
You know the age-old joke, right?  Suppliers, vendors, or third parties as they are commonly known, have become an integral part of business operations for most organizations.  Wal-Mart utilizes over 60,000 of them, while Boeing has over 21,000. Know how many suppliers it takes to make pencils? Even the Dixon Ticonderoga Company has thousands. Alright, they do much more than change light bulbs: each has its critical role in the supply chain of large, complex organizations. The question I want to pose today, though, is this: if you are the Internal Audit (IA) group for one of these companies using thousands of vendors or suppliers, how do you audit such complex third party management and supply chain programs?

Understanding complex supply chains is challenging enough, let alone trying to audit them.  Even some of the simplest supply chains often include third parties, fourth parties, fifth parties, partners and more - and their inter-relationships are mind-numbing.  Why is auditing an organization's supply chain so important?  It's because controlling supply chain risk is absolutely critical and top of mind for boards of directors, risk groups and regulators. The many studies done by advisory firms, universities and the supply chain industry itself all come to similar conclusions.  For example, a recent PricewaterhouseCoopers (PwC) analysis shows that businesses that experienced supply chain disruptions experienced steeper shareholder value drops than their peers, more intense stock price volatility, and deeper declines in return on sales and assets. To further complicate matters, supply chains are not getting simpler - they're getting more complex, and this is true globally.  Furthermore, there isn't parity in supply chain disciplines around the world.  For example, US companies are applying greater regulatory scrutiny to business operations and supplier integrity, while there are more supply chain issues with companies in developing countries.


So how does IA go about auditing their organization's supply chain to mitigate risk?  Here are a few ideas.


First of all, IA should ensure they have supply chain expertise on their team or external experts they can leverage.   IA must then understand their role versus that of management.  It's management's job to implement a supply chain framework and program that includes a strategy and approach to manage the best suppliers that will enable them to successfully achieve their business objectives. IA can work with business leaders to develop this supply chain program, but ultimately management owns it.  The program must include end-to-end risk management across the entire supply chain.


Each time the supply chain program is audited, IA should ensure it is implemented and functioning as intended.  One way to do this is for IA to evaluate a sample of vendors, selected by risk or criticality to the organization, according to the procedures set forth in the supply chain program.  This may include leveraging key risk indicators to identify any troubled vendors within the supply chain. As part of their review, it is important for IA not to focus only on controls but to evaluate strategies as well.  Basic blocking and tackling (onboarding, managing, monitoring, correcting) is critical to any supply chain program, but evaluating supply chain performance from a strategic and holistic perspective is just as important. IA must also ensure the program aligns with corporate objectives, addresses risks and considers compliance obligations.


I will conclude with a simple anecdote that illustrates the point.  A Harvard Business Review study observed that when retailers equipped their cash registers with bar code scanners, the technology promised a brave new world of supply chain management. Stores would automatically track the flow of goods and electronically transmit precise replenishment orders. Suppliers would synchronize their production schedules to real-time demand data. Fewer goods would sit around in warehouses; fewer customers would find products out of stock. However, in an in-depth study of 35 leading retailers, it was discovered that the data was often wildly inaccurate. The executives at one company with a reputation for expert data handling estimated that their data were “99% accurate.” Physical audits, however, showed that inventory levels were way off the mark for two-thirds of the stores, and it was estimated that those errors reduced the company’s overall profits by 10% through unnecessary inventory carrying costs and lost sales from out-of-stock items, or stockouts.


Even when a good supply chain program or structure appears to be in place, audits may show otherwise.  It is critical for IA to understand its company's supply chain, to focus not only on the structure and program, but also to perform audits that validate results.  For more information, contact me at

The host cities for the 2015 Roadshows include: Boston, Minneapolis, New York City, Southern California, Toronto and Washington, D.C. For planning purposes, the scheduled Roadshow events will take place in the late February / early March time frame. We are very close to finalizing the dates and locations for each host city.


The full-day ‘complimentary’ GRC Roadshow events provide a unique networking forum that foster engagement with fellow risk and compliance professionals to discuss GRC trends, challenges and opportunities. With highly interactive discussions, case studies, RSA product updates, and more, these events provide a means for you to learn new strategies to achieve maximum performance from your governance, risk and compliance program.


The theme for the 2015 Roadshows is ‘Harness Risk – Fuel the Enterprise.’ If you are interested in presenting at one of the Roadshows, please send an email expressing your interest to Christopher Dodge at and be sure to include your city preference.


We hope to see you at one of the 2015 Roadshow events, and please check back for further updates.



… To think about how investments in technology and staff will work together in your organization’s Security Operation Center (SOC).    When we introduced RSA Security Operations Management (SecOps), our intent was to help customers think carefully about the framework and orchestration of people, process and technology required to build out their SOC capabilities.


As such, the key value propositions of SecOps are as follows:


  • Business Context – Provide up to date business context of assets to security analysts so they can prioritize incidents that pose the biggest risk to their organization.
  • Incident Response – Provide a framework to collaborate and effectively investigate security incidents that is aligned with industry standards.
  • Breach Response – Provide a framework so when an incident leads to a data breach, the organization is prepared ahead of time to respond to the breach.
  • SOC Program Management – Enable SOC teams to run the overall incident and breach response process as a consistent and predictable business process.


As I started talking to customers about SecOps, I found that SOC maturity levels differed across the board.    The mature SOC customers who are at the “Defined” stage or above of the CMMI maturity model immediately see the benefits of SecOps: the ability to automate their overall SOC processes, drive efficiencies, drive consistency and prove the overall effectiveness of the team.


But early stage customers that are at the “Initial” or “Managed” stage of their SOC implementation would pose the question back to me: “We are in the EARLY stage of building out our incident response team, and SecOps has a lot of functionality; where do I start?”


It is never too early to take advantage of SecOps functionality.  You are investing in technology and staffing your team; how do you get a full return on those investments?  SecOps can be implemented in stages, and more functionality can be introduced as your team matures.  For starters, if you are in the early stages of SOC implementation, here are three items that you should think about at this stage:


  • Alert aggregation into SecOps – Analysts will have one place to go to look at new incidents and manage the queue.
  • Prioritize incidents against business context – Start getting your IT asset information into SecOps / Enterprise Management and assess the risk of those assets.  Analysts will then be able to prioritize the incidents that pose the biggest risk to the organization.
  • Leverage OOTB incident response procedures – SecOps ships with out-of-the-box (OOTB) response procedures authored by our RSA Advanced Cyber Defense Team.    You can build on these response procedures and create your own.


The above three items will immediately improve your analysts' effectiveness.  From here, you can continue leveraging additional SecOps functionality for breach preparedness and overall SOC program management.  So, my answer back to the early stage customers: it is never too early to leverage SecOps; it can bring immediate benefits to your SOC team.
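As an added example, not code from the original post or from RSA's product: the three items above form one triage pipeline, which the Python below sketches with constructed alert feeds and a constructed asset inventory (the field names, the 1-to-5 criticality scale and the scoring weights are assumptions, not a SecOps schema). It shows why business context matters: a medium-severity alert on the PCI database outranks a critical alert on a marketing web server, and a host missing from the inventory is scored mid-range and flagged rather than quietly sinking to the bottom of the queue.

```python
"""Alert aggregation plus business-context prioritization.

Added illustration: the feeds, asset inventory, field names, 1-5 criticality
scale and scoring weights are all constructed assumptions, not a SecOps schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Severity as reported by the originating tool, normalised to 1..4.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed asset inventory: the "business context" analysts need.
# criticality is 1..5; data_class is the most sensitive data the asset holds.
ASSET_INVENTORY: Dict[str, Dict[str, object]] = {
    "db-payments-01":   {"criticality": 5, "data_class": "PCI",      "owner": "Finance"},
    "web-marketing-03": {"criticality": 2, "data_class": "public",   "owner": "Marketing"},
    "wks-alice":        {"criticality": 2, "data_class": "internal", "owner": "Sales"},
}

# Constructed alert feeds from two tools that should land in one queue.
SIEM_ALERTS = [
    {"host": "wks-alice",        "rule": "Brute force logon",     "severity": "high"},
    {"host": "db-payments-01",   "rule": "Suspicious SQL export", "severity": "medium"},
    {"host": "wks-alice",        "rule": "Brute force logon",     "severity": "high"},
]
EDR_ALERTS = [
    {"host": "web-marketing-03", "rule": "Unsigned binary executed", "severity": "critical"},
    {"host": "db-payments-01",   "rule": "Suspicious SQL export",    "severity": "medium"},
    {"host": "srv-unknown-09",   "rule": "Lateral movement",         "severity": "high"},
]


@dataclass
class Incident:
    host: str
    rule: str
    severity: int
    sources: List[str] = field(default_factory=list)
    count: int = 0
    criticality: int = 3          # mid-range until the inventory says otherwise
    owner: str = "unknown"
    data_class: str = "unknown"
    in_inventory: bool = False    # False means the asset team has a gap to close

    @property
    def priority(self) -> int:
        # Assumed weighting: tool severity scaled by asset criticality, plus a
        # small bump (capped at 3) when repeated alerts corroborate each other.
        return self.severity * self.criticality + min(self.count - 1, 3)


def aggregate(feeds: Dict[str, List[dict]]) -> List[Incident]:
    """Collapse every feed into one incident per (host, rule) pair."""
    queue: Dict[Tuple[str, str], Incident] = {}
    for source, alerts in feeds.items():
        for alert in alerts:
            key = (alert["host"], alert["rule"])
            inc = queue.setdefault(key, Incident(alert["host"], alert["rule"], 0))
            inc.severity = max(inc.severity, SEVERITY[alert["severity"]])
            inc.count += 1
            if source not in inc.sources:
                inc.sources.append(source)
    return list(queue.values())


def enrich(incidents: List[Incident], inventory: Dict[str, Dict[str, object]]) -> List[Incident]:
    """Attach business context; hosts absent from the inventory keep mid-range defaults."""
    for inc in incidents:
        asset = inventory.get(inc.host)
        if asset is not None:
            inc.criticality = int(asset["criticality"])
            inc.owner = str(asset["owner"])
            inc.data_class = str(asset["data_class"])
            inc.in_inventory = True
    return incidents


def prioritized_queue(feeds: Dict[str, List[dict]],
                      inventory: Dict[str, Dict[str, object]]) -> List[Incident]:
    """The single analyst queue: aggregated, enriched, highest priority first."""
    incidents = enrich(aggregate(feeds), inventory)
    return sorted(incidents, key=lambda i: (-i.priority, i.host))


if __name__ == "__main__":
    for inc in prioritized_queue({"siem": SIEM_ALERTS, "edr": EDR_ALERTS}, ASSET_INVENTORY):
        flag = "" if inc.in_inventory else "  <- not in asset inventory"
        print(f"{inc.priority:>3}  {inc.host:<17} {inc.rule:<25} x{inc.count} "
              f"via {'+'.join(inc.sources):<8} ({inc.owner}/{inc.data_class}){flag}")
```

With the constructed data, the queue comes out as the payments database first (priority 11, medium severity but criticality 5 and seen by both tools), then the unknown host (9, flagged for the inventory owners), then the marketing server (8) and the workstation (7). The inventory lookup is the step that changes the order; without it the critical EDR alert on the public web server would sit on top.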


SecOps has been available to our customers for exactly a year.  I continue to learn from RSA customers, and let’s continue fighting the good fight against the bad guys!   Watch Bob Cheong, CISO of Los Angeles World Airports, talk about how he built his SOC capabilities from scratch.




The EMEA GRC Community gathered in record numbers last week for our second annual RSA Archer GRC Summit in EMEA.  With over 300 attendees this year, we saw a huge increase in participation from our inaugural event last year – by far the largest GRC Summit in the Europe, Middle East and Africa region.  For everyone that attended, thank you for spending your valuable time to network with peers, share your knowledge and continue your Risk Intelligence journey.


This year’s GRC Summit featured:

    • 15 educational breakout sessions led by customers, partners and RSA subject matter experts covering topics such as GRC Program, IT & Security Risk, Operational and Enterprise Risk, Regulatory & Corporate Compliance, Business Resiliency and Third Party Governance.
    • Keynotes from Rob Gould (Vice President EMEA, RSA), Eric Erston (RSA Archer Go To Market, RSA), Malcolm Marshall (Partner, Global Leader, Information Protection, KPMG) and Ron “Chopper” Harris (Chelsea Legend, Chelsea FC) focused on the central theme of Risk Intelligence – harnessing risk and exploring opportunity.
    • 8 sponsors including KPMG (Gold Sponsor), Accenture and EY (Silver Sponsors) and Atos, Wipro, CSC, TUV Rheinland and NTT Communications (Bronze Sponsors) that shared and demonstrated their risk and compliance best practices.


We would like to thank all of our attendees, speakers, panelists, and exhibitors for making the RSA Archer GRC Summit EMEA such a wild success.  The educational breakout sessions have been posted on the RSA Archer Community (login is required) and pictures of the event are also available (use the password “Chelsea”).  Please take a look and share with other risk and compliance practitioners that were not able to join the event.


We look forward to seeing everyone next year!  Cheers!

Party lines.  Since we just finished an election cycle, I am sure you have heard that phrase many times over the last few weeks.  However, I am not referring to the propensity of political candidates to stoutly stand for or against a referendum based on their political party.  I am actually referring to a long-lost term for local telephone circuits shared by multiple subscribers.  Party lines were a standard service offered by early telecommunications companies for many years.  For today’s modern cell phone user, the idea of sharing a telephone line with multiple people seems absurd.  However (according to Wikipedia), the last party lines were decommissioned in 1991 – not that long ago.  Even so, it seems almost inconceivable that, at one time, to telephone someone you had to ask the operator to connect you and then faced the possibility that someone could pick up another phone and interrupt your call.  Believe it or not, that’s how it was.


Telecommunications has come a long way and we no longer have to worry about this situation.  But I am bringing up this topic because of a similar situation modern companies have to contend with today – the Third Party ecosystem that has become a part of every enterprise.  It may not be as bad as sharing a telephone line but the interconnectedness between companies is becoming more and more complex.  And the worst part of it is that many companies do not actually know all of the entities that they are connected to for business services, supply chains, infrastructure services and a host of other business purposes.  It is like picking up that telephone line and not really understanding who is on the other end – or who could be on the other end.


Vendor Management has become a huge risk area for many companies today.  In terms of managing security risks, the constantly growing number of vendors and service providers is an area that IT security functions can no longer ignore.   Too many times, the security function finds out about external connections too late in the game or, in the worst cases, after an external party is the source of a significant breach.  We have seen it in the news regarding some of the biggest breaches, and it will continue to be a growing problem for IT security.  All companies do NOT manage security equally.  Smaller vendors - while potentially absolutely critical to your business processes - may be significantly challenged with managing and tightening down security.   Therefore, the weakest link - a staple in the vernacular of security professionals - is exceedingly appropriate in this conversation.


Gartner just released its Magic Quadrant for IT Vendor Risk Management. (See my previous blog for more information) The report outlines the importance of managing the lifecycle of vendors for many different reasons.  The information security implications are evident and obvious.  The domino effect of a security compromise is a threat scenario that should be investigated and analyzed by every security team.  Who are you connected to?  Who is connected to you?  Who are THEY connected to?  Where are the access points and methods?  The list goes on when managing security risks around vendors and suppliers.


Most security functions have included these scenarios in their technical schemes, but given the seriousness of some of the cascading data breaches, this is an area where security strategies must be constantly re-evaluated.    Vendor Management is a relevant, high risk, high impact area where the security processes should be actively engaged.  Unraveling your business connections and realizing you have been compromised through a "party line" is not what you want in the middle of a serious security incident.  Understanding who you are connected to, and the business context around that connection, will allow you to prioritize and address a serious part of the risk landscape.
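As an added example, not part of the original post or of any RSA product: the questions above ("Who are you connected to? Who is connected to you? Who are THEY connected to? Where are the access points and methods?") map onto a breadth-first walk of a vendor connection graph. The Python below runs that walk over a constructed set of connections and constructed assurance ratings (the entity names, access methods, the 1-to-5 assurance scale and the field names are all assumptions), reporting each entity's tier (third, fourth, fifth party), the access path that reaches it, and the weakest assurance rating anywhere along that path. An entity nobody has assessed is scored 0 so that it surfaces first rather than disappearing.

```python
"""Transitive third-party exposure over a vendor connection graph.

Added illustration: the connections, entity names, access methods and the
1-5 assurance ratings are constructed assumptions, not data from any product.
"""
from collections import deque
from typing import Dict, List, Tuple

# Constructed connections: (entity_a, entity_b, access method). Connectivity is
# treated as undirected because a compromise on either side can travel the link.
CONNECTIONS: List[Tuple[str, str, str]] = [
    ("acme",         "payroll-saas",    "SSO federation + API"),
    ("acme",         "hvac-vendor",     "site-to-site VPN"),
    ("acme",         "cloud-host",      "hosting"),
    ("payroll-saas", "print-bureau",    "SFTP batch"),
    ("hvac-vendor",  "hvac-contractor", "remote support tool"),
    ("cloud-host",   "cdn-provider",    "origin pull"),
    ("cdn-provider", "dns-registrar",   "management API"),
]

# Constructed assurance rating from vendor assessments, 1 (weak) to 5 (strong).
# dns-registrar is deliberately missing: nobody has assessed it yet.
ASSURANCE: Dict[str, int] = {
    "payroll-saas": 4, "hvac-vendor": 2, "hvac-contractor": 1,
    "cloud-host": 5, "print-bureau": 3, "cdn-provider": 4,
}


def build_adjacency(connections: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Undirected adjacency list keyed by entity, values are (neighbour, access)."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for a, b, access in connections:
        adj.setdefault(a, []).append((b, access))
        adj.setdefault(b, []).append((a, access))
    return adj


def exposure_report(org: str, connections: List[Tuple[str, str, str]],
                    assurance: Dict[str, int]) -> Dict[str, dict]:
    """Breadth-first walk from org. For each reachable entity record its tier
    (1 = third party, 2 = fourth party, ...), the shortest access path that
    reaches it, whether it has been assessed, and the weakest assurance on
    that path (the link an attacker would find easiest to break)."""
    adj = build_adjacency(connections)
    report: Dict[str, dict] = {}
    seen = {org}
    queue = deque([(org, 0, [], None)])       # (entity, tier, path, weakest so far)
    while queue:
        cur, tier, path, weakest = queue.popleft()
        for nxt, access in adj.get(cur, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            level = assurance.get(nxt, 0)     # unassessed counts as 0: weakest possible
            nxt_weakest = level if weakest is None else min(weakest, level)
            nxt_path = path + [(nxt, access)]
            report[nxt] = {"tier": tier + 1, "path": nxt_path,
                           "assessed": nxt in assurance, "weakest": nxt_weakest}
            queue.append((nxt, tier + 1, nxt_path, nxt_weakest))
    return report


def weakest_links(report: Dict[str, dict], threshold: int) -> List[str]:
    """Entities whose reaching path passes through assurance <= threshold, weakest first."""
    hits = [name for name, r in report.items() if r["weakest"] <= threshold]
    return sorted(hits, key=lambda n: (report[n]["weakest"], report[n]["tier"], n))


if __name__ == "__main__":
    rep = exposure_report("acme", CONNECTIONS, ASSURANCE)
    for name in sorted(rep, key=lambda n: (rep[n]["tier"], n)):
        r = rep[name]
        route = " -> ".join(f"{e} [{a}]" for e, a in r["path"])
        note = "" if r["assessed"] else "  (UNASSESSED)"
        print(f"tier {r['tier']}  weakest {r['weakest']}  {name}: acme -> {route}{note}")
    print("review first:", weakest_links(rep, 2))
```

On the constructed graph, the HVAC contractor is a fourth party reached only through a VPN-connected vendor rated 2, so its path bottoms out at 1; the DNS registrar is a fifth party with no assessment at all and therefore reports a weakest value of 0. `weakest_links(rep, 2)` hands back exactly those entities plus the HVAC vendor itself, which is the review list the "domino effect" question in the post is asking for.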


For more information on IT Vendor Risk Management, see Gartner’s report at:

If you have been reading Gartner and Paul Proctor’s blog, you may have heard that Gartner has changed up their plan for GRC research in 2014.  Rather than create an overarching Enterprise GRC Magic Quadrant, they are focusing on several individual GRC use cases.  The first of many of these new reports is now out! RSA Archer continues to be a GRC leader. EMC-RSA has been positioned as a Leader in the IT Vendor Risk Management Magic Quadrant! You can download the report here.



For this Magic Quadrant, Gartner analysts Christopher Ambrose, Kris Doering, and Gayla Sullivan evaluated 10 enterprise-class IT Vendor Risk Management solutions and their criteria focused on two primary areas – the organization’s Ability to Execute and Completeness of Vision.


According to Gartner, the demand for IT Vendor Risk Management solutions is being driven by high-profile IT service provider failures, increasing rollout of enterprise risk management programs, and the number of third parties that access regulated information. In addition, if we look at the 2014 Global Outsourcing and Insourcing Survey from Deloitte, it finds that 74% of organizations do not currently have adequate tools and processes to manage their vendor portfolios and 62% believe their vendor management organizations are inadequately staffed.


Leaders in this Magic Quadrant have a clear understanding of the IT VRM market's needs and deliver solutions that are functionally robust, use emerging technologies and delivery models, and receive high marks from customers. They are able to deliver IT VRM solutions that integrate with broader GRC platforms and other security, risk and vendor management applications. With over 950 customers and over 11,500 RSA Archer Community members, RSA Archer maintains a strong and active community of users who exchange best practices.


We are proud of our strengths and will continue to improve, not only from these analyses but also from our regional user groups and our continuous engagement with our valued customers. Contact if you would like more information.


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
