
To begin, I wanted to provide the link to Part 2 of 3 of the Continuous Monitoring white paper series, available here.


I also wanted to mention some of the developments in the CM world since my last blog.


As mentioned previously, the Dept. of Homeland Security (DHS) is using the term Continuous Diagnosis & Mitigation (CDM) to refer to CM. DHS is working to build a CDM dashboard for the entire federal government. The CDM dashboard contract is moving forward. An integrator has been chosen for the project: InfoReliance, a current RSA Archer partner. Read more here. Potential solutions are being considered. RSA Archer is, of course, among these candidates.


On a related note, “Ongoing Authorization (OA)” is becoming the de facto term to describe the use of CM to maintain security authorizations. A few weeks ago, NIST released implementation guidance on this subject, available here.


I will be posting another blog before the end of the month to announce the third and final part of the CM white paper series. I think at that time, I will also hopefully have some news to share regarding RSA Archer’s upcoming Continuous Monitoring v2.


Thanks for reading. As always, please email with comments or questions.



Read an interesting article over at HBR recently (“Forget the Strategy PowerPoint” by John Kotter) that argues for better ways to articulate high level strategies.


The gist is that it’s already hard to communicate a strategy anyway, but even harder when all you have is a bunch of slides. People’s attention is often divided and it’s easy to misinterpret complex ideas without the full context driving the strategy. So why not ditch the strategy presentations altogether in favor of telling more exciting stories centered around “big opportunities” instead?



In his article Kotter focused on the challenges that executives often face when unveiling strategies to their organizations. Whatever difficulties the CEO faces in making an argument down from the top, we can all probably speak from experience that it can be even harder going the other way and selling ideas upward. So maybe this “opportunity philosophy” could hold water at any level of the organization?


Kotter suggests that where full-blown strategy statements can be long and complicated, effective opportunity statements are simpler and easier to communicate. Some of the most important characteristics include keeping them short (half a page or less), rational (grounded in current reality), compelling, positive, authentic, clear, and aligned with existing goals. The inset figure shows an overview of how to connect the opportunity vision to change.


In many ways this falls right in line with conversations we've been having with many of you this year around several key areas of opportunity such as business resiliency, operational risk, and of course my personal favorite, regulatory and corporate compliance. Those of you that attended the Archer Summit saw this underscored throughout the week and in fact many of you were the ones actually driving those discussions and telling the best stories of all!


So for fun let’s give Mr. Kotter’s theory a try. Here’s a possible take on the big opportunity that exists in the area of regulatory and corporate compliance. And while we’re at it, how about we throw in a nautical theme after last week in the desert? Here goes…


For some industries, regulatory scrutiny has been a daily reality for decades. However, the days of “those guys” being the only ones with compliance challenges are long gone. Today any modern enterprise, regardless of industry, is feeling the pain, especially when it comes to technology and protecting sensitive information. This is on top of merely trying to keep the business afloat amidst the increasingly dicey seas of global competition.


Since compliance is NOT the average company’s main business focus, this rising tide of obligations serves to increasingly distract companies from their core missions. Costs and negative effects on productivity continue to pilfer resources away from strategic initiatives, squeezing companies from both sides until their only options left are bad ones. Which poison should they pick? Do they continue ratcheting up compliance spending as their business suffers setbacks? Or do they hold fast and roll the risk dice against a negative event such as a security breach or serious violation? An armada of competitors is on the horizon while regulatory sharks constantly patrol for their next meal. Not the situation to be in with a leaky boat and a nervous crew.


Imagine a different world with calm seas and favorable winds where compliance wasn't nearly so painful or expensive because things just “worked” as they should. What if your compliance program could be like a fast, watertight ship gliding effortlessly across the open water and speeding safely to whichever ports of call beckoned the business next? What if your crew were so practiced they could respond to changing conditions with minimal effort and without drifting off course or losing speed?


We believe this describes how a streamlined compliance program should function. Companies that embrace this philosophy stand to fundamentally transform compliance from a success barrier into a true competitive advantage. They will prosper while their competitors are tossed about in the wake, struggling to keep up. This is not a future fairy tale. The capabilities are here today with a clear direction to navigate for those adventurers that choose to set sail on these compliance winds of change.


