Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2015 > April

Alright, I admit my five year old daughter is my literary consultant and gives me ideas for my blogs. In this one I'm going to talk about RSA Archer Maturity Models we've recently developed to help organizations in their journey to mature their Governance, Risk and Compliance (GRC) programs using RSA Archer as a key enabler. But first, to introduce the concept, let me tell you the story of the Three Little Pigs (this is my daughter's part). 

The Three Little Pigs is an old English nursery rhyme that begins with three pigs being sent out i111413nto the world by their mother to seek their fortune. The first little pig builds a house of straw, but a wolf blows it down and eats him. The second pig builds a house of sticks, which the wolf also blows down and, you guessed it, has barbecue pork for dinner. The third pig builds a house of bricks, which the wolf can't blow over. The wolf tries to trick the pig out of the house but he is outwitted by the brickhouse pig (yes, she's a Finally, the wolf tries to come down the chimney, where the pig catches the wolf in a pot of boiling water, slams the lid on, then has wolf stew (try that Andrew Zimmern) for dinner.

As I said, we have just launched a series of Maturity Models to help organizations advance their GRC programs through the use of different Archer solutions, one of them being Business Resiliency (BR). The Model and accompanying White Paper below discuss the five phases of the Model (Siloed, Transition, Managed, Transform and Advantaged) and the key capabilities organizations should implement  in building maturity into their BR programs.  Each phase explains characteristics of BR programs that fall within each phase.  For example, BR programs in a Siloed phase might be like the little pig who built his house out of straw.  It was built very quickly, maybe even just to be compliant or to "check a box".  It was a good idea but maybe not completely thought out. As a result, when the disaster struck, the house came down.  In the middle of the Maturity Model is the Managed phase (we'll call that one the house made of sticks).  Stronger than the house made of straw, this one was planned out better, it might have been tested to see how it withstood a breeze or two, and it maybe even had some reinforced windows; but when the wolf blew, that house came down too.  Finally, the last and most mature phase in the Model is the Advantaged phase.  In this phase, our Advantaged pig built her BR program out of bricks. She anticipated the danger, planned accordingly, consulted her risk advisors, and then built a resilient house that not only withstood the impending disaster, but became a competitive advantage as a wolf trapper, processor and cooker.

In all seriousness, the Maturity Model has been received extremely well as organizations are already starting to use it to map out their journey in maturing their BR programs using Archer as a key enabler.  For more information, read the BR White Paper – and check out White Papers on our other Maturity Models on the RSA Archer Community.  Email me at if you're interested in hearing more or give me any feedback you have.  In my next blog I'll talk about the Maturity Model for Internal Audit.  So until then...wait, why am I hungry for pork chops?

Do you have Lessons Learned, Best Practices, and/or Actionable Takeaways that you'd like to share with the largest gathering of Archer customers, partners, and risk and compliance experts from around the world?  Then we want to hear from you!


RSA Archer's 'Call for Speakers' (C4S) Submissions is now open from April 20 through May 22. There will be 64 sessions with 8 Tracks, including:

  • IT & Security Risk
  • Corporate & Regulatory Compliance
  • GRC Program
  • Operational & Enterprise Risk
  • Business Resiliency & Third Party Governance
  • Industry/Vertical
  • RSA Archer Technical
  • RSA Archer Advanced Technical


To assist those interested in submitting a proposal, we are providing detailed C4S FAQs, as well as an informative video that outlines guidelines and suggestions for a successful submission. 


This year's Archer Summit will be co-located with RSA CHARGE 2015, October 21-23 at The Lakeside Center at McCormick Place, Chicago. RSA CHARGE is an exclusive user conference designed to bring together and harness the innovative power of thought leaders, industry experts and the RSA security community.


Archer attendees will now have access to all RSA sessions, without additional fees, covering Advanced Security Operations Center, Identity and Access Management, Fraud Prevention, and much more. With these two events co-located, we are looking forward to even more energy and a larger crowd, with shared General Sessions and an Innovation Zone for the combined audience.


This will be an event you don't want to miss.

Last week, I announced the release of the RSA Archer Maturity Model series of white papers that discuss the different phases and the key capabilities organizations should pursue in building maturity across different segments of risk management. IT and Security risk is one of those key areas and for good reason.  At this point, business and technology is inseparable.   I have written about it before and the general consensus if you do a straw poll among any risk minded individuals is that business risk and IT risk range from inescapably linked to synonymous.   So what does this have to do with Wally World?


