KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to the KuppingerCole webinar "Risk: The New Compliance". This webinar is supported by Agiliance. The speakers today will be me, Martin Kuppinger of KuppingerCole, and Dr. Torsten George of Agiliance. Before we start, some general information and some housekeeping, and then we will directly talk about the agenda and the content of today's webinar. So, KuppingerCole is an analyst company focusing on enterprise IT research, advisory, decision support, and networking for IT professionals through our subscription service for all our research, our advisory services, and our events.
The main one we are doing is the European Identity and Cloud Conference, which will be held again in April 2012 in Munich, like every year, and it is certainly the place to be around identity, GRC, and related topics. You shouldn't miss this conference; there's a lot of, I think, very valuable information. Regarding the webinar itself: you are muted centrally, so you don't have to mute or unmute yourself; we are controlling these features. We will record the webinar, and the podcast recording will be available by tomorrow at the latest on the same website as the event information.
We also will publish the PDF versions of today's presentations, so that you can download them as well. And finally, Q&A will be at the end. You can ask questions using the Questions tool in the webinar control panel at the right side of your screen at any time. Usually we will pick up the questions at the end; in some cases, if appropriate, we might also do so during the webinar. I always recommend that you enter questions in this tool right when they come to your mind, so that we have a comprehensive list of questions when we start the Q&A session at the end of this webinar.
So that brings me to our agenda. The agenda today is, like most of our webinars, split into three parts. The first one will be a presentation by me. I will talk about thinking in risks: the benefits of a risk-driven approach, and also how to use risks to close the communication gap which frequently exists between business and IT. In the second part, Dr. Torsten George of Agiliance will talk about how to implement a risk concept and act upon risks, to not only fulfill regulatory compliance but to help organizations better drive their business. So he's really looking more at the implementation side, where I will, let's say, span the umbrella, the big picture. The third part, as I've said, will be the Q&A session. Okay. So when we look at risks, what are risks about?
So what defines a risk? A risk is something where we have a threat, which has some probability to become an issue. We have an impact of this threat on assets, so we can do a valuation. And we have an impact on business processes, which is, let's say, tightly related; these assets are somewhere related to the business process. But I think a very important point is that risks are about threats, about their impact, and about the probability or likelihood of these things happening. And we frequently talk about, let's say, different types of risks.
So we have the strategic risks, the business risks, the things which say, okay, if we do that type of product, there's a risk in doing this; the market might not accept it. All these things are also things which really can drive us out of business.
However, operational IT risk can also drive an organization out of business. Operational risks are the things which really happen as part of the business process, as part of our continuous operations. So operational risks are banks losing a lot of money through rogue trading or other things, and a lot of other things which can happen around operational risks. And then we have the IT risks, and IT risks are the things which we see in IT.
And one thing I will talk about later is that it's very important always to keep in mind that IT risks are only relevant because they're associated with operational risks. So if there's no related operational risk for an IT risk, if it's not becoming operational, then we don't have to care about it, or if it's not strategic; there are also IT risks which can be strategic risks at the end of the day. So another view on this is the big picture on GRC.
That's one element we have in our research note which talks about the, let's say, reference architecture for GRC; it's just one of our reports around this, the GRC reference architecture. I've just taken it out. And it again says, okay, it's about threats, the assets, the business process. And for sure, if you look at the lower part, we need controls to understand what the status of these threats is. And then we need to deal with this.
So we need to understand what our threats are and what their likelihood and impact are. We have to investigate a status. We have to do improvement activities, so as to move forward and mitigate risks. And finally, we also have to have crisis and incident management in place. So I won't talk that much about it, but it just shows that the entire risk thing is for sure something which we need to implement in our organization, and which we can do in a standardized way. And that's what risks are about. So when we look at risks, what should we do then?
The first thing, I think one of the questions is, at which assets should we look? Are these more the physical assets, the systems, or business processes, information, and services? And a lot of the concepts, as I'll talk about a little bit more later, are really focusing more on systems.
