All Places > Products > RSA Archer Suite > Blog > 2014 > September

A traffic accident occurred on my way to work recently involving a car and a bicycle. We happen to have an active cycling community here in Kansas City with over 150 miles of paved trails connecting throughout the metro. If you’ve ever visited our office for training you may have noticed we’re situated on one of those trails and some folks like me even use them to commute to work when we can. Suffice it to say this particular morning I was driving to work and a few minutes after leaving home I found myself pulling over to render aid to a downed cyclist. Another innocent victim of motorist inattention I figured.


In my last blog I suggested the "language" of risk could be the most universal language we inherently understand. Most of the time we employ an operational risk discipline in our daily lives without even thinking about it. In fact humans would have probably been long extinct had our initial survival depended on higher order brain functions (thinking) without the fight-or-flight response baked into our subliminal psyche. As our understanding of the world around us increased through the millennia we developed common sense to further enhance our survival and quality of life. Let’s explore an everyday example of what happens in the absence of that common sense.


Picture a 4-lane undivided suburban artery street that feeds residential neighborhoods on both sides through a network of cross streets governed mostly by stop signs. The cyclist, an older retired gentleman, was riding northbound on the southbound sidewalk (which we’ll call "strike 1"). The driver failed to notice the bicycle as he began a right turn from a cross street to head south on the main road and subsequently hit the cyclist passing in front of him. As I pulled over to help I saw the guy lying on the ground trying to sit up. He had blood streaking down the left side of his face, and his bicycle was also a mess, having gotten hung up under the front bumper of the car.


In the brief moments required for me to park and walk back to the corner, the cyclist had mustered enough strength to stand up and start delivering a piece of his mind to the driver at top volume. The driver, a small European guy in his 50s, was flustered and very apologetic. It turned out he was simply trying to return a rental car for his wife and was baffled at how he could have hit a bicycle considering how careful he was otherwise being not to damage the rental car. Another motorist (a woman 8 months pregnant) who swerved to avoid hitting them both had also pulled over to help. Between the two of us we got 911 called, the mangled bicycle disconnected from the car and both moved out of the way, and the cyclist convinced it would be better to stop yelling and just sit down on the curb for a bit.


While I’m neither a trained medical professional nor a lawyer, I actually do have some practical experience with this kind of thing since I was hit by a car myself once under similar circumstances. Overall the cyclist seemed okay. A little banged up but no broken bones or major loss of mobility, and he was coherent enough to multitask between typing notes into his phone and ignoring our plea to stop cursing the driver. I looked closer at the blood on his head, saw it was coming from his ear and then noticed a cracked, bloody headphone dangling from under his helmet ("strike 2"). The impact caused him to smack the side of his head on something which cracked his earbud, and the resulting shrapnel cut the inside of his ear, which bled a bunch but was otherwise a minor injury.


Considering my own history you might have expected me to join in with the cyclist and start berating the driver further. It’s perfectly natural under the circumstances: we hear "car hits bicycle" and we’re pre-programmed to favor the cyclist, just like we tend to fight for the little guy or cheer for the underdog. It’s precisely because of my own experience that I didn’t do that. Instead I asked the cyclist where he was headed even though I already had a hunch. His answer confirmed he was just tooling around for some exercise and enjoying the beautiful weather…during rush hour on a crowded main road no less ("strike 3!").


Could the driver have been more careful? Of course he could have. But was he guilty of gross inattention or merely conditioned complacency rooted in symmetric experience versus the asymmetric risk that had just landed square on his front bumper? A victim wooed by the perceived probability of success from past outcomes rather than anchored in future potential threats. Although we may have been told back in the day to "look both ways before crossing the street," in reality we get lazy sometimes. Like the night watchman who struggles to maintain "alert readiness" month after month at a building nobody ever breaks into. When we’re not actually crossing the street or even taking a left turn then we often defer to just checking to the left (or the right depending on where you are) since that’s the most likely direction of danger.


