 Scheduled; 98.0% Availability; RTO = 5 Days; RPO = 1 Day
Copper | Standalone Systems | 12x5 Scheduled; 98.0% Availability; RTO = 10 Days; RPO = 1 Day

4. Align costs to IT risks

Page 21

Overall Strategy and Risk Posture Governance New or Expanded Leadership Roles Reporting and Information Systems Skills Building Awareness and Culture Changes Planning and Testing

Build Institutional Capability

5. Build institutional capability

Page 22

4 Common Issues Customers Face – Managing Risks

Lack of Insight and Misaligned Priorities
Unreliable Processes
Critical Gaps in People Expertise
Inflexible Technology Foundation

Page 23

Symantec Global Services

We help organizations reduce IT cost and risks and achieve rapid, significant and lasting value from Symantec solutions

Deep technology expertise
Real-world implementation understanding
Cross-platform capabilities
Unique proprietary insight into nature of IT risks

Global Reach

North & South America, Asia Pacific & Japan, Europe, Middle East, Africa

700 Consulting
200 Education
1900 Enterprise Support
1900 Consumer Support

Page 24

Symantec Customers Managing Risk

Healthcare Industry - Managing risk: Security
Retail Industry - Managing risk: Performance
Automotive Industry - Managing risk: Availability
Pharmaceutical Industry - Managing risk: Recoverability

Page 25

IT risk is a new part of our role

IT risk can be managed

Symantec can help

Page 26

Q&A