However, it's what we do with the systems which is really at risk: the information, the business process using these systems. In fact, systems, especially when we look at the cloud, are sort of a set of services, so looking at it more granularly, at services doing things with information, definitely helps us. We have to think about which threats we are facing. That's the second big question. So we have to understand, for these assets which are relevant to our business, which threats are we facing?
There might be things where we have some experience because it has happened before; there are things which have some likelihood, but we didn't have an incident there. So we need to understand it, to look at it, and really try to figure out what our threats are.
What are all the things we might have to deal with? We have to understand what the realistic probabilities are, and that's something which I find particularly interesting, because what we frequently observe is that when companies look at probabilities and also the impact, they tend not to use realistic values; in many cases, it's sort of, let's say, talking a risk small, trying to say, okay, oh, it's not that big a risk. And I think it's very important to be realistic. You shouldn't be too afraid of things, but you also shouldn't try to ignore things here.
The same is true with the impact. So what is the realistic impact, and which business assets and processes are impacted? And you should also work with standardized impacts. So when you do this, you should have a list of impacts where you say, okay, I check this asset and I think about: could this be one of the impacts? Could that be one of the impacts? That really helps in doing these things. And there are direct impacts.
So yes, you have lost money by trading. There are indirect impacts; for example, you had to do a breach notification, which results in image losses and all these things. So dealing with standardized types of impacts is certainly something which is helpful. And so what to look at: as I've said, one of the typical things you find in a lot of standards today is really more that we look at systems.
So we really have sort of a system governance, not even a service governance, which I have here; it's really a system governance. We look at it and say, what are the threats and what are the risks for this system? However, that is only of limited value, because information might be used by a lot of systems. There might be only a few things which are really at higher risk in the system, only very few services dealing with very specific information. And so looking at these things that way tends to turn out to be too coarse-grained.
And also it's not adequate for a cloud service world where you're thinking in services instead of systems, because you might change the service providers much more flexibly. So if you do it a little bit more advanced, you at least have a look not only at the systems, but at the information used by the systems and what is done with this information.
So that's one layer of, let's say, detail, and that definitely brings things forward. Even better if you look at services, because that allows you to deal with everything you have on premise, as well as everything which might pop up in the cloud; it's sort of a cloud-based approach. And then you also might look at which services are used by or tied to which process, and which information is used by which process; then you are even more granular. And the most important things definitely are around processes and information, and all these things are related.
But I think it's very important to go beyond what is typically found, for example, in Germany with IT-Grundschutz, at least in the typical ISMS approaches, because these are about systems in most cases. And then you need to have sort of a risk rating. So this is one of the typical forms in which this is done. You have a table, a spreadsheet, and if it's a low probability and a low impact, then it's not a high risk. And then you go up to higher or very high risks.
I think there are a few which are, in my case, in the lower right corner. And then you have to do it for information, processes, services, and maybe systems. But I tend to look at information, processes, and services, and what you really need is some standardized approaches; when you have them, it's really fairly simple.
It's work to do, but it's fairly simple to do it in a very consistent, standardized way if you have prepared it right. And then you better understand where the risks are: where are the higher risks, where are the lower risks, which types of risks do you have where, and how to react to this. And for sure, going back to the systems, you can map information, you can map services, you can map processes back to systems, but then you have a much more granular view.
And we can then better decide on how to protect, how to react, which controls to implement, which actions to take to mitigate things. Because usually it's not about the entire system; it's about specific things which happen there, and granularity definitely helps here.
So, on the other hand, going away from the pure risk view towards compliance, we have the situation that when looking at compliance, we have many regulations. We have many approaches to do it. We have many players. So we have regulations like SOX, IT-Grundschutz, and a lot of others. We have different types of supporting GRC tools. We might use SIEM, security information and event management. We might use business GRC suites. We might use audit tools. We have a lot of things.
And I think it's close to three years ago that I blogged about too many GRCs out there. And I think that's one of the things we have to keep in mind; and we frequently have too many players in the organization. So we have the CEO, the CFO.