Forgetting that simple fact can be harmful to your health, as Winston Churchill once learned on a visit to NYC, which could be thought of as an asymmetrical outcome, an outlier in other words. Except that Mr. Churchill, like the cyclist in my story, greatly amplified the likelihood of that otherwise very unlikely event unfolding. People tend to forget the difference between odds and probability, which leads them to disregard the power of asymmetric risk impacts. Though we’re not really used to thinking asymmetrically, it’s nevertheless how the more impactful risks often manifest. So we must force ourselves to consciously apply this thinking and regard each scenario as a coin flip until a historical context or some other reference can prove otherwise.


Since the driver was turning right instead of left or crossing the street, he deferred his attention to traffic approaching from the left only. Seeing none he proceeded to turn and BAM! This exact scenario happens to be one of the main reasons why bicycles are required to follow most of the same laws as cars, including riding in the street with the flow of traffic, not on the sidewalk and certainly not on the sidewalk against traffic. This also happens to be the opposite of what we’re taught when we’re on foot, where walking against traffic gives us the best chance of jumping out of the way of a driver who fails to notice us, which was why the cyclist was so upset. He thought he was doing the right thing by applying the same pedestrian logic when in fact all he was really doing was amplifying the likelihood of a disaster.


So what’s the difference? In a word…velocity. Bicycles move faster than people on foot. Since reaction time is shorter for both parties, the same controls don’t work as well. Or put another way, the velocity of the risk requires a different approach to controls in order to adequately manage the risk to an acceptable level, the control in this case being riding with traffic on the street rather than against it on the sidewalk.


If the driver had simply been more vigilant and looked both ways, could the accident have been avoided? Probably, but that’s not really the point. It’s a bit like saying if a hacker had just stolen somebody else’s credit card database instead of ours then we wouldn’t be in this mess in the first place. We can’t control what other people are going to do, so the next best thing is to turn our efforts inward and focus on what we can control, which is our actions and our security posture. In other words, minimize our exposure by reducing our attack surface.


What about the responsibility of the cyclist and the strikes against him? Although it probably wasn’t illegal to wear headphones while riding his bicycle (like it is for drivers in cars), it certainly wasn’t the smartest idea in traffic either since it distracts the senses. It was also rather selfish to blunder around during rush hour in the first place with several beautiful trails available nearby. Even if he were riding on the street like he was supposed to, it’s not very enjoyable. At best heavy traffic is forced to move around him, upping the chances of a multi-car collision plus raising the stress levels of people just trying to get to work on time and instead getting stuck behind some guy who clearly has no pressing time commitments.


And what about his loved ones? Had he been more seriously injured or worse, how would that have impacted them? Would they have agreed at his funeral that his little joy ride was worth it, or would they have simply shaken their heads at the high cost of fair-weather foolishness? What about the driver, who now had a bunch of explaining to do and insurance to deal with? Not to mention both of their wives. How would either of them explain all this without looking foolish? (Something the cyclist hadn’t pondered until then but now seemed a little apprehensive about.) What about the pregnant woman who nearly hit them both in the aftermath? What if she and her baby had been hurt? Or what if the panicked excitement sent her into premature labor? Then what?


Most people don’t usually think that way, but most people haven’t been stupidly hit by a car either. So I thought it fair to ask the guy these questions, which he didn’t really appreciate at first. But after a few moments it started to sink in. You could actually see the revelation wash over him. His entire face and demeanor changed, and he smiled and shook his head when he realized how dumb he’d been and how lucky he was. Just like I realized how dumb I’d been and how lucky I am every day now, many years later.


