
In my last blog "Translating Security Leadership into Board Value" I introduced RSA's most recent Security for Business Innovation Council report along with the concept of Business Driven Security.  A business driven security strategy is of great value to existing CISOs, information security leaders and the organizations they serve.


To explore business driven security concepts a little more, imagine that you have just accepted a job at a different company, to be responsible for the company’s entire information security program.  You know very little about your new company except what you have read on their website, via Google searches, and from published financial statements.  You are very excited to start your new job, and you know your first priority is to complete a preliminary assessment of information security in a very short period of time.


On day one, you know you don’t know:

  • The information most important to the organization;
  • The information security regulations imposed upon your organization;
  • How much important information needs to be protected;
  • Where the important information resides inside the organization and with third parties the organization does business with;
  • What technical and organizational measures the organization has in place to manage and monitor information risk;
  • Whether the technical and organizational measures that are in place are commensurate with the level of information security risk; and
  • Whether technical and organizational measures are designed and sufficient to tell you the potential impact to the organization should the measure fail, a vulnerability arise, or breach occur.


By utilizing RSA Archer and consistently applying risk management principles such as those outlined in ISO 31000, you are able to build the foundational elements of a business driven security strategy for just about any type of information that is important to the organization whether it is intellectual property; imposed by contractual obligation, such as PCI; or imposed by regulations such as GLBA or EU-GDPR.


The following diagram provides a condensed view of where RSA Archer would be used to enable a business driven security strategy.  RSA Archer is used to document the identification of information at risk; assess inherent and residual risk around the information; evaluate the acceptability of the risk; document the technical and organizational measures to mitigate risk; document decisions regarding the acceptance of risk; perform control tests; and monitor the on-going risk profile, related key risk and control indicators, and outstanding risk issues to be remediated.  Lastly, RSA Archer is used to capture vulnerabilities, incidents, and control gaps, and to provide insight into their business context and the amount of associated risk so that problems are remediated based on their priority and significance.



By utilizing RSA Archer as your foundation for Business Driven Security you are able to answer the questions you set out to answer.  You now know:

  • What information is most important to the organization;
  • What information security-related regulations are imposed upon the organization;
  • How much important information needs to be protected;
  • Where the important information resides inside the organization and with third parties;
  • What technical and organizational measures the organization has in place to manage and monitor information risk;
  • Whether the technical and organizational measures in place are commensurate with the level of information security risk;
  • Whether the risk treatment measures are designed and sufficient to tell you the potential impact to the organization should the measure fail or indicate that a vulnerability or breach has occurred; and
  • Whether the information security risk profile is changing and why it is changing.


All of this information informs your conversation with executive management and the board.  You are able to articulate the amount of risk in business terms, justify security expenditures, and state how much various breaches might impact the organization, should they occur.  Finally, with your documentation and methodical approach, you are able to demonstrate to all of your stakeholders, including regulators, that you have a sound, logical, and defensible risk-based approach to information security.


Learn more about how Archer can enable a business driven security strategy in your organization with this just released white paper: 7 Steps to Build a GRC Framework Aligning Business Risk Management for Business-Driven Security.


CISOs find themselves increasingly engaged directly with their Board and Executives because the Board and Execs see the volume and impact of security incidents increasing.  In fact, Oxford Economics just reported that serious breaches permanently shave nearly 2% off public company value.  This is in addition to the substantial expense ($4 million per breach on average) and turmoil organizations experience when incidents do occur.  Executives and Boards are left wondering if management understands the risk – where it resides, how much it is, and whether it is being adequately addressed. 


When CISOs get the call from their boards and Execs, they are often not able to answer these questions or to converse in the way the Execs and Board want.  CISOs are extraordinarily adept at understanding the security risk that arises around the technologies employed by their organization, but translating their technical understanding into business terms can be difficult.  Translating technical risk into business risk is a paradigm shift for most organizations.  Effective information security programs are becoming “Business Driven Security” programs.


RSA just released a Security for Business Innovation Council Report regarding this problem, “What Boards Want to Know and CISOs Need to Say”, that discusses the translation of security leadership into board value.  A Business Driven Security strategy is core to the translation of CISO technical expertise into Board terminology, but it also enables CISOs to better understand where they should implement technical and organizational measures to protect the information most important to the organization.  This understanding can be more easily conveyed to the Board and executive team before spending millions of dollars on security initiatives and human resources.  It explains what the money is being spent on, where, how, and why; that it is being spent properly, on the biggest risks; and that there are procedures to monitor that the spend has been effective.  In my next blog I will describe how you can use RSA Archer to drive a Business Driven Security strategy.