However, if you look at these things, at this situation where we have a lot of players, a lot of regulations, a lot of approaches to do this, there is one very important link, one common element, and this element is risk. And that's true as well if you look at the regulatory part. So the number of regulations is growing. They are pretty different, but at the end of the day, it's always about risk as the common element. Risk also goes beyond regulations. So we have many regulations that deal with risks; most of the regulations in fact deal in some way or another with risks.
They say, okay, you have to do it because you have risks here. Auditors, in addition, beyond regulations, look at risks, because there are some implicit things related to risks they are looking at, and not fulfilling regulations is a risk as well. So if you look at what happens when you don't comply, then you are at risk. So compliance, from that perspective, or rather being not compliant, is just one form of risk.
However, there are a lot of things which are not necessarily directly within a regulation, especially if you look at operational risk, or also some aspects of the, let's say, operational risk side of IT risks. Many of these things are not necessarily part of a regulation. So there are things which compliance can't guarantee.
You might be fully compliant with all regulations, but there are still operational risks around; there are many risks beyond regulations, like I've said. So if you look at risks, the interesting point is that you will cover regulatory compliance aspects as part of it. So if you start with risks, then you always end up with, okay, regulatory compliance, if done right, is something that will fall out more or less automatically.
However, if you only look at regulations, you never, ever will cover the entire world of risks you're facing. And then the other thing is, how does this help us? So if you say, okay, risk is something which helps us; risk is sort of bigger than compliance, sort of like we've had in the title.
It's the new compliance. Then the other question I have in my presentation right now is a little bit about how it helps to close the communication gap which we frequently have between IT and business. And I think there are some points, and I will go through some slides which focus on these aspects. So one of the things is delivering more strategic value and supporting business performance. Risk mitigation also helps by saying, okay, we have lower strategic risks. Frequently, when we do it right, looking at risk, we also end up with a deeper insight into what happens in the business.
And we have the ability to quickly analyze issues in depth. So we are getting better in a lot of things we need, for example, to improve our business processes. And then we have the business performance aspect. We really get better in understanding where the business doesn't operate well, where business controls aren't met.
So if you build on this, we ultimately end up with a lot of knowledge around these things, and GRC, what we do around managing risks, has to provide a lot of things which are also around, for example, effectiveness and efficiency of operations, reliable financial reporting, early warnings, strong forensics; all these things are elements which are very tightly related to things we have identified as a risk. So if we do it, we automatically end up with things which really help the business to get better.
And so to do it, a continuous and well-structured GRC, focused or centered around risk, is the key thing; we need to do it continuously, with automated and manual controls. And so we really need to build a framework, built on risk, and risk, as I've said, is sort of this element which glues all these things together. It also helps us to move from reactive to preventive: not looking anymore only at what has gone wrong. And that's also something where we make the business better. When we look at it not reactively but proactively or preventively, then we can look at, okay, what are the risks?
How can we avoid them? Instead of dealing with all the issues once something has happened, once we had an incident. And that also leads to the conclusion that separating the different tiers of approaches is sort of about ignoring risks. So we need to understand the relationship of different risks. Operational risk can turn into strategic risk. IT risks are only relevant if they affect operations in some way or another, if they cost us money, if they cost us image because we have lost PII or whatever, and we can't ignore these risks.
So we need to have a good approach which supports a risk view and which also helps us to manage all these risks with a combination of automated and manual controls. And we need to do it in a consistent way, looking at all the different things. And that also means, if we start from an IT perspective, if we look at it from the perspective of IT, then we are in a situation where we really need to map what we are doing in IT, the risks we are facing in IT, to our, let's say, next level of things we are doing, to the business.
So what we need to do to close this gap is translate the IT initiatives into a risk view. We need to understand how IT initiatives help to mitigate risks. For sure, you could claim that this is sort of a negative inhibitor, because we are only looking at avoiding things. Nevertheless, I think there are a lot of things where we also make things better, because we provide better information. We then need to map IT risks to operational and sometimes also strategic risks.
Again, for sure, it's sort of the negative inhibitor view; nevertheless, I think it helps to translate things, because when we do this translation process and start really thinking about what operational thing we affect, and when we mitigate this IT risk, what it means for the business, then we are speaking much more in business terms. That helps us to communicate with the business. It also helps us to discuss the risk valuation with the business, asking the business: if we do that, how would you do the valuation for that?
