Skip navigation
All Places > Products > RSA Archer Suite > Blog
1 2 3 Previous Next

RSA Archer Suite

296 posts

In my last blog "Translating Security Leadership into Board Value" I introduced RSA's most recent Security for Business Innovation Council report along with the concept of Business Driven Security.  A business driven security strategy is of great value to existing CISOs, information security leaders and the organizations they serve.


To explore business driven security concepts a little more, imagine that you have just accepted a job at a different company, to be responsible for the company’s entire information security program.  You know very little about your new company except what you have read on their website, via Google searches, and from published financial statements.  You are very excited to start your new job and you know your first priority is to complete a preliminary assessment of information security in a very short period time. 


On day one, you know you don’t know:

  • The information most important to the organization;
  • The information security regulations imposed upon your organization;
  • How much important information needs to be protected;
  • Where the important information resides inside the organization and with third parties the organization does business with;
  • What technical and organizational measures the organization has in place to manage and monitor information risk;
  • Whether the technical and organizational measures that are in place are commensurate with the level of information security risk; and
  • Whether technical and organizational measures are designed and sufficient to tell you the potential impact to the organization should the measure fail, a vulnerability arise, or breach occur.


By utilizing RSA Archer and consistently applying risk management principles such as those outlined in ISO 31000, you are able to build the foundational elements of a business driven security strategy for just about any type of information that is important to the organization whether it is intellectual property; imposed by contractual obligation, such as PCI; or imposed by regulations such as GLBA or EU-GDPR.


The following diagram provides a condensed view of where RSA Archer would be used to enable a business driven security strategy.  RSA Archer is used to document the identification of information at risk, assess inherent and residual risk around the information, evaluate the acceptability of the risk; document the technical and organizational measures to mitigate risk; document decisions regarding the acceptance of risk; performing control tests; and to monitor the on-going risk profile, related key risk and control indicators, and outstanding risk issues to be remediated.  Lastly, RSA archer is used to capture vulnerabilities, incidents, and control gaps, provide insight into their business context and the amount of associated risk so that problems are remediated based on their priority and significance.



By utilizing RSA Archer as your foundation for Business Driven Security you are able to answer the questions you set out to answer.  You now know:

  • What information is most important to the organization;
  • What information security-related regulations are imposed upon the organization;
  • How much important information needs to be protected;
  • Where the important information resides inside the organization and with third parties
  • What technical and organizational measures the organization has in place to manage and monitor information risk;
  • Whether the technical and organizational measures in place are commensurate with the level of information security risk;
  • Whether the risk treatment measures are designed and sufficient to tell you the potential impact to the organization should the measure fail or indicate that a vulnerability or breach has occurred; and
  • Whether the information security risk profile is changing and why it is changing


All of this information informs your conversation with executive management and the board.  You are able to articulate the amount of risk in business terms, justify security expenditures, and state how much various breaches might impact the organization, should they occur.  Finally, with your documentation and methodical approach, you are able to demonstrate to all of your stakeholders, including regulators, that you have a sound, logical, and defensible risk-based approach to information security.


CISOs find themselves increasingly engaged directly with their Board and Executives because the Board and Execs see the volume and impact of security incidents increasing.  In fact, Oxford Economics just reported that serious breaches permanently shave nearly 2% off public company value.  This is in addition to the substantial expense ($4 million per breach on average) and turmoil organizations experience when incidents do occur.  Executives and Boards are left wondering if management understands the risk – where it resides, how much it is, and whether it is being adequately addressed. 


When CISOs get the call from their boards and Execs, they are often not able to answer these questions and to converse in a way the Execs and Board want.  CISOs are extraordinarily adept at understanding security risk that arises around the technologies employed by their organization but translating their technical understanding into business terms can be difficult.  Communicating technical risk into business risk is a paradigm shift for most organizations.  Effective information security programs are becoming “Business Driven Security” programs.


RSA just released a Security for Business Innovation Council Report regarding this problem, “What Boards Want to Know and CISOs Need to Say” that discusses the translation of security leadership into board value.  A Business Driven Security strategy is core to the translation of CISO technical expertise into Board terminology but it also enables CISOs to better understand where they should implement technical and organizational measures to protect the most important information to the organization.  This understanding can be more easily conveyed to the Board and executive team before spending millions of dollars on security initiatives and human resources.  It provides the what, where, how, and why they are spending the money, that it's being spent properly, on the biggest risks, and that there are procedures to monitor that the spend has been effective.  In my next blog I will describe how you can use RSA Archer to drive a Business Driven Security strategy.



