RSA Archer GRC

At the end of each calendar year, I look back at how the year went, mainly in my personal life.  For example, I reflect on what happened in my family - who graduated, got engaged or married or had kids, who accepted new jobs or moved.  I also look at how things went with my career, if my health has improved and how my relationship with my wife got better.  These are some of the most important aspects of my life and that’s why I reflect on them.  Not that I don’t think about them more often, because I do, but the end of the year is a good time to look back.


I was also reflecting recently on the areas I oversee here at RSA - which are Business Resiliency and Audit for Archer.  These two areas are not that similar, but I have noted a common theme in that these two fields continue to turn their sights to risk management, moving more and more from being primarily compliance-driven disciplines.  Specifically, they are looking at what the impacts of risk are to the businesses they support - their organizational goals, revenue and growth projections, customer impacts and strategic objectives, to name a few.  I have also noticed that IT organizations, specifically trying to manage the far-reaching effects of cyber threats, are translating IT risk into business impact so executives and business decision makers can better understand the implications and make better decisions.


That’s the pattern I’ve noticed this year - moving to business risk.  It’s the right trend and a good sign.  Some things are helping this along.  For example, frameworks like the ‘three lines of defense’ are being more widely recognized and adopted and are driving better alignment across groups that deal with risk.  It also helps that industry analysts are touting the benefits of aligning the three lines within the enterprise risk or operational risk management (ERM/ORM) umbrella, and that many solution providers and partners are following suit.  This has been RSA Archer’s mantra for many years so it’s good to see it catching on.


What happens next?  We need to take action and I recommend these areas to consider.  


One Step at a Time.  My personal reflections sometimes (maybe not often enough) result in changes in my life but often fall off because they’re based on “changing the world” goals.  I recommend aiming for incremental change.  Do a little better each day.  How do we know if we’re improving our business risk management? We monitor and report and analyze key risk metrics.  We also need to focus on simplicity.  Not many of us are risk experts, but we all have a role in owning risk, so we need a concise set of indicators (think of your car’s dashboard) we can use to make course corrections.  Recognize small victories and build on them. 


First Things First. We need to focus on the most important risks.  Like my personal reflections about my family, career and life illustrate, they’re the absolutely most important aspects of my life.  Business risk management should follow suit.  Complex businesses throw so many risks at us that we can’t focus on everything and do it well.  So, prioritize and focus on the most important risks.


Today and Tomorrow.  I look back to see how the year went but I also reflect every day on how I can improve some aspect of my life.  Business risk management should also include analysis, reflection and action based on long and short term views.  Risks take different shape and affect our businesses differently over the short and long term.  This goes for negative and positive risks.  We can learn much by looking at both viewpoints and taking action based on what we learn.


Something I’ve learned doing this year after year is to stay as positive as you can and keep working at it.  Have a great end of 2016 and may your 2017 be even better!  Contact me at or @pnpotter1017.  

Without question, RSA Charge is my favorite week of the year. RSA Charge 2016 in New Orleans represents 13 years of the Archer community of practitioners, partners and subject matter experts gathering to learn, grow, share, mentor, and network with more than 2,000 of our closest risk management and compliance friends. Even after all these years, RSA Charge continues to inspire me with amazing stories of our customers’ and partners’ accomplishments, ability to overcome challenges, and willingness to share lessons learned and best practices with peers who quickly become new friends and colleagues.


As I rushed between customer meetings at Charge, an RSA Archer customer stopped me in the hallway to shake my hand, introduce himself and say, “Thank you. Thank you for my career. You have enabled me to provide for my family.” He went on to tell me how RSA Archer continues to challenge him and he doesn’t foresee a day that he’ll want to do anything else.


Wow! Albeit it brief, this was such a powerful conversation for me. At RSA Archer, we strive to make a difference. In fact, two of RSA’s core values are:

  • We Give a Damn – About our clients, about what we’re doing, about each other. We’re in this together.
  • What We Do Matters – Our work makes a difference in the world.