Is there a new story you'd like to tell around your dockside water cooler? We can help!

I'm thrilled to announce the release of the latest RSA Archer Audit Management solution! This has been a collective effort between our strategy, product and engineering teams, driven by fantastic feedback by our Audit Working Group, advisory partners and analysts.

When we started this journey, we had specific goals that we were looking to achieve.  But, based on all of our partner and customer feedback, we've not only achieved those goals but far surpassed them - and here are just a few examples:


  • We offer a solution that enables Internal Audit organizations to execute their entire lifecycle in one tool - no more separate spreadsheets, reporting packages or databases. RSA Archer Audit Management combines Institute of Internal Auditors and COSO standards with best practices - both for Internal Audit and Governance, Risk and Compliance disciplines.
  • We propel Internal Audit groups ahead as they mature their organizations from being siloed functions to working with and then aligning with their organization's risk and compliance functions. This not only gives them visibility into how other groups are assessing risks, testing controls and evaluating the business, but also enables an alignment of approaches, resources and results.
  • We offer a true offline audit solution that allows audit teams to work in connected or unconnected modes and allows multiple team members to work on the same audit record.


There's so much more, and the links at the bottom take you to all the details.


The world of Internal Audit is changing - and fast. The goal for Internal Audit all along has been to be that independent assessor of controls and risks - the "third line of defense". That hasn't changed. What has changed is that Internal Audit must:


  • Demonstrate their value more and more to the organization
  • Show how they complement other risk and compliance groups
  • Prove that they are in touch with the needs of the organization and its strategic direction
  • Demonstrate that they focus on critical risks
  • Show that they are a strategic partner to management

The new RSA Archer Audit Management solution enables Internal Audit groups of all sizes, industries and markets to progress toward this vision - no matter where they are on the path to maturity.

We've given sneak peeks to many existing and prospective customers, partners and analysts and the feedback is unanimously and overwhelmingly positive! We think you'll like it too. Please contact me at for any questions you have, and here are a few links to give you more information.


This week I attended the quarterly chapter meeting of the Information Security Forum. As this was a combined meeting of the North American and Canadian chapters, it offered an excellent cross section of industry and geographic sectors. The meeting was filled with great conversations on the security topics challenging CISOs today.


At one point in the meeting, I paused and surveyed the room noting the different personalities that have risen to the tops of the security food chain within the companies attending.  Representing several large, multi-national organizations, the CISOs present discussed many different topics.  One significant observation was the business acumen of the people responsible for dealing with an extremely technical discipline, working with a broad contingent across the organization and protecting complex infrastructures against an advanced and determined adversary.  No longer is the discussion around DMZs or SQL Injection attacks.  The discussion revolved around supporting business initiatives, third parties, engaging the business in controls design, understanding data and all of those good things that should be part of the conversation.


When a CISO can give a presentation with an entire preface on their company's business - and not just the veneer that can be gleaned off the website or looking at their products in the store but the history, the evolution and the innovation that has driven the company's success over the years, it provides an impressive backdrop to discuss any security challenge.  I saw this same type of business orientation and appreciation last week at the RSA Archer Summit across many different security, risk and compliance roles.


As I listened to these CISOs, I noted some key personality attributes:

  • I imagined how approachable they must be within their own businesses when discussing security issues. CISOs have to have this openness for the business to be comfortable discussing risk and, at times, dealing with tough choices. Many times these CISOs have come from the business - having already demonstrated key leadership attributes in the company - giving them the ability to put themselves in the shoes of business management.
  • CISOs must have passion and an assertiveness to engage and pursue the business. The CISO role is not for the passive and faint of heart, and the CISO can't be the "man behind the curtain" pulling on the chains. Building relationships is an absolute part of being a CISO. CISOs many times have the 'protective instinct' of a mother bear, and if fellow management understands that, they can depend on the decisions made by the security organization.
  • Hard decisions are rampant within the security function. CISOs must have the courage to stick to their guns and make the case to balance security and risk. When it comes to fighting for what is right, CISOs must be able to back up their opinion with the facts and then guide the discussion in a positive direction.
  • Finally, the CISO must be trustworthy, to assure the business that the security efforts are reasonable and in everyone's best interest. There has to be a level of trust before a CISO comes to the business asking, or demanding, a certain earmarked budget to protect a business initiative.


