Chris Hoover

The IT and Security Risk Management Journey

Blog Post created by Chris Hoover Employee on Jun 23, 2016

An important benefit of our recent release of RSA Archer 6.1 is that it aligns the technology with the maturity of the organization using it. Building a mature IT and Security Risk Management program takes time and commitment, and a mature program is marked by a balance of the right technologies, processes, and people.
The progression of an organization's IT and Security Risk Management program maturity can be characterized in stages:

Less-mature organizations are typically reactive and compliance-oriented. They attack individual risks and compliance initiatives in isolation, with no overall strategy, and rely on their front-line and functional employees operating in constant fire-fighting mode. Their focus is so consumed by compliance deadlines and tactical risks that they cannot see beyond the immediate.
Organizations at this level have the basic capabilities to detect and remediate threats and defects, and they can manage incidents, but their tools and processes are siloed. This leads to poor reporting and visibility and to maximum pain and stress for the security administrators. Another effect of this culture is that the organization stays exposed to individual threats and defects for longer than necessary, because no one sees the whole picture.

To transition from the Siloed stage to the Managed stage of maturity, organizations need to focus on integration between tools and on automating assessments and compliance activities wherever possible. When tools and people are better integrated and share data more freely, visibility improves, new insights can be drawn, and those insights lead to better decision making.
Another hallmark of this stage is the transition from compliance-driven to risk-driven. Instead of prioritizing work based on which compliance activity is due (or overdue), decisions are made using meaningful security metrics (e.g., "what can I fix right now that is introducing the most risk?"). For these reasons, the Managed stage is the point where processes become more repeatable, more consistent, and less painful for the security team to perform.

To transform an organization's program from Managed to Advantaged, organizations need to manage both known and unknown risk and to identify new business opportunities. They perform root cause analyses to prevent findings from recurring. They also strive to roll business context into every risk decision. Lastly, the frequency of control assessments is adjusted according to that business context, so that critical assets are assessed more often than low-value ones. The result is that the Advantaged organization has a risk view that is current and complete but does not overwhelm the staff.
An organization in this position is ready to realize the competitive advantage of harnessing risk: beating competitors to market, launching new products and services with calculated efficiencies, and avoiding the major issues that damage reputations and the bottom line. Organizations in this phase focus on speaking "business language" instead of "risk language".

With the release of RSA Archer 6.1 we are making individual IT and Security Risk Management use cases available that align to this maturity journey. Recognizing that risk management programs mature over time through these stages, we have aligned our solution use cases with that journey. In this way, customers acquire just the right amount of technology to enable their IT and Security Risk Management program as they need it, neither biting off more than they can chew nor purchasing functionality they may never use. The IT and Security Risk Management activities (or use cases) we typically see implemented as organizations build their risk management program are as follows:

RSA Archer IT and Security Policy Program Management
provides the framework for establishing a scalable and flexible environment to manage corporate and regulatory policies and ensure alignment with compliance obligations. This includes documenting policies and standards, assigning ownership, and mapping policies to key business areas and objectives. Out-of-the-box content includes the most current security frameworks and control catalogs, such as the ISO 27000 series, COBIT 5, NIST 800 series, and PCI-DSS.

RSA Archer IT Controls Assurance
provides the ability to assess and report on the performance of controls across all IT assets and automate control assessment and monitoring.

RSA Archer IT Security Vulnerabilities Program
offers security teams a big data approach to identifying and prioritizing high-risk threats. It lets teams proactively manage IT security risk by combining asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflows in one place. IT assets can be cataloged with a full business context overlay to prioritize scanning and response, and the consolidated research platform for vulnerability management enables centralized tracking and remediation of related issues.
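The difference between compliance-driven and risk-driven prioritization described in the Managed stage above, and the business-context overlay this use case describes, can be illustrated with a small scoring example. The following is added example code written for this page; it is not RSA Archer's own scoring model. The asset inventory, scan findings, threat-intelligence feed, and weights are all constructed and hypothetical.

```python
"""Risk-driven vs. compliance-driven prioritization of vulnerability findings.

Added example, not RSA Archer code. The weights, inventory, findings and
threat-intel feed below are constructed for illustration only.
"""
from datetime import date

# Constructed asset inventory with business context (hypothetical values).
ASSETS = {
    "web-01":  {"criticality": "high",   "internet_facing": True,  "data": "cardholder"},
    "hr-db":   {"criticality": "high",   "internet_facing": False, "data": "pii"},
    "build-7": {"criticality": "medium", "internet_facing": False, "data": "internal"},
    "kiosk-3": {"criticality": "low",    "internet_facing": True,  "data": "public"},
}

# Constructed scan results: finding id, affected asset, vulnerability id (placeholder,
# not a real CVE), CVSS base score, and the date the related compliance task is due.
FINDINGS = [
    {"id": "F-1", "asset": "kiosk-3", "vuln": "V-A", "cvss": 9.8, "due": date(2016, 6, 30)},
    {"id": "F-2", "asset": "web-01",  "vuln": "V-B", "cvss": 7.5, "due": date(2016, 9, 30)},
    {"id": "F-3", "asset": "hr-db",   "vuln": "V-C", "cvss": 6.5, "due": date(2016, 8, 15)},
    {"id": "F-4", "asset": "build-7", "vuln": "V-D", "cvss": 8.1, "due": date(2016, 7, 10)},
]

# Constructed threat-intelligence feed: vulnerabilities with a public exploit or
# observed in-the-wild exploitation.
EXPLOITED = {"V-B", "V-C"}

# Hypothetical weights. A real program would tune these to its own risk appetite.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
DATA_WEIGHT = {"cardholder": 2.0, "pii": 2.0, "internal": 1.2, "public": 1.0}
INTERNET_FACING_MULTIPLIER = 1.5
EXPLOITED_MULTIPLIER = 2.0


def risk_score(finding, assets=ASSETS, exploited=EXPLOITED):
    """Combine the scanner's CVSS score with asset business context and threat intel.

    Returns a single number: higher means "fix this first". The scanner score alone
    says nothing about what the asset is worth or whether anyone is attacking it.
    """
    asset = assets[finding["asset"]]
    score = finding["cvss"]
    score *= CRITICALITY_WEIGHT[asset["criticality"]]
    score *= DATA_WEIGHT[asset["data"]]
    if asset["internet_facing"]:
        score *= INTERNET_FACING_MULTIPLIER
    if finding["vuln"] in exploited:
        score *= EXPLOITED_MULTIPLIER
    return round(score, 1)


def compliance_order(findings):
    """Siloed / compliance-driven view: work whatever is due (or overdue) soonest."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["due"])]


def risk_order(findings, assets=ASSETS, exploited=EXPLOITED):
    """Managed / risk-driven view: work whatever is introducing the most risk right now."""
    ranked = sorted(findings, key=lambda f: risk_score(f, assets, exploited), reverse=True)
    return [f["id"] for f in ranked]


def explain(findings, assets=ASSETS, exploited=EXPLOITED):
    """Return (finding id, asset, score) rows so the ranking can be justified to the business."""
    return [(f["id"], f["asset"], risk_score(f, assets, exploited))
            for f in sorted(findings, key=lambda f: risk_score(f, assets, exploited), reverse=True)]


if __name__ == "__main__":
    print("compliance-driven order:", compliance_order(FINDINGS))
    print("risk-driven order:      ", risk_order(FINDINGS))
    for row in explain(FINDINGS):
        print("  %s on %-8s risk=%s" % row)
```

On this constructed data the compliance-driven queue starts with the public kiosk (its task is due first and it has the highest raw CVSS score), while the risk-driven queue starts with the internet-facing cardholder web server whose vulnerability has a known exploit, even though its compliance task is due last. That reordering is the practical meaning of "risk-driven"; the scanner score is only one input, and the asset catalog and threat feed supply the rest.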

RSA Archer IT Risk Management
enables you to comprehensively catalog organizational hierarchies and IT assets to ensure all business critical connections are documented and understood in the proper context of IT risk management. This use case forms the basis for completeness when populating the included Risk Register with all relevant IT risks. Pre-built IT risk assessments, threat assessment methodology, and IT control repository enable you to document and assess IT controls.

RSA Archer PCI Management
enables organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost. It allows organizations to jumpstart a PCI compliance program by conducting continuous assessments and providing visibility to manage and mitigate risk. PCI Management guides merchants through the completion of relevant self-assessment questionnaires (SAQs). It also provides packaging and export of compliance program results and attestation articles in a properly formatted PCI Report on Compliance (ROC) for easy submission and review.

RSA Archer Security Incident Management
enables you to address security alerts through managed processes designed to effectively escalate, investigate, and resolve security incidents. Organizational and IT assets can be centrally cataloged with a full business context overlay to drive appropriate prioritization of security events. Built-in workflows streamline the process and enable teams to work effectively through their defined incident response and triage procedures. Any issues related to incident investigations can be tracked and managed in a centralized portal to enable full visibility and reporting.

RSA Archer Security Operations and Breach Management
enables you to centrally catalog organizational and IT assets and establish a full business context overlay to drive incident prioritization. Built-in workflows and reporting for security incidents enable security managers to stay on top of the most pressing issues. Best practices and procedures for incident handling help security analysts triage alerts effectively and efficiently. Any issues related to incident investigations can be tracked and managed in a centralized portal, enabling full visibility and reporting. Finally, the security operations manager can monitor key performance indicators, measure control efficacy, and manage the overall SOC team.

RSA Archer IT Regulatory Management
provides organizations with the necessary tools and capabilities to document external regulatory obligations. Organizations can establish a systematic review and approval process for tracking changes to regulatory obligations, understand the business impact, and prioritize a response.

RSA Archer Information Security Management System (ISMS)
allows you to quickly scope your information security management system (ISMS) and document your Statement of Applicability for reporting and certification. You can also catalog the individual resources related to your ISMS, including information assets, applications, business processes, devices, and facilities, and document and maintain the related policies, standards, and risks. This centralized view of your ISMS makes it easier to understand asset relationships and manage changes to the infrastructure. Issues identified during assessments can be centrally tracked to ensure that remediation of gaps is consistently documented, monitored, and addressed.
The RSA Archer IT and Security Risk Management solution pulls together all of the use cases above to provide greater business context, greater cohesion between the elements of the program, and better visibility.

We realize that risk management is not a challenge that can be solved with technology alone. It is a business imperative that must be addressed through a shift in focus, priority, and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone in IT security and risk processes, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That is why our collective mission at RSA Archer is to "Inspire Everyone to Own Risk."




Thanks for reading.
Email me with comments or questions.