
Maxwell Street.  John Lee Hooker growling out “Boom, boom, boom, boom”.  Four whole fried chickens and a Coke.  The Blues Brothers. That’s my immediate vision when I think of Chicago. As a devout fan of the blues, Chicago holds a special place in my heart.  In the 1940s, artists flocked to the city, establishing one of the most unique and vibrant musical scenes in our history.  The legacy carries forward today as Chicago continues to be a city bustling with activity and the wail of the blues.


In 2014 we celebrated our 11th RSA Archer GRC Summit in Phoenix, Arizona with more than 1,000 GRC professionals. Over the course of three days, the group participated in 56 educational breakout sessions led by RSA customers, partners and RSA Archer product experts covering eight tracks. Sessions addressed program, process, and technical topics, giving our customers a platform to share their experiences with each other, to network with fellow GRC professionals, and to grow their GRC and RSA Archer capabilities. The theme of the 2014 event was “Harnessing risk. Exploring opportunity.” and highlighted the journey all of our customers embark on when pursuing GRC excellence.


This year’s RSA Archer Summit is being held in conjunction with our larger user forum and conference, RSA Charge, and takes place in Chicago. This year’s theme, Recharge, Retool, Reignite, is fitting for such a venue, which is why smoky, blues-filled dance halls come to mind. The Chicago blues is not all heartbreak and woes. What is more invigorating than an electric-charged blues boogie fueled by howling guitars, wailing harp and a thumping beat? Take a listen to Howlin’ Wolf or Muddy Waters and try to keep your foot from tapping. This year’s conference is the perfect opportunity to network, learn and build your vision for your GRC journey. With the combined conference you can also benefit from sessions covering all of RSA’s product portfolio.


The Call for Speakers is still open and I highly encourage you to take this opportunity to share your knowledge and insight.  Pull up a chair, bring your guitar, get your Mojo working and sing your heart out.

To be an effective third party manager today you have to be extremely risk intelligent, able to answer questions like:

  • Who are all of the third parties we do business with and what products and services are they delivering?
  • Which third parties are most important and why?
  • Which third parties pose the most risk to the organization, why and how?
  • Are third parties performing in accordance with the original agreed-upon terms? If not, what are they doing to improve?
  • Is the financial wherewithal of any third party deteriorating such that they may go out of business unexpectedly? If so, what are our contingency plans? and
  • Oh, by the way, are we fulfilling all of our obligations to comply with regulatory requirements around third party management?


It’s impractical, if not impossible, for one person to answer these questions without help from each business unit: the risk specialists in security, regulatory compliance, business continuity and credit; purchasing and legal; finance; product management; and even strategy. But getting this kind of help when you are first starting your program requires a lot of meetings, telephone calls, emails, and trading of spreadsheets. This buries the team with work and leaves little time to figure out what steps you can take to lighten the load while still making your third party governance program better.


This is where RSA Archer’s new Maturity Model initiative comes in.  We have created maturity models around third party governance and all of our other solutions to help customers understand the critical capabilities of an effective and efficient program that can be facilitated through the use of Archer.  The maturity models are an excellent self-assessment and can help you prioritize your initiatives and refresh your roadmaps.  I encourage you to learn more about our maturity assessment initiative and how it might help you with your program.


The bonus: they are free of charge! So, schedule your assessment today by contacting your Archer Sales representative. Learn more about each of our maturity models through our white paper series!

At RSA Archer, we are now officially announcing our GRC maturity assessments. I personally would like to announce the Assessment & Authorization (A&A) and Continuous Monitoring maturity assessment for the federal community and federal adjacent customers, like contractors. In addition, we have maturity assessments that correspond to most of our other offerings and domains of interest:

  • Operational Risk Management
  • IT Security Risk Management
  • Regulatory and Corporate Compliance
  • Business Resiliency
  • Third Party Governance
  • Audit Management


So what is it?

You answer a questionnaire and send us the results. We perform the analyses and provide charts, reports, and artifacts in a formal briefing. This is all FREE. You can invite other stakeholders to this briefing or at least have the reports and materials to take back to your team to prompt some serious discussion.


Why do you need it?

In the context of A&A and Continuous Monitoring, we know they are mandatory activities. FISMA and OMB have told us so. We have been doing A&A (and C&A) for many years. Most people are still figuring out what they are going to do about Continuous Monitoring. Very few have attempted to achieve Ongoing Authorization.


The maturity assessment doesn't just force you to examine each little piece you’re doing or not doing; it forces you to see the relationships between the activities and how they impact each other. Beyond a litany of checklist activities, you have to at some point examine the maturity of your processes, tools, and staff. Without this, you will likely never meet the minimum, and if you do, it will be at the maximum cost in stress and pain to your staff. To put it another way: an organization with a mature information assurance program will have efficiencies and visibility in place that allow it to achieve more than a less mature organization with the same amount of resources.


