Through the years, as federal information assurance professionals, we’ve seen a lot of adjustments and evolution. We had an arms race in buying newer and better firewalls, more secure networking devices, IDSs, IPSs, and SIEM tools. We bought generations of scanners and sensors. We watched several iterations of C&A and A&A methodologies come and go. FISMA took its first lumbering steps, and about a dozen VERY expensive years later, it was rewritten. The evolution in each case was toward a more dynamic and risk-based approach. From bastion to defense in depth. From rules-based to heuristic. From a mountain of logs to a prioritized few. FISMA is trying to do the same thing: to move from a checklist exercise to embracing continuous monitoring and from crusty, three-year-old ATOs to using tangible risk metrics.
Since the economic crash of 2008, the message has begun to sink in that wartime spending increases are gone, and even though the missions seem to grow and grow, the budget has either finally hit a ceiling or will see only a very slow increase for the foreseeable future. The DoD and Intelligence Community may get a little consideration for their classified systems, but overall, the federal community knows we cannot throw resources at security problems like we have in the past.
Fortunately, this fits in with the evolution examples I just gave. Moving to embrace real risk management and real risk-based allocation doesn’t just save money, it will actually force federal organizations to think and behave in ways which make them more secure.
To this end, at RSA, we strive to make tools to enable true risk management and inspire it within organizations. This is why I’m happy to announce the upcoming launch of RSA Archer GRC 6. I don’t want to derail the risk message I’m building up to by stopping to describe the new features, so here is a short video that hits the high points and shows the new interface, etc.
Back to my point: Federal organizations need to continue to infuse more risk-based decision making into their cultures. What do I mean by that? As part of the launch of RSA Archer GRC 6, we had a virtual launch event. I would recommend you watch the launch video here. I mention the video because my colleagues centered the event on the theme “Inspire Everyone to Own Risk”. This theme strikes the perfect tone because, first, it showcases the best new features of Archer v6, but, more importantly, it ties in with the evolution thread above.
Federal organizations must empower more, if not all, employees to understand risk, to make risk decisions, and to help manage risk at their own respective levels within the organization. In the launch video I mentioned, one of my colleagues points out an excellent white paper from COSO related to this subject. It is similar in many ways to federal documents like NIST SP 800-37 and 800-39, but adds a few extra elements, and it is refreshing and enlightening to hear these topics discussed by a different community with a slightly different perspective. This doesn’t just mean FISMA and OMB compliance. It means getting the teams within your organization to agree on a common risk taxonomy and common goals. It means ORM/ERM and using resources like AFERM and the Maroon Book in your organization.
It is for all of these reasons that when I see our new RSA Archer GRC 6, I notice and appreciate most the new features focused on role-based views and reports, task-driven landing screens, and advanced workflow capabilities. These features break down the silos between teams and empower each layer in the organizational hierarchy to own and manage their piece of the risk.
Inspire everyone to own risk.
Thanks for reading. Comments or questions? Email me.