Because the business usually knows that better than we in IT, or you in IT, do. But for sure, I think that's one element we also have to keep in mind: you need to look at business benefits as well. Nevertheless, if you think in risks, you are much closer to the business, because every, let's say, well-done ISMS, every risk scoring, risk identification, risk valuation approach automatically leads to a mapping of the things we are doing in the IT area, in these systems and these services, for data and information, to the business.
So we automatically will think and talk much more in business terms. That's what I wanted to present, a lot of information, I know, in some 20 minutes. Feel free to ask for more details via email or whatever. And I right now want to hand over to Dr. Torsten George for his part of the presentation. Like I've said, he will talk about how to implement a risk concept and not only fulfill regulatory requirements. So I will make him, oops, the wrong person, just a second, make him presenter. I tried to make myself presenter again, which didn't work. Okay. It's yours.
Thank you, Martin.
I appreciate you laying the foundation for today's topic, "Risk: The New Compliance". So over the next half hour, I will review with you the top myths around governance, risk, and compliance. And I will also share with you some market research data as it relates to organizational trends, technology, and changes in the ecosystem, which truly trigger this new concept that risk now is the new compliance.
And we will round up the webcast with some customer insights and recommendations on how to avoid pitfalls when putting a security risk management strategy at the forefront, as part of your business strategy. As Martin mentioned, please submit your questions via the GoToMeeting interface, and we will answer them at the end. So let's get started.
I wanted to spend a brief moment on Agiliance, for those that have not heard about us. Founded in late 2005, we are seen as the leading provider of security and operational risk management solutions for governance, risk, and compliance programs. Our purpose-built software platform enables Global 2000 companies and government agencies to automate their governance, policy, and risk management processes.
The same platform also helps to orchestrate incident, threat, and vulnerability actions, which in times of increasing cybersecurity attacks is extremely important. By leveraging these capabilities, organizations are able to make risk visible, measurable, and actionable. Based on these advantages, Agiliance does not only receive praise from existing customers, but is also seen as the leader in the industry, which for example is reflected by the Strong Positive rating, the highest possible one, in the 2011 MarketScope report for IT GRC solutions by Gartner, and our solution also won a lot of other industry awards.
We hold three patents, and that reflects the innovative character of our platform. We're headquartered in San Jose, California, and have worldwide offices, including offices in Europe. We also have the pleasure to serve a really broad range of marquee customers. This slide just shows a few examples, ranging from financial services companies, the public sector, energy, retail, and technology companies, as well as healthcare companies.
So you can see those customers take advantage of our security and operational risk management solution to really help them survive in today's very hostile environment of cybersecurity attacks, but at the same time increase their compliance posture. So enough about us. Let's really dive into the details. And first of all, I wanted to address some misconceptions about governance, risk, and compliance that often lead to failure when you try to implement these programs. So the first one is this:
A lot of people understand governance, risk, and compliance as a software category, but that's not really adequate. The reality is that GRC management is ultimately a set of processes. There's no software package that can provide GRC in itself.
An organization has to set its people in motion to govern, assess, and manage risk and comply with essential regulatory mandates, as Martin described earlier. However, GRC tools can help to automate a variety of important functions, increase the accuracy of reporting, and, most importantly, increase the visibility into remediation and prioritization of your mitigation actions. And it's very important that this is being done across different stakeholders.
Martin pointed out that we are dealing with a lot of people that are involved in this process, and it's important to provide information to all of these stakeholders in different types and shapes. And that's where a GRC tool can help you do that. The second myth is that EGRC and IT GRC can be addressed in a single platform. That's something that we hear quite often, and there is definitely, from the point of view of the organization, the need for a unified solution.
And that's very desirable: to cover controls monitoring, which entails segregation of duties and internal controls; then the financial controls and compliance, which is normally known as EGRC; as well as IT and operational controls for risk and compliance, which is known as IT GRC. But the reality is that the expertise and knowledge that would be required differs significantly between EGRC and IT GRC. And therefore it would require tremendous investments from vendors to capture all capabilities in a single platform, and make the platform almost not affordable.
