Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2015 > August

I need your help with something. How many books exist about the fine art of being more persuasive? Do they work? Whether it’s to win & influence, breach the inner circle, or just get a date, there’s seems to be no shortage of resources available. What do they all have in common? Probably nothing beyond a desire to influence people to buy them so we can magically learn how to be more influential! However some interesting research by Cornell University Professor, Vanessa K. Bohns suggests there actually is a universal trick to influencing people that’s both real and much easier than we might think. What’s the secret? Just “ask.”


In her Harvard Business Review article Professor Bohns describes a set of simple experiments her team designed to evaluate the accuracy of the average person’s beliefs about their own powers of influence. The basic approach was to analyze the delta between the subjects’ perceived difficulty versus how difficult it actually was to get strangers to do things for them. Some interesting baselines came out of it suggesting the average person is far more influential than they realize. Professor Bohns says we “persistently underestimate our influence,” (on the order of about half according to her stats.) In one experiment the subjects were supposed to get passersby to complete a questionnaire. Ahead of time the subjects predicted it would take them asking ten people just to get one to agree. Yet the results were not 1 in 10 but rather 1 in 4!


How can we apply this in the world of risk and compliance? The article cites a classic whistleblower scenario that reiterates how challenging it can be getting people to speak up. Another example that comes to mind is the difficulty in establishing consistency and repeatability when trying to embed compliance activities into business processes. We often seem to draw attention to the consequences of non-compliance (regulatory penalties) as a way to compel people to work differently, implement additional steps, fund projects, etc. Yet these consequences are often so ethereal it’s hard to cast them in a relatable context.


The Cornell team suggests a better approach may be to simply ask for help instead. Part of the rationale is based on the psychology that people are more inclined to willingly participate when they emotionally believe their effort will truly help. For instance a compliance process owner in need of better departmental cooperation might try an empathetic appeal: “Hey I know it’s a pain. But after the last audit finding it now falls on me personally if we have another issue and I can’t do it alone. So I really need your help. Can you please make sure these compliance checks get done each night?”


A compliance manager trying to win executive support could try an approach like this: “Mr./Mrs. Executive I know resources are tight, especially your time. But I also know how much you care about keeping a tight operation too. You have my word we’ll always run as lean as possible to keep spending down. Honestly, in many ways a few words of vocal support are worth more than budget dollars. If you could put some wind in our sails on this compliance initiative with a call to action for the stakeholders, we’d have a much better shot at getting them engaged quickly to ratchet things down with minimal expense.”


Is this really so shocking? It certainly seems more sensible than trying to command a bunch of pre-trained personality habits on the fly by simply memorizing a few acronyms. Or are they "backronyms"? Regardless, the results of the experiments seem to suggest a simpler, more tangible alternative. As to why this may not be more widely understood already, the researchers offered a few explanations ranging from people incorrectly believing their ability to influence was primarily governed by position or standing (e.g. title), to a theory that it’s simply inherently harder for people to physically say “no”.


Feel like giving this a try yourself? The Cornell team suggests the following tips:

  • Just ask: It really can’t hurt and people want to say yes more than we realize.
  • Be direct: Although it may seem polite to drop hints, it’s not as effective and people don’t actually respond as positively as we think.
  • Ask again: Persistence pays. Obviously you don’t want to be a nuisance. But statistically if you’ve only gotten a single “no”, it’s in your favor to ask again.
  • Skip the incentives: Depending on the request people are on average just as likely to comply whether they get something in return or not.


If you’ve made it this far then my attempt to influence you into reading my blog was indeed successful. Wow it really does work! Thanks Cornell!




As outlined in my blog last week, the Defend the Kingdom blog series follows the adventures of a security administrator as he, and his alter ego, battle the forces of evil.   The inaugural blog was released today on Speaking of Security:


Follow the adventure every Tuesday as the story unfolds and the Kingdom is defended.