The journey to maturity in IT Security Risk Management is much like the popular movie National Lampoon’s Vacation.  For those of you unfamiliar with the movie (or haven’t seen it in ages), let me refresh your memory on the epic tale of the indomitable Griswold family as they embark on a cross country trip to the fabled amusement park “Wally World”.  Along the way, our intrepid heroes fall into multiple calamitous events:

  • They take the wrong turn off the highway and end up in a dangerous, seedy part of town where their car is vandalized.  (Sound like the business unit of yours that thought it was a good idea to outsource an IT initiative without security oversight?)
  • Clark, the beleaguered husband, becomes distracted by an attractive woman leading to disastrous results.  (Ring any bells on that technology that promised to solve all your security issues only to become a quagmire of disillusionment?)
  • Upon reaching their destination, they find the park closed and their hopes of a fun family outing are smashed.  (A reminder that not all strategies come to fruition as many times the rules change, the business evolves, or the plan just doesn’t work out.)

There are several instances in the movie that could draw a parallel with organizations’ struggle to achieve risk management maturity.  My point is that any journey you undertake has its pitfalls and obstacles.  No journey, including the drive for maturity in your IT Security Risk program, will avoid every setback.  However, a journey well planned is a destination half reached.


The RSA Archer IT Security Risk Management maturity model focuses on four key capabilities that enable a sustainable, agile program:

  • Establish business context for security;
  • Establish security policies and standards;
  • Identify and resolve security deficiencies; and
  • Detect and respond to attacks.

An organization focusing on these competencies sets itself apart from the reactive, compliance driven security function and positions the security capabilities to deal with the growing IT Security risk.  A security function that understands the business context of security requirements and issues can prioritize efforts, marshal the right resources and drive controls to the most important part of the business.  Policies and standards set the bar for an organization and, when aligned with both regulatory and corporate compliance, become the foundation for a maintainable program.  Protecting resources requires stout security defenses with limited deficiencies. Finally, no fortification is impenetrable and the organization must be able to detect and respond when attacks pierce the barricades.  There are many moving parts in this strategy and the journey is substantial.  But just like the Griswolds chasing their dream vacation, organizations seek to avoid complications and reach their Wally World – a technically strong, business agile security function that becomes a competitive advantage for the company.


The RSA Archer IT Security Risk Management white paper discusses these capabilities at length and posits where different competences fall into our Maturity stages.  Read the White Paper – and check out our other papers – on the RSA Archer Community at  The paper may not be exactly a ticket to Wally World, but hopefully it helps plan your journey.

Marshall Toburen

BIG Operational Risk

Posted by Marshall Toburen Employee Apr 13, 2015

Operational Risk is broadly defined as error or fraud associated with people, processes, or technology and Acts of God. With the exception of Acts of God, what are the worst kind of Operational Risk Events?  Cyber attacks were cited as the highest technology-related risk in the World Economic Forum, Global Risks 2015. However, according to a recent online Fortune article, data breaches have cost big publicly traded companies “Shockingly little”, typically amounting to less than 1% of annual revenue.  This statistic is a big surprise and leaves one wondering what truly are the biggest IT / Operational risks?  I suggest that they are System Development Life Cycle (SDLC) / product and service liability-related.


Perhaps the most costly and notorious IT Risk-related event in recent history was the SDLC / product failure of Knight Capital, when Knight placed an erroneous trading algorithm into production that cost the company $460 Million in customer reimbursements, $400 Million in market capitalization and $12 Million in  regulatory fines.  Ultimately, it forced Knight to sell themselves to another company.


If you examine product liability claims with the notion that they mostly result from the introduction of new product defects,  poor  SDLC practices, and errors and omissions in the ongoing management of products and services, the picture gets much worse.  In 2006, the most recent year for which relevant data are available, there were over 54,000 product liability cases filed across all State and Federal courts!  Although a number of companies self-insure, you can get a sense of the magnitude of product liability risk by examining insurance premiums collected.  Net premiums for liability insuance tripled from $6.61 billion in 1979 to $19.08 billion in 1988 and amounted to $160 Billion and $84 Billion globally and in the U.S., respectively in 2013.  Of this amount, only $1.3 billion was cyber-liability related.