There might be some overlap in operational risk management between EGRC and IT GRC. But in general, what we see is that a lot of clients that initially pursued the path to a unified solution came quickly to the realization that they should implement an EGRC tool and an IT GRC tool and interconnect them. And the figure here on the slide really shows the interconnectivity.
So you have an information management system that you leverage, you have security risk management on the right-hand side, and then you have the other elements that make up your business application system: the financial risk management system, which is known as EGRC, and you have the ERP system, the EPM system.
And as an overlay, you have really key performance indicators and key risk indicators that report up into the business intelligence systems. The security risk side, which is really something that does the bottom-up approach, should be interconnected with all your other business applications and take the data feed from these applications, correlate the information not only with the criticality of the assets within an organization, but also map it back into the controls and help you to be compliant. So that's really an approach that you should be looking at.
The third myth is really that people believe: if I check off the checkbox and show to an auditor that I'm compliant, then automatically my organization will be secure. Everybody in this business knows that this is really just a myth. Why is it a myth? Well, compliance lacks the correlation to risk, there's a lack of real-time visibility into compliance and risk posture, and a lack of actionable data. As a result, security requires actionable data; security requires immediate reaction, immediate mitigation.
So this is a thing that needs to be addressed on the security side, not on the compliance side. Also, compliance is disconnected from security. What I mean with that is really that a lot of times we get data logs and it tells me, hey, there might be gaps, but it does not give me any prioritization on remediation actions. And it increases the risk to the business. What is required here is really an approach where you take the criticality of your assets into account, which helps you prioritize and align your resources to address these issues.
And then the difference between compliance and security is also that compliance is conducted periodically. We all know we're spending six months to get to a certification, then we have a short breathing period, and then we start all over again. But security is something that needs to be applied continuously. So our advice to you is to focus your activities on security, and compliance will happen as a result.
We understand that security operations often does not get the funding to apply this approach, but if you would follow a security risk management strategy, which combines security aspects and governance and compliance aspects into one platform, you can go to your compliance team and jointly fund this project and really come to a better outcome for your organization. Okay. Let's quickly take a brief look at where we are right now as it relates to IT GRC solutions. Over the last few years, there have been dramatic advancements made to IT GRC tools.
And so features include, for instance, organizational security policy management. So the capability to collaborate between different business units, be it IT, security operations, or a business unit, is definitely enhanced. We nowadays have tools that come with best practice templates. We have version control and workflows for approvals. The distribution capabilities among employees, with acceptance capabilities, have improved dramatically, and you can even quiz your employees.
And most importantly, again going back to a more risk-based approach, the reporting capabilities definitely have advanced dramatically. Other features that are very important for an organization are really the knowledge base of regulations and controls. So here it's about the interpretation of regulations and the cross-mapping between control objectives, security mechanisms, and manual controls. The derivation of technical and non-technical controls, and building a common control framework, which allows companies to test once and comply with many regulations, has become something that's very powerful.
That saves an organization a lot of resources, a lot of time, and a lot of money. Another thing is really the controls and policy mapping. So here, taking data feeds, import of surveys, and other data collection methods, and centralizing them with an audit trail is very important and has become a standard feature of IT GRC tools.
The same applies to technical infrastructure assessments. So nowadays you find support for fully automated technical control assessments, partially automated controls, and non-technology controls. And that's very important. This is normally an area where your employees spend a lot of time doing that in a manual fashion.
Nowadays there's automated technology that really streamlines that process and can help you reduce the time that you spend on that from on average, 90 days down to 30 days, the other functionality is that play a role is really the it control self assessment and measurement. So here you can do self assessments. You can do ready testing just prior to the auditor coming in. So you're avoiding to kinda get spent by the auditor. You already know what your posture is upfront.
And then a very important component that is emerging right now is really that it, GRC tools are also covering remediation and exception management. And here it's about built and workflows interconnectivity with the ticketing system, exception management system to really make sure that if the security operation team has found vulnerabilities and they throw it over the fence to the it team, then it doesn't get lost in the black hole that we normally see, but really that it can be tracked that it's visible.