Looking for information on Archer and how to get the most out of it?  The Archer Information Design and Development team (formerly known as Technical Publications) has your back.  I’m Elizabeth Wenzel, and I have the pleasure of managing a talented team of content developers that are working hard to deliver the information that you need to get the most value out of your Archer investment.


We are currently working to not only strengthen and deepen the coverage in the existing documentation but also to add additional content and manuals to help you on your business-driven security journey with RSA Archer. Of course, having a lot of material to use is both a blessing and a curse – you know that the information is ‘somewhere’ but where?  This is where the new RSA Archer Navigator 2.0 comes in.


Use the Navigator on RSA Link to filter the Archer assets by your role and expertise in using Archer, the area you are focused on (Platform, Use Cases, and so forth), and the product version. Navigator shows you the assets that meet your filter criteria, allowing you to jump right in and get the right information so you complete your task.


While all of the documentation content, other than technical content (installation, sizing, and Archer Control Panel) is included in the Archer online Documentation system built into the Archer product, we’ve anticipated that you may have the need to access that information in a printable book format (PDF) – all of the content in the online Documentation is also available within PDF guides (the same content in two formats): What’s New Guide, Platform Administrator’s Guide, User Guide, RESTful API Guide, and Use Case Guides.  Combine these with the technical documents such as Installation and Configuration Guide, and it adds up to a lot of content at your disposal! Now, I recommend you use the Navigator to hone in on just what you are looking for. If we’ve missed something, we have even provided an easy way for you to share this with us, right on the Navigator home page.


We hope you agree that the Navigator 2.0 a helpful tool; find your path to success with the RSA Archer Navigator 2.0


Watch the RSA Navigator video to maximize your Navigator experience. 

So time flies… It seems like yesterday when the RSA customer community gathered in New Orleans to share experiences and learn new tactics and strategies. 2017 marked the 13th year of the RSA Archer user community summit and believe it or not, year number 14 is just around the corner.   Last week, we announced the call for speakers for RSA Charge 2017 and I cannot wait to start seeing the speaker submissions flowing in.  

We have put together a stellar team to construct the learning tracks to optimize your experience. As content chairperson for the RSA Archer portion of RSA Charge, I have the privilege of seeing this process unfold. While this will be my 9th user group conference with RSA and Archer, it is still inspiring to hear you tell the stories of your successes - how you overcame challenges or leveraged an innovative approach to deliver strategic value to your organization.

If you are contemplating submitting a session, know that this is a very rewarding experience. Presenting to your peers can be a bit unnerving but the satisfaction and return is well worth it. To teach others is to learn about oneself. Thinking through your experiences, applying your new found knowledge and acknowledging your successes and lessons learned is as much of a benefit as imparting your wisdom to others.

A few topics come to mind as food for thought if you are looking for ideas:

  • We always welcome stories about how your long term strategies unfolded in your companies. Our Take Command of Your Risk Management Journey track is dedicated to hearing how you built your plans, gathered forces and conquered the difficult path that risk and compliance efforts can sometimes take.  
  • As the market moves toward concepts of Integrated Risk Management, the Inspire Everyone to Own Risk track needs content focused on engaging all lines of defense to manage risk. How your company is blending different risk initiatives - Operational Risk, Resiliency, 3rd Party Risk and Audit – is a topic of keen interest.
  • We can’t forget the Compliance world either. Many of your GRC and risk management efforts were borne out of compliance drivers and our Transforming Compliance track is THE place to tell your tale. One topic that keeps coming up is the impending General Data Protection Regulation (GDPR). Any story of how your organization was better prepared for GDPR or any new regulation based on the RSA Archer implementation is a great learning topic for all participants.
  • And what RSA user group conference is not complete without stories of how IT & security risk is being managed. RSA Archer has a great legacy when it comes to helping IT & security teams manage risk processes. Vulnerability and threat management, security incident processes, IT compliance and general IT risk strategies are top of mind subjects for every organization today and perfect for the Managing Technology Risk in Your Business track.
  • Last but certainly not least are the RSA Archer Technical Tracks. This is where the innovation, creativity and expert chops of RSA Archer administrators come to the forefront.   The topics in these tracks range from inventive workflows to state-of-the-art API integrations and more.