It’s amazing the number of lives we touch with even the smallest of actions. The driver who hit me was a young mother with two children in the car and all three were terrified they’d killed me. This was before cell phones and both her husband and my parents started fearing the worst when we didn’t arrive home on time. Fortunately my bike took the brunt of it and other than being a little banged up I was fine. Her car wasn’t damaged either. At the time I also thought I was absolutely right and she was absolutely wrong. Until I learned differently from the police and that same wash of guilt spilled over me for having put all four of us in that silly situation. I swore I’d never make that mistake again which is why for his own good I decided I couldn’t just coddle this cyclist and let him slide either. And you know what? Rather than calling me a jerk and telling me to buzz off the guy thanked me beyond words for putting things in perspective for him. He even apologized back to the driver which put the apology ratio at about 1:1000 at that point and they both shook hands and tried their best to laugh it off amidst still shaky nerves and post-adrenaline rundown. Emergency services arrived and patched up the cyclist and we bystanders proceeded on with our busy day.


See, tough love really does have a happy ending. And I promise neither that driver nor that cyclist will ever forget that experience or make those same mistakes again. The real question is will they regard this as just a bicycle accident? Or will they embrace the bigger meaning that they’ve actually improved their risk posture by updating their operational risk management models based on a historical trended view of impacts and near misses? Ehh…probably not the second thing. But at least they made it home for dinner with a good story to tell.


Twitter: @masonkarrer

When it comes to job descriptions, there seems to be no limit to what can be placed in the realm of the Chief Information Security Officer (CISO) role. The role is often a collection of various responsibilities guided by the loosely defined “protect information assets” charter. Of course there are elements of core security – access control, data protection and warding off the bad guys and the attacks. Compliance duties are often added as regulatory requirements and industry standards are piled on. Finally, some CISOs are even tasked with continuity or disaster recovery roles as well. Last week, I attended the Information Security Forum U.S. Chapter meeting and another role was alluded to during the discussion – that of Investment Advisor.


Now, this role is not the typical Investment Advisor – the CISO isn't expected to sit down and help employees with their stock portfolio nor consult the board on investments in mergers and acquisitions.  The role that emerged in the discussion was that of guiding the business to invest in security and risk technologies and practices while balancing the overall portfolio of effort – spending money in the right places to protect the meaningful parts of business.  This completely makes sense as the return on investment in security must be calculated using the value of the information being protected.


When you think of an Investment Advisor, you expect certain things from that individual:

  • The Investment Advisor must understand the mechanics of the financial world. He/She must have a solid background to discern what is most impactful to the ups and downs of the market and how it affects your finances.
  • The Investment Advisor must be able to talk to you in terms you understand.  The conversation can’t be laden with technical jargon and accounting mumbo-jumbo.  Financial planning has to be described in terms of “retiring at age 65” or “successfully paying for college”.
  • The Investment Advisor must provide clear guidance that brings comfort that your long term financial success is on the right track. Much of this will be based on the past performance and your belief that you are moving in the right direction.


CISOs need these same skills:

  • The security landscape is ever shifting and the media reports paint a very scary picture for executives. Digital risk is top of mind, and the CISO must understand the mechanics of what it means to protect the business. This knowledge must be translated into actionable strategies that the business can weigh, decide on, and feel confident about.
  • The CISO must engage with the business to determine the right investments – both tactical efforts and long-term strategies – that make the biggest impacts. Any security investment is going to pull some capital or budget from potential business initiatives.  That money has to be well spent and the business has to see a return on that investment.
  • Finally, both Investment Advisors and CISOs have a bit of selling to do to get the money moving in the right direction.  At times it is hard to see the long term benefit of putting money aside in your retirement fund when that new car (or boat or other big purchase) looks so appealing.   A CISO at the ISF meeting stated (paraphrased) “Part of my job is Inside Sales. I have to give the right investment advice to the business.”   Looking over the horizon at the emerging threats and positioning the organization to be prepared is a key role of the CISO.


In the movie “The Wolf of Wall Street”, the main character is a fast-talking, wheeling and dealing investment advisor who uses many tricks to get people to participate in very shady investments. He uses a combination of fear, promises, pressure and jargon to convince people to hand over their money to his schemes. This is the antithesis of what a CISO’s role is when it comes to getting the business to invest in the right security strategies. A CISO who can sit down with the business, discuss the long term goals and objectives, and plan out an investment strategy that protects assets in a cost effective manner will succeed in not only meeting the security needs but will become a trusted advisor to the business and an overall positive force for the organization.