As technology providers, we aspire to bring business value to our customers. We want to help organizations gain quick wins and inspire everyone within their organization to own risk. And to have that “difference” articulated to me by one of our customers in such a real, personal way truly inspired me.


In my many years with Archer, I’ve witnessed customers beginning their programs, growing their teams, and advancing their careers, and I’ve watched leaders move on to another organization and start this process all over again. I’ve seen Archer associates become Archer customers. And likewise, I’ve seen Archer customers become Archer associates. This technology and the Archer Community continues to inspire teams and help forge amazing careers.


The Archer Community is truly one of a kind. Some have jokingly referred to the Archer Community as “cult-like,” with participants who are truly enthusiastic about sharing and helping others. But I believe that the Archer Community and our Archer team is more like family. Events like RSA Charge feel more like a family reunion -- a chance to catch up, find out how others are moving ahead, help each other through the challenges, and celebrate each other’s successes.


Our Archer family has grown considerably over the years. We can no longer fit everyone into that small hotel conference room in Scottsdale, Arizona that we first shared in 2003. I sincerely cherish the time that we spend together at RSA Charge and I’m looking forward to repeating this fantastic experience once again next year. Get ready to pack up your boots and cowboy hats and I’ll see y’all October 17-19 at RSA Charge 2017 in Dallas, Texas!

What a week! This pre-Halloween week, we held RSA Charge 2016 in New Orleans, the most haunted city in America – and what a phenomenal turnout! We’re thrilled to have more than 2,000 attendees join us this week to share best practices for GRC, security and business risk management and to gain invaluable insights from their peers and subject matter experts alike. And the stories shared at RSA Charge are just a small sampling from the more than 1,300 organizations who have implemented Archer.


The spirits of RSA Archer gatherings past – this being our 13th year – give us this opportunity to look at how much the industry has grown and how GRC is shifting. Risk and compliance management is out of the shadows, transitioning from a functional role to an enterprise-wide strategic perspective. Looking at the “Ghosts of GRC Past, Present and Future” helps provide perspective on the continuing growth and transformation of this increasingly business-critical practice.


The “Ghost of GRC Past” had organizations trying to keep up with new regulations and emerging compliance requirements.  GRC was anything but a strategic program for the business, focusing on very discrete problems and a few, select processes. Archer was there in 2000 at GRC’s beginning, as companies began investigating technology enablers.


The “Ghost of GRC Present” has companies formally adopting practices based on industry and international standards, implementing combined strategies to tie together data and consolidate processes, and instituting frameworks to guide procedures. While technology is a cornerstone of risk management strategies, many organizations still have “skeletons in their closet”: pockets of disconnected risks that can cause serious damage.


The “Ghost of GRC Future” shows growing emphasis on determining how risks impact your company’s overall performance. The very strategies that fuel your company’s growth are the same initiatives that introduce more risk into your organization. GRC can no longer be considered separate from business strategy and objectives, and evolves to become Business Risk Management.


Business Risk Management is more than connecting dots – it’s anticipating where the next dot will be. That means gathering the right information from the right sources to get the complete risk picture you need to analyze and predict your risk landscape, rather than merely survey it. Clearly, it’s time for the “Ghost of GRC Past” to be laid to rest. It’s time to evolve to beyond GRC to Business Risk Management.

It’s Official: The RSA Archer NAVIGATOR Tool Is Now Live – premiering at RSA Charge 2016 and on the Archer GRC Community on October 25.


The NAVIGATOR Tool is designed to help you take charge of your learning and power your path to Archer success.

As you know, RSA offers many resources to help you achieve time to value with your Archer investment. It could be participating in our classroom or on-demand training through RSA University.  It could be learning about Archer via our comprehensive user documentation.  Or, it might also be taking advantage of the discussions with RSA subject matter experts, our partners, or your GRC counterparts on RSA Link…the largest GRC Community in the world.  And, engaging with your peers at events such as RSA Charge, or reviewing the more than 60 RSA Charge/Summit customer use case presentations, both of which provide incredible learning opportunities. 


