Intelligent CIO Middle East Issue 47 | Page 71

GCC needs stronger resilience strategies in place, says Booz Allen Hamilton

Annual spend on data security breaches is far ahead of the global average; however, GCC organisations take longer than their European counterparts to contain a breach, a report from Booz Allen Hamilton says.

Organisations in the GCC must make resilience an integral part of their threat mitigation strategy to ensure that essential functions are restored after disruptive events, a report by Booz Allen Hamilton has revealed. GCC organisations are already spending approximately US$3.5 million per year on identifying and restraining data security breaches, far ahead of the global average of US$2.1 million. Despite such enormous spends, GCC organisations take longer than their European counterparts to contain a breach, with the average reported time in the GCC standing at 260 days, compared to 138 days in Europe.

Jay Townsend, Principal at Booz Allen Hamilton, said: “Investing in robust threat mitigation strategies and resilience response could reduce organisations’ exposure to threats that result in untoward incidents. GCC governments have recognised this and, over the past decade, have begun to implement systems and programmes to help navigate uncertainty and enhance preparedness and response capabilities. But they need to take this a step further and make it part of the strategic corporate and national agenda.”

To reduce this gap, GCC governments are equipping organisations in the region with the necessary tools to build resilience across industries. For example, the UAE’s Regulation and Supervision Bureau (RSB) published a set of business continuity management regulations relating specifically to drinking water, wastewater and electricity services in Abu Dhabi. The UAE has also developed several plans to manage emergencies, such as the National Emergency Plan for the Telecom Sector.

Booz Allen Hamilton outlines the following well-conceived ‘resilience equation’ that protects organisations against potential shocks; focuses on being proactive; helps to explore options for dealing with surprises and changes; and defines resilience objectives and guiding principles. The resilience equation comprises Risk Management (RM), Continuity Management (CM) and Testing and Exercises (T&E). Together they provide a holistic view for organisations to thrive and grow through changes and disruptions.

1. Robust risk management programme. Organisations must consider an RM programme to identify and assess risks across the entire organisation and to help with the implementation of risk management strategies. A sustainable risk management programme covers eight focus areas, including governance; organisation and decision process; strategy and policy; risk appetite and tolerance; processes and tools; culture and communication; performance monitoring; and business intelligence.

2. Continuity management. A CM system is capable of absorbing disruption and provides backups and fail-safes, including mechanisms for rapid response designed to restore operating capacity. It covers the following key areas: emergency management plan; crisis management plan; continuity of operations plan; and IT Disaster Recovery plan.

3. Testing and Exercises. These are T&E plans and procedures that are capable of revealing weaknesses and gaps and that improve organisational co-ordination, clarify roles and responsibilities, and create a unique learning environment. The best way to prepare for the unforeseen is by assessing strategic options and tactical plans through testing and exercises. T&E unlock benefits associated with building preparedness and sustaining performance.

Rosa Donno, Senior Associate at Booz Allen Hamilton, said: “GCC organisations are already on the right track to building resilience, but they need to be more aware of their future threats and current weaknesses, so that they can take informed strategic and tactical decisions that can be applied across the full spectrum of sectors and industries region-wide, in order to prepare for risks and respond effectively to internal and external events.”