I'm proud to announce that for the second year in a row, EMC-RSA was positioned as a leader in the Gartner August 2014 Magic Quadrant (MQ) for Business Continuity Management Planning (BCMP) software!  You can download the report here.



For this Magic Quadrant, Gartner analysts Roberta Witty and John Morency evaluated 18 enterprise-class vendors and their criteria focused on two primary areas – the organization’s Ability to Execute and Completeness of Vision.  The main features that distinguished the vendors from each other and formed their position in this Magic Quadrant were:

  • Ease of use, configuration and customization
  • Depth of data analytics, crisis/incident management (C/IM) and exercise management
  • Level of real-time interactive action of their mobile device apps
  • Plan management aides, such as built-in workflow procedures for BIA and recovery plan creation and maintenance


According to Gartner’s estimates, the BCMP market continues to grow with 2013 BCMP market revenue of $162 million — 24% more than their 2012 estimate.  They also stated that BCMP capability is progressively being developed by GRC vendors. We believe this point really accentuates RSA Archer's vision in integrating BCM planning with other related disciplines like Governance, Risk and Compliance (GRC) or Incident Management.


We are proud of our strengths and will continue to learn and improve not only from these analyses, but also from our BCM working group of over 60 customers, our active RSA Archer online community with more than 11,500 members, and our continuous engagement with our valued customers. Contact me at if you would like more information.


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

When you think of international or universal “languages” what comes to mind? For some it’s love. For others it might be music or mathematics. Business-centric folks might further suggest the notion of profit and loss is fairly universal as well. I propose that risk itself not only qualifies as a universal language but in fact is actually better understood by more people than all of the others combined. To those that would doubt such an assertion as mere crazy talk I say challenge accepted.


Nobody I’ve ever met was born knowing math; they had to learn it. Few people can pick up an instrument for the first time and play it beautifully without any practice or instruction. And love confounds us all at one point or another. Risk, on the other hand, both awareness of it and aversion to it, is ingrained in us automatically without even thinking about it. In fact we can’t really think about it. It’s just there…hardwired into our ethos.


Remember learning about the fight or flight response in school? Consider that as nothing more than operational risk management baked into our psyche at a subliminal level. Author Seth Godin refers to that part of our brain as the “Lizard Brain”, the semi-conscious area that sits between where conscious thoughts (love, music, math, problem solving) occur and the deepest part that controls involuntary things like heartbeats and other physiology. Part of the Lizard Brain’s purpose is to trigger protective reactions without the need for extensive preliminary deliberation. In other words, prompt an action without thinking about it first. Whereas the conscious brain might wonder how fast the bus is approaching, the Lizard Brain couldn’t care less. Its job is to motivate you to jump out of the way before getting run over.


There’s no shortage of other examples to easily illustrate our deep, embedded understanding of risk. When you drive someplace do you wear your seatbelt? Why? Those of you with babies: do you put them in a car seat? Why? What about locking the doors or covering the ATM keypad or a thousand other examples in our daily lives? Why do we do these things if not because of some embedded programming? A combination of nature and nurture resulting in raw behavior centered on risk awareness and further refined by contextual knowledge that enables more intelligent decisions. Ultimately the decision is still binary: accept the risk or avoid it? However, the context often makes all the difference.


Embracing this notion of universal risk awareness opens up a whole bunch of possibilities when it comes to enterprise risk management. While it won’t recast everybody as PhD-level analytical risk quants overnight, it certainly suggests the average person can grasp risk management concepts far better than we probably give them credit for. Since risk itself transcends the entire enterprise landscape either way, shouldn't we strive for an understanding that permeates as well?