I invite all of you to take a look across your implementation of RSA Archer and pull out those nuggets to share with your peers. RSA Charge is the perfect venue to help others navigate their own challenges. Hope to see and hear you in Dallas!

Check out our webinar in preparing to submit your proposal.


Believe it or not, the RSA Charge 2017 event is only six months away, Oct. 17-19 in Dallas at the Hilton Anatole. Visit the RSA Charge microsite, now open!


For those of you thinking about participating in the event as a presenter, RSA is offering two webinars with valuable guidance and insight on ‘What You Need to Know About Submitting Your Speaker’s Proposal’ for the 2017 Charge event.


You will not want to miss this opportunity to hear directly from the Program Committee leaders who will be making their selections and to ask your questions.


To accommodate RSA’s worldwide audience, the webinars are being offered twice; registration is not required – click the links below 10 minutes before the start to join the webinar of your choice:


Monday, April 24 @ 11:00 am (EDT)


Thursday, April 27 @ 9:00 am (GMT +8, Singapore)*

*This webinar will be live at 9:00 pm, April 26 for those not able to attend the April 24 webinar


To help you get those creative juices flowing, the following 2017 Submission Tracks have been identified for RSA products; for full session descriptions please see attachment:


Security Operations, Identity, Anti-Fraud

  • Detecting and Responding to the Threats That Matter
  • Identity and Assurance
  • Reducing Fraud, while Not Reducing Customers
  • Secrets of the SOC


Governance, Risk and Compliance

  • Inspiring Everyone to Own Risk
  • Managing Technology Risk in Your Business
  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • RSA Archer Suite Technical
  • RSA Archer Suite Advanced Technical


We hope you’ll join us at one of the RSA Charge 2017 webinars, What You Need to Know About Submitting Your Speaker’s Proposal.’ Remember, registration is not required.  


RSA Charge 'Speaker' Submission Form is now live - check it out today! 

Marshall Toburen

Completing the Puzzle

Posted by Marshall Toburen Employee Apr 14, 2017

In a previous blog I reviewed the real world pay back for being a risk leader.  Let’s say your company gets it, they know that good risk management increases the likelihood that objectives will be fulfilled and profits improved, and now you’ve been given the assignment to start the risk management program and make your organization a risk leader.  Where do you start, how far do you take the program, and how do you get from start to finish? 


Today, most organizations operate based on a complex interrelationship of business processes, technology, telecommunication, supply chains, and outsourced activities.  Putting the puzzle pieces together may not be easy in your organization.  No one talks about risk the same way.  Capturing the pieces and analyzing and understanding them is challenging, and it is difficult to convey them to the boss in a consistent manner with the limited resources you have available, within the deadlines you have been given.


Since our inception we have worked with thousands of companies to help them build a risk and compliance program tailored to their most pressing needs.  We have learned that most organizations just starting out tackle the same problems and follow the same general path.  We have consolidated these pieces into the RSA Archer Ignition Program.


The RSA Archer Ignition Program is a fast track, economical, approach to launch the foundational elements of a business risk management strategy to help organizations get up and running as quickly and easily as possible.  The ignition program includes:

  • The ability to catalog and monitor Risk, to establish a strategic method to understand risks across the enterprise;
  • The ability to identify and track Third Parties used by your business to understand the emerging ecosystem that affects risk;
  • A process to manage Issues that arise from audits, risk assessments, and internal compliance activities;
  • A Business Impact Analysis framework to quickly catalog and prioritize assets and business processes to build the context to connect risk and prioritize technical and organizational risk treatment measures;
  • Fixed-price deployment and quick launch professional services to let you quickly stand up your environment; and
  • Insights and best practices from RSA University.


In my prior post, I discussed the Risk Catalog component of the RSA Archer Ignition Program.  With organizations outsourcing so much of their business activities these days, it is also a critical, foundational component, to understand and manage these outsourced relationships.  As part of the RSA Archer Ignition Program, the RSA Archer Third Party Catalog allows you to document all third party relationships, engagements, and associated contracts, as well as the business units and named individuals in the organization that are responsible for each third party relationship. With RSA Archer, you can understand the significance of your outsourced relationships. You can report on all third party information, including profiles, engagements, third party business hierarchy, internal contacts, facilities, third party contacts, and more within a single repository.