In an earlier post, I outlined the three lines of defense model and the need for organizations to robustly embrace these functions for an optimized risk management program.  Business unit managers, the first line of defense, are integral to the success of an operational risk program.  Their responsibilities address the risk of loss resulting from inadequate or failed internal processes,  people and systems or from external events.




Managers have always been responsible for defining and managing processes within their business units.  Business processes are nothing more than a collection of related tasks executed to achieve some objective, typically to deliver a product or service to a customer or internal stakeholder.


No one knows the business processes delivered by a business unit better than the business unit’s manager.  Since there are
almost always operational risks associated with a business process, and risk treatments (such as internal controls and risk transfer) associated with most risks, it only makes sense that the business unit manager is also the best individual to understand the risks and risk treatments for their business processes.





It is in this sense that Business Unit Managers and their teams are in the best position to act as the first line of defense in the management of risk for their business unit.  From a risk perspective, business unit managers:

• Document their business processes and associated policies and procedures

• Identify existing and emerging, internal and external risks associated with their processes;
• Perform periodic assessments of processes, risks, and controls;
• Treat risks and assign accountability to manage them
• Review and approve loss events, perform root cause analysis and remediation; and
• Monitor key metrics of risk and performance.



Although business unit managers may not use risk management terminology a lot, they are ultimately responsible for maintaining a culture of sound risk management within their areas by promoting appropriate policies and procedures and by establishing explicit accountability for business processes, risks, and control procedures.  In addition, they have to report on and assure that the business unit's risk profile, emerging risks, loss history, and internal controls are being managed in accordance with the organization’s tolerance.  These activities are a high priority these days because the Executive team and the Board are paying attention.


According to a Deloitte & Society of Corporate Secretaries and Governance Professionals joint 2014 survey,
the top two goals of boards of directors are strategy and risk oversight.  Board of Directors prioritizing Strategy seems intuitive enough but why is the second goal risk oversight?  Because risk reduces the likelihood that strategy will be achieved - the two goals go hand-in-hand.


Business unit managers are critical for success but unfortunately, they may not be executing as well as hoped.  In a February, 2014 Harvard Business Review Analytic Services survey of 610 senior-level and executive management respondents from companies with more than 100 employees, 77% stated that frontline managers are important or extremely important in helping their organization reach its business goals. Yet only 33% and 21% scored their frontline managers competent in business-based decision making and strategic thinking, respectively.


This disconnect between board priorities and the perceived competence of frontline managers is problematic and must be addressed to align resources to priorities.  The causes of the disconnect vary as business unit managers:

• May not always have a clear understanding of their role in managing risk;

• Have limited time and resources to devote to risk management; and
• Use inconsistent approaches to assessing risk such that risk-based decisions are inconsistent.


Each of these problems can and should be addressed across business lines. And many issues can be addressed by establishing a common risk management framework in cooperation with technology, like RSA Archer Operational Risk Management.  In this way, the overall first line of defense is strengthened and Board goals are better achieved.


Are you interested in engaging your business unit managers in the risk management process?  On September 24, 2015, RSA is sponsoring a webinar in collaboration with OCEG to highlight how organizations are improving business operations by engaging the first line of defense.  Register here and join us for this event!

It Started Like Any Other Day

Posted by PatrickP Employee Aug 21, 2015

You don’t know when a disaster is going to strike.  The day usually starts like any other day. Disasters come in all shapes and sizes - natural and man-made, personal tragedies, workplace related events and others, and if you’ve ever experienced one you know it changes you.  Many thoughts run through your mind such as, “Why is this happening to me, are my loved ones safe, where do we go and what do we do?“ Afterward, you reflect on what more you could have done to prepare, because once the disaster strikes, the time for preparation has passed.  The following account of the Leidenheimer Baking Company’s response during Hurricane Katrina in 2005 illustrates my point and teaches some valuable lessons.