When it comes to operational risk in an enterprise, rather than assuming everybody in the organization is now magically risk “aware” from the start (which suggests a level of business knowledge they may not yet have), let’s instead call them “risk attenuated”. They have a general appreciation of what risk is and the impact it can have. Tapping into that raw understanding is the key to realizing two important benefits.


First we can drastically elevate true awareness by starting an enterprise-wide conversation that complements each individual’s inherent understanding of risk with relevant information about the organization’s specific risk posture and goals. Second, with contextual awareness established we can gather important timely feedback about the operational state of risk in much more useful terms. When it comes to the good, the bad (and the downright ugly) aspects of operations the people in the trenches always know the lay of the land the best. Fortify the first line of defense by appealing to their embedded sense of risk and cultivating them into a well-developed risk intelligence network feeding reliable information up in real time.


You’ll often hear us discuss the importance of risk-intelligent decision making as part of advancing down the path of GRC maturity toward the opportunity landscape. Organizations that embrace these principles are transforming their risk and compliance operations and realizing the competitive benefits of operating in that risk-advantaged state. Those that don’t will continue struggling to understand their broader risk and compliance landscapes and inevitably expend more and more resources chasing security and compliance in an increasingly hostile world of global competition, threats, and regulatory pressure. While operational risk may be concerned with people, processes, and technology together, your people will always be your most important resource. Why not use them?


Have something to say? We’d love to hear it and have a conversation anytime about the opportunities that exist in your world of risk and compliance. We also have more exciting content releases coming soon. Follow me on Twitter (@masonkarrer) to stay in the loop!

At last! Here is the third and final part of my continuous monitoring (CM) white paper series. I hope this is the most useful to you because the subject is strictly focused on managing assessment costs. CM has the potential to either 1) make your IA program vastly more expensive and/or 2) work your current staff to death. This paper will hopefully provide ways to lessen the impact and probability of both.


In other related CM news, RSA Archer has won the DHS CDM Dashboard bid, which is a huge victory! It feels great to know our offerings will be helping the federal government better manage operational risk.


Our VP for Public Sector announces the win here and Government Computer News ( covered the announcement here.


Very exciting times! I hope you have enjoyed the CM white paper series. If you have questions or comments, please email me.


Or let’s connect on Twitter: @chrish00ver



Thanks for reading!


Alright, the title is a little misleading, but let me explain. This is golf season and for a hacker like me golf strategy doesn't matter much. I'm not going to play very well no matter how much I plan or strategize. However, for pro golfers, the way they approach a tournament, a course or even a particular hole or golf shot can mean success or failure. You may have heard of Jack Nicklaus, widely regarded as the best pro golfer of all time as he went on to win 18 major championships. Jack says, "golf is a game of strategic positioning your ball on the golf course. The better strategies you execute, the lower your score will be." It also stands to reason that the better you know the course, the better your game will be - where the flags will be on the greens, where the sand traps are or the length of each hole. This takes preparation each time you play the game. You play the same course again and again, but it might be different each time due to the placement of the flags on the greens, holes that are opened or are closed, the weather and a host of other factors. In other words, the playing field changes each time.

An age-old challenge Internal Auditors face has always been to understand their "playing field", which is the area of the organization they're planning to audit. If Internal Audit has never audited a particular department, business area or IT system before, then they have to understand the organization. If Internal Audit has performed audit work in that area before, then they have to understand what has changed since the last audit. This is important because Internal Audit has to be able to properly scope their engagement, perform the most effective audit work and add value (hit the lowest golf score and win the tournament). Basic questions to answer as part of audit scoping are what business processes the organization performs, what regulations are important for them to follow, what critical information they maintain and what controls are in place. Again, so much of this changes over time. What further complicates things is that a lot of this information is hard to find, unrelated and outdated. The information is oftentimes closely held, kept in separate systems or maintained by different groups. Like golfers understanding their next course or tournament, what Internal Audit needs is a reliable, interrelated and real-time source of this information they can leverage during their annual audit planning or when preparing for the next audit engagement.