Key Features of the RSA Archer Third Party Catalog allow you to:

  • Catalog organizational elements of your business for third party reporting
  • Catalog suppliers, partners, service providers and other third parties
  • Capture important details related to third parties, including contracts
  • Map internal business units to third parties
  • Manage contacts with third parties
  • Efficiently manage your third party relationships
  • Establish accountability for each third party relationship
  • Track exceptions related to third party relationships


With the RSA Archer Third Party Catalog, you can:

  • Obtain Awareness of all third party relationships throughout the organization
  • Reduce time spent identifying third party relationships and contracts
  • Build awareness of manager’s Accountability for individual supplier relationships and quickly identify relationship owners
  • Track contract terms, including notification of key contract events such as contract obligations and renewal and expiration dates


The RSA Archer Ignition Program empowers organizations of all sizes to complete the puzzle, to respond to risk with data-driven facts using a streamlined, fast time-to-value approach.

I’m glad the world didn’t end during DRJ Spring World 2017 conference last week, because over 1,000 of the world’s business continuity and disaster recovery specialists were there!


It was another great conference and I had the pleasure of presenting on building resiliency across the organization’s value chain and the key relationship between business resiliency and operational risk management. Both topics were on the minds of attendees as shown by their questions:


  • Outside of surviving a high profile disaster, how do we make customers understand the value that our resiliency program adds to our product or service?
  • If the company has a critical Third-Party vendor and that vendor outsources, who owns the relationship and the potential risk exposure?


Also, over 20% of the sessions at DRJ dealt with resiliency or risk which shows experts are thinking about the importance of business resiliency on the organization and how risk should be considered more broadly than just recovery.


I mentioned in a previous blog, Driving Resiliency Through Operational Risk Management, that there is a direct correlation between driving business resiliency (versus recovery only) and operational risk management (ORM). I believe collaboration between ORM and business continuity programs is a precursor to improving business resiliency, and the top three reasons are:


  1. The bigger picture – looking outside typical business continuity type risks, like natural or man-made disasters, broadens our horizon. Considering the potential risk and impacts from supply chains, reputation impairment, social media, regulatory compliance, or even the risk culture within the organization highlight new risks that could have larger affects on the organization’s resiliency that were never dealt with before. Coupled with a view across the value chain, resiliency teams are better able to anticipate how these new risks might impact the going concern of the organization.
  2. Aligns the Forces – the ORM “umbrella” by its very nature aligns risk functions across the organization, including their methodologies, approaches, resources and outcomes. The key is ORM gets these separate functions on the same page, working together, aligned on priorities, and striving toward agreed upon and appropriate outcomes. Individuals or siloed groups trying to manage risk may feel that their efforts don’t affect the outcomes, but a larger, more coordinated approach does.
  3. Drives Risk Maturity – as risks become more complex, fluid and pervasive, risk approaches need to mature to enable the organization to become resilient to those risks. ORM is a discipline that continues to evolve and mature, unlike siloed risk functions in every organization that attempt to deal with risks reactively, as best as they can. Every organization should evaluate their holistic risk management capabilities against a maturity model (refer to my blog above), determine where they currently stand and what the end goals is in terms of risk maturity.


Organizations that are able to align siloed risk functions under the auspices of their ORM programs have a better chance to become risk-proactive, even opportunistic. As ORM and Business Resiliency are considered together and measured against the bigger picture of the organization’s value chain, functions like business operations, business continuity, supply chain management and internal audit can understand the risks that impact their organization and implement better measures to ensure the resiliency of the organization.


Send me your comments at or connect with me @pnpotter1017.

Many of you know that implementing an effective governance, risk, and compliance program can be a costly and time-consuming effort: Hardware, software, and the active engagement of a lot of people in the 1st, 2nd, and 3rd lines of defense.  Before implementing a program and periodically throughout the life of the program, the question always arises from senior management: Is this REALLY worth the cost and effort?


I have very good news for you. The return on investment (ROI) in implementing a GRC program using RSA Archer is probably better than most any other investment your organization can make!


