Post on 21-Aug-2020


Going Digital? For sure, but with Assurance please!

A holistic CIO Perspective on the necessary Risk assurance towards going Digital

#IoTDS

Luc Verhelst

Leading Digital and ISACA certified Risk Adviser

CIO at Metallo Group

Agenda

• IIoT and Industry 4.0: where does all this fuss suddenly come from?

• But why should the CIO embrace going Digital?

• Why should we care about Risk when evaluating value?

• The Industry 4.0 Frameworks and Methodologies

• The Project Failure and Enterprise Architecture Challenges: how Risk fits into this

• IT Risk in detail

• Wrap-up / Q&A

BIO: Luc Verhelst

Luc Verhelst is an experienced CIO, Digital Consultant and IT Risk Adviser.

Luc currently holds the position of CIO at Metallo Group.

Before that he was CIO of the EMA, the European Medicines Agency, based in London, responsible for the supervision of medicines within Europe.

Previously Luc held CIO roles at leading companies in finance, media, healthcare and logistics.

Luc is also the honorary chairman of MIT-Club, a leading Belgian CIO community that exchanges CIO knowledge and experience.

Luc is ISACA certified (CGEIT) and specialised in Digital Strategies, with a focus on IT governance, Architecture and specifically the IT Risk domain.

IIoT and Industry 4.0: where does all this fuss suddenly come from?

54%

But why should the CIO embrace going Digital?

In the Industry 4.0 era the worlds of OT and IT are coming together

Data is your most important resource?


The Challenge: The Amount of Data? Or the Risk?


But why should we care about Risk?

Why should we care about Risk when evaluating value?

Organisations are changing… Fast… Faster than ever

• No Value without proper Risk Management

• We need to balance Value, Change and Risks

Risk has many flavors


Risk versus Agility and Speed

COBIT IT Risk and IT Security Framework as an example

“Denial is not a river in Egypt”


The Industry 4.0 Frameworks and Methodologies

PwC

The McKinsey Digital Compass


Bain & Company


Often focused on prototyping, measuring and demonstrating value

The Project Failure and Enterprise Architecture Challenges: how Risk fits into this

Enterprise Architecture Framework

• Business

• Application Architecture

• Technical Architecture

• Infrastructure Architecture

• Data

• Risk

• Project Management Risk

Not a lot of POCs really become successful. Why do most IoT projects fail?

• People & culture
  • Poor collaboration between IT, OT and Business
  • Culture that focuses too much on Technology
  • Lack of Expertise

• Process – going it alone
  • What looks good on paper proves to be too difficult

• Tie success with the Business
  • Go with hard numbers, go for ROI within 1-2 years
  • Provide easy systems, “operational centric”
  • Get Value from Data and from the People…

• IT Risk – IT Security delays the project!
  • We will solve this later!
  • What about IT Risk by design?

IT Risk in detail

Overall IT security concept influenced by many different business inputs

Inputs for overall security concept

• ISO standards
  • ISO 27000 standards family for IT Security
  • ISO 27036 standard for external suppliers

• Other int’l standards
  • e.g. SOX…

• COBIT
  • ISACA methodology applied by auditors and governance experts
  • Focus on IT Risk as one of the basic pillars of Enterprise IT

• Regulatory
  • Existing regulatory obligations, e.g. GDPR

• Global best practices and vendor initiatives
  • Internal guidance

• Risk appetite and Board guidance
  • (Financial) feasibility, internal culture
  • Internal audits

Start with your IT Security Policy

• Security policy based on international standards (ISO 27001)

• Body text + practical appendices (Terminology, Procedures, Mobile Devices, Data Breach notification Process…)

• You can have different versions, following your implementation progress
  • Version 2016
  • Version 2017
  • Version 2018 …
  • Version 2019 …

• The Policy serves as the heart of YOUR interpretation and implementation of IT Security within your Organization

• Your Policy contains many Chapters:
  • IT security policy overview
  • Organization of Information Security
  • (digital) Asset management
  • Access control
  • Encryption
  • Policy & standards
  • Communications
  • Incident Management
  • …

A possible IT security framework

Gradually implementing your IT Security Roadmap: be Pragmatic

IT security roadmap implemented over time

Phases: Preparation phase, Phase 1 – Foundation, Phase 2 – Growth, Phase 3 – Finalise

Initiatives, in roadmap order:

• Initialise

• Address vulnerabilities

• Security Policy

• Information classification

• Other initiatives

• Extended Policy

• Initiative N, Initiative N+1, Initiative N+2

• Further initiatives…

Questions?

Thank you