
It sounds almost too good to be true, right? How can a business create a safer workplace for its employees while at the same time driving down costs? At first glance these two goals seem completely opposed to each other.


But if you step back and really think about the potential benefits of achieving both objectives, it quickly becomes apparent that these two goals are directly linked to each other. If a business can reduce the number of workplace-related accidents and injuries to its employees, it is better able to lower the costs to the business that come from lost employee productivity, increased healthcare costs, and fines and penalties imposed by various industry and government regulators.


But how do businesses go about implementing a comprehensive program to effectively identify, monitor and resolve workplace illness and injury events?  Using the new RSA Archer Environmental Health & Safety (EHS) solution is one way businesses have begun to resolve these challenges.  The RSA Archer EHS solution provides a systematic process to enable businesses to create and track recordable events and provides powerful dashboards and reporting tools so that employees and business owners can quickly find the information they need. 


Government regulators like the Occupational Safety and Health Administration (OSHA) have stringent reporting guidelines that require businesses to report annually on their workplace-related illnesses and injuries. Reporting this information in the required OSHA Form 300 format can often be a very time-consuming and costly process because of the manual processes and spreadsheets often used to track this information. The RSA Archer EHS solution simplifies the reporting process required by OSHA by enabling businesses to generate OSHA Form 300 formatted reports directly from Archer.


If you would like to learn more about the RSA Archer EHS solution and how it can help make your workplace a safer and more profitable one, make sure you register for the upcoming RSA Archer webcast on Best Practices for Compliance with Environmental Health & Safety Regulations by selecting the link below.


Webcast Title: Best Practices for Compliance with Environmental Health & Safety Regulations

Date and time:   March 20 at 11 am EDT



I hope you're planning on attending the 2014 RSA Archer GRC Summit in sunny Phoenix, Arizona on June 10-12, 2014! I may be partial because I've called Phoenix my home for the past 25 years, but what a great location to host this year's event. The weather will be just toasty enough to thaw you out after having frozen through this crazy winter, and the JW Marriott Desert Ridge Resort & Spa where the Summit is being held is absolutely amazing, having been there many times with my wife.


Whether you're a golfer, shopper, hiker, tennis player, hot air balloon rider, foodie, museum goer or just want to work on your tan, plan on a ton of fun things to do before, during and after the Summit.  (I should have been a travel agent). What's even more exciting is the lineup of sessions and activities being planned for you. 

Our team is hard at work to make this the best Summit yet, giving you options to:

  • Choose from 42 customer-led presentations
  • Attend 14 technical breakout sessions
  • Participate in 12 working group and roadmap sessions
  • Join industry roundtables, executive-level breakouts and analyst sessions

However, what really makes the Summit truly special is the active participation of our RSA Archer customers and partners, and there are still opportunities for you to sign up to present a session. Yes, you can present at the Summit! You can present solo or with someone else, and the benefits include having your conference fees waived, the contacts you make with your peers are fantastic, and it's great exposure for you and your organization!

Look for more blogs from me, your friendly Phoenix host, leading up to the RSA Archer GRC Summit - and I hope to see you in sunny Phoenix in June! Oh, by the way, in addition to travel host, I'm the RSA Archer GRC Strategist for Audit and Business Continuity Management, so if you have any questions about them or the Summit please email me at

Question: What happens when you get in your car, completely preoccupied, plug your phone in its charger, arrange your coffee cup, start the engine, back out of the driveway and reach the end of your street?


Answer: Ding…Ding…Ding…


Of course, the seatbelt dinger goes off.  You pause at the stop sign, reach around your shoulder, and while simultaneously changing the radio to your favorite station, you click the belt in its proper place and silence the alarm.


Why is that alarm so effective?  Usually it is in a quiet car and the alarm rivals the sound of some of the most irritating noises known to man.  The motion of buckling your seat belt is so ingrained in your brain that as soon as the alarm goes off, the required action is immediately obvious.  There is no thinking, there is no contemplating, there is just a quick sweep of the arm and the Ding goes away.

Recently, I was pointed to this article from a recent NPR show that discusses the impact of alarm fatigue in the healthcare world. One quote leapt out at me and resonated: ‘…technology has gotten out of control. "We have devices that beep when they are working normally, We have devices that beep when they're not working."’


Can alarm fatigue be a problem for the security world? You bet. Security IS a world of beeping, flashing lights. Security teams are faced every day with the “properly working beeping devices and the improperly working beeping devices” problem. Security technologies are supposed to produce alerts and data. If a security technology (firewall, IDS, SIEM, vulnerability scanner, etc.) goes dark, i.e. isn’t producing alerts, it is probably a bad thing: someone tripped over a power cable and unplugged the thing. We usually think that if a security product isn’t spitting out loads of data then it isn’t earning its keep.


Security teams have all of these beeps flowing at them. Which are the most important? Which are just noise? Which need to be escalated? Eventually, like the hospital workers in the report, security teams become desensitized to the alarms from their technologies and start missing the most impactful ones. Yet technology isn’t the only factor in the alarm fatigue facing security. A CISO and his/her team can face ‘alarms’ from a variety of sources. Does this log look familiar?

8:02 AM – Malware infection on

8:30 AM – Voice mail from colleague re: new hacker group

9:00 AM – Meeting with QSA re: last week’s vulnerability scan

10:30 AM – Sun just released a new patch to JRE

11:15 AM – Vulnerability scan on DMZ completed

11:30 AM – Meeting with XYZ department on new application being installed next week

12:00 PM – Company just like us announced major breach

12:02 PM – CVE-2014-123 just released

1:45 PM – Meeting with audit committee re: security risks

2:00 PM – System outage at a local branch

2:15 PM – Weird(?) network traffic reported by network team

2:30 PM – Security policy meeting on revising standards due to new regulation

2:53 PM – Malware outbreak on multiple machines

3:00 PM – New contractor onboarding

3:20 PM – Present Security awareness training to new employees

4:15 PM – Industry ISAC security conference call

4:32 PM – HR reports social engineering attempt

5:07 PM – Port scan on

5:30 PM – Multiple failed login attempts on

6:15 PM – Vulnerability scan found 142 critical vulnerabilities

Which of these are the most important?  What resources should be tasked with digging into these alarms?  Which represents the most risk to the organization – the malware on the unknown IP address, the regulatory compliance results, the unexplained network traffic, the social engineering attempt?


According to the healthcare report: ‘Boston Medical Center is attracting national attention as a hospital that apparently has conquered alarm fatigue. Its analysis showed the vast majority of so-called "warning" alarms, indicating potential problems with such things as low heart rate, don't need an audible signal. The hospital decided it was safe to switch them off.’ So is the answer to security alarm fatigue turning off certain alarms? Perhaps so, but I think the answer lies in adding more dimensions to these alarms than we traditionally have. We need more depth on alarms and we need the ability to quickly put together the picture around the alarm to understand the risk to the business.


How is alarm fatigue affecting your organization?  Are you taking steps to put in the right filters and dimensions to clarify the alarms?  The goal is not to eliminate the alarms but rather get the motion down to where the thinking and contemplating is minimal.  Like the seatbelt dinger, if the resolving action is understood and clear, the alarm may be addressed with a simple sweep of the arm.
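One way to add the dimensions this post asks for, as an added example that is not from the original post or from RSA Archer: each alarm carries asset criticality, exposure, likelihood and a known-playbook flag, and only alarms without a clear resolving action interrupt an analyst. The dimensions, their scales, the threshold and the context values are assumptions; the entry texts come from the sample log above.

```python
from dataclasses import dataclass

@dataclass
class Alarm:
    time: str
    text: str          # entry text from the post's sample log
    criticality: int   # 1..5 business importance of the affected asset
    exposure: int      # 1..3 (isolated, internal, internet-facing)
    likelihood: int    # 1..5 chance the alarm reflects a real event
    playbook: bool     # True when the resolving action is already defined

def score(a: Alarm) -> int:
    """Business-risk score built from the added dimensions (range 1..75)."""
    return a.criticality * a.exposure * a.likelihood

def tier(a: Alarm, silent_below: int = 15) -> str:
    if score(a) < silent_below:
        return "record"      # kept for batch review, no interruption
    if a.playbook:
        return "playbook"    # resolving action is known: the "sweep of the arm"
    return "interrupt"       # needs an analyst's judgment now

def triage(alarms):
    """Group alarms by tier, highest score first within each tier."""
    out = {"interrupt": [], "playbook": [], "record": []}
    for a in sorted(alarms, key=lambda a: -score(a)):
        out[tier(a)].append(a)
    return out

# Context values (the four numeric/boolean fields) are constructed for illustration.
SAMPLE = [
    Alarm("8:02 AM", "Malware infection", 2, 2, 5, True),
    Alarm("2:15 PM", "Weird(?) network traffic reported by network team", 4, 3, 2, False),
    Alarm("2:53 PM", "Malware outbreak on multiple machines", 4, 2, 5, False),
    Alarm("4:32 PM", "HR reports social engineering attempt", 3, 2, 4, False),
    Alarm("5:07 PM", "Port scan", 2, 3, 1, False),
    Alarm("5:30 PM", "Multiple failed login attempts", 5, 3, 2, True),
]

if __name__ == "__main__":
    for name, group in triage(SAMPLE).items():
        for a in group:
            print(f"{name:9} {score(a):3} {a.time:8} {a.text}")
```

With these constructed values, three of the six alarms reach an analyst, two go straight to a defined response, and one is recorded without interrupting anyone.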

I was watching The Cryptographers' Panel keynote session at the RSA Conference last week and learned that the security geniuses have figured out how to capture decryption keys from laptop computers by acoustically listening to them. I was blown away by this piece of information because I grew up as an IT auditor thinking the coolest way to compromise a computer was through electromagnetic monitoring. Not any longer: acoustic monitoring is even cooler!


Beyond the realization that computers may need to be constructed in the future to prevent them from being compromised acoustically, this brand new, rather esoteric bit of technical information reminds me of a profoundly important principle of effective risk management: you not only have to have competent risk managers in place but risk managers have to be vigilant to changes in risk profile. 


Changes in an organization’s risk profile originate both internally and externally.  Changes in risk profile often originate from internal activities such as the introduction of a new product, changes in people, process, technology, and mergers and acquisitions.  In the case of acoustic cryptanalysis, the change in risk profile originates from a brand new, externally discovered, technology threat.


In either case, risk managers need to proactively identify and assess changes and ensure that the organization’s risk profile remains within its tolerance level.  This requires risk managers to be tuned into internal changes within their organization as well as external factors that could impact it. Staying on top of internal activities that may affect risk profile will be much less challenging for organizations that utilize GRC technology that automatically alerts them when such changes are occurring.


Staying on top of external activities that might impact an organization’s risk profile is more challenging.  Evaluating the impact of externally originating threats often requires examining external data such as published loss events, market prices, interest rates, and credit scores on customers and vendors.  It requires monitoring changes in regulations, competitive intelligence, customer preferences, economic conditions, and market demand.  Lastly, it requires risk managers to understand their field of expertise not only from a historical perspective but to stay abreast of new and emerging threats that could impact their organization.


On-going awareness of internal and external changes is a big step toward removing uncertainty.  It alone does not guarantee an organization will meet its objectives.  However, organizations that effectively apply this awareness to evaluating changes in risk profile are much more likely to prosper over those that do not.