The CISO role in an organization is not a technical role and it hasn't been for several years.  Building a partnership with the business, and determining the strategy to protect that business, is the fundamental objective of the CISO.   The technical skills and expertise within the organization must then flow from there.  I have been evangelizing the "business context" need within security for a long time.  These conversations at the ISF meeting were further evidence of the need to infuse security operations and technical efforts with an understanding of the business.    When a CISO is armed with the operational details of the day-to-day security efforts in terms the business understands, that approachable, passionate, courageous, trustworthy personality can kick in and truly impact the organization.

The 2014 GRC 20/20 Value Award nomination process is underway.  The Value Awards recognize organizations that have implemented GRC solutions that have returned significant and measurable value.


This year, Michael Rasmussen with GRC 20/20 has many use case categories available in which you can submit a nomination including:

  • Audit Management & Analytics
  • Business Continuity Management
  • Compliance & Ethics Management
  • Enterprise GRC Architecture & Integration (cross department enterprise GRC strategy and implementation)
  • Enterprise Legal Management
  • Environmental Health & Safety
  • Identity & Access Governance/Management
  • Information Governance (classification & control of information)
  • Internal Control Monitoring & Assurance
  • Issue Reporting & Investigations
  • IT Security, Risk, & Compliance (IT GRC focused on information & technology)
  • GRC Data Integration, Modeling & Analytics (dealing with big risk and regulatory reporting needs in complicated environments)
  • Policy & Training Management
  • Risk Management (Enterprise or Operational Risk Management – but across organizational areas with differing risk analytic and reporting needs)
  • Third Party Management
  • Specific Issues/Risk/Regulations (e.g., Anti-Bribery & Corruption, Conflict Minerals, AML, Privacy, PCI, and hundreds or thousands more).
  • Other


Nominations are due June 30, 2014.  Award recipients are notified in August and announcements will be made in early September. 


Please note that GRC 20/20 is looking for specific, quantifiable value for these use cases.  If you are interested in nominating your use case and would like some assistance, please feel free to contact Susan Read-Miller and I will be happy to provide some guidance.

At the RSA Archer Summit in Phoenix this year, the theme of pioneer spirit and innovation permeated the event. Art Coviello’s opening keynote outlined the technological advancements driving business and the collective challenges across the industry. Gen. Wesley Clark highlighted the growing threats in our world. Amit Yoran articulated how digital risk and business risk are now inseparable, and Eric Erston’s call to action to transform compliance, harness risk and explore opportunity inspired us all. The sessions this year continued in the legacy of previous Summits, sharing best practices and war stories from the front line of trailblazers in our industry. The thriving city of Phoenix was the perfect backdrop for this collection of innovators.


The expansion west all started with the Louisiana Purchase. This purchase was a gamble for the Thomas Jefferson administration, since most of the territory was unexplored. It was mainly driven by the need to protect trade access to the Mississippi River. It was not really as strategic as it seems now – it was a tactical answer to an emerging problem. The territory had lots of potential, but no one had a clear picture of its vastness and actual value. Exploiting the territory wasn’t the immediate driver – it was a tactical step that turned out to be an immeasurable turning point in the future of the country and the world.


This parallels many companies’ journey to GRC and our customers’ purchase of Archer. Our customers often buy Archer as a tactical answer to immediate needs – compliance, risk management, business continuity, IT security, audit, etc. While there is a sense of future value, most often there is a lot of unknown and unexplored potential. Those customers that have been exploring the territory (implementing Archer) for a period of time have discovered all of the natural resources (unlocking the potential of GRC and Archer, so to speak). The many new customers are just expanding their understanding of what the potential is but still need to deal with tactical issues. They all at some time stood on the bank of the Mississippi looking at the daunting task of exploration but knowing that riches and wealth are just beyond the horizon.


