All Places > Products > RSA Archer Suite > Blog > 2017 > March

I recently had the pleasure of presenting with a panel of RSA Archer customers on the topic of “Building Resiliency Across the Value Chain” for a Disaster Recovery Journal webinar.

 

Two key questions were posed to the 80 attendees. The first question was: “Where is your organization on the business resilience scale?”  The responses were:

 

  • Recovery only (5%)
  • Mainly recovery with some focus on resiliency (53%)
  • Mainly resiliency with some focus on recovery (18%)
  • Very resiliency-oriented (18%)
  • Other (5%)

 

The second question was: “How closely do your business continuity/IT disaster recovery/crisis management teams work with or integrate with operational risk teams?”  The responses were:

 

  • Not at all (2%)
  • Sporadic discussions when required (32%)
  • We are working with ORM more and more (28%)
  • BC/DR/CM is well aligned with or a part of ORM (32%)
  • Other (6%)

 

Nearly 90% of respondents indicated they are addressing resiliency at some level, and 92% have BC/DR/CM teams that at least work with, and in many cases are part of, operational risk management (ORM) teams. The alignment of responses to these two questions is no coincidence. There is a clear relationship between business resiliency and effective risk management, and more and more organizations are benefiting from it as they mature their operational risk management and business continuity or resiliency programs.

 

What does GRC maturity look like? The RSA Archer maturity model defines three stages for GRC maturity:

 

Diagram 1 – RSA Archer Maturity Model

 

As organizations mature their operational risk management programs, their business resiliency capabilities grow as well, often due to three factors:  

 

  1. Methodologies – deploying risk assessment and treatment approaches (e.g., ISO 31000) and common business impact analyses (BIA) consistently across the organization
  2. Priorities – consistently applying common methodologies drives more aligned priorities and higher consensus 
  3. Actions – clear priorities drive better understanding, prioritization, and execution

 

These three factors foster proactivity, consistency, and alignment in both the risk management and resiliency practices and culture of the organization.

 

Risk management is, by its very nature, a proactive practice, as is business resiliency. The two go hand in hand.

 

For comments, contact me at Patrick.potter@rsa.com or @pnpotter1017.

Do you ever use the phrase ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t one. Doing a little research, I found other similar phrases I thought were entertaining. They are:

 

  • ‘A storm in a teacup’ – Cicero; or ‘Billows in a ladle’ – a translation of Cicero’s writings
  • ‘A storm in a glass of water’ – the Netherlands
  • ‘Tempest in a potty’ – Hungary
  • ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ – England

 

Of course my seven-year-old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.

 

Most organizations perform some type of risk management activities. They usually include identifying risks that could impact the organization and its reputation, profitability or strategies, or its key assets, business processes, IT systems and locations. Once the most potentially impactful risks are identified and analyzed, they are treated with controls and other mitigation activities to drive down the residual risk to within the organization’s tolerable risk limits. This is all well and good, but what if the elements of the organization (e.g., business processes) that the risk could impact are not that critical? And how do you know?

 

Let me give you a simple example. A cyber attack could potentially impact both an organization’s financial and non-financial systems. The financial system is probably more important to protect, right? Oftentimes, organizations have no reliable way to identify what is critical versus non-critical, causing them to spend the same level of time, attention and resources protecting the less critical areas; this is the ‘tempest in a teapot’ syndrome.

 

It stands to reason that the organization should have a methodology to identify what is critical so that risks can be properly treated relative to what they might impact. Some impact areas and their importance are obvious, such as inputs into the organization’s most important product or service. However, there are so many moving parts to today’s complex enterprises that there must be a methodical way to identify, analyze and prioritize what is truly critical to protect. This methodology is a business impact analysis, or BIA.

 

A BIA is a way to catalog and prioritize business processes and assets, building the context needed to connect risk issues to business impacts. It is a well-known methodology in business continuity (BC) circles, as these teams have performed BIAs for decades to determine which business assets are most important to recover after a disruption. More broadly, the BIA needs to be a prominent part of the framework of a good risk management program. However, often it is not, and this is a common problem many organizations’ risk management programs experience.

 

To strategically address business risk, enterprises need a well-rounded program. There are specific areas to include to create a healthy and sound foundation for growth. RSA has implemented the RSA® Archer Suite Ignition program to help organizations do just that – establish a solid risk management program foundation focusing on four fundamental capabilities:

 

  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes (check out my Issues Management blog: Facing a Tsunami of Issues);
  • A Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor risks to establish a strategic method to view and understand risk across the enterprise; and
  • The ability to identify and track third parties used by the business to understand the emerging ecosystem that affects business risk.

 

The RSA Archer Suite provides a common platform to address these processes. You can learn more about the program here: RSA Archer Ignition Program.

 

The Duke of Ormond's letters to the Earl of Arlington in 1678 put it best - "Our skirmish seems to be come to a period, and compared with the great things now on foot, is but a storm in a cream bowl."