And every day you can look at it as a security ops person, and you can see what happened with that ticket. And so it's very important to look at it, TRC tools that can fulfill a broad range of integration capabilities with third party systems. Another thing that's important, the more you go up the letter, meaning C level people, it's the it compliance dashboard and reporting capabilities here. It's a role based approach, depending what role you're taking on in the organization.
You can see different type of information, different grand reality of C might not wanna see all the listed vulnerabilities, but he's more interested to see the overall risk posture of the organization. Well, if you're more down in, in, in the weeds, you really wanna see which assets are impacted by a particular level of abilities. And so drill down functionality is also very important and then everything needs to be customizable and flexible to accommodate your specific needs. And that needs to be done without touching the code.
So you should not be bringing in professional service people that every time you wanna look at the new report, have to build that for you. You should be able to do that yourself. And there are tools out there that are doing that then last but not least in that time, back to today's topic is really it risk valuation, making risk, visible to the business, making it measurable and actionable. And that's very, very important for many organization nowadays. And so today's topic is risk the new compliance.
So this is a trend that we see. It's according to our own experience, but also market research conducted among security experts. We're seeing three key trends: risk becomes the new compliance.
So it's really driving the decision-making process. At the same time, it's decentralized, due to the fact that there's the understanding that the best knowledge of risk resides in the individual business units, because if you ask somebody in headquarters what they believe has the biggest impact on a particular business unit, they might not even know. It's really the people that work in that business unit that are best placed to assess that. And then there's the emergence of the role of the business information security officer. And that ties back into the second point, decentralization.
So it's not a surprise then, when we take these three key trends, to see that in the State of the CSO survey a majority of respondents put more value behind risk management. So about 61% of people say that over the last 12 months they really changed towards a risk-driven approach. And you can see that 57% of respondents' organizations nowadays use a formal enterprise risk management process or methodology. And that's up dramatically from prior years; that's a more than 20% increase in that area. And this is cross-functional. So it's not that one function like IT is just driving this.
But as you can see on this slide, it's across the board. Information security definitely is still kind of the champion here, but you can see business continuity and disaster recovery definitely have a major impact, financial risk plays a role, physical corporate security, even the general counsel with the legal implications, human resources, and marketing, believe it or not, plays a big role here.
So this is really something that is the new trend. And so when we tie this back to the technology trends, if you now wanted to move towards a risk-based security management approach, what do you see from the technology vendors out there? First of all, they understood that IT GRC projects are quite complex and that they have to help you in your efforts to implement the tools. So there are now simpler deployment methodologies out there that really reduce the expenses.
As I touched upon earlier, there are also emerging capabilities that are addressing the need for a more holistic view of what we call security risk management. And here it's about the visibility of business processes rather than just IT infrastructure assets. So it's the business risk, it's the organizational security policy; these are non-technical control assessments. And then another thing is that you have to marry the bottom-up and top-down approach in a single platform.
Again, you want to connect different stakeholders within your organization. And to do that, you have to take the bottom-up approach, which is a more risk-based-driven approach.
And the top-down approach is more of a risk-based approach. The bottom-up approach is more really looking at the nitty-gritty details, automating your compliance, automating your assessment of vulnerabilities and threats. And here we talk about IT incident, threat and vulnerability management, which is extremely important, and more and more vendors are realizing that. So again, risk: why are we looking at risk?
Well, there are specific market trends that are really driving this. Over the last 12 months the threat landscape has changed dramatically. Advanced persistent threats are not only dangerous but are increasingly common. There are more types of attackers. We're not just dealing with state-sponsored hackers, we're not just dealing with criminal organizations, but really now also with hacktivists. More vertical markets are included; it's no longer just the financial industry. It's critical infrastructure players, it's social network sites, it's government agencies.
So it's across the board, yet few organizations are prepared to combat it. The 2012 Global State of Information Security Survey, which was conducted by PricewaterhouseCoopers in conjunction with CIO and CSO magazines among more than 9,600 security executives from 138 countries, reveals that only 16% of respondents believe their organizations are prepared and have security policies that are able to confront an advanced persistent threat. That's quite scary, but it ties back into risk to security rather than compliance. And it's not surprising.