Looking for information on Archer and how to get the most out of it?  The Archer Information Design and Development team (formerly known as Technical Publications) has your back.  I’m Elizabeth Wenzel, and I have the pleasure of managing a talented team of content developers that are working hard to deliver the information that you need to get the most value out of your Archer investment.


We are currently working to not only strengthen and deepen the coverage in the existing documentation but also to add additional content and manuals to help you on your business-driven security journey with RSA Archer. Of course, having a lot of material to use is both a blessing and a curse – you know that the information is ‘somewhere’ but where?  This is where the new RSA Archer Navigator 2.0 comes in.


Use the Navigator on RSA Link to filter the Archer assets by your role and expertise in using Archer, the area you are focused on (Platform, Use Cases, and so forth), and the product version. Navigator shows you the assets that meet your filter criteria, allowing you to jump right in and get the right information so you complete your task.


While all of the documentation content, other than technical content (installation, sizing, and Archer Control Panel), is included in the Archer online Documentation system built into the Archer product, we’ve anticipated that you may need to access that information in a printable book format (PDF). All of the content in the online Documentation is also available within PDF guides (the same content in two formats): What’s New Guide, Platform Administrator’s Guide, User Guide, RESTful API Guide, and Use Case Guides.  Combine these with the technical documents such as the Installation and Configuration Guide, and it adds up to a lot of content at your disposal! Now, I recommend you use the Navigator to home in on just what you are looking for. If we’ve missed something, we have even provided an easy way for you to share this with us, right on the Navigator home page.


We hope you agree that the Navigator 2.0 is a helpful tool; find your path to success with the RSA Archer Navigator 2.0.


Watch the RSA Navigator video to maximize your Navigator experience. 

So time flies… It seems like yesterday when the RSA customer community gathered in New Orleans to share experiences and learn new tactics and strategies. 2017 marked the 13th year of the RSA Archer user community summit and believe it or not, year number 14 is just around the corner.   Last week, we announced the call for speakers for RSA Charge 2017 and I cannot wait to start seeing the speaker submissions flowing in.  

We have put together a stellar team to construct the learning tracks to optimize your experience. As content chairperson for the RSA Archer portion of RSA Charge, I have the privilege of seeing this process unfold. While this will be my 9th user group conference with RSA and Archer, it is still inspiring to hear you tell the stories of your successes - how you overcame challenges or leveraged an innovative approach to deliver strategic value to your organization.

If you are contemplating submitting a session, know that this is a very rewarding experience. Presenting to your peers can be a bit unnerving, but the satisfaction and return are well worth it. To teach others is to learn about oneself. Thinking through your experiences, applying your newfound knowledge and acknowledging your successes and lessons learned is as much of a benefit as imparting your wisdom to others.

A few topics come to mind as food for thought if you are looking for ideas:

  • We always welcome stories about how your long term strategies unfolded in your companies. Our Take Command of Your Risk Management Journey track is dedicated to hearing how you built your plans, gathered forces and conquered the difficult path that risk and compliance efforts can sometimes take.  
  • As the market moves toward concepts of Integrated Risk Management, the Inspire Everyone to Own Risk track needs content focused on engaging all lines of defense to manage risk. How your company is blending different risk initiatives - Operational Risk, Resiliency, 3rd Party Risk and Audit – is a topic of keen interest.
  • We can’t forget the Compliance world either. Many of your GRC and risk management efforts were borne out of compliance drivers and our Transforming Compliance track is THE place to tell your tale. One topic that keeps coming up is the impending General Data Protection Regulation (GDPR). Any story of how your organization was better prepared for GDPR or any new regulation based on the RSA Archer implementation is a great learning topic for all participants.
  • And no RSA user group conference is complete without stories of how IT & security risk is being managed. RSA Archer has a great legacy when it comes to helping IT & security teams manage risk processes. Vulnerability and threat management, security incident processes, IT compliance and general IT risk strategies are top-of-mind subjects for every organization today and perfect for the Managing Technology Risk in Your Business track.
  • Last but certainly not least are the RSA Archer Technical Tracks. This is where the innovation, creativity and expert chops of RSA Archer administrators come to the forefront.   The topics in these tracks range from inventive workflows to state-of-the-art API integrations and more.

I invite all of you to take a look across your implementation of RSA Archer and pull out those nuggets to share with your peers. RSA Charge is the perfect venue to help others navigate their own challenges. Hope to see and hear you in Dallas!