 

The Duke must have had a good BIA, such that he did not have to worry that his risk management program would cause him a ‘tempest in a potty’ (that one was for you, Elly ;). For comments, contact me at Patrick.potter@rsa.com


 

We are pleased to announce that the latest version of the Navigator is ready for you to take it for a spin – kick the tires, put the pedal to the metal and see what the Navigator 2.0 can do to help you take control of your learning and power your path to Archer success.

 

RSA Archer offers a wealth of assets to help you achieve time-to-value with your Archer investment, from classroom to on-demand training through RSA University, to comprehensive user documentation, to technical videos.

 

But this wealth of assets is also a double-edged sword: how do you know which of the assets at your disposal is right for you, based on your Archer Role within your organization and, equally important, your Level of Archer Expertise?

 

We took your feedback from the initial Navigator launch in October and incorporated many of your suggestions over the last few months into the new Navigator 2.0. We now have six filters to help you find the assets that are right for your Role and Level of Expertise. And, speaking of Level of Expertise, we changed the levels to Beginner, Intermediate, and Advanced; we also changed the Focus categories to more clearly define the content: General Product; Platform; Modules; Release Notes and Advisories; Solutions and Use Cases; Use Case Guides; Training; and Troubleshooting. You can also filter the list of available assets by Version (6.x or 5.x), by Cost (free or fee), and by Media Type.

 

We hope you are pleased with these updates to Navigator 2.0.

 

We want to be a partner in your Archer success. May we ask once again that you share your Navigator 2.0 comments and feedback with us? We will, in turn, continue our quest to make the final version of the Navigator, due mid to late 2017, a support tool that provides easy viewing and functionality on today's popular digital devices such as tablets and phones, as well as on RSA Link.

 

In conclusion, if you don’t see a particular asset you’re looking for, we want to hear about this too. We have provided an easy-to-use drop down form on the Navigator 2.0 page for you to click and tell us what we’re missing. 

 

Thank you in advance for sharing your comments with us.  Remember, you're in the driver's seat with Navigator 2.0 - now, enjoy the trip!

 

Another year, another RSA Conference. At this point, I have lost count of my appearances at this annual gathering of all things security – I believe it was number 15 or 16 for me. I say “appearances” because the days blur into such a steady stream of meetings, discussions and general sensory overload that at the end of the week, I know I ‘appeared’ in many places, but still wish I had time to participate in more. There is so much that happens at this event that it can be both inspiring and intimidating. A walk through the Exhibitor floor quickly gives one a sense of the magnitude of our industry. So when I reflect back on the conference, it feels as if someone sat on the fast-forward button on the remote control for my DVR and flashed through the episodes of The Big Bang Theory, Marvel’s Agents of S.H.I.E.L.D. and Scandal waiting for me when I return from the conference.

First up, RSA Conference is a collection of geniuses contemplating a massive digital universe. Just like the Big Bang Theory, brain power plays a big role in fueling our industry. The innovation and pure technical skill of the security profession is on full display at RSA Conference. But the cast of the Big Bang Theory is more than a bunch of techie whizzes spouting geeky Star Trek references. The stories contain genuine friendship, acceptance and diversity as the characters navigate their lives. At RSA Conference this same sense of community can be felt. It is evident that the security world is a small world with many old friends coming together to share their diverse experiences and thoughts.

Next, Marvel’s Agents of S.H.I.E.L.D. For those fans of the TV show, you know that the team of agents works fearlessly to keep the world safe. We have our own version of these agents in our industry. No security event would be complete without the many superheroes fighting the forces of evil. Our industry is on the front lines of some serious conflicts. As Zully Ramzan stated in his eloquent keynote, the security and risk profession is the barrier between opportunity and the edge of chaos.

Finally, the intrigue of Scandal awaits. Scandal, if you haven’t seen the show, has an endless series of twists and turns as the characters weave their way from one treacherous skirmish to the next. While I suspect most organizations do not face the political turmoil chronicled in the TV show, businesses today face a constantly shifting environment of threats that would seriously challenge Olivia Pope, the savvy protagonist of Scandal. The threats facing organizations today are immense and require individuals dedicated to doing the right thing. In Scandal, they are referred to as ‘gladiators’, and our industry is full of them.

This year’s RSA Conference had many highlights. But the highlight for me is that this conference, year after year, continues to push our industry forward. Great minds come together and share experiences. Those new to the profession learn new skills; seasoned veterans are inspired to keep learning. I am proud that RSA is such a vibrant contributor to this conference. Whether we are inviting you to reimagine your identity strategy, push the boundaries of attack detection, ignite your business risk management program or get out in front of fraud, RSA continues to change the game and help organizations implement business-driven security. It was a great conference for 2017…I can’t wait to appear at RSA Conference 2018.