Some of the most significant product liability claims to date have ranged from automobile design failures that resulted in multiple deaths and hundreds of millions of dollars in compensation, medical device and drug liability claims, and even exploding portable gas cans that forced the manufacturer out of business.


Flawless Product development, project management, and product operations can be extremely difficult.  Often the complexity can be overwhelming because it depends on the comprehensive identification of interdependencies and management of risk originating both internally and as a result of third party relationships. Preventing the introduction of significant errors and fraud in computer systems and customer-facing products and services requires a very methodical approach to risk management.  You must be able to answer questions like: what new products and services are being introduced throughout the company? What business processes (people, process, and technology) and third parties support this product and service? What kind of risk is introduced by a new product?  What could go wrong / what is the worst-case scenario?  What is being done to mitigate and transfer risks and are mitigation activities designed and operating effectively?


RSA Archer helps in the methodical assessment and management of risk whether it originates from IT or non-IT activities, from third parties, from business interruptions, or relates to corporate or regulatory compliance obligations.  On a combined basis, Archer can help an orgainiazation to manage and mitigate its product liability risk.  This capability invariably translates into greater confidence that reliable products can be delivered to market more quickly with fewer suprises,  loss events,  and lower product liability insurance premiums.  We do this with attention to detail and risk management standards and best practice such as ISO 31000 that establishes principles and guidelines to effectively identify, assess, decision, treat, and monitor risk.


Our capabilities to assist organizations in managing risk in each of these core areas were evaluated by Gartner in the last half of 2014.  In each area, Business Continuity Management, IT Vendor Risk Management, It Risk Management, and Operational Risk Management.  In each of these four evaluations, Gartner placed our product in the Leaders Quadrant!  Learn more about these reports


We believe that Gartner’s assessments underscore the importance of risk management in surviving today’s competitive market. Nearly every business unit within an organization is getting involved to actively identify and manage risks as they arise.  After all, they are the ones that understand their business, are most in-tune with risks within the business line and they are also best equipped to accept, treat and mitigate the risk in accordance with the organization’s risk tolerance, policies and procedures.  As a result, business units are now  engaging fully in the risk management framework. A coordinated, integrated level of risk intelligence helps enable CEOs and management teams to fuel their businesses more actively with new opportunities that are within their risk tolerance, minimizing SDLC and product liability risk.

The 2014 ‘Gartner CEO and Senior Executive Survey: 'Risk-On' Attitudes Will Accelerate Digital Business’ report indicated 64% of senior executives listed Growth as the number 1, 2 or 3 priority.   Companies have many paths to fuel growth such as mergers, acquisitions, launching new products and services and broadening out to new markets.   However, all of these activities involve risk.  Without the proper handling of risks, compliance obligations and the general preparation it takes for the business to take on these strategic initiatives, growth can be in peril.  In the same report, executives reported that they were more likely to grow the business IF they had good sense of the risks involved – and the ability of the organization to deal with those risks.  This is why Governance, Risk and Compliance programs have risen from the humble beginnings of point efforts, grass roots initiatives and a select few practitioners huddling in the corner at organizations to become a board level discussion today.  While GRC placed 11th on the list of priorities in this survey, managing risk is an absolute imperative for the organization to meet that #1 priority of Growth.


When it comes to building any enterprise GRC program – and truly affecting change in an organization – the journey has many twists and turns.  Organizations must go through a transformative process of maturing processes from localized, concerted efforts into a broader, comprehensive strategy.  The maturity of a GRC program is the sum of many parts.  Some organizations are just embarking on this journey; other organizations have been trekking this path for several years.


I am pleased to announce the RSA Archer Maturity Models – a series of white papers that outline the six major dimensions of risk management.  The RSA Archer Maturity Models focus on key capabilities enabled by the RSA Archer solutions.  As a technology enabler, RSA Archer provides the critical infrastructure to leverage processes, share data and establish common taxonomies and methodologies.  Our vision is to help organizations transform compliance, manage risk and exploit opportunity with Risk Intelligence made possible via an integrated, coordinated GRC program.