This wealth of information at your fingertips, however, can also be daunting … how do you know where to start, what training and/or documentation are right for you personally?


With the NAVIGATOR Tool, we are taking the first step toward simplifying the process of finding the right information and content for you, based on your role and your level of expertise. That’s right: ‘your role’ and ‘your level of Archer expertise.’ (*see definitions below)


For those of you attending Charge, we will be hosting 3 Lab Sessions in Room 225:

  • Wednesday, Oct. 26: 11:15 am – 12:00 Noon
  • Wednesday, Oct. 26: 3:45 pm – 4:30 pm
  • Thursday, Oct. 27: 11:15 am – 12:00 Noon


For all others, we invite you to watch the NAVIGATOR video and to check out the NAVIGATOR Tool for yourselves (attached below for your convenience). We ask that you remember this is only Phase 1 of a 3-Phase project; our goal is to have an automated NAVIGATOR Tool available in Q1 2017.



*Key Definitions


1. A person in an Archer Administrator role is typically responsible for implementing business requirements within the RSA Archer Platform. While a full understanding of the Platform features is required, additional knowledge about the solutions in use can also be beneficial.

2. A person in a Technical Administrator role is typically responsible for the installation and maintenance of the RSA Archer Platform. They require knowledge of the Platform, its solutions and all the technical aspects of deploying RSA Archer for usage by the various teams within their company.

3. An Archer Business User is typically responsible for defining requirements for an Archer build. This user should know what the Archer platform is capable of, so that appropriate requirements can be written. Knowledge of the solution area(s) purchased is also appropriate for this user.

4. End users of an Archer implementation will benefit from learning how to navigate the system and how to build reports. They may also benefit from viewing the solution training(s) and reading the Use Case guides for the solution(s) within which they will be working.

Levels of Expertise

1. Getting Started: Brand new to RSA Archer and needing foundational information on the RSA Archer platform and solution areas

2. Expanding: Advancing your knowledge of the platform and achieving a deeper understanding of the RSA Archer use cases and how to implement them

3. Advanced: Mastering your knowledge of RSA Archer from a technical, administrative or business use, depending upon your role


Whether attending the 2016 RSA Charge event in New Orleans, or back at your office, you can now view and/or download any or all of the 60+ customer Use Case presentations starting today, October 25. (Please Note: several will be posted by EOD today)


This year's presentations represent 6 tracks: 

  • GRC - Taking Command of Your GRC Journey
  • GRC - Where Cyber Risk Meets Business Risk
  • GRC - Transforming Compliance
  • GRC - Inspiring Everyone to Own Risk
  • GRC - Archer Technical
  • GRC - Archer Advanced Technical


The 2016 presentations promise to be some of the best submissions we've received to date. I know, we say that every year, but Archer customers continue to amaze us with their willingness to share their best practices and learnings, and even some of the war stories, with other Archer customers.



We want to help you be successful, whether you are fighting the latest security threat or mitigating business risk. Our industry-leading products help you fight those battles, but we know that buying and installing our products are just the beginning of your journey.

RSA offers many resources to help you achieve time to value with your Archer investment. It could be participating in our classroom or on-demand training through RSA University.  Or, it could be learning about Archer via our comprehensive user documentation.  It might also be taking advantage of the discussions with RSA subject matter experts, our partners, or your GRC counterparts on RSA Link…the largest GRC Community in the world.  And, engaging with your peers at events such as RSA Charge provides an incredible learning opportunity.

There is a wealth of information out there to help you begin your Archer journey.   But with so much information at your fingertips it can be overwhelming to know where to begin.

The RSA Team is dedicated to helping you take charge and power your path to Archer success.  On October 25th, we are introducing the RSA Archer Navigator to simplify the process of finding information on RSA Link.   You can identify learning assets by your role and level of expertise with links to take you directly to the information you need. And you’ll find details like the duration of various assets and the associated Continuing Professional Education (CPE) units that can be earned by leveraging these learning tools. 