I mean, we all know that after three years of budget constraints and cuts we have experienced a degradation of core security capabilities. This chart kind of outlines how the cuts occurred across the different security tools, and considering the current fears of another economic crisis, it appears that this situation will not change anytime soon. So a more proficient and holistic view might be something to consider, whereby you take existing security tools,
you already invested in them, but you now feed their data into a security risk management tool that aggregates the data, correlates it to the asset criticality of your business, and also ties it back to the controls. It allows you to run risk reports so you can see your risk posture. And then at the same time, it interconnects you with the ticketing system, with a remediation system, patch management and others, which allows you to streamline your mitigation efforts and really proactively attack the threats that you're facing in cybersecurity.
Martin mentioned cloud computing earlier, and cloud computing is really pouring more oil onto the fire. Cloud computing only adds to your headaches, because, as this research result shows here, the uncertain ability to enforce provider-side security policies is another thing that increases risk for the organization. And that takes over the aspect of compliance.
If an auditor reviews you nowadays and you have outsourced your IT environment into the cloud, you can't just rely on, hey, here's the service level agreement I have with my cloud service provider. It's not enough. Your reputation is on the line. And we had incidents like Epsilon, where they got breached and nobody is looking at Epsilon; everybody's looking at the company that serves the clients. And so if your reputation is on the line, it represents a huge risk for your organization.
And again, here risk is nowadays driving your strategy, your approach within the organization. So I wanted to share with you some customer perspectives. So if you wanted to now use IT GRC tools, or, in our case, we could rather call it a security risk management tool, what are realistic expectations?
What have customers seen? What do they have to do to really be successful? First of all, you always have to anticipate change management. GRC is all about reviewing existing processes and policies as part of the overall program. It's not like you're putting a tool into place and everything's working. It gives you an incentive as an organization to look into the mirror and decide what is working, what's not working, what do we have to adjust, what do we have to do better. And this is something that you have to take into account. It takes time.
Another thing is a lot of companies still conduct buy-versus-build decisions, but you have to understand that automation of control assessment and evidence collection enables you to free up resources, realign them and make them work on tasks that have high priority for your organization, that address existing risk, rather than letting them fill out Excel spreadsheets. And then as part of the implementation process, it's really that you have to start planning, you have to start reviewing, and you have to bring in stakeholders very early, and not just one stakeholder.
You should really bring in all of the stakeholders, and that includes end users. And once you start rolling out your IT GRC program, it's very important to conduct training and enforcement. That's especially applicable for the end users.
If they get the right training, they will use the tools, they will welcome the tools, they will really embrace them, and that will help your organization to be more successful and increase your business performance. So our recommendations are: really think big. Think about business continuity, disaster recovery planning; think holistic, not just about IP addresses that you want to cover.
It's really about thinking about the whole process. Thinking about governance, compliance, risk, which we talked about today and which is far more important than ever before, and security, and bringing all of these elements together. Don't focus just on one piece of it. And then include everybody, include all stakeholders early in the implementation and planning. This should also include end users.
That's a common mistake, a common pitfall that we see, that end users are being left out of the planning process. And then later on, companies are struggling to get their buy-in, or they have to adjust their implementation to really meet the needs of the end users. Another big thing is, if you look at tools that also come with content, you have to evaluate the origin of the content. There are some companies out there that leverage community-built content; others have dedicated resources that provide that content.
If you go with somebody that offers community-based content, you always have to question who is really updating that content on an ongoing basis, who is monitoring and controlling that content. Having dedicated resources definitely offers major advantages. And then last but not least, reach out to your peers and consultants, and KuppingerCole can help here a lot. I talked with Martin before we started the webinar. They're the springboard.
You can bounce off ideas. You can see what they hear in the field.
You can really openly talk without having to fear that they have a specific vendor or specific methodology in mind. They're quite flexible, they're quite open. And so you should talk with them, you should talk with other peers that already have implemented IT GRC and security risk management, to really see what they have done, what pitfalls you can avoid going forward. And so with that, I'm concluding my section. So Martin and I are now open to any questions. Yes. Thank you for your presentation and the insight you've provided, Mr.