What's next?

If you are interested in learning more about our process, we have white papers posted here.

Or contact me directly and we can discuss next steps.


As always, thanks for reading, and email me with comments or questions.




Register today for RSA Charge 2016, taking place in New Orleans from October 25 – 27. Visit our webpage to learn more.


This must-attend event will be the largest gathering of Archer customers, partners, and risk and compliance experts from around the world, providing GRC professionals - from experts to novices -  with the premier venue to share knowledge, gain hands-on experience, and learn best practices from other GRC professionals.


Your 2016 RSA Charge registration pass will give you access to ‘all’ RSA sessions, without additional fees for RSA Archer, Advanced Security Operations Center, Identity Management and Governance, Fraud Protection, and much more, including shared General Sessions and an Innovation Zone for the combined audience.


See you in New Orleans!

You may be familiar with the story of Frodo Baggins from the Lord of the Rings trilogy. He was an unassuming hobbit from the Shire who inherited a ring. Once he came to understand the power and dark purposes of the ring, he set out to destroy it in the fires of Mount Doom before the Dark Lord Sauron could use it to destroy Middle Earth. There were many times on his long journey that Frodo tried to do this alone. He did so because he felt it was his quest to accomplish, he didn't agree with how others wanted to proceed, or he was scared for the safety of his friends. It was only when he relied on help from friends like Samwise Gamgee, Lord Aragorn and the wizard Gandalf that his quest finally succeeded. There were many adventures, new characters, close calls and misdirections along the way. But in the end, he accomplished his goal of destroying the ring and saving Middle Earth.


You may be less familiar with the story of the ARC. The ARC finds itself in a very similar position to Frodo and his counterparts. The ARC consists of three groups that set off on similar but separate quests, each to destroy evil and restore peace in the land. The problem is that they were very much separate even though their goals were the same. At first, they didn't know much about each other other than that they each existed. There were times they crossed paths in their journey and even fought against each other, not knowing they could be allies. In the end, only when truly perilous times came upon them all did they begin to work together to achieve their quest.


Ok, I guess it's time to bring this back to the purpose that I'm writing about, and it's not to become the next J.R.R. Tolkien! This ARC group I'm referring to exists in most every substantial organization today. It's the Audit, Risk and Compliance (ARC) teams, and when you think about it, they really have been on a similar quest, or what I'd call a maturity journey, to abolish evil (risks) and establish control(s). As a Governance, Risk and Control (GRC) company with over 1,300 customers, we've seen our share of organizations all along this journey. Some are very separate in their quest to manage risks, implement controls and help steer the destiny of their organizations. Others are working together with similar approaches, sharing the load and reporting results consistently and holistically. Just as Frodo and his counterparts triumphed over their foes only when they worked together as a team, the organizations that align their ARC teams (and there are many ways to do this) are more successful. This could be done by evaluating risks in the same way, dividing up the work of evaluating controls, coordinating with regulators, or becoming more involved in strategic initiatives to give the unique perspective only ARC groups can provide.


Frodo needed directions to the fires of Mount Doom where the ring could be destroyed. ARC and other groups also need a roadmap, so we've recently implemented Maturity Models to light the way. These Maturity Models cover each area: Audit, Compliance, Risk, Third Party Management, IT Security and more. Each one helps the organization understand where it is on the road to maturity and how to advance further. Finally, just as Frodo and his colleagues had swords, shields and bucklers, organizations have access to the Archer GRC tool, which is a strong enabler when coupled with the Maturity Models to help teams accomplish this shared mission.


It's not an easy journey, so check out our White Papers on the RSA Archer Community: RSA Archer Maturity Model White Papers.

A quick Google search on the words “Maturity Model” returned over 6 million results, with at least 22,000 results relating to the just recently released “RSA Archer Maturity Models”!


Yep, RSA Archer has released maturity models around each of its core solutions: Operational Risk Management, IT Security Risk Management, Regulatory and Corporate Compliance, Business Resiliency, Third Party Governance, and Audit Management.


We believe that it is important for our customers to understand the full capabilities of our solutions, to exploit them in a manner that brings the greatest efficiency and value to their organization.  Generally, this means enabling the progression of an organization from a siloed, compliance orientation to an advantaged, opportunity focused orientation.  This progression enhances an organization’s “risk intelligence”, helping them to make better and faster decisions about risk that strengthens their competitiveness, and increases the likelihood that they will achieve their mission and objectives without experiencing nasty surprises along the way.