The Western expansion in the United States has been a journey based on technology.   There are many parallels when you think of that historical perspective and the journey our customers are taking for GRC:

  • Transportation evolved from trading paths leading to roads leading to trains expanding the West and forging new communities.  This expansion is similar to how organizations broaden the footprint of GRC in the company breaking down silos and building channels across operational functions.
  • Communication technologies transitioned from messages passed along trading routes to the pony express to telegraph systems connecting towns together.   Many of our customers articulate how communication and collaboration has expanded in their company through GRC.
  • Homesteaders facing the wild frontier organized into small settlements then into towns and ultimately from a territory into a state.   Sounds like some of the momentum we see in our customers as they develop their GRC programs from grass roots efforts to a core business discipline.
  • And finally, the Wild, Wild West was transformed by the improved safety and stability from town sheriffs and escalating to US marshals and formal government.  The reduction of risk made it safer to live in the West just as GRC strives to reduce risk and make it safe for the business to explore and realize new opportunities.

All of these advancements led to the country exploiting the opportunities and tapping into the natural resources of the territory.  Out of that effort, we saw the result – Phoenix, a thriving modern city.


At the Summit, we used these concepts to bring our customers together through the many personas that made the expansion West possible.

  • Sheriffs – Risk and Security people
  • Gunslingers – Technical administrators
  • Trailblazers – special designees for those people responsible for bringing Archer into a company and program sponsors
  • Prospectors – those evaluating Archer and GRC
  • Homesteaders – Compliance people representing most often the first people to embark on the GRC journey

These personas helped our customers connect with like-minded explorers of the GRC landscape and highlighted the different roles it takes to create a settlement, organize into a territory and achieve statehood.  In other words, the many different skills and expertise it takes to make GRC a success in an organization.


This was my sixth Archer Summit.  Each year, I am amazed at the growth (we had over 1,000 people this year), the level of sophistication and the amazing openness of our customers to help each other conquer the challenging frontier of GRC.  As I tried to tweet out highlights, as soon as I heard one great quote to tweet, a customer would offer up another nugget of insight.  It was a constant flow of information and a great week.  Thanks to all of our customers for participating in such a wonderful, open community and sharing your knowledge as we all continue exploring the land of Opportunity.


For more information on exploring your land of Opportunity, read my blog and download our new white paper on "Risk Intelligence".

“En Garde…Thrust…Parry…Riposte”   For those of you who either are a fan of swordplay, or have seen at least one Errol Flynn movie, you will recognize these terms from Fencing. While I have never fenced in my life, I do have a solid understanding of the back and forth nature of conflict. Many moons ago, I enjoyed training in mixed martial arts and experienced it firsthand. For every offensive move, a defensive move must parry the attack. Security in many respects is a constant series of clashes.


Based on experiences early in my career, I always view security in terms of “Security of Inclusion” and “Security of Exclusion”. “Security of Inclusion” represents letting the good guys in to what is necessary based on business requirements.   “Security of Exclusion” represents keeping the bad guys out and all of the mechanisms to defend and respond to attacks.  These two worlds naturally have a certain tension – open, shared environments vs. closed, secured environments. Security teams always look to achieve balance between guarding the doors while allowing ease of access.


The war on the “Exclusion” side is an even more pronounced battle, as defenders and adversaries are in a constant state of thrust, parry and riposte. Adversaries have a growing arsenal of tools – phishing, zero days, drive-bys and so on – that provide ample ways to sharpen their rapier. Defenders in turn need to hone their sabres. Such is the life of a security professional. It is a war of attrition, and the tools for the defenders must continue to evolve – refining the blade, so to speak. Much of the conversation on the “Exclusion” side is being driven by the wide variety of threats organizations face. Gartner recently released some excellent research on Vulnerability Risk, Threat Intelligence and Threat Assessment which highlights the ongoing need to bolster processes that understand where the organization is vulnerable and what types of threats are the most dangerous. This is just one example of views across the industry advocating a continued evolution of threat and vulnerability management within an organization today.


I have blogged about Vulnerability Risk Management in the past. Most recently, I highlighted how RSA Archer’s Vulnerability Risk Management assists customers in identifying Heartbleed-vulnerable systems. I am pleased to share with you that the latest release of RSA Vulnerability Risk Management (VRM) is now being showcased at the RSA Archer Summit 2014, starting today. The new features of RSA VRM expand the coverage of vulnerability scanners with the addition of support for Rapid7 and Nessus (Tenable) scanners. In addition, customers will have more flexibility to integrate a scanner of their choice by making use of a generic XML scanner interface. Vulnerability Management is a key part of the security arsenal, and the sharper it is, the more prepared an organization is to repel an attack. RSA VRM provides an organization with a single pane of glass to collect, analyze, prioritize and track remediation of vulnerabilities identified during scanning processes. Like a well-rehearsed parry, identifying and closing vulnerabilities in a timely fashion is an absolute must for organizations fending off the thrust of today’s adversaries.