Over the past 5 years we have engaged three independent assessments of the ROI of RSA Archer.


The first independent analysis of RSA Archer customer ROI was conducted by Forrester in April, 2012. This analysis showed a 3 year composite ROI of 572%.  Even we were stunned and a little skeptical of Forrester’s estimate.


In November, 2014, GRC 20/20 took a look at one of our largest financial institution customers and confirmed that they were achieving annual savings in excess of $1.5 million / year while increasing assessments 317%, without increasing staff.  We were feeling a little more confident that the ROI was huge.


Finally, just last month, IDC completed an independent analysis of a cross section of Archer customers and concluded that the 5 year ROI related to their Archer implementation was 496%; with average annual benefits of $4.1 million per organization, or $17,931 per user.  That represents a payback period of only 11 months!


The IDC Report attributes the ROI of RSA Archer to 3 factors: improved risk mitigation, greater business productivity, and IT infrastructure cost savings.  I encourage you to read the IDC report.  Your organization’s results might vary based on the scope of your program but you will be able to see the individual breakout for each of the areas where they identified positive returns:

  • Network security breach response
  • Auditing
  • Disaster recovery management
  • Third-party risk management
  • Risk management assessments
  • Regulatory compliance


Whether you have a small program or a large, mature program, it is safe to say that you are probably seeing a significant, positive return on your investment in Archer.  Based on these independent assessments, upward of 500%.  If you don’t believe it, try estimating your own ROI.  I explain how to estimate your ROI in an earlier blog and we have made a template available for you to do so.

Marshall Toburen

Capture the Prize

Posted by Marshall Toburen Employee Apr 5, 2017

Risk is the effect of uncertainty on objectives.  Organizations that manage risk well increase the certainty that their objectives will be achieved.  Not surprisingly, organizations that lead in the management of risk “capture the prize”.  They more frequently achieve their objectives and are actually more profitable and less likely to experience a negative profit margin than those organizations that don’t manage risk well. 


                    Source: PWC 2015 Risk in Review Survey

Pretty compelling stuff, right?  You would think that everyone would be chasing this certain prize.  Yet, there are still a lot of organizations that think it too difficult and time consuming to set up a basic risk management program.  With this in mind, earlier this year we
announced the RSA Archer Ignition Program – a fast track approach to launch the foundational elements of a business risk management strategy to help your organization get its program up and running as quickly and easily as possible.  The ignition program includes:

  • The ability to catalog and monitor Risks to establish a strategic method to view and understand risks across the enterprise;
  • A process to manage Issues from audits, risk assessments, and internal compliance processes;
  • A Business Impact Analysis framework to quickly catalog and prioritize assets and business processes to build the context to connect risk and prioritize technical and organizational risk treatments;
  • The ability to identify and track Third Parties used by your business to understand the emerging ecosystem that affects risk;
  • Fixed-price deployment and implementation services to let you quickly stand up your environment; and
  • Insights and best practices from RSA University.


A central element of the RSA Archer Ignition Program is the RSA® Archer® Risk Catalog.  It provides the foundation to record, assess, and track risks across your enterprise, and establish accountability by named first and second line of defense managers. It provides a three-level rollup of risk, from a granular level up through enterprise risk statements. Inherent and residual risk can be assessed utilizing a top-down, qualitative approach, with assessed values rolling up to intermediate and enterprise risk statements.

Key Features

  • Consistent approach to documenting risk, assigning accountability, and assessing risks
  • Oversight and management of all risks in one central location
  • Ability to understand granular risks that are driving the big risks across your enterprise
  • Consolidated list of prioritized risk statements


With RSA Archer Risk Catalog, you can:

  • Obtain a consolidated list of the organization’s risk
  • Enforce a consistent approach to risk assessments
  • Prioritize risks to make informed decisions about risk treatment plans
  • Create accountability for the ownership of risks


The RSA Archer Ignition Program empowers organizations of all sizes to respond to risk with data-driven facts using a streamlined, fast time-to-value approach. Contact us to learn how we can help you capture the prize.



Looking for more information on the RSA Archer Use Cases?  The new RSA Archer Navigator 2.0  can help guide you to a ton of useful information that can help organizations that are in the midst of integrating their business processes into Archer.