RSA Archer's Enterprise Management solution offers just this type of approach and real time, interrelated information.  It's available not only for Internal Audit, but for Risk, Compliance, Vendor and other groups needing access to this critical information.  Think about scoping an upcoming audit engagement and having access to such information as business processes performed by the area you're going to audit, IT applications they use, regulations and policies they have to follow, critical information they produce, etc. - and it's interrelated and real time.  What's even better is you'll also see the results of work performed by Risk, Compliance and Internal Audit groups for the area you're auditing, allowing you to see risk and compliance scores and metrics, perform dynamic risk assessment and continuous control monitoring and leverage a host of other analytical procedures and reports. Talk about understanding the course before you play the game!


This may not make for a better golfer, but to Internal Auditors it's so important to have access to better, real-time information to enable them to quickly understand the organization and be confident enough to refine or reduce their scope.  This saves time and money, and enables them to achieve their audit plan while using their critical resources on the most value added activities.  Is this a challenge for your organization? Let me know your thoughts by emailing me at

Steve Schlarman

The Power of And

Posted by Steve Schlarman, Sep 2, 2014

I have always been a “fan” of words.  Meaning: I read a lot and I write a lot.  I have this notion that “if” is the most powerful word pound for pound.  For only two letters, “if” sure packs a lot of punch.  “If” has fueled exploration (“if the world isn’t flat…”).  “If” has driven innovation (“if I put this filament in a vacuum…”).  “If” opens the imagination (“what if…”).  So many positive things come from the word.  But, we all know, with great power comes great responsibility.   “If” has its dark side – feeding regret (“if only I had…”), suspicion (“If they are doing…”) and fear (“what if this happens…”).    I think the silver medal in the pound for pound battle of words would be “and”.  You have some other contenders – “yes”, “no”, “why”, “but”... but none of them can compete with “and” when it only takes 3 letters to unleash such power.



And (conjunction)

  1. used to connect grammatically coordinate words, phrases, or clauses;  along or together with; as well as; in addition to; besides; also; moreover: pens and pencils.
  2. added to; plus: 2 and 2 are 4.
  3. then: He read for an hour and went to bed.
  4. also, at the same time: to sleep and dream.
  5. then again; repeatedly: He coughed and coughed.


“And” represents the union of two things binding together and becoming one - the combination of two verbs, two nouns, two actions…Think of all the great combinations – milk AND cookies,  Abbott AND Costello,  username AND password…  Each element on its own has value but combine the right things and BOOM! Magic happens.  “And” even has a cool symbol - &.  It is almost like the Prince of words.  (& - The Word Formerly Known as And)


Ok – I may be taking it a bit far waxing poetic on all of the positive virtues of “And”.  It goes without saying if you take two bad things and slap an “and” between them, you have an even worse situation…cold AND flu, hacker AND open telnet port, shark AND tornado…  Just like “If”, “and” has great power – and great responsibility.


Now you know I must lead these thoughts into why my blog exists in the first place. In Security and GRC, amazing things can happen when you leverage “AND” properly. GRC in some ways is a world of “ands” – or strives to be. When good controls development and implementation meets efficient testing and measurement, you get the great combination of Policy AND Compliance. When Policy AND Compliance is coupled with good risk management, you get an even greater return on your investment in “ands”. Combining disciplines is an important tenet to keep in mind when planning your risk and compliance strategy. When you begin bridging the gap between parts of the organization, the “AND” factor brings additive value when data is leveraged and processes are streamlined.


Operational Risk Management is an absolute world of "Ands".  Risk within an organization can only be understood by layering multiple perspectives together.  An organization that can leverage the power of AND empowers the executive team to have the conversations they need to have to understand, manage and reduce risk.  Executives need relevant, up-to-date information on business risks to drive the right decisions.  Building that picture is dependent on harnessing the Power of AND.


Our video "Managing Operational Risk with RSA Archer" paints a picture of how this conversation can unfold. Watch it and you will see the Power of And at work.