I am a big fan of The Big Bang Theory.  For those of you familiar with Sheldon, Leonard, Raj, Howard and Penny, you will already have an idea of where I am going with Schrödinger’s Cat.    Schrödinger’s cat has been referenced throughout the show as a mechanism to explain several situations within the plucky band of nerds. For those of you not acquainted with the show, please have patience as I weave my way through risk management (of which I know a good deal), thought experiments (of which I know little) and quantum mechanics (of which I know even less). 


Erwin Schrödinger, an Austrian physicist, posed a thought experiment in 1935 to articulate a theory in quantum mechanics on how something could be in two states at once.  His thought experiment was, in a nutshell, if you place a cat in a box with poison, from the world outside the box, the cat can be considered both DEAD and ALIVE. (I apologize for all of the cat lovers out there.  I didn’t pick a cat for this experiment; Herr Schrödinger did.  I will be asking for forgiveness from my own two cats, Ninja and Ilsa, when I get home.  And it was a THOUGHT experiment.  No cats were harmed in the making of this blog.) The experiment illustrated that until the box is opened and the cat is observed, the most accurate answer to “What is the state of the cat?” is the cat is both alive AND dead.  A fairly morbid proposition but it became a benchmark illustration of how atomic particles can be considered in multiple states at the same time given equal probabilistic outcomes until definitively observed.


Now, what does this have to do with Risk? It is obvious if you are the cat, but what about the rest of us?


Businesses are in two states all the time; every business situation has elements of both Risk and Reward.  When you think of risk, most often the conversation immediately drives toward the negative conversation.  Take the classic “crossing the street” risk.  We always start with the Risk is that you get hit by the car.  The Likelihood of that risk is dependent on how busy the street is, how fast you walk, did you look both ways before crossing, etc.  The Impact is…well – painful… But we many times forget about that other side of the coin.  The Reward is you cross the street safely and have the Opportunity to ask the chicken why he crossed the road.  (insert groan at the bad joke here)


Too many times risk managers focus on the negative attributes of risk.  What happens if X goes wrong? What is the likelihood?  What is the impact?  However, most risks have a negative AND positive state.  Every risk has some opportunity associated with it.   Technology innovations, new business models, cloud computing, extended enterprises and third parties – each of these has a Risk and each has a Reward.


This is where Schrödinger’s cat comes into play. It is only when more information is gathered around the situation that the risk comes into focus. If you look at the poor cat in the box, the more information we have, the better chance we have of understanding whether the cat is dead OR alive. We can change the probability of the outcome based on facts. Does the poison have a smell that repels the cat? Is the poison tasteless? Is the poison inserted into a nice piece of juicy salmon? All of those pieces of information give us better insight into the state of the cat.


Organizations are facing instances of Schrödinger’s cat every day. The ability to determine the state of a risk depends on how many facts can be compiled about the business, the risks and the opportunities, and how well those pieces of information can be put together. When an organization innovates, breaks new ground, launches a new service, opens a new market or embarks on a new journey, the opportunity has both RISK and REWARD. Moving forward, the organization needs to balance those two states. However, most organizations have a natural tension between what they WANT to do to get the reward and what they HAVE to do to manage risk. Mastering this friction is the basis for Risk Intelligence.


I am pleased to announce the publication of the white paper “Risk Intelligence: Harnessing Risk, Exploiting Opportunity” at the RSA Archer Summit.  This paper explores how organizations need to change the conversation from the negative risk landscape to the positive opportunity landscape.  We are moving to a world where risk management will become the primary source of competitive advantage.  Rather than avoiding risk, organizations need the ability to embrace risk. Risk management will become the core capability which separates winners from losers. Organizations that understand and manage risk effectively will prosper while those that can’t will fail.  Today’s business environment is not a Thought Experiment.  No organization wants a fatality on their hands – even if it is an imaginary cat.