In my last blog I discussed the breadth of Operational Risk events today based on an analysis of litigation volume and insurance premiums. At the rate things are going, it’s unlikely we’re going to see a big drop in Operational Risk events any time soon. That is why there is still the need for another maturity model. Organizations still have a need to better manage Operational Risk.


There are four key capabilities integral to a successful OpsRisk program:


  • Establishing the scope and context for ORM
  • Identifying and Assessing Op Risks
  • Making Decisions about Operational Risks and Treating the Risks; and
  • Reporting On and Monitoring Operational Risks


The RSA Archer Operational Risk Management Maturity Model is designed to help organizations enable these key capabilities to their fullest using the RSA Archer Operational Risk Management Solution.


So, if you want to better understand what an Advantaged implementation of GRC looks like, please contact us to conduct a Maturity assessment.  To learn more about our maturity models, check out our Maturity Model White Papers.


We’ve recently begun rolling out our new RSA Archer Maturity Models, a unique set of resources designed to help customers better understand and navigate their GRC journeys. The concept of a maturity model is certainly not new, especially in the technology world. However, to me, one of the more frustrating aspects of typical technical maturity models (besides being abstract and not GRC focused) is their tendency to have a rigid, unforgiving way of making you feel inadequate no matter what you accomplish. So we set out to create a fresh, new spin on discussing operational maturity in a way that’s more instructive and GRC-centric. Our maturity models are very approachable, helping customers easily identify where they currently are in their journey so they can set realistic goals for where they want to go next, and, most importantly, providing specific guidance for HOW to get there!


In our initial announcement a few weeks ago we introduced the basic approach across the seven GRC discipline areas we focused on for this first round of models. The Regulatory and Corporate Compliance Maturity Model details dozens of specific aspects necessary to build a mature compliance program from the ground up; and transform disconnected, inefficient risk and compliance motions into an integrated and differentiated system of activity and source of enterprise competitive advantage.


Celebrated business executive Jim Barksdale was known for his creative business expressions, including his “Main Thing Principle.” His mantra: “The main thing is to keep the Main Thing the main thing.” During his tenure as COO of FedEx his frame of reference was a little different than ours here, but the idea is the same. Every organization, every program needs a “Main Thing”: a central driving concept that forms the basis for success. That one thing is what people must clearly understand above all else in order to realize their potential.


One of the key elements you’ll hear us echo repeatedly is the importance of building business context. If there’s only one “main thing” in GRC, then I would argue that’s it, because it’s that rich business context that unlocks the inherent potential that exists within every organization’s operations. Without that context we don’t know what we don’t know, let alone how to prioritize goals that harness risk and transform compliance in meaningful ways to deliver real, tangible value through GRC initiatives. As Jim Barksdale would say, “You can’t manage that which you cannot measure.” (He would also say, “In a fight between a bear and an alligator, it is the terrain which determines the winner.”) I’ll leave it to you to apply that latter pearl of wisdom on your own.


In the meantime I encourage you to take a look at the maturity model white paper for Regulatory and Corporate Compliance and the other Maturity Models, along with our Risk Intelligence Index on the RSA Archer Community. My fellow GRC Strategists and I are excited about the conversations these resources are inspiring with customers as a new backdrop for them to plan their GRC journeys and ramp up their programs. If you have any feedback or would like to engage in a consultative maturity model discussion in your organization, please email me anytime!

It's time to limber up those fingers, sharpen your pencils, and submit your presentation proposal for the 2015 RSA Archer GRC Summit.


This year we've made it even easier for you to do so. New this year, we are providing detailed Call for Speakers FAQs, as well as an informative video that outlines guidelines and suggestions for a successful submission.

There will be 8 tracks, including:

  • IT & Security Risk
  • Corporate and Regulatory Compliance
  • GRC Program
  • Operational and Enterprise Risk
  • Business Resiliency & Third Party Governance
  • Industry Vertical
  • RSA Archer Technical
  • RSA Archer Technical Advanced


Prices for this year's GRC Summit are the same as last year, with an Early Bird Discount available when registration opens on May 14. This year's GRC Summit will be a co-located event with RSA CHARGE 2015, October 21-23 at Lakeside Center at McCormick Place, Chicago.


Can we give you any more reasons to attend? Well, yes we can; RSA Archer attendees will have access to all RSA sessions, 'without additional fees,' covering Advanced Security Operations Center, Identity and Access Management, Fraud Prevention, and much, much more. With RSA Archer GRC Summit and RSA CHARGE 2015 co-located events, we look forward to an even greater event.


Don't miss out: submit your presentation proposal today!