Sandy Whann is the president of the family owned-and-operated Leidenheimer Baking Company founded in 1896 in New Orleans, Louisiana.  As a lifetime citizen of New Orleans, Sandy has become adept at hurricane planning through the years. When the hurricane alert was issued on Saturday, August 27, this veteran immediately put his family emergency plan into effect as his wife and two children prepared to leave the city. Sandy remained near his bread production facility to keep a close eye on his company and keep production working at a minimal capacity. With his family out of the city, Sandy now focused on his employees and their families.


On Sunday, after meeting with his upper management, Sandy uncharacteristically decided to shut the bakery down, secure its exterior, gas lines and doors and encouraged his employees to prepare their own homes and loved ones for the storm and potential evacuation. After most of his employees had left, only Sandy, his plant manager, and chief engineer, all of whom play key roles in the business's preparedness plan, remained in New Orleans.


Once Sandy and the others had completed their assigned duties in the emergency shutdown, they left as well. While driving to meet his family in Baton Rouge, Sandy was struck by the unusualness of the event, particularly because the drive, which normally takes one hour, took seven hours.


"Things were very different this time around," said Sandy. "But in the gridlock I still made the most of the little time we had before the storm hit. Having an emergency preparedness plan helps you focus your priorities and helps you know what you need to be doing with the limited time you have in any situation."


En route, Sandy checked with his insurance provider, accountants, legal consultant, and spoke with customers to keep them abreast of the situation and the affect of his shutdown on their supply of baked goods. Sandy's business evacuation kit played a large part in his success. Sandy's kit included: financial and payroll records, utility contact information, updated phone lists for his customers and employees, back-up files and software, as well as computer hard drives. Well before the evacuation Sandy placed the kit in a mobile waterproof/fireproof case that could be taken with him at a moment's notice. As part of Sandy's written plan, he set-up a satellite office for the company in Baton Rouge where he made contact with his bank, forwarded phone lines, and was receiving mail within two days.


Sandy breathed a sigh of relief that his family and his company had escaped a major disaster. Fortunately, Sandy was able to return to his plant within a week of the storm. When he returned, he saw widespread damage. The roof had severe damage, there was no power, no usable water, and no one was permitted back into the city except the National Guard.


Despite caring deeply for his business, the most important thing to Sandy was his employees and he felt fortunate that all of them were safe. In summing up his experience Sandy said, "Katrina was severe enough to teach even us experienced hurricane survivors a few new things about emergency planning."


I hope we can all learn a few things about organizational and personal preparedness and focus a little more during National Preparedness Month on building a more resilient society for all of us. Contact me at and @pnpotter1017



We’re very excited to share some great news – RSA Archer won a 2015 People’s Choice Stevie Award for Favorite New Product in the Software - Governance/Risk category.


As you may know, the Stevies are premier awards as part of the American Business Awards – essentially the equivalent of the film industry’s Academy Awards.  This year, the Stevies winners were selected from more than 3,300 nominations in a wide range of categories.


The People’s Choice award is a particularly special award,  selected by more than 16,000 people who voted for their favorite product or service. This makes the People’s Choice a tremendous honor for RSA Archer, with our customers voting for Archer as the standout GRC product.


We have you – our Archer customers and practitioners – to thank for this honor. We’re incredibly proud to have so many customers who have implemented successful GRC programs. Every day, you’re creating value for your organization by leveraging Risk Intelligence. You’re breaking down barriers and driving in your organization’s risk culture by transforming compliance, harnessing risk and exploiting opportunities to gain competitive advantage. For that, we extend to you our sincere appreciation.


Thank you again for making the Stevie Awards “People’s Choice” honor possible. We appreciate you continuing to make RSA Archer an integral part of your GRC program.