From the Navigator, select  “Solutions and Use Cases” from the Focus menu to discover some outstanding Use Case-focused materials that you and your team members can leverage to better understand how to get started including architectural design requirements and installation requirements.    You can also access 3-5 minute videos demonstrating various Use Cases using RSA Archer.   And, you can take advantage of the various On Demand training options that explore the RSA Archer Use Cases.    Consider taking one of the “Deep Dives” where you can see a video demonstration, a mock planning session that can provide some best practices, and access to hands-on practice with all use cases within a virtual lab environment. 


Enjoy your journey with RSA Archer Navigator 2.0.





I recently had the pleasure of presenting with a panel of RSA Archer customers on the topic of “Building Resiliency Across the Value Chain” for a Disaster Recovery Journal webinar.


Two key questions were posed to the 80 attendees. The first question was: “Where is your organization on the business resilience scale?”  The responses were:


  • Recovery only (5%)
  • Mainly recovery with some focus on resiliency (53%)
  • Mainly resiliency with some focus on recovery (18%)
  • Very resiliency-oriented (18%)
  • Other (5%)


The second question was: “How closely do your business continuity/IT disaster recover/crisis management teams work with or integrate with operational risk teams?”  The responses were:


  • Not at all (2%)
  • Sporadic discussions when required (32%)
  • We are working with ORM more and more (28%)
  • BC/DR/CM is well aligned with or a part of ORM (32%)
  • Other (6%)


90% of respondents indicated they are addressing resiliency at some level, and 92% have BC/DR/CM teams integrated with operational risk management (ORM) teams. The alignment of responses to these two questions is no coincidence.  There is a direct correlation between business resiliency and effective risk management that more and more organizations are benefitting from as they continue to mature their operational risk management and business continuity or resiliency programs.


What does GRC maturity look like? The RSA Archer maturity model defines three stages for GRC maturity:


Diagram 1 – RSA Archer Maturity Model


As organizations mature their operational risk management programs, their business resiliency capabilities grow as well, often due to three factors:  


  1. Methodologies – deploying risk assessment and treatment approaches (e.g., ISO 31000) and common business impact analyses (BIA) consistently across the organization
  2. Priorities – consistently applying common methodologies drives more aligned priorities and higher consensus 
  3. Actions – clear priorities drive better understanding, prioritization, and execution


These three factors initiate proactivity, consistency, and alignment in both the risk management and resiliency practices and culture of the organization.


Risk management is, by its very nature, a proactive practice, as is business resiliency. The two go hand in hand.


For comments, contact me at or @pnpotter1017.

Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:


  • 'A storm in a teacup' – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings
  • 'A storm in a glass of water' - Netherland
  • 'Tempest in a potty' - Hungary
  • ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ - England


Of course my seven year old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.


Most organizations perform some type of risk management activities. They usually include identifying risks that could impact the organization and its reputation, profitability or strategies; or its key assets, business processes, IT systems and locations. Once the most potentially impactful risks are identified and analyzed, they are treated with controls and other mitigation activities to drive down the residual risk within the organization’s tolerable risk limits. This is all well and good, but what if the elements of the organization (e.g., business processes) that the risk could impact are not that critical and how do you know?


Let me give you a simple example. A cyber attack could potentially impact both an organization’s financial and non-financial systems. The financial system is probably more important to protect, right? Oftentimes, organizations have no reliable way to identify what is critical versus non-critical causing them to spend the same level of time, attention and resources to protect the less critical areas; this is the ‘tempest in a teapot’ syndrome.


It stands to reason that the organization should have a methodology to identify what is critical so that risks can be properly treated relative to what they might impact. Some impact areas and their importance are obvious, such as inputs into the organization’s most important product or service. However, there are so many moving parts to today’s complex enterprises that there must be a methodical way to identify, analyze and prioritize what is truly critical to protect. This methodology is a business impact analysis, or BIA.


A BIA is a way to catalog and prioritize business processes and assets, building context to connect risk issues to business impacts. It is a well-known methodology inside business continuity (BC) circles as these teams have performed them for decades to determine what business assets are most important to recover after a disruption. More broadly, the BIA needs to be a prominent part of the framework of a good risk management program. However, often it is not and this is a common problem many organizations’ risk management programs experience.


To strategically address business risk, enterprises need a well-rounded program. There are specific areas to include to create a healthy and sound foundation for growth. RSA has implemented the RSA® Archer Suite Ignition program to help organizations do just that – establish a solid risk management program foundation focusing on four fundamental capabilities:


  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes. Check out my Issues Management blog: Facing a Tsunami of issues
  • A Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor risks to establish a strategic method to view and understand risk across the enterprise; and
  • The ability to identify and track third parties used by the business to understand the emerging ecosystem that affects business risk.


The RSA Archer Suite provides a common platform to address these processes. You can learn more about the program here: RSA Archer Ignition Program.


The Duke of Ormond's letters to the Earl of Arlington in 1678 put it best - "Our skirmish seems to be come to a period, and compared with the great things now on foot, is but a storm in a cream bowl."


The Duke must have had a good BIA such that he did not have to worry that his risk management program would cause him a 'tempest in a potty' (that was for you Elly ;). For comments, contact me at



We are pleased to announce that the latest version of the Navigator is ready for you to take it for a spin – kick the tires, put the pedal to the metal and see what the Navigator 2.0 can do to help you take control of your learning and power your path to Archer success.


RSA Archer offers a wealth of assets to help you achieve time-to-value with your Archer investment, from classroom to on-demand training through RSA University, to comprehensive user documentation, to technical videos.


But, this wealth of assets is also a double-edged sword  – how do you know which of these assets at your disposal is right for you, based on your Archer Role within your organization, and equally as important, your Level of Archer Expertise.


We took your feedback from the initial Navigator launch in October and incorporated many of your suggestions over the last few months into the new Navigator 2.0. We now have six filters to help you with finding the assets that are right for your Role and Level of Expertise. And, speaking of Level of Expertise, we changed the levels to Beginner, Intermediate, and Advanced; we also changed the Focus to more clearly define the content – General Product; Platform; Modules; Release Notes and Advisories; Solutions and Use Cases; Use Case Guides; Training; and Troubleshooting.  You can also filter the list of available assets by Version 6.x or 5.x, by Cost - free or fee, and by Media Type.


We hope you are pleased with these updates to Navigator 2.0.


We want to be a partner in your Archer success. May we ask once again for you to share Navigator 2.0 comments and feedback with us?  We will, in turn, continue our quest to make the final version of the Navigator, due mid to late 2017, a support tool that can provide easy viewing and functionality on today's popular digital products such as tablets and phones, as well as on RSA Link.


In conclusion, if you don’t see a particular asset you’re looking for, we want to hear about this too. We have provided an easy-to-use drop down form on the Navigator 2.0 page for you to click and tell us what we’re missing. 


Thank you in advance for sharing your comments with us.  Remember, you're in the driver's seat with Navigator 2.0 - now, enjoy the trip!


Another year, another RSA Conference. At this point, I have lost count of my appearances at this annual gathering of all things security – I believe it was number 15 or 16 for me. I say “appearances” because the days blur into such a steady stream of meetings, discussions and general sensory overload that at the end of the week, I know I ‘appeared’ many places, but still wish I had time to participate in more. There is so much that happens at this event it can be both inspiring and intimidating. A walk through the Exhibitor floor quickly gives one the sense of magnitude of our industry. So when I reflect back on the conference, it feels as if someone sat on the fast forward button on the remote control for my DVR and flashed through the episodes of The Big Bang Theory, Marvel Agents of S.H.I.E.L.D. and Scandal waiting for me when I return from the conference.

First up, RSA Conference is a collection of geniuses contemplating a massive digital universe. Just like the Big Bang Theory, brain power plays a big role in fueling our industry. The innovation and pure technical skill of the security profession is on full display at RSA Conference. But the cast of the Big Bang Theory is more than a bunch of techie whizzes spouting geeky Star Trek references. The stories contain genuine friendship, acceptance and diversity as the characters navigate their lives. At RSA Conference this same sense of community can be felt. It is evident that the security world is a small world with many old friends coming together to share their diverse experiences and thoughts.

Next, Marvel’s Agents of S.H.I.E.L.D. For those fans of the TV show, you know that the team of agents work fearlessly to keep the world safe.   We have our own version of these agents in our industry. No security event would be complete without the many super heroes fighting the forces of evil.   Our industry is on the front lines of some serious conflicts. As Zully Ramzan stated in his eloquent keynote, the security and risk profession is the barrier between opportunity and the edge of chaos.

Finally, the intrigue of Scandal awaits.   Scandal, if you haven’t seen the show, has an endless series of twists and turns as the characters weave their way from one treacherous skirmish to the next.   While I suspect most organizations do not face the political turmoil chronicled in the TV show, businesses today face a constantly shifting environment of threats that would seriously challenge Olivia Pope, the savvy protagonist of Scandal. The threats facing organizations today are immense and require individuals dedicated to doing the right thing. In Scandal, they are referred to as ‘gladiators’ and our industry is full of them.

This year’s RSA Conference had many highlights. But the highlight for me, is that this conference, year after year, continues to push our industry forward. Great minds come together and share experiences. Those new to the profession learn new skills; seasoned veterans are inspired to keep learning.   I am proud that RSA is such a vibrant contributor to this conference. Whether we are inviting you to reimagine your identity strategy, push the boundaries of the detection of attacks, ignite your business risk management program or get out in front of fraud, RSA continues to change the game and help organizations implement business driven security. It was a great conference for 2017…I can’t wait to appear at RSA Conference 2018.

“Tsunami” is the Japanese term for a series of violent and recurrent waves in the ocean caused by the displacement of a large volume of water. Earthquakes, volcanic eruptions, landslides or other underwater explosions or man-made events are usually the cause. Unlike normal ocean waves that are generated by wind, or tides that are generated by the gravitational pull of the Moon and Sun, a tsunami is much less predictable and often more sudden and impactful.


Do you ever feel like your organization is navigating an unrelenting tsunami of issues generated by multiple groups, such as audit, risk, and compliance, or external auditors and regulators? These fierce waves are usually caused by risk management activities, threats, cyber events, non-compliance with regulations or other forces.


Like tsunamis we don’t see coming, today’s business environment is a challenge for issues management, regardless of your industry, geographic location, or business model. With constant regulatory change, shifts in business strategies and rapid technology transformations, it is easy to become overwhelmed by the magnitude, velocity, and complexity of issues that must be addressed. Like dealing with the aftermath of a tsunami, remediation plans many organizations put in place to “clean up” are reactive, short term and may not solve the real problem.


Let’s look at how most organizations deal with their issues and remediation plans.


  • Issues come from a variety of sources. As a result, there is natural duplication and no real consistency in either the issue or remediation plans. Different individuals or groups document issues in various systems, but the issues are often incomplete or drive remediation plans that don’t address the real problem.
  • Issues are treated differently.   This depends on many factors, such as the group that documented them. For example, audit findings may carry more weight than an issue documented by another group, even when the other issue may have more serious ramifications than the audit finding. This occurs when the organization has no consistent method of prioritizing issues across the board. For the business manager assigned multiple issues and remediation plans, once the audit is final and their day job takes over, priorities change and the issues never get resolved.
  • Tracking and resolution of issues is inadequate. In this case, the audit group or compliance function that first raised the issue has no good way to follow-up on status of the issue or its remediation plans after the audit is over. Often because their first priority is the next audit engagement, and if the business process owner doesn’t track resolution of the issues, they are dropped or forgotten.


To properly address issue management, organizations need a strategic and comprehensive approach, including the following:

  • A process that works for the whole organization. Every environment is different, but every issues management process needs to ensure issues and remediation plans are documented consistently, assigned to the right owners, and tracked to completion.
  • A way to prioritize issues and remediation plans. This must be consistently applied and driven by business priorities, such as the most important products and services the organization produces, and the criticality of the business processes and IT infrastructure that support them.
  • A single automated tool the entire organization can use. RSA® Archer offers an Issues Management use case that enables your organization to manage the lifecycle of all issues regardless of where they originate from. The use case includes a Business Hierarchy to establish the corporate structure and accountability, workflow to drive consistency, and reporting to provide visibility into the results. To learn more visit: RSA Archer Issues Management.


There are other requirements, but these are a few critical areas to set the stage, enable quick implementation of the process and drive buy-in across the organization.


Preparing for tsunamis won’t eliminate all the risk or impacts, but it can significantly reduce the effects and make clean up afterwards that much more manageable. Similarly, implementing a well-thought-out issues management process reduces much of the risk of the findings that are sure to come, as well as make the remediation process that much more complete, streamlined and consistent.


For more discussion, email me at