RSA is committed to continually adding valuable content and enhancing the Archer Navigator tool so that your RSA Archer journey continues to be a smooth ride!

If you are attending RSA Charge, come to Room 225 to see a demo!

  • Wednesday, Oct. 26: 11:15 – 12:00 Noon
  • Wednesday, Oct. 26: 3:45 – 4:30 pm
  • Thursday, Oct. 27: 11:15 – 12:00 Noon

If you are unable to attend RSA Charge, look for the Archer Navigator banner on the Archer GRC Community for access to the Tool. 


Ready to Be Sued?

Posted by Marshall Toburen (Employee), Oct 7, 2016



If you are a financial services company (bank, insurance company, asset manager) of reasonable size doing business in New York, this blog’s for you! Yesterday, I attended a meeting regarding the proposed New York State Cybersecurity Requirements For Financial Services Companies. In this meeting, Counsel from the Robinson+Cole Cybersecurity and Privacy Practice woke me up to the breadth and significance of this regulation. By June 30, 2017, all financial services companies doing business in NY State have to be in compliance with this regulation and in 2018 must begin annually submitting the following signed certification to the NY State Department of Financial Services:


Here is the abbreviated list of what you are going to need to do (please read the regulation for the complete, unabbreviated list):

• Within 5 years of enactment, have your data at rest encrypted
• Within 1 year of enactment, have data in transit encrypted
• Have the ability to reconstruct all financial and accounting records for at least six years should a cyber security event occur
• Designate a qualified Chief Information Security Officer (CISO) with responsibility for compliance with this regulation
• Employ sufficient cybersecurity personnel to manage risks and perform core cybersecurity functions, providing on-going training to these personnel to keep their skills up to date.
• Have multifactor authentication in place around internal systems and external networks
• Have a litany of policies and procedures in place around electronic and physical security, risk assessment, training, third parties, incident response, business continuity, and data destruction
• At least bi-annual reporting to your board of directors regarding the confidentiality, integrity, and availability of your organization’s information systems, policies and procedures, cyber risks, effectiveness of the cybersecurity program, exceptions to policies and procedures, and cyber security events that have occurred.

For the 1,900 or so organizations impacted by this regulation, you will find these requirements to be more prescriptive than the EU General Data Protection Regulation, the Gramm-Leach-Bliley Act, and the Payment Card Industry rules. However, there is a substantial amount of overlap between these regulations. Organizations that have been effective in addressing these other rules and regulations using RSA Archer should be well on their way to demonstrating compliance with this NY State regulation and minimizing the risk of litigation from non-compliance.

With only a couple of weeks left before the largest gathering of GRC and Security professionals in the world happens in New Orleans Oct. 25-27, 'Throwback Thursday' is making a comeback.


Register by Oct. 10 using code: 8C6TBTSOCIAL to save on the RSA Charge 2016 microsite



We know that there is an enormous amount of content on the Archer Customer/Partner Community, 3800+ pieces to be exact, and it grows every single day. Now add the 40 RSA University training courses, and it can be a daunting task figuring out what is relevant content based on your role within your organization, and your level of Archer experience.


We knew we had to do something to make you successful with Archer training and implementation. You’ve told us so much; and we listened, and acted.


We are pleased to announce that on October 25, at RSA Charge 2016, and also on the Archer GRC Community, we will be launching the new Archer NAVIGATOR Tool.


This NAVIGATOR Tool is the FIRST step in an ongoing 3-step campaign to make it easier for Archer customers like you to find relevant training and documentation, plus helpful support content, based on your role within your organization – Archer Admin, Archer Tech Admin, Business User, or End User, and your knowledge level of Archer - from Getting Started (1-2 years), to Expanding (3-4 years) to Advanced (5 years+). 


Phase 2 will start right after Charge, and Phase 3 of the NAVIGATOR Tool will launch in Q1 2017.

There is a dedicated team of Archer employees, across different business units to help you take charge and power your way to Archer success. The team is focused on building upon each Phase of the NAVIGATOR Tool to make a significant improvement over the prior version. And, we will count on your feedback to help us reach this goal. Our endgame at the conclusion of Phase 3 will be to deliver you an automated solution to manage our informational assets, helping you be an Archer success.


Over the next several weeks, leading up to Charge 2016, you will see blogs from Kathy Coe, Education Services/RSA University; Anya Kricsfeld, Technical Support; Megan Olvera, Education Services/RSA University; Meg O’Neil, Engineering; Susan Read-Miller, Product Marketing; Amy Robertson, Solutions; Denise Sposato, Product Marketing/Communities; and Elizabeth Wenzel, Technical Publications.


If you are attending RSA Charge 2016, there will be 3 lab sessions in Room 225 that you can register to attend on the RSA Charge 2016 microsite, or just drop by. If you haven’t registered yet for RSA Charge 2016, do so today, or visit the RSA Charge microsite for full details.

  • Wednesday, Oct. 26: 11:15 – 12:00 Noon
  • Wednesday, Oct. 26: 3:45 – 4:30 pm
  • Thursday, Oct. 27: 11:15 – 12:00 Noon


We are very excited to launch Phase 1 of the Archer NAVIGATOR Tool on October 25 – hope to see you at RSA Charge in New Orleans, or on the Archer GRC Community.


Take Charge! Power Your Path to Archer Success! 



Next week, on October 5th, many companies and professionals all over the world will be celebrating CX Day – a day set aside to focus and celebrate customer experience created by companies and their people and processes.  It is an important day, and we at Dell, RSA, and Archer will definitely take part in festivities planned to mark such occasion.  We will take the time to review all the things we do well, recognize individuals in our company who exemplify the right attitude and approach at taking care of our customers, and talk about the plans we have to kick our customers’ experience to an even higher level.


But…. anyone can do that.


What makes this day authentic here at Archer, is that you, our customers, are the central point of all of our activities, not just on CX day, but every day and at every part of our journey together.


I wrote in my previous blog about the formation of the Total Customer Experience (TCE) forum to focus even more on the experience we provide to you.  With the renewed and a more focused effort through this forum, I am happy to see improvements already in several aspects of our business that result in a better experience.  Here are a few to mention:

  • Faster time to relief – through the combined efforts of the Customer Support team and Engineering, we have seen measurable improvements in time to relief on support issues opened by our customers. We have focused on better technical training for the teams, improved communication methods, and closer collaboration with engineering. I hope you have noticed the improvements.
  • Improved availability of resources – with the increased focus on providing more resources to enable you, our customers, we have been able to more than double our Knowledge Base. In addition to all articles now being accessible from our Community, the most frequently used KBs are easily seen on the main page. And, they are now easier than ever to find – you can Google them. Give it a try.
  • Closer collaboration with the GRC Community – from the Champions Network to a plethora of Working Groups, to Roadmap review meetings, staying connected with both Archer Product direction and the GRC community has never been easier. Get involved if you haven’t yet.


In addition to this, we have work going on in a lot of other areas, such as:

  • Improving our billing process 
  • Refining our licensing and entitlement process
  • Accelerating our ability to provide resolution to both support and product issues


So, as we approach CX Day, and I reflect on what this means to me, two thoughts come to mind. First, thank you for being our customers – our biggest advocates, and our firmest drivers for change and improvement. Without you, there’d be no C in CX Day. And second, I am so excited to be part of a team who not only provides a great product, but realizes that without a great experience to go along with it, we would never succeed. I am excited to continue in our journey together and can’t wait to achieve bigger and better results.


Thank you and happy CX Day to all!


If you haven't yet registered for RSA Charge 2016, you have just over a week to save $200 off the onsite fee; the discount registration fee of $695 ends on September 23. This year's venue takes place Oct. 25-27, at the Ernest N. Morial Convention Center, New Orleans.


This must-attend event will be the largest gathering of Archer customers, partners, and risk and compliance experts from around the world, providing GRC professionals – from experts to novices – with the premier venue to share knowledge, gain hands-on experience, and learn best practices from other GRC professionals and subject matter experts.


Like last year, your RSA Charge 2016 registration pass will give you full access, without additional fees, to ‘all’ RSA Charge sessions, under one roof, including RSA Archer GRC Summit presentations, Security Operations, Identity, and Fraud.


The conference registration package also includes access to keynotes, the Archer super session, breakouts, birds-of-a-feather sessions, hands-on labs, and the Innovation Zone. And, if you need more reasons, registration also includes your access to evening events, as well as a continental breakfast and lunch on Wednesday and Thursday.


Don’t miss out on this Savings; REGISTER TODAY and visit the RSA Charge 2016 microsite for more information.

If you haven't heard, RSA Charge is just around the corner!


This year, New Orleans will play host to our customers, partners and the RSA team. If you can spare a few hours between trips to the French Quarter, Café Du Monde for a beignet (or 12), and Fritzel's for traditional jazz, the RSA team wants to hear from you.


RSA Charge provides a unique opportunity for you to engage face to face with the RSA Archer team in focused working groups. The working groups provide an opportunity for you to influence the product roadmap; learn about the future of our solutions, use-cases and features; and to interact with your peers.


To learn more about the Archer Working Groups at RSA Charge, please view Antoine Damelincourt’s recent blog, Join the Archer Product Management team @RSA Charge!


Still need to register for RSA Charge? Take advantage of the discounted rate before time runs out!


See you in a few weeks!



You know that RSA Charge 2016 will be the largest gathering of Archer customers, partners, and risk and compliance experts from around the world, providing GRC professionals – from experts to novices – with the premier venue to share knowledge, gain hands-on experience, and learn best practices from other GRC professionals and subject matter experts.


Now, RSA University (formerly known as Education Services) is making RSA Charge 2016 even better, with their announcement of pre-Charge courses being offered at 20% OFF normal pricing. Seats fill up fast and are limited to 10 students maximum per class. Don't miss this opportunity - REGISTER today using the links below. 


RSA Archer Pre-Summit Admin Boot Camp (2-day class)

This 2-day course provides an overview to the concepts, processes, and procedures necessary to successfully design and administer the RSA Archer Platform.  Students will gain knowledge of the key RSA Archer 6.x platform components such as applications, security management, and communication tools through presentations and hands-on practice.   This course is a compact version of the standard four-day RSA Archer Administration I course. Many of the same core components will be included.  

Target audience includes new Archer administrators who are responsible for building in and managing the RSA Archer 6.x Platform.


October 24-25, 2016  ($1600 per person, 10 students maximum)



RSA Archer GRC 6 Advanced Workflow & Navigation (1-day class, offered twice)

This 1-day workshop for experienced 5.x admins provides an overview of the RSA Archer GRC 6 interface and hands-on practice using the Advanced Workflow feature.  Target audience is existing RSA Archer administrators who are well-versed in RSA Archer versions 5.5 and earlier. 

Prerequisite Knowledge/Skills:  Students must be comfortable with the administrative features of the RSA Archer GRC Platform, including but not limited to: Data-Driven Events, calculated fields, and On-Demand Notification Templates. Experience building out business workflow using these features is essential.


October 24, 2016 ($800 per person, 10 students max on this day)

October 25, 2016 ($800 per person, 10 different students max on this day)



RSA Archer GRC 6 Platform Fundamentals for Business Users (1-day class, offered twice)

This one-day workshop includes a thorough overview of RSA Archer Platform features, including but not limited to: Application and questionnaire creation and management, essential access control concepts, email notification options, reporting and dashboard options, integration possibilities, and more.

Target audience includes RSA Archer business users with a need to understand what is possible with the platform. Ideal audience includes those who may need to create business requirements but will not actually administer the platform.


October 24, 2016 ($800 per person, 10 students max on this day)

October 25, 2016 ($800 per person, 10 different students max on this day)



Also being offered:

RSA Hunting Workshop for Analysts – Security Analytics/ECAT (2-day class)

This 2-day workshop presents the opportunity to spend class time working in a hands-on virtual environment, with minimal lecture and materials. Students will be provided with a complex use case to work through, involving a network-based attack resulting in endpoint malware infection.

Target audience includes Security Analysts interested in using RSA NetWitness Logs and Packets and RSA NetWitness Endpoint to locate anomalies on the network and endpoint devices, to diagnose and track malware infections, and to reconstruct a cyber-attack in a realistic virtual enterprise setting.

October 24-25, 2016  ($1600 per person, 10 students maximum)


The Agenda for the October 13 RSA EMEA Archer GRC Summit in Amsterdam has been announced. 


This is the fourth year for the RSA EMEA Archer GRC Summit and promises to be one of the best with the largest gathering of customers, partners plus risk and compliance experts from across Europe, the Middle East, and Africa.


Join us for this 'complimentary' must attend event to share in driving GRC innovation through education and collaboration with the industry's best minds at the RSA EMEA Archer GRC Summit.

Location: The Grand Sofitel, Oudezijds Voorburgwal 197, 1012 EX Amsterdam Netherlands.





Sir Francis Bacon is attributed with the quote, “Knowledge is Power”.  There have been many variations on this phrase but I want to add one more twist.


I presented at a conference this week where the session was dedicated to discussing the risks and remedies of ransomware, which are the practices and technologies used by bad guys to gain access to systems and hold information hostage until a ransom is paid.  Sometimes the information they get ahold of is not so important, but other times they hit the jackpot and gain access to the “crown jewels” of a company – customer information, trade secrets or pending business strategies and plans. Company and institutional knowledge/information your company has worked hard to accumulate, formulate, organize and use is the lifeblood of your business.   In some organizations, this information is the most vital asset they possess.


The venue for my presentation was the Washington D.C. Spy Museum.  As I toured the museum afterward, I learned a few things about the history of “spying”.  I learned that people who spy do it for many reasons, but the single most important goal is the attainment of – you guessed it, information.  Information gives them power.  Back to the “knowledge is power” concept – when the bad guys have access to your information, they don’t necessarily have knowledge but they have power.  However, safe and secure in your hands, this information equates to knowledge, and how this knowledge translates into power is in your ability to use it to compete and win in the marketplace.  


My speaking topic at the conference was business resiliency.  A key underlying tenet is having an understanding of what is most important to your organization - and this starts at the top.  For example, (the most critical) products/services provided to customers; the business processes that produce them; supporting IT systems; and the information assets produced or used in that product/service.   Determining what is critical starts at the highest levels and can be determined through business impact analyses (BIA).


Let me share an example and a caution. Not all information is created equal (or equally important). For example, Coca Cola’s recipe for Coke is, safe to say, very critical to them, whereas a lower-tier vendor’s contract details probably aren’t as critical. Now, these examples are obvious, and most companies intuitively know what their most important information assets are, and maybe have an inkling of what is on the lower end of the scale. But what about what is in between? Herein lies the rub: of the hundreds of information assets organizations produce and use, do they know which of those are critical? Which of these information assets are undervalued and therefore under-protected? Which require special compliance considerations? This all presents exposure and risk.


There are many implications on information assets across the spectrum of governance, risk and compliance (GRC) activities.  For example, which risks or threats could impact your information; what compliance requirements such as privacy considerations require that you take certain protective steps and implement controls, and could result in penalties if not done; or which vendors have access to your (critical) information and what are they doing with it, and are they protecting it.  Given the far-reaching implications to your organization across many use cases, these GRC activities related to information assets should be coordinated at some level. This blog highlights just a few examples of the exposures our organizations face due to not properly evaluating criticality of and exposures to our information assets. 


I took this picture at the Spy Museum of a Trojan horse exhibit, which depicts the infamous method Greek soldiers used to infiltrate the City of Troy and win the Trojan War. In today’s world, the goal is access to information. Now, a Trojan, a malicious computer program, is used to gain unauthorized access to a computer and access personal or proprietary information. Information assets are the lifeblood of our organizations and we must remember that their proper use, management and protection enables our power to compete and thrive.