Vulnerability.  Threats. Defense.  For those of you in ‘the risk industry’, these words roll off your tongue with the practiced agility and grace of a seasoned ballet principal.   We use these words as a carpenter operates a saw and hammer, like a musician manipulates an instrument, like a writer brandishes a pen and paper.  They are part of our craft.  We know these words.  They are old friends.  They are always with us.  They complete us…


I have a theory.  It might be the rant of a madman.  It might be the harbinger of the future.  But it is mine nonetheless.  I believe that today’s security and risk challenges are not necessarily ours to solve.  We just need to keep the ball moving forward until the next generation of security and risk professionals – those that cannot perceive a world before the massive, intricate, complexities of technology – take the mantle and truly rebuild this cyberworld that we have wrought.  It isn’t that our attempts today are in vain.  We must continue to strive to secure our technology.  We must continue to promote trust in a digital world. We must not let the dreams of what technology can bring us die a death due to suspicion, doubt, uncertainty or over caution.  And that is why we do what we do – manage risk, secure our data and wait for the decisive solution to unfold.


I am about to embark on a journey and I hope you join me.  The journey involves an intrepid security admin named Marty, a mysterious villain known as The Maestro and an enchanting Kingdom.  The Defend the Kingdom blog series being launched next week is my attempt to engage in a conversation about risk and security that isn’t bounded by buffer overflows and Monte Carlo simulations.  I am looking to speak to that next generation that may just be entering the security and risk world, or those poised on the brink of a technology profession, or those even mildly interested in what makes security and technology tick.  But the story is not just for the young.  It is for anyone that is looking to understand what it means to take on the enormous challenge of defending a modern organization against today’s threats without digging into the deep technical bits and bytes.  For those of you already neck deep in this fight, I hope you find entertainment and inspiration.


The series which will be published in six episodes broken down into weekly blogs.  It has been an ambitious project resulting in 30 weeks of content.  The story unfolds as Marty uncovers some suspicious traffic and his alter ego in the Kingdom, the Hunter, begins investigating a cadre of mysterious men surveying the Kingdom.  Each episode will be accompanied with a technical dialogue which will address some of the parallelisms between the two worlds.   I hope the experience doesn’t end there though.  If I can spark a conversation, a debate, a discourse, then all the better.  My desire is, through an engaging plot, open the door to share and discuss today’s risk and security universe.

If you want some information about the backstory of the series, check out “What is the Defend the Kingdom series?” or the Video.  Follow me on twitter @steveschlarman to engage and let’s explore (and defend) the Kingdom together.

Steve Schlarman

A Pivotal Year

Posted by Steve Schlarman Employee Aug 13, 2015

For the past several years, the information security industry has been saddled with labels annually. 2013: year of the breach; 2014: year of the BREACH (we really mean it); 2015 year of the MEGA breach (its gotten worse!). And with those labels every year I hear the phrase 'this is a pivotal year in the industry'. Is it really a 'pivotal' year when we say it every year? I think yes. But not in the sense it is intended. The implied meaning is a significant redirection of progress or a moment of monumental epiphany. I believe the 'Pivotal Years in Information Security' are more accurately described in terms of moving a heavy piece of furniture.


Ever move something really heavy by yourself? The armoire in your bedroom? That massive bookshelf in the living room? The only way for one person to maneuver something heavy is the old 'pivot' method. Everyone knows this move. Move one corner, move the opposite corner. Repeat as necessary as you slowly walk that behemoth piece of furniture across the room. You move that heavy object one step at a time. And information security is REALLY, really heavy - like armoire-on-top-of-the-bookshelf heavy. So the movement by each pivot in our industry is very small. Or so it seems.


This doesn't mean that important advancements and breakthroughs are not happening in our industry:

  • The dialogue of information security has reached the executive conference room. Questions are being asked; budgets are being loosened; corporate objectives are being set - all due to a rise in awareness around the real threats facing companies today. Catastrophes such as Saudi Aramco and countless others have awakened many an executive making cybersecurity a board level concern.
  • Discourse around the balance of privacy, security, legislation, regulation and the collective future of our technology universe is growing. Jennifer Grannick's keynote at Black Hat last week discussed this imperative. The debate around surveillance and freedom is becoming a frequently discussed topic. Layer on nation state actors and legal restrictions on security researchers and now cybersecurity is a political issue as well.
  • Technology continues to evolve and innovate. There is no shortage of existing and emerging companies with interesting and significant visions in how to attack security gaps. And there is no shortage of digging into the technologies that are rapidly invading our world - most noticeably the vulnerabilities highlighted at BlackHat and DefCon last week such as the Chrysler Uconnect threat and the RSA research released on the Terracotta Army.