We are now ready to take questions. And so in the meantime, until we have some more questions here, I'd like to start with some things. One of the points you brought up is the BISO, so the business information security officer. How does the BISO relate to the CISO, the chief information security officer, in your experience?
What we have seen so far is that they're reporting into the CISO, but they're really the subject matter experts when it comes to really the risk in particular business units, how to apply specific methodologies in their business units, and they know best what the critical assets are, what needs to be protected. And they're also very familiar with the particular regional or even local regulations and requirements. And it's often very tough from a global perspective to gain that regional understanding of what these regulations really mean.
You need to have the cultural background a lot of the time to understand that. And that's where we see really this role emerge. And what we have seen primarily is that they report back into the CISO. So if you focus more strongly, like I've proposed, on an information-centric and business-process-centric approach, probably most of the organization below the CISO will be the regional or departmental BISO layer. Yeah.
I agree. I mean, we have seen this over the last two years: decentralization. It's always kind of the bouncy ball. Every five years, we kind of see it gets pulled back into central, then it gets pushed back out. But over the last two years, really, it's gone back into the regions. Yeah. Another question I have here is how would you see the ratio between, so you've talked about this before, where you said, okay, you have to keep in mind,
it's not only about tools. In fact, it's also about the organization.
So if you look at your project experience and the ratio of technology and organizational efforts, how would you rate this, on average? I would say for ideal deployments, it's probably 40% organizational efforts, 60% technology. The reality is that currently in the market, if you take the Global 2000 companies, only 15% kind of are following that ratio. The remaining number is still at about 90% organizational efforts and only 10% technology. Okay.
You've talked about cloud computing a little, and you've shown some figures from surveys where a lot of people claim that cloud computing improves their information security. However, can cloud computing really increase security as long as we don't have insight into the real risks of cloud services and what cloud providers are doing? I agree with that. I think it's again another myth. It's a misconception that if I move my IT infrastructure into the cloud, I'm more secure.
I've heard that around the current movement in the US government, they will be moving a lot of their data centers into the cloud and say that this is reducing the risk, it's increasing security, because they're limiting the attack surface. But I think we're a little bit blindsided here based on the fact that we're heavily relying on service level agreements. A lot of times we don't really know what the security practices of our cloud service provider are.
And that's something where the Cloud Security Alliance and other organizations are really trying to work on new standards, how to approach that. Yeah. And the first step, I think, is you have to look at a cloud readiness assessment, really doing a deep dive into what a cloud security service provider is doing. And then secondly, and that's difficult from a data privacy perspective,
I think at one point we have to come to a way that organizations can, on an ongoing basis, monitor the security practices, the remediation actions, the vulnerabilities and threats of the cloud security service provider, because if you're completely staying out of it, the risk that you're facing if there's a data breach is tremendous. As I pointed out, the end user, your customer, doesn't care if you outsourced your environment to a data center. They're your customer and they will blame you, not the data center. Yeah.
They probably even blame you more when you say you have outsourced it and something's gone wrong. You know, I think those are fair points. And I think the other thing which I see around cloud is, what you also need is a way to quickly, easily and in a standardized manner evaluate whether we know enough about the security of a cloud provider to select this service. So that's probably reducing what the CSA provides with their hundred-something-question lists to sort of the tool approaches I have been talking about quickly.
So really saying, okay, how can we put this into a standard risk measurement? If we put in all the standard things we have to look at, I think we will end up with a realistic view of cloud services, which might then say, okay, it's the better choice or not, instead of saying, okay, cloud appears to be more secure, because that's again too coarse. And so I think that's what you really should look at. So I think we are approaching the end of the hour. We are close to the top of the hour.
So if there are no further questions, it's up to me to say thank you to all the attendees of this KuppingerCole webinar and to say thank you to you, Mr. Georgie, for presenting this webinar. Thank you. Thank you, Martin. And for everybody on the line, I wish you happy holidays and a prosperous New Year. Thank you. Bye. Thanks.