RSA Archer Suite Blog, August 2014

I would like to introduce you to a GREAT new video that we just released that illustrates how organizations can manage operational risk using RSA Archer.  This professionally developed video is suitable for stakeholders at all levels of an organization to gain an understanding of the real world use of RSA Archer by senior management teams responsible for operational risk oversight and corporate governance.  This video demonstrates how RSA Archer provides transparency across operational risk activities, agility in identifying and addressing operational problems, and how RSA Archer promotes the necessary risk intelligence to optimize an organization's performance.

This video can be viewed from the following link: https://community.emc.com/videos/12017

For further perspective on how RSA Archer can promote risk intelligence within any organization, please download this white paper: http://www.emc.com/collateral/white-papers/h13175-risk-intelligence-wp.pdf

Financial services organizations (banks, insurance companies, mutual funds, broker/dealers, etc.) are encouraged to download the following white paper for a deeper dive into managing operational risk within financial services: http://www.emc.com/collateral/white-paper/h12564-financial-managing-operational-risk-wp.pdf

Continuity Central recently asked RSA Archer about business continuity software usage.  Here are the results of the interview:

Continuity Central: What trends are you seeing in the way business continuity managers are using specialist business continuity software?

RSA Archer: At RSA Archer, we see more focus being placed on substantive business impact analyses, understanding the organization better, workflow and more balanced and comprehensive reporting.  There is movement away from a one size fits all approach and shifts toward making business continuity planning and provisions commensurate with the risk and impact of losses as well as impacts over time, making BC planning a risk and cost/benefit decision.  Also, BC managers are using BC software that enables them to establish relationships and dependencies between business processes, people, locations, information and technologies.

Continuity Central: Our recent Business Continuity Software survey shows that just over half of BC managers (53% of 470 respondents) currently use specialist BC software.  Is that figure lower or higher than you would expect? Why do you think that more people don't use specialist BC software?

RSA Archer: This is about what I would expect for several reasons.  More organizations don't use BC software because of budgetary issues and they can't convince senior executives of the benefits because they haven't properly assessed the risks.  Some organizations are in industries where BC planning isn't prevalent, or they may only have one resource performing planning as a 'check the box' activity for regulators.

Continuity Central: The above survey asked respondents to rate the BC software they use on a scale of 1 to 10 for various aspects.  The area with least satisfaction was 'Ease of Use'.  Is this a surprise to you? Why?

RSA Archer: BC software takes learning and getting used to a new tool, as well as maybe new ways of doing BIAs, documenting plans, etc.  Users are accustomed to and perceive spreadsheets and Word documents as being easier to use because of familiarity and the inherent flexibility to change templates and enter information 'on the fly'.  This same flexibility is a detriment at a program/administration level because of the lack of consistency, control, workflow and reporting.

Continuity Central: What would you say are the main advantages of using specialist BC software over standard software such as Microsoft Excel and Word?

RSA Archer: Best practices and standards (ISO 22301/22313) are built in, as well as consistency, control, workflow and reporting.  Some tools, like Archer, are integrated with other related disciplines like compliance, incident management or vendor management.

Continuity Central: Do you think that demand for ISO 22301 certification will result in increased use of specialist BC software?

RSA Archer: Yes.  Based on the rigor recommended by the standard, the need for specialist BC software that aligns with the standards (22313 as well) will increase.  Also, workflow, analysis and automation that these tools provide will continue to drive usage up.

Continuity Central: In general, do you think that the way people use specialist BC software is changing?

RSA Archer: Yes, I believe the way people use the software is changing.  For example, risk management is an area most BC teams only perform in a very cursory manner or just based on location specific risks.  The question of 'what can go wrong' is driving an increased focus on better risk management capabilities not found in most BC software.  Users also want software that integrates with related areas to BC, such as managing continuity of third parties, incident management, security and compliance.  Standalone systems just aren't adequate enough for growing, complex and global organizations that need to manage these interrelated disciplines.

The RSA Archer responses were provided by Patrick N. Potter, CBCP, CISA | GRC Strategist, Business Continuity and Audit.  For more details: http://www.emc.com/security/rsa-archer/rsa-archer-business-continuity-management.htm

It is hard not to like the Marvel movies that hit the big screen every year.  Being a pseudo-geek (pseudo because I have no comic book collection or replica light sabers mounted on my wall), I enjoy the world Marvel has created.  Even on the little screen, Agents of S.H.I.E.L.D. has become a staple in my house despite them calling out their "RSA hack" in the early episodes.  It isn't our fault Tony Stark's Gmail account was compromised.  Someday, Director Fury will open up about the closed door sessions he had with Art Coviello and how RSA helped them get a handle on their security analytics, but I digress.  Marvel's latest creation - Guardians of the Galaxy - has hit the theaters in a big way this summer.  Who couldn't be pulled into a world where a band of misfits battle evil despite all the odds?  If you are a security professional, you should immediately identify with this plot.  I mean - look across the cube farm outside your cubicle.  For goodness sake, one of the characters is named 'Groot'.  Makes you think of your Unix guru, perhaps?  Even if you don't identify with each character, your security team would most likely appreciate the label of 'band of misfits'.  So where do these 'bands of misfits' fit in today's world?