Check out our webinar on preparing to submit your proposal.



Believe it or not, the RSA Charge 2017 event is only six months away, Oct. 17-19 in Dallas at the Hilton Anatole. Visit the RSA Charge microsite, now open!  And this means, 'Call for Speakers' submissions are now being accepted as well.  


In case you were not able to attend one of the two live RSA Charge 'Call for Speakers' webinars in April, 'What You Need to Know About Submitting Your Speaker's Proposal', the webinar replay is now available for your listening pleasure.


To help you get those creative juices flowing, the following 2017 Submission Tracks have been identified for RSA products; for full session descriptions please see attachment:


Security Operations, Identity, Anti-Fraud

  • Detecting and Responding to the Threats That Matter
  • Identity and Assurance
  • Reducing Fraud, while Not Reducing Customers
  • Secrets of the SOC


Governance, Risk and Compliance

  • Inspiring Everyone to Own Risk
  • Managing Technology Risk in Your Business
  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • RSA Archer Suite Technical
  • RSA Archer Suite Advanced Technical


It is recommended that once you listen to the replay, you use the 'offline' form, available on the microsite, as your draft before submitting. You may also have more than one submission. The official RSA Charge 'Speaker' Submission Form is also available on the microsite.


Please Note: 'Call for Speakers' closes on May 26.

Marshall Toburen

Completing the Puzzle

Posted by Marshall Toburen Employee Apr 14, 2017

In a previous blog I reviewed the real-world payback for being a risk leader.  Let’s say your company gets it: they know that good risk management increases the likelihood that objectives will be fulfilled and profits improved, and now you’ve been given the assignment to start the risk management program and make your organization a risk leader.  Where do you start, how far do you take the program, and how do you get from start to finish?


Today, most organizations operate based on a complex interrelationship of business processes, technology, telecommunication, supply chains, and outsourced activities.  Putting the puzzle pieces together may not be easy in your organization.  No one talks about risk the same way.  Capturing the pieces and analyzing and understanding them is challenging, and it is difficult to convey them to the boss in a consistent manner with the limited resources you have available, within the deadlines you have been given.


Since our inception we have worked with thousands of companies to help them build a risk and compliance program tailored to their most pressing needs.  We have learned that most organizations just starting out tackle the same problems and follow the same general path.  We have consolidated these pieces into the RSA Archer Ignition Program.


The RSA Archer Ignition Program is a fast-track, economical approach to launch the foundational elements of a business risk management strategy, to help organizations get up and running as quickly and easily as possible.  The ignition program includes:

  • The ability to catalog and monitor Risk, to establish a strategic method to understand risks across the enterprise;
  • The ability to identify and track Third Parties used by your business to understand the emerging ecosystem that affects risk;
  • A process to manage Issues that arise from audits, risk assessments, and internal compliance activities;
  • A Business Impact Analysis framework to quickly catalog and prioritize assets and business processes to build the context to connect risk and prioritize technical and organizational risk treatment measures;
  • Fixed-price deployment and quick launch professional services to let you quickly stand up your environment; and
  • Insights and best practices from RSA University.


In my prior post, I discussed the Risk Catalog component of the RSA Archer Ignition Program.  With organizations outsourcing so much of their business activities these days, understanding and managing these outsourced relationships is also a critical, foundational component.  As part of the RSA Archer Ignition Program, the RSA Archer Third Party Catalog allows you to document all third party relationships, engagements, and associated contracts, as well as the business units and named individuals in the organization that are responsible for each third party relationship. With RSA Archer, you can understand the significance of your outsourced relationships. You can report on all third party information, including profiles, engagements, third party business hierarchy, internal contacts, facilities, third party contacts, and more within a single repository.

Key Features of the RSA Archer Third Party Catalog allow you to:

  • Catalog organizational elements of your business for third party reporting
  • Catalog suppliers, partners, service providers and other third parties
  • Capture important details related to third parties, including contracts
  • Map internal business units to third parties
  • Manage contacts with third parties
  • Efficiently manage your third party relationships
  • Establish accountability for each third party relationship
  • Track exceptions related to third party relationships


With the RSA Archer Third Party Catalog, you can:

  • Obtain awareness of all third party relationships throughout the organization
  • Reduce time spent identifying third party relationships and contracts
  • Build awareness of managers’ accountability for individual supplier relationships and quickly identify relationship owners
  • Track contract terms, including notification of key contract events such as contract obligations and renewal and expiration dates


The RSA Archer Ignition Program empowers organizations of all sizes to complete the puzzle, to respond to risk with data-driven facts using a streamlined, fast time-to-value approach.