The RSA Archer Maturity Models outline multiple segments of risk management that organizations must address to transform their GRC programs and articulates the five stages of Maturity an organization experiences during the journey from Siloed efforts to an Advantaged state of risk management.  Each white paper discusses the different phases and the key capabilities that organizations should pursue in building maturity across the core components of a GRC program:

  • Operational Risk Management,
  • IT Security Risk Management,
  • Regulatory and Corporate Compliance,
  • Third Party Governance,
  • Business Resiliency,
  • Audit Management, and
  • Assessment & Authorization/Continuous Monitoring (Federal solution).


The GRC Strategy team will be posting a series of blogs highlighting the maturity models over the next few weeks.    As with all journeys, we expect that your organization may have taken its own unique path as your pursue GRC Maturity.  We welcome your feedback as you research our positions in these domains.


The White Papers are available to members of the RSA Archer Community at



Gartner report:

In October last year, Gartner released their Magic Quadrant for IT Vendor Risk Management, positioning EMC (RSA) in the Leader's Quadrant, with the highest ability to execute.109905

In March, this year, Gartner released their Magic Quadrant for IT Risk Management.  Once again, EMC-RSA has been positioned as a Leader!



Some might ask, isn’t IT Vendor Risk Management just a subset of IT Risk Management?  Yes, it is but the breadth and complexity of third parties being used in organizations today require the use of risk management solutions like the EMC-RSA Third Party Governance solution that are specifically tailored to the unique requirements associated with third party risk management.  These requirements include understanding the complete organizational structure of the third party, the business activities and products and services the third party supports, evaluating the controls that the third party has in place to mitigate risk, what type of risk transfer the third party has in place, and establishing and monitoring performance indicators unique to the products and services being delivered by the third party.    These requirements are unique enough that they cannot be adequately addressed by broader IT Risk Management solutions.


Broader IT Risk Management solutions tend to be more inwardly focused, placing attention on the organization’s internal processes and internal control framework to manage risk.  Compliance with information security regulations such as the Gramm-Leach Bliley Act (GLBA) highlight the necessity of both solutions.  On the one hand, you must understand the population of vendors your organization is using, which of the organization’s products and services they support, how they support them, what kinds and amounts of information are being shared, and the control procedures the third party has in place to protect the information being shared and to ensure the third party’s resiliency.  The target of understanding in all cases is the third party and the specific products and services they are delivering. 


There is, however, a broader aspect to GLBA that targets the organization’s internal processes, policies and procedures, and internal controls.  These include documenting non-third party related threat sources that may compromise information security – such as employee accidental loss or deliberate theft of customer information, and data breaches that might occur as a result of compromised application systems and network devices.  Internal controls around information security must also be documented such as how new employees are vetted and on-boarded, how existing employees receive effective on-going training on information security, and how and when security patches are applied to IT assets.  The organization’s policies and procedures to manage information security and GLBA compliance must be documented and associated with the actual regulation in order to demonstrate to executive management and regulators how the organization achieves compliance.  Lastly, information security incidents that occur must be managed in a timely manner to minimize the duration and impact of the incident and to make certain all regulatory reporting requirements are fulfilled.


These two RSA Archer solutions can help you obtain the most comprehensive understanding and management of IT-related risk, whether it originates internally or through third parties!


For more information on these Gartner assessments, please visit this landing page.



These graphics were published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner documents are available upon request from EMC-RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation.


Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

One of the top universal issues that business executives, boards of directors and audit committees deal with is they hate surprises.  I'm not talking about the good ones, like an unexpected jump in stock price, a product launch that's a runaway success, or a favorable tax position.  I'm talking about bad surprises.  Those that bring to the forefront risks that the company, its risk and assurance functions, and "the auditors" failed to identify and do something about.  This especially hits home to auditors when they recently spent time auditing a particular area and could have identified certain risks and alerted management before it led to a bad surprise.  Bad surprises come in all shapes and sizes but they usually spring from unidentified or misdiagnosed risks.  A risk category that is a top five for most executives, and is becoming more prevalent (but is much less understood) is IT risks.

Gartner recently released its Magic Quadrant for IT Risk Management (again naming EMC/RSA a leader for its Archer GRC platform offering).  Gartner defines this space as risks within the scope and responsibility of IT, the IT department, or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events. Gartner reiterates that IT risk management is a core competency for governance, risk, and compliance programs. This means that the line between business and IT risk management is becoming blurred as processes evolve and incorporate more and more technologies or become the technologies themselves. This raises IT risks that ORM/ERM and business process auditors, second and third lines of defense, may not be adept at recognizing and knowing how to deal with.