I discussed in my last blog the crucial point we are at today - highlighted by Art Coviello's and Amit Yoran's keynote speeches at RSA Asia - when it comes to the security industry and the need for intelligent design rather than brutal evolution to drive our collective security strategies.  Last week, Jeff Moss, aka Dark Tangent, opened Black Hat 2014 with a call for 'Radical Simplicity' as the key to dealing with the exploding complexities of technology. Dan Geer then rallied for a series of steps to build a more secure, and trusting, technology driven society.  At both the Black Hat and DefCon conferences, the theme of relevancy permeated the events.  Yes, of course, there are the headlines of the data breaches, the 1.2 Billion passwords hijacked and the other usual fodder stressing the need for better security.  But when you look at technology - when you really look at it - we sit on the eve of some truly magnificent potential for the human race.  And security - more accurately Trust - is in the eye of the storm.  And that, my friends, is what they call Relevancy with a capital "R".

I wonder if the cavemen who discovered the wonders and usefulness of the first projectile had this same sense of relevancy.  If they knew what that idea would result in, would they have pursued that path?  While the first stone thrown may have resulted in dinner for the clan waiting in the cave, the next few millennia unfolded and before we knew it, we have Nagasaki and Newtown.  I believe those early pioneers would have continued on their journey exploring the technology of the projectile for pure necessity, but with an increased sense of responsibility and moral imperative.

We are on the cusp of the same path with digital technology.  If you think technology is ingrained in society today - wait until ten years from now, twenty, fifty... Every device we add to the Internet is another shovel full of dirt making the already unfathomable digital ocean deeper. When devices are embedded in everything from our cars to our bodies, technology will be incongruously fused to the human journey.  Security must be at the forefront of making this technology evolution safe for future generations.

Last week, I heard this theme in multiple presentations - the call to action, the need for moral direction, the absolute criticality of security to build trust as we walk down this technological path.  As embedded devices, the Internet of Things and ideas that haven't even been thought of yet change how humans live, we must be thinking in terms of what is best for the future.  We all have a role to play in this technology age.  Security should be a compass that will enable this technology to be used for good - trusted communication, open communities, the spread of knowledge, things that benefit mankind.  This leads me back to our plucky little band of misfits, i.e. your security team.  Guardians of the Galaxy?  I say it is much bigger than that.  Let's start with "Defenders of the Universe" and go from there.

At RSA Conference APJ this year, Art Coviello's opening keynote stressed the interdependency of the digital world we have created.  He articulated the challenges the security industry faces as the norms of behavior for nations, businesses and people in the digital world are still painfully ambiguous.  The "rich soil of digital chaos" is being tilled by many.  While we have collectively input into the building of this digital world, we now approach the increasing 'interdependencies we have created with fear and trepidation'.  The dissolution of Trust bred by recent revelations is already beginning to radically impact the Digital Age.  Amit Yoran followed Art with further exploration on how organizations' Cyber Security functions must respond to this 'digital chaos'.  He painted a picture of using visibility, analytics and action as the basis for Intelligence Driven Security, with robust, agile capabilities to 'wage a near real-time battle against the adversary.'

These talks drove me to consider what our digital universe will be in the future.  Most often we discuss the changes in our digital world as an Evolution.  Some may say Revolution (borrowing from the Industrial Revolution), but I hear the word "evolve" so often when it comes to IT, Security, GRC and anything cyber related.  Technology is evolving; the adversary is evolving; compliance is evolving...  To me, Evolution boils down to 'survival of the fittest'.  While there are definitely elements of 'the powerful prevail, the weak fail' when it comes to the Digital Age, in reality we should be thinking in terms of "Intelligent Design" - not Evolution.  Now, I don't want to get into the debate between Evolution and Intelligent Design.  What I mean is that "Intelligent Design" implies a process where something is built for a purpose, with a long term strategy interwoven into the effort.

When you look at today's security strategies, you must take a step back and look at this bigger picture.  Is your organization's security strategy driven by Evolution or Intelligent Design?  Evolution is a constant war between what works and what doesn't.  Something is built, and if it works it survives; if it doesn't, it goes the way of the Dodo bird.  Unfortunately, many of our security implementations seem to follow this thinking.  While this approach may seem like progress, much of it is build up, tear down, build up, tear down, repeat as necessary.  Intelligent Design, as I envision it, represents a non-traditional way of looking at security.  It isn't rooted in the traditional terms and frameworks of security - military type defenses and walls constructed to statically deny the adversary.  Intelligent (Security) Design means the long term purpose and goals are woven into each step of the journey.  Each step builds on the last with purpose and meaning.

Several months ago, I wrote a blog that posed the concept that the "digital universe" represents a Fifth Dimension in our world.  It is a truly unique dimension since we created it.  The future of this digital world is controlled completely by us.  We create the technology, we deploy the servers, we write the code.  So which path should we choose: Evolution or Intelligent Design?  Do we want the brute force and, in many circumstances, the harsh world of Darwinism?  Or do we want this dimension - OUR dimension - to follow Intelligent Design?  Isn't that what we should be striving for?  Not who is the biggest and strongest, but what is the end goal, what is the purpose and where does this digital world lead us?

Art's articulation of the erosion of trust and the potential damage to the digital dimension we have built underscores the absolutely critical role security plays.  Consider where technology can take us, and then consider the impacts of a complete breakdown of those technology advancements, all due to a crumbling level of trust.  We see evidence of this fragmentation today, and it foreshadows a reversal of progress for the human race.  Do we want the ability to share information, create relationships across borders, raise injustice, educate our children and build a truly global network to live in?  We, as the security industry, cannot leave it to the 'survival of the fittest' because those that need these capabilities are not always the powerful.  It would be shameful for us to allow the future of a universe we created and control to be decided by the cruel hand of natural selection.  Trust in the digital age must be restored by Intelligent Design - not Evolution - both within your organization and the industry as a whole.

Want to learn more about RSA's Intelligence Driven Security to restore Trust?