I’m glad the world didn’t end during DRJ Spring World 2017 conference last week, because over 1,000 of the world’s business continuity and disaster recovery specialists were there!


It was another great conference and I had the pleasure of presenting on building resiliency across the organization’s value chain and the key relationship between business resiliency and operational risk management. Both topics were on the minds of attendees as shown by their questions:


  • Outside of surviving a high profile disaster, how do we make customers understand the value that our resiliency program adds to our product or service?
  • If the company has a critical Third-Party vendor and that vendor outsources, who owns the relationship and the potential risk exposure?


Also, over 20% of the sessions at DRJ dealt with resiliency or risk, which shows experts are thinking about the importance of business resiliency to the organization and how risk should be considered more broadly than just recovery.


I mentioned in a previous blog, Driving Resiliency Through Operational Risk Management, that there is a direct correlation between driving business resiliency (versus recovery only) and operational risk management (ORM). I believe collaboration between ORM and business continuity programs is a precursor to improving business resiliency, and the top three reasons are:


  1. The bigger picture – looking outside typical business continuity type risks, like natural or man-made disasters, broadens our horizon. Considering the potential risk and impacts from supply chains, reputation impairment, social media, regulatory compliance, or even the risk culture within the organization highlights new risks that could have larger effects on the organization’s resiliency and that were never dealt with before. Coupled with a view across the value chain, resiliency teams are better able to anticipate how these new risks might impact the going concern of the organization.
  2. Aligns the Forces – the ORM “umbrella” by its very nature aligns risk functions across the organization, including their methodologies, approaches, resources and outcomes. The key is that ORM gets these separate functions on the same page, working together, aligned on priorities, and striving toward agreed-upon and appropriate outcomes. Individuals or siloed groups trying to manage risk may feel that their efforts don’t affect the outcomes, but a larger, more coordinated approach does.
  3. Drives Risk Maturity – as risks become more complex, fluid and pervasive, risk approaches need to mature to enable the organization to become resilient to those risks. ORM is a discipline that continues to evolve and mature, unlike the siloed risk functions in every organization that attempt to deal with risks reactively, as best as they can. Every organization should evaluate their holistic risk management capabilities against a maturity model (refer to my blog above), determine where they currently stand and what the end goal is in terms of risk maturity.


Organizations that are able to align siloed risk functions under the auspices of their ORM programs have a better chance to become risk-proactive, even opportunistic. As ORM and Business Resiliency are considered together and measured against the bigger picture of the organization’s value chain, functions like business operations, business continuity, supply chain management and internal audit can understand the risks that impact their organization and implement better measures to ensure the resiliency of the organization.


Send me your comments at or connect with me @pnpotter1017.

Many of you know that implementing an effective governance, risk, and compliance program can be a costly and time-consuming effort: hardware, software, and the active engagement of a lot of people in the 1st, 2nd, and 3rd lines of defense.  Before implementing a program, and periodically throughout the life of the program, the question always arises from senior management: Is this REALLY worth the cost and effort?


I have very good news for you. The return on investment (ROI) in implementing a GRC program using RSA Archer is probably better than most any other investment your organization can make!


Over the past 5 years we have engaged three independent assessments of the ROI of RSA Archer.


The first independent analysis of RSA Archer customer ROI was conducted by Forrester in April, 2012. This analysis showed a 3 year composite ROI of 572%.  Even we were stunned and a little skeptical of Forrester’s estimate.


In November, 2014, GRC 20/20 took a look at one of our largest financial institution customers and confirmed that they were achieving annual savings in excess of $1.5 million / year while increasing assessments 317%, without increasing staff.  We were feeling a little more confident that the ROI was huge.


Finally, just last month, IDC completed an independent analysis of a cross section of Archer customers and concluded that the 5 year ROI related to their Archer implementation was 496%; with average annual benefits of $4.1 million per organization, or $17,931 per user.  That represents a payback period of only 11 months!


The IDC Report attributes the ROI of RSA Archer to 3 factors: improved risk mitigation, greater business productivity, and IT infrastructure cost savings.  I encourage you to read the IDC report.  Your organization’s results might vary based on the scope of your program but you will be able to see the individual breakout for each of the areas where they identified positive returns:

  • Network security breach response
  • Auditing
  • Disaster recovery management
  • Third-party risk management
  • Risk management assessments
  • Regