
In my previous blogs in this series (Vulnerability Risk Management: Let's not boil the Ocean and Vulnerability Risk Management - It is a Big Deal), I focused on how important Vulnerability Risk Management is for organizations and on the need to take it beyond a compliance task. When you take that next step and use vulnerability identification and remediation as a core piece of your threat prevention strategy, key metrics must be put in place to measure success. Vulnerabilities can be identified by the thousands on large infrastructures, and without a clear sense of progress the security and IT functions can tire very quickly of playing "whack a mole". In security, we constantly talk about the challenge of showing return on investment. Many times we fall back on the phrase "you can't measure things that DIDN'T happen" to justify not having a clear metric for success, meaning that security protected against something bad happening and the investment was therefore justified. However, there are things that can be measured to show success in vulnerability risk management.


Metrics that Matter

Issues by Status – When a vulnerability is identified on a system for the first time, it is a new data point that should inform and, depending on the situation, drive an action. When the same vulnerability is found a second, third, fourth time, it indicates a gap: either the vulnerability is too insignificant to be worth the time to fix, or it has been lost in the "vulnerability pit" and no one is paying attention. Either way, the constant ping of the same vulnerability should drive some action (exception, escalation, tuning of the scanner, etc.). The status of each vulnerability, whether New, Active, Reopened, Verified, Excepted, Pending Remediation or Fixed, must be tracked over time to identify the rate at which vulnerabilities move through the process and are addressed.


Remediation Time – Once a vulnerability has been identified and flagged to be addressed (through a configuration change, patch, etc.), the time it sits idle (and still a danger to the system) is the window of exposure in which an attacker can exploit that vulnerability and use the system to leap-frog to other systems. This metric measures the length of time from identification to remediation and is a measure of the efficiency of the patch and remediation cycle.


Scanner Coverage – Because vulnerabilities change constantly, organizations must look to increase their scan footprint (more devices, more often). Scanning only critical systems on a frequent basis helps protect those assets (and is a definite minimum capability), but vulnerable less-critical systems can provide a significant launching point, and given enough time an attacker can pivot from them to sensitive systems. Organizations should measure the number of devices scanned (as a percentage of the "Device Universe") and the frequency of scans, as well as the mix of authenticated and unauthenticated scans; an authenticated scan sees missing patches and local configuration that an unauthenticated scan of the same host cannot. Understanding scan coverage is essential to get a picture of the breadth and depth of the vulnerability scanning program.


Inadequate Fixes – Finally, the security function needs to understand the effectiveness of the patch and configuration management processes. This is a critical 'checks and balances' relationship between Security and IT. It does not help if vulnerabilities keep popping back up because of bad patching efforts, system administrators 'undoing' configuration changes, or other issues. When a vulnerability goes from "Fixed" to "Reopened", there is an issue somewhere in the process, which is also why "Fixed" should be set by a confirming rescan rather than by a ticket being closed. The patch or fix may be detrimental to the business function, in which case it should drive a risk analysis and exception process. Regardless of the reason, the issue needs to be investigated and resolved.


Accurate Asset Inventory – Vulnerability Risk Management hinges on a clear understanding of the assets. If an organization can organize a view of the infrastructure and deal with DHCP, multi-homed devices, overlapping IP spaces and the other challenges of a large Device Universe, it can be game changing. The key metric is the percentage of vulnerabilities that can be associated with a true, cataloged business asset. The nameless, faceless, unknown IPs, and the vulnerabilities associated with them, represent a lot of noise. Some of that data is extremely important, for instance the new production servers that were brought online without Security knowing about them. Tracking this metric over time gives a clear indicator of how well Security and IT understand the business context of IT assets.


There are other metrics as well, but getting these basics down can greatly improve the understanding of the efficiency and effectiveness of the vulnerability management program. As with all metrics, it takes a commitment to measure consistently over time to produce meaningful conclusions. Watching these metrics over time can help identify where the systemic issues in the vulnerability program might be. Is the remediation cycle taking too long? That can indicate an issue with the patching infrastructure. Does a vulnerability sit idle in the same status for too long? IT may need more prioritization assistance. Is scanner coverage stagnant, or not testing systems on a frequent enough cycle? The scanning implementation may need a review.
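As an added example, not code from this post or from RSA Archer, here are the five metrics above computed over a constructed set of scanner findings. The asset catalog, Device Universe, scan log, IP addresses, vulnerability ids and finding histories are all made up for illustration; the workflow statuses are the ones the post lists, and the 30-day window and staleness threshold are assumed values.

```python
from collections import Counter
from datetime import date, timedelta

AS_OF = date(2013, 11, 5)  # reporting date for the constructed data below

# Constructed catalog: IPs that IT has tied to a named business asset.
ASSET_CATALOG = {"10.0.1.10": "prod-web-01", "10.0.1.11": "prod-web-02",
                 "10.0.2.20": "prod-db-01", "10.0.3.30": "dev-build-01"}

# Constructed "Device Universe": everything IT believes it owns.
DEVICE_UNIVERSE = set(ASSET_CATALOG) | {"10.0.4.40", "10.0.4.41"}

# Constructed scan log: (ip, authenticated scan?, date scanned).
SCANS = [
    ("10.0.1.10", True, date(2013, 11, 4)),
    ("10.0.1.11", True, date(2013, 11, 4)),
    ("10.0.2.20", False, date(2013, 11, 4)),
    ("10.0.3.30", True, date(2013, 9, 30)),   # last scanned outside the window
    ("10.0.9.99", False, date(2013, 11, 4)),  # on the wire, in no catalog
]

# Constructed findings: one per (host, vulnerability), each with its ordered
# workflow history as (status, date) pairs using the post's status names.
FINDINGS = [
    {"ip": "10.0.1.10", "vuln": "V-1", "history": [("New", date(2013, 10, 1)),
        ("Pending Remediation", date(2013, 10, 3)), ("Fixed", date(2013, 10, 15))]},
    {"ip": "10.0.1.11", "vuln": "V-1", "history": [("New", date(2013, 10, 1)),
        ("Fixed", date(2013, 10, 10)), ("Reopened", date(2013, 11, 4))]},
    {"ip": "10.0.2.20", "vuln": "V-2", "history": [("New", date(2013, 9, 1)),
        ("Active", date(2013, 10, 1))]},
    {"ip": "10.0.2.20", "vuln": "V-3", "history": [("New", date(2013, 9, 1)),
        ("Excepted", date(2013, 9, 5))]},
    {"ip": "10.0.9.99", "vuln": "V-2", "history": [("New", date(2013, 11, 4))]},
]


def issues_by_status(findings):
    """Issues by Status: how many findings sit in each workflow state today."""
    return Counter(f["history"][-1][0] for f in findings)


def remediation_days(findings):
    """Remediation Time: days from first sighting to the first Fixed transition,
    for every finding that was ever fixed (a later Reopened keeps that cycle)."""
    days = []
    for f in findings:
        first_seen = f["history"][0][1]
        fixed = [d for s, d in f["history"] if s == "Fixed"]
        if fixed:
            days.append((fixed[0] - first_seen).days)
    return days


def stale_findings(findings, as_of, max_days):
    """Findings parked in one non-terminal status for more than max_days: the
    'constant ping' that should trigger an exception, escalation or scanner tuning."""
    terminal = {"Fixed", "Excepted"}
    out = []
    for f in findings:
        status, since = f["history"][-1]
        age = (as_of - since).days
        if status not in terminal and age > max_days:
            out.append((f["ip"], f["vuln"], status, age))
    return out


def inadequate_fixes(findings):
    """Inadequate Fixes: findings whose history shows Fixed followed by Reopened."""
    out = []
    for f in findings:
        statuses = [s for s, _ in f["history"]]
        if any(a == "Fixed" and b == "Reopened" for a, b in zip(statuses, statuses[1:])):
            out.append((f["ip"], f["vuln"]))
    return out


def scanner_coverage(scans, universe, as_of, window_days):
    """Scanner Coverage: share of the Device Universe scanned inside the window,
    the authenticated share of those scans, and devices never scanned at all."""
    start = as_of - timedelta(days=window_days)
    recent = [(ip, auth) for ip, auth, d in scans if start <= d <= as_of and ip in universe]
    scanned = {ip for ip, _ in recent}
    authed = {ip for ip, auth in recent if auth}
    return {
        "pct_devices_scanned": round(100 * len(scanned) / len(universe), 1),
        "pct_authenticated": round(100 * len(authed) / len(scanned), 1) if scanned else 0.0,
        "never_scanned": sorted(universe - {ip for ip, _, _ in scans}),
    }


def asset_mapping_rate(findings, catalog):
    """Accurate Asset Inventory: share of findings tied to a cataloged asset,
    plus the unknown IPs Security and IT still need to identify."""
    mapped = sum(1 for f in findings if f["ip"] in catalog)
    unknown = sorted({f["ip"] for f in findings if f["ip"] not in catalog})
    return round(100 * mapped / len(findings), 1), unknown


if __name__ == "__main__":
    print("issues by status:", dict(issues_by_status(FINDINGS)))
    print("remediation days:", remediation_days(FINDINGS))
    print("stale > 30 days:", stale_findings(FINDINGS, AS_OF, 30))
    print("fixed -> reopened:", inadequate_fixes(FINDINGS))
    print("coverage (30 days):", scanner_coverage(SCANS, DEVICE_UNIVERSE, AS_OF, 30))
    print("asset mapping:", asset_mapping_rate(FINDINGS, ASSET_CATALOG))
```

On the constructed data the unknown host 10.0.9.99 shows up in two places at once: it drags the asset-mapping rate down and it does not count toward coverage because it is outside the Device Universe, which is exactly the "new server Security didn't know about" case the post describes. Run the same functions over each scan cycle and keep the results, since the trend is the metric.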


The main question to ask yourself is “Can I measure, track and report on these metrics today?”  If so, then you most likely have a pretty solid process in place and can provide management with the basics in terms of progress, efficiencies and effectiveness.  If not, then the question is how can you put in place the right infrastructure to start measuring Metrics that Matter?


Watch this video to find out how our Vulnerability Risk Management solution helps organizations measure these metrics, research our new solution or contact your RSA representative.

Having navigated the operational risk landscape within various Financial Institutions (FIs), I understand the dynamics and challenges of an evolving company.  On one hand, the business is growing and expanding through mergers and acquisitions or the launching of new products or services.  On the other hand, management must maintain a calm, firm hand on the rudder of the organization to ensure the business does not overextend or wander into perilous waters.  Finding the balance between these two considerable drivers makes all the difference as a financial institution maintains relevancy in today’s financial market through this constant flow of innovation and expansion. 


As a board-level discussion topic at all financial institutions today, operational risk is real and public disclosure of significant operational risk events has become an all too common occurrence. The growing complexity of FI activities, changing workforce, expansive and shifting regulatory requirements, and dependencies on third parties can dramatically impact an FI's operational risk profile in the absence of an effective operational risk management strategy. FI executives, shareholders, regulators and the public expect financial institutions to be proactively looking at risk, adjusting operations and reacting in a strategic manner that appropriately limits risk. RSA Archer helps FIs achieve a balance between risk and business agility through a comprehensive approach to Operational Risk Management.


I am pleased to announce the release of a White Paper: Financial Institutions: Managing Operational Risk with RSA Archer available on the website.  This paper explores the significant challenges Financial Institutions face with regard to today’s risk landscape and how RSA Archer can enable core Operational Risk processes.

It’s an exciting time for those of us involved in the RSA Archer community. In the face of tough competition from a number of strong entries outlining how organizations have used RSA Archer to transform their businesses, the winners of the GRC Innovation Awards have been chosen. Congratulations to Aon, whose team received their trophy at the RSA Archer Roadshow on 6th November.


Aon is a global provider of risk management, insurance, brokerage, reinsurance brokerage, human resource consulting and outsourcing services. It is a Global Fortune 500 organization with 62,000 employees, supporting three regions in 126 countries with three key business units.


The Security Risk Management (SRM) organization is an internal function supporting and governing the security needs of Aon’s business units and regions globally. As the organization matured, it faced an increasingly complex array of requirements, and implemented RSA Archer to help manage all security aspects associated with Aon’s supply base and client base, and to support the integration of risk management functions globally into one, all-encompassing process.


The deployment has driven improvements across a range of business areas, including:

  • Better coordinated risk activities and enhanced business processes
  • Matured security risk programs
  • Improved business processes and efficiencies
  • Increased risk transparency across the organization, which feeds risk-based decision making.


Besides the business value that the project has added, it features a number of innovative elements that made it stand out for the judges. For example:

  • The Vendor Management module is built on a two-instance architecture that allows external suppliers to provide responses to Aon questionnaires directly into SRM’s system, without compromising security.
  • The Risk Management module uses a three-tiered stackable risk register to allow for consolidation of regional risks onto broad global risks.

Aon plans to build upon the success of the RSA Archer implementation by executing the remaining phases of its roadmap which will include new modules and functionality.


Congratulations to Aon on its well-deserved win! We look forward to seeing where it will go next with its RSA Archer technologies.



I’m always fascinated to hear about what our customers are doing with their RSA Archer technologies. So it was understandably rather exciting to be involved in the GRC Innovation Awards that have just taken place within the Archer community. We received entries from a variety of organizations, all justifiably proud of how they’ve driven value for their businesses. The winner for Europe was Telecom Italia Information Technology.


The organization is the provider of ICT products and services to Telecom Italia. It is dedicated to offering the highest standards of infrastructure, systems and application management to its customers, and it holds a number of international accreditations. It was selected as the European winner of the GRC Innovation Award in recognition of the successful implementation of its new Risk Analysis and Management processes based on RSA Archer GRC.


The project involved a mix of elements, including:

  • A combination of several on-demand applications (ODAs) and questionnaires, powered by a unique methodology to systematically implement complex workflows and changes to any ODA, through a consistent and user-friendly GUI
  • A set of custom components to extend ODA capabilities quickly and easily when needed
  • An exclusive web-based infrastructure service that allows users to request more complex elaborations to ODA capabilities
  • A set of automatic tools to significantly reduce the effort needed to develop and maintain custom components, thereby keeping focus on business priorities and not workflow administration


Telecom Italia Information Technology expects a significant increase in productivity across its Risk Management processes. Also security governance is experiencing a boost in productivity, thanks to the implementation of several security indicators and automatic dashboards. These productivity improvements are in turn enabling Telecom Italia Information Technology to increase the number of processes that can be integrated into its Risk Management framework.


My hearty congratulations to the team at Telecom Italia Information Technology for the success of their project and their award win!



In my last blog, I discussed the importance of Vulnerability Risk Management. Security professionals know that for an IT security organization to protect a company against today's threats, processes, tools, procedures and enablers must be implemented to create a holistic strategy. The idea of a multidimensional program with a continuous cycle that flows from prevention to detection to response, with a feedback loop to ensure that threats are proactively managed, is the dream of every CISO. To wield the power of a proactive and responsive organization, CISOs must balance investment across many different needs. While no organization can prevent every threat or patch every vulnerability, the goal should be to identify and prevent as much as possible, effectively detect and respond to active threats, learn from events and incidents, and improve going forward. That is why Vulnerability Risk Management is a key part of a security management strategy. But when you look at this problem, it can seem almost inconceivable that a large infrastructure, one that keeps expanding and expanding, can be put in check. So an important thing to keep in mind is to Not Boil the Ocean.


Vulnerability Management has several layers of problems but let’s focus on just these main three challenges:


1)   Security needs to ensure that the right devices are being scanned and the right vulnerabilities are being identified.  The Device and Vulnerability universes are extremely large and the need to be very diligent about this process is becoming more and more important given the changing threats we see today. Prioritization becomes a fundamental need to deal with the growing number of systems and rapidly changing threat landscape.

2)   IT already has lots going on, and pages and pages of vulnerabilities with no prioritization and little guidance don't help. They have to sift through lots of information just to get to the key issues. They have too much data and need a more streamlined, managed process to keep up.

3)   Not all vulnerabilities and servers are the same. Some vulnerabilities are more dangerous than others, and some devices are more important than others. We also don't live in a perfect world. Patches can fail for lots of different reasons: a technical issue, a process issue, the server doesn't reboot properly, the server was offline, pick a reason. Companies end up with issues that need closer watching, or that go unaccounted for and distort the true risk. Both IT and Security need an escalation mechanism to raise the visibility of critical issues related to vulnerabilities.


This sure places a lot of work on the shoulders of the IT and security administrators. And it isn't just them that are interested in how well this process is working. First, the CISO wants to know if this process is performing the way it should be. Are we managing the vulnerabilities and protecting the right assets? Second, the Enterprise Risk function wants to know where IT security risks fall into the big picture. How vulnerable is the company to security threats in the context of other enterprise risks? Finally, the Business wants assurance that the most precious assets are protected. Are my crown jewels adequately protected?


So we have a multi-dimensional problem, with numerous stakeholders – where do you start?


First, let’s get a handle on asset catalogs.  Vulnerability Scanners are viable mechanisms to discover and identify assets on the wire.  But those assets can’t just sit in Security-land.  They need to be communicated to IT so they can differentiate between production, development and other types of IT systems.  But even better – let’s connect them to the business so that both Security and IT gain insight on the business context of IT assets.


Second, let's take those massive reports off the table and provide IT with a manageable vulnerability system that helps them prioritize and address issues. Many vulnerabilities are patched through normal operational procedures: Patch Tuesday comes out, the patches are tested and validated, the patches are pushed out via the patch management system and POOF, vulnerabilities fall off the map. Of course there will be wrinkles: systems don't reboot, systems are off the wire, lots of things can interrupt a patch cycle. However, let's not keep bugging IT; let's help them figure out what needs to be addressed.


So that means we need an escalation process that works for both IT and Security.  IT needs an ‘out’ when things get tough.  That doesn’t mean ignoring vulnerabilities or dropping them into a bottomless pit.  It means keeping things on the radar and working the problem.  Security needs a path to escalate serious threats – a change in a vulnerability, an active attack, the release of exploit code – and fast track certain patches or vulnerability fixes.
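An added example of the prioritization and escalation logic the three steps above describe, written for this page over constructed data and not representing RSA Archer's module or the author's method. The score weights scanner severity by the asset criticality that the business context supplies; an exception gives IT its "out" but carries an expiry date so the finding stays on the radar; and Security's escalation triggers (an active attack, public exploit code) override a standing exception rather than leaving it parked. Asset names, vulnerability ids, severities, the threat flags and the 20-point fast-track threshold are all assumptions for illustration.

```python
from datetime import date

TODAY = date(2013, 11, 5)  # reporting date for the constructed data below

# Constructed business context from the asset catalog: criticality runs
# from 1 (disposable dev box) to 5 (crown jewels).
ASSETS = {
    "prod-db-01": {"criticality": 5},
    "prod-web-01": {"criticality": 4},
    "dev-build-01": {"criticality": 1},
}

# Constructed threat context per vulnerability id: the triggers the post
# names for Security's fast-track path.
THREAT = {
    "V-1": {"exploit_public": True, "active_attack": False},
    "V-2": {"exploit_public": False, "active_attack": True},
    "V-3": {"exploit_public": False, "active_attack": False},
}

# Constructed findings: scanner severity on a 0-10 scale plus, where IT has
# taken an 'out', the date the exception expires.
FINDINGS = [
    {"asset": "prod-db-01", "vuln": "V-2", "severity": 7.5},
    {"asset": "prod-web-01", "vuln": "V-1", "severity": 9.0, "exception_until": date(2013, 12, 1)},
    {"asset": "dev-build-01", "vuln": "V-1", "severity": 9.0},
    {"asset": "dev-build-01", "vuln": "V-3", "severity": 4.0, "exception_until": date(2013, 10, 1)},
    {"asset": "prod-web-01", "vuln": "V-3", "severity": 5.0, "exception_until": date(2013, 12, 31)},
]

FAST_TRACK_SCORE = 20.0  # assumed threshold; tune to the environment


def risk_score(finding, assets):
    """Scanner severity weighted by business criticality, so the same
    vulnerability on a crown-jewel host outranks it on a build box."""
    return finding["severity"] * assets[finding["asset"]]["criticality"]


def escalation_reason(finding, score, threat):
    """Security's fast-track triggers: an active attack, or public exploit
    code against a finding whose weighted score is already high."""
    t = threat.get(finding["vuln"], {})
    if t.get("active_attack"):
        return "active attack"
    if t.get("exploit_public") and score >= FAST_TRACK_SCORE:
        return "public exploit, high-risk asset"
    return None


def triage(findings, assets, threat, today):
    """Sort findings into fast_track (Security escalation), excepted (IT's
    'out', still tracked with an expiry) and routine (normal patch cycle)."""
    buckets = {"fast_track": [], "excepted": [], "routine": []}
    for f in findings:
        score = risk_score(f, assets)
        until = f.get("exception_until")
        exception_open = until is not None and until >= today
        entry = {"asset": f["asset"], "vuln": f["vuln"], "score": score}
        reason = escalation_reason(f, score, threat)
        if reason:
            # An escalation trigger beats a standing exception: the finding
            # is re-raised to IT, not left parked under the old decision.
            entry["reason"] = reason + (" (exception overridden)" if exception_open else "")
            buckets["fast_track"].append(entry)
        elif exception_open:
            entry["expires"] = until
            buckets["excepted"].append(entry)
        else:
            if until is not None:
                entry["reason"] = "exception expired"  # back on the radar, not forgotten
            buckets["routine"].append(entry)
    for bucket in buckets.values():
        bucket.sort(key=lambda e: e["score"], reverse=True)
    return buckets


if __name__ == "__main__":
    for name, entries in triage(FINDINGS, ASSETS, THREAT, TODAY).items():
        print(name)
        for e in entries:
            print("   ", e)
```

The routine bucket is what goes to IT in place of the "massive report": a short list already ordered by weighted score, with expired exceptions surfaced rather than dropped. The same severity-9 vulnerability lands in fast_track on the production web server and in routine on the build box, which is the "not all vulnerabilities and servers are the same" point made concrete.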


What's working in your organization? Do you have strategies in place to address these issues? What does it look like out on your ocean: boiling, lukewarm or floating icebergs? Take a look at our solution to these issues with our new Vulnerability Risk Management module for RSA Archer.
