
Whether you're a World Cup 2014 soccer fan or not, you've probably heard about Tim Howard, the goalie for Team USA. Tim had an unbelievable performance during Team USA's run through the World Cup tournament, but especially against Team Belgium, where he recorded 16 saves, the most in a World Cup game since 1966. Check out this amazing picture of all his saves in one combined shot!

How did he accomplish such an amazing feat? What did he do to prepare and what strategies and tactics did he practice that worked so well?  Before I answer, here are a couple of interesting soccer facts.  A soccer ball can hurtle from any direction through the air at 80 miles an hour striking with about 5,000 pounds of force. Howard's job is to react instantly to catch or block these cannon balls. "I'm constantly strengthening my core because that's what gives me the ability to react faster and the stability to control my body better", says Howard. His training focuses on speed, balance and range of motion. Tim has to be able to shift his body weight and throw himself in any direction, without any preparation. His agility workouts combine explosive lifting, core exercises, jumping drills and boxing. To draw a comparison here, does internal audit ever have to react quickly and adjust their audit plans to address new risks? How have they prepared to do this?


Goalies are so important to a soccer team because they are the last line of defense against attackers. To draw another internal audit analogy, you could call goalies the "third line of defense". Behind control owners (forwards) and risk and compliance groups (defenders), internal audit (goalie) is often that last line of defense to fend off shots (risks) after the rest of the team (e.g., risk and compliance groups) has played its positions.


The team approach to both soccer and internal audit is important too as success comes from the strength of the team and their approach.  Soccer teams use strategies that vary based on their philosophy and strengths.  Some strategies include attacking, defensive, high pressure, low pressure, possession, counter attack, long ball or exploiting formations.  One of these stood out to me - low pressure, which is where all eleven players behind the ball defend as a collective unit. They cut the field in half and make the opposition break them down. This struck a chord with me because internal audit, risk and compliance teams, and other related groups must also "defend as a collective unit".  Their posture is often both offensive and defensive as they identify and defend against existing and new risks by implementing effective control strategies.


I've loved watching the 2014 World Cup and also enjoy my role helping internal audit groups leverage their larger "team" to supplement their role as the company's "third line of defense".  To draw one last soccer analogy, there's a tactic that's difficult to teach kids when they're learning the game of soccer, called "go to the open spot". Kids want to run to where the ball is right now. The problem is that by the time they get there, the ball is gone. We try to teach them to run to where the ball is going to be, not where it is right now.  The question I'll close on, is this - Is your combined internal audit, risk and compliance "team" playing the game together, and are you "chasing the ball" with compliance-driven strategies or headed to where the ball is going to be using risk-driven strategies?  Be the Tim Howard of internal audit!  Contact me at with your feedback or questions.

The sentry walked along the rampart peering out into the misty darkened sea.  Weary from his nightly watch, his feet clumped along the stones of the high fortress wall.  He paused as he noticed a distant fragment of the fog swirl and he heard a distinct snap echoing across the water.   As he strained his eyes into the haze, a form began to take shape.  He saw the flash of fire and then heard the vague boom of a cannon.  The ship materialized instantly.  He turned and ran along the wall shouting “Alarm! Alarm!”  Cannon fire from the ship erupted spewing hot massive balls of lead speeding toward the fortress walls as the first explosion shattered the night.


Such was my imagination roaming as I stood on the walls of Castillo de San Cristóbal in Puerto Rico on my vacation last week. As a military history hobbyist, I love visiting historical sites, and the fortresses in San Juan, Puerto Rico (Castillo de San Cristóbal and Castillo San Felipe del Morro) provided me with plenty of reverie. As excellent examples of Spanish fortifications from the 16th and 17th centuries, the fortresses offered everything you would expect: high stone walls, thick ramparts, cannon emplacements, well-placed sentry turrets. As I stood on the massive castle walls, I couldn't help but think how the original builders must have thought of the fortification as completely impregnable. How could anyone breach these walls? However, time marched on, technology changed, and seemingly impregnable fortresses have all at one time been attacked and defeated.


In security, we are constantly challenged with this same principle.  As soon as some fortification or defense is built (and perceived as impregnable), the game changes and the attackers find new ways around the ramparts.   Whether it is new malware, exploiting the human factor or just the pure brute force of DDoS, we read stories of impregnable walls breached every day.  What are some of the lessons we can learn from those fortress builders of years gone by?


  • The impregnable is never impregnable. History teaches this lesson upon lesson. What we can learn is that the impregnable is only impregnable at one point in time. Once some defense is in place, the plan for how that defense should be improved, fortified or even replaced must be initiated immediately, because the attackers are already planning how to defeat it.
  • The walls will always be breached. There are multiple instances where the reliance on the defensive structure is so complete that the defenders cannot conceive of any outcome other than the attackers being thwarted (think Maginot Line). As soon as the walls are breached, the strategy breaks down and the defenders are thrown into complete chaos.
  • Protection of the fortification does not equate to protection of the population. Castillo San Felipe del Morro is a great example. In 1625, while under attack by the Dutch, the fortress withstood the invasion. Unfortunately, the town itself was sacked and burned. A great outcome for the generals, not a good outcome for the poor villagers.


Security has to be a constant flow and evolution within an organization.  Firstly, security strategies must be fluid and no defense should be considered impregnable.  There always must be movement forward to ensure protective and defensive measures are evolving and improving.  Secondly, a breach should be expected… anticipated - perhaps even welcomed.  Why? Because in today’s digital security world, if you haven’t found a breach, you probably are not looking in the right places or you are blissfully blind to the ransacking going on in your village.  And finally, security needs to understand exactly what it is protecting.   Understanding and connecting to the business is what will give security the motivation to keep evolving and addressing emerging threats.  I pity the soldier that stands safely on the walls of a fortification watching the village burn to the ground outside.


For those of you that missed it, last year EY released the results of a significant global, quantitative survey assessing the maturity level of risk management practices relative to performance.  In this report, Turning risk into results: How leading companies use risk management to fuel better performance, EY found that:

  • The top-performing companies (from a risk maturity perspective) implemented on average twice as many of the key risk capabilities as those in the lowest-performing group;
  • Companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%; and
  • Financial performance is highly correlated with the level of integration and coordination across risk, control and compliance functions.


These are significant findings, further highlighting the most important drivers for an organization to adopt ERM and mature its risk management program: increased performance and shareholder value! If you are responsible for implementing your organization's risk management program, do share this information with your leadership team. It will help you coalesce support for the initiative, speed the program along, and silence naysayers who may be skeptical of the benefits.


The full report can be obtained at the following link:$FILE/Turning%20risk%20into%20results_AU1082_1%20Feb%202012.pdf

Hello everybody! On the heels of the Archer Summit I’m very pleased to announce the latest Archer content update is available. The last one was big but this one’s a monster! In addition to mapping enhancements for HIPAA and NIST 800-53 we also added supplemental content to PCI v3, developed the PCI Self-Assessment Questionnaire stack, completed the NIST CSF true-up to the final version and added mappings, and did a full top-down refresh of all NERC content!


But wait there’s more! New policy content! We added new top level policies for financial services and healthcare-related items, enhanced many existing policies, and updated the policy library mappings to Archer Control Standards.


This release is cumulative of Q1 and Q2 development efforts. This includes both new content as well as updates to existing content elements already in your library. So you’ll want to pay special attention to the release notes and supplemental documentation before processing them to ensure everything is well understood. The update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too – whatever you need. And keep on the lookout for more exciting content developments debuting soon!


Happy Independence Day!