So what is the answer? We continue to slowly pivot the heavy object across the room. However if you really want to move furniture around your house, what is a better approach? It's easy - invite a few friends over, order some pizza and get to work. Hearing the phrase 'this is a pivotal year' for our industry should be a clue that we need to continue to collaborate, share information and communicate. One final note to consider: Moving that piece of furniture is not a matter of everyone grabbing hold and pushing and/or pulling. Without coordination and direction, you are more likely to cause more damage than anything. Every year is a pivotal year for information security. What part are you going to play?

The Defend the Kingdom blog series is a fictional storyline following the adventures of Marty Bishop, a skilled, imaginative security administrator fighting cybercrime on the frontlines of the massive multi-national conglomerate MagnaCorp.   Starting as an intern within Information Technology as a college sophomore, Marty's acumen for technical concepts garnered interest from the security team early on in his career.  While he toiled away at running cables and debugging simple code, he kept his eyes open and learned more and more every day under the tutelage of the MagnaCorp techie clique.  His mild, introverted manner hides an intense curiosity and a boundless imagination that he wields with power as he tracks down the digital adversaries of MagnaCorp.  Aided by Greg Townsend, his cubemate and fellow security administrator, he has become THE go-to guy when cyber criminals come knocking at the gates of MagnaCorp.  Marty walks the halls of MagnaCorp as shadow behind the scenes clad in his trademark designer t-shirts and extensive sneaker collection but armed with the knowledge that he stands all too often as the last barrier between MagnaCorps sprawling global business and the brink of digital chaos.


MagnaCorp is a multi-national conglomerate with controlling interests in a wide variety of companies. Based in New York, the company has regional headquarters in all of the major financial hubs with offices, branches and manufacturing facilities in almost every corner of the world.  Its holdings include:

  • a financial powerhouse with banking, insurance and personal & corporate investment operations;
  • significant holdings in healthcare providers including several major regional hospital systems within large urban areas;
  • a software subsidiary that produces enterprise applications for finance and healthcare industries;
  • a manufacturing arm that fields an impressive array of service machines including ATMs for banks (supporting its own finance division) and drug distribution workstations (supporting its interest in major hospitals); and
  • an investment arm that holds interest in companies ranging from real estate management to utilities to retail chains.

Chaired by the reclusive multi-billionaire genius Wayne Manson, the company operates at a level of unprecedented reach.   Sometimes criticized for having too many irons in the fire and wielding too much influence in the world, MagnaCorp is a continuously shifting operation acquiring and divesting, buying and selling, and moving and shaking the business world.


When Marty enters the vast digital infrastructure of MagnaCorp, he transforms into The Hunter his alter ego protecting "The Kingdom", an immense medieval-like landscape populated with threatening, shadowy criminals.   The Kingdom is a nation of ultra-prosperity with a wide range of natural resources including mines laden with minerals and ores, a rich agricultural heritage, a well protected and active harbor and bustling trade routes with a wide variety of neighbors.  Only the neighboring Natiostatsia, a rival and menacing nation just beyond the bordering mountain range, threatens the Kingdom with its industrial power.  Armed with his powerful bow and aided by his pet The Cat, the Hunter prowls the Kingdom searching out and battling evil.  Trusted and directed by the Wizard, the protector of all Kingdom secrets, the Hunter staves off attacks from rival countries, local thugs and the minions of the mysterious Guild.


The Guild is a mysterious criminal organization that haunts the Kingdom.  With threats ranging from simple theft to more nefarious plans, the shadowy Guild deploys its minions across the Kingdom.  The members of the Guild are many - but rarely seen or known. The Guild operates from unknown places and is possibly under the control or in league with The Kingdom's mortal enemy Natiostastia.  When anything bad happens in the Kingdom, most likely the Guild is to blame.


The Hunter, along with a host of other characters representing the many aspects of security and risk management, work together to protect the good citizens of the Kingdom.   Each episode follows Marty's dual life in MagnaCorp and the Kingdom as he battles cyber crime and helps Defend the Kingdom against the threats of the world.  As the story line progresses, personas in MagnaCorp are revealed as both members of MagnaCorp and as characters in The Kingdom.


The blog series will be launched August 25, 2015 on the RSA Speaking of Security Blog site so prepare to Defend the Kingdom.  The enemy is here...


Check out the Video


The Hunter series is authored by Steve Schlarman (twitter:@steveschlarman) and illustrated by Allison Johnson.

All characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental.

In the first blog in this series, I used the analogy of a rocket lifting into space with the countdown, 3...2...1... equating to the Three Lines of Defense (LOD) model, and how an organization truly achieves “lift off” or success really comes down to the 1st LOD.  In this blog, I’d like to focus on the 1st LOD and three ways to help them achieve lift off for your organization.


Walk In Each Someone Else’s Shoes

I’ve found that when I don’t understand someone else and may be at odds with them, then I need to try to understand their perspective.  When I do this I become more understanding, the other side often tries to do the same, we’re both better able to soften our position and we typically start to get along better.  We might even start to change some things we do for the better.  Often, the three LODs are so entrenched in their own individual objectives being separate groups just coming together, that they don’t understand what the other LODs do and why.  Let me give you an example.  Internal Audit is pretty good about understanding what a function does as they are auditing that function.  They review their processes and controls and then determine where to spend their time auditing.  However, it rarely goes the other way.  A completely worthwhile exercise is for each LOD to understand each other because it promotes better understanding, more alignment and will begin to effect change for the better.


No One Likes to Be Audited

There are not many things worse than hearing that your department is going to be audited.  You begin to wonder if you’ve made mistakes that are going to be disclosed and if you’ll be in trouble, not to mention the time it’s going to take away from getting your work done.  Audits are a necessary practice but what most “auditees” don’t know is how to reduce the impact of audits.   To my firstpoint above, do business operations take the time to understand why Internal Audit decides to audit them and what they can do to reduce the impacts of an audit? I’m not talking about being sneaky to avoid an audit but understanding Internal Audit’s concerns and objectives and then making real changes to improve, to not only reduce impacts of audits in the future but to actually strengthen controls and processes and reduce risk.


Replace Good with Better

Ever thought about how you could do your job better?  What is the definition of “better"? I’ll bet if you were to ask your CEO, she or he would define “better” as owning and improving your job so the company can save money and drive growth.  Ask the 2nd and 3rd LODs and they’ll say “better” means improving controls and reducing risks.  However, who knows your business processes better than you business operations people - the 1st LOD?  Yes, experts can recommend process changes and auditors can recommend controls, but you live the process day in and day out.  Now, it’s tough to come up with new changes in a vacuum, meaning you have to look for ideas to improve and that’s where walking in someone else’s shoes comes in handy, but the more you really look at making good processes and controls better, the lesser the impacts of audits on your organization will be.


In closing, until the 1st LOD better understands the 2nd and 3rd LOD objectives around risk and control, and autonomously strengthen processes and controls to really get at the heart of mitigating risk, your organization will never achieve the real benefits and you’ll be frustrated at the unending parade of audits coming your way.  Believe me, the auditors get tired of it too.  Conversely, the more the 2ndand 3rd LODs understand the 1st LOD perspective, the smarter their approaches will be. As a result, all thee LODs will better work together toward – 3…2…1… lift off!


Marshall Toburen is doing a great blog series that explains the Three Lines of Defense in It Takes a Village: The Three Lines of Defense Model.  Check that out to get a thorough understanding of the 3LoD model. Also check out my first blog in the series Blog Series: 3...2...1...Liftoff!


Contact me at with feedback and follow me at @pnpotter1017.  Thanks for reading!


Filter Blog

By date: By tag: