royal dutch shell

CUSTOMER Q + A
ROYAL DUTCH SHELL
Royal Dutch Shell Gains A Competitive Advantage
By Deploying RSA For GRC
AT-A-GLANCE
Challenges
Results
– Many manual legacy GRC processes
– Inconsistent implementation of GRC controls
– Inability to consistently measure GRC compliance
– More cost-effective and efficient GRC processes
– End-to-end GRC platform provides Royal Dutch Shell
with a competitive advantage
“We're introducing RSA Archer to project managers. The day they walk in the door and are told
‘this is your new project’, they can do their business impact assessments and leverage work
flow to contact our risk and control staff to review the work that they've done. This way, they
can better understand the risks. They can take controls that have been agreed at an enterprise
level and, using Archer, bring them straight into their project.”
KEITH HERNDON, MANAGER OF COMPLIANCE & INCIDENTS
Royal Dutch Shell, commonly known
What is your role at Royal Dutch Shell?
as Shell, is a multi-national oil and
My name is Keith Herndon and I'm the
manager of compliance and incidents for
Royal Dutch Shell. I work in the global
information risk management department.
We're responsible for our IT assets and
services.
gas company headquartered in the
Netherlands and incorporated in
the United Kingdom. Created by the
merger of Royal Dutch Petroleum and
UK-based Shell Transport & Trading, it
is the second largest company in the
world, in terms of revenue, and one of
the six oil and gas "supermajors".
What are your main business
objectives and how does GRC impact
them?
Governance, risk and compliance, or GRC, is
a critical element for us. We are operating in
very difficult environments, and legal and
regulatory requirements are important. It’s
important for us to know what our risk
posture and appetite are, and to be able to
communicate them.
What challenges were you facing
before RSA, and what was the primary
business need behind the deployment?
ABOUT RSA
RSA’s Intelligence Driven Security
solutions help organizations reduce
the risks of operating in a digital
world. Through visibility, analysis,
and action, RSA solutions give
customers the ability to detect,
investigate and respond to
advanced threats; confirm and
manage identities; and ultimately,
prevent IP theft, fraud and
cybercrime. For more information
on RSA, please visit www.RSA.com.
CONTACT US
To learn more about how RSA
products, services, and solutions
help solve your business and IT
challenges contact your local
representative or authorized reseller
— or visit us at www.RSA.com
Before we deployed RSA Archer, we were
living in a world of slide decks and
spreadsheets. We are a global organization
with global challenges, and yet were trying
to use a common IT-controlled framework.
So the question that we had was, were we
implementing our controls consistently?
Were we able to measure our compliance
consistently? Were we able to make sure
that we had the same processes being rolled
out globally? We needed a common
platform that worked across multiple
businesses and multiple geographies.
What is the typical GRC process now
that you have implemented RSA?
The first thing that we do is to interact with
business owners to really understand what
the risk is of a particular application or
service being lost in terms of integrity,
availability, and confidentiality. Once they
really understand that risk, we then identify
the controls that are required to mitigate
that risk. We then move into a compliance
function that asks, did you implement those
controls effectively?
Following the deployment of the RSA
solutions, does your GRC strategy now
provide a competitive differentiator for
Shell?
I believe the strategy that we now have
around GRC really does make a difference in
terms of Shell getting into new
organizations, new adventures and new
joint ventures, because we're able to
demonstrate to the business or a potential
business operator that we are in control. We
can show them what we're doing not just in
terms of controls and risk, but also in terms
of the work that we're doing, in terms of
security, threats and vulnerabilities and
incident management. Having that whole
suite of applications and being able to look
at the whole GRC end-to-end, really is a
competitive advantage.
So how does your GRC strategy align
with your business plan now?
We’re actually moving Archer into the hands
of our project management community.
Given the size and scale of our organization,
we literally have thousands of IT projects
and so we’re introducing RSA Archer to
project managers. The day they walk in the
door and are told ‘this is your new project’,
they can do their business impact
assessments and leverage work flow to
contact our risk and control staff to review
the work that they've done. This way, they
can better understand the risks. They can
take controls that have been agreed at an
enterprise level and, using Archer, bring
them straight into their project.
What's been the measurable impact to
your business from standardizing your
GRC strategy around RSA?
If I think about some of the metrics that
we've been able to capture associated with
the implementation of RSA, there's a pretty
long list actually. It's issues associated with
efficiency and effectiveness, first of all. It's
issues around standard processes. But more
specifically, we've been able to save money
because we've been able to conduct
offshore testing. We've been able to have
third parties come in and look at our
evidence.
To view the full video interview, go to http://www.emc.com/link
©2014 EMC Corporation. All rights reserved. EMC, the EMC logo, RSA, the RSA logo and Archer are the property of
EMC Corporation in the United States and/or other countries. All other trademarks referenced are the property of
their respective owners. SHELL QA 1014