Among the many questions to address in proper risk management is one I'll focus on today.  Which is this - does your organization have the right risk management structure, approach, org109916anization and skills to properly manage IT risks?  A potential weak link in the chain exists in many organizations' organizational approach to risk management.  Operations Risk Management (ORM) or Enterprise Risk Management (ERM) functions typically address business risks, while IT risks are mainly tackled by the IT organization.  Similarly, Internal Audit (IA) departments are often delineated between business auditors and IT auditors, who perform business process audits and IT audits, respectively.  The weak link manifests itself if these separate groups don't have similar if not related risk management methodologies, don't communicate, and don't track or resolve findings through common approaches. IT organizations usually understands their risks fairly well, but they must do a better job at being the conduit between their business counterparts to translate IT risks into business impacts that make sense to executives.  On a positive note, most ORM/ERM groups and their IT counterparts do connect at some level, either through similar risk management approaches, risk registers or other methods. Similarly, IT auditors typically have the skills to identify and raise issues around IT risks and do a good job of communicating them through their audit findings.


Most organizations have a ways to go until they can manage their IT risks to the point that they won't be seeing many surprises - but that's more of a journey than a destination that we're all on. Let's keep the dialogue going! Check out our Community page for more information on the Gartner Magic Quadrant series. Use this link for the “Community page” and email me at with your thoughts!

Gartner just released their IT Risk Management Magic Quadrant results. RSA is at the front, as usual, but when I saw the results I was immediately struck by a question: How closely do Gartner’s and the federal community’s visions of IT Risk Management align? There has been discussion around redefining these categories and some have been broken out into new MQs. So, for my federal security professional colleagues, I just wanted to run through Gartner’s definition of ITRM and compare them to current federal thinking and initiatives.



When Gartner is evaluating tools against the topic or domain of IT Risk Management their site says they focus on “software products that support the ITRM discipline through automating common workflows and requirements”. Automation is key theme. The increased complexity and acceleration in the speed of the IT threat world requires automation these days. Automation is mentioned several other times on the ITRM page, including: “It is important to note that these products automate good, existing processes. Organizations should seek automation when they have sufficient maturity to take advantage of its benefits.”


This fits in very well with current federal emphasis on continuous monitoring (both manual and automated). The federal community is now fairly mature at the FISMA/OMB compliance paradigm and C&A/A&A. Logically, continuous monitoring is one of the areas where automation can help enhance the process. This emphasis can be seen in many new releases in the last year. OMB Memos 14-3 and 15-1 have touched on this topic in the last 18 months. FedRAMP updated its continuous monitoring guidance last summer. The NIST 800-53A Rev4 that just came out is MUCH more granular than previous revisions. This provides more granular reporting, but good luck trying to implement it without some automation.


Gartner’s definition of “IT risk management" is based on customer feedback, funneled through a working group of analysts. It is comprised of the following components:

Policy Management

      • Authoring, change management and version control
      • Development and approval workflow
      • Mapping policy statements into regulatory requirements

Compliance Mapping/Reporting – the ability to link the appropriate controls, assets, and assessment results and reports

Security Operations Analysis and Reporting

      • Ability to leverage diverse scanner and sensor data
      • Turn security metrics into actionable, meaningful reports and dashboards
      • Defect remediation workflow

IT Risk Assessment –providing a risk assessment workflow, and linkage between assets, risk assessments, context, and metrics.

Incident Management – manage, remediate, and report on incidents


It’s not hard to see that these very closely align with the current concerns in the federal community. Continuous monitoring or what DHS calls Continuous Diagnostics and Mitigation for its CDM Dashboard, addresses many of these pieces, as do NIST RMF and CNSSI 1253. The point I wanted to make is that Gartner has many MQs, and RSA has done well in all of them, as you can see here, here, and here. The ITRM MQ is, I would argue, the most applicable to the largest portion and intent of federal cybersecurity efforts and in this MQ, RSA is not just in the Leader’s quadrant, but at the leading edge.


Thanks for reading.

Email me with comments and questions.


Filter Blog

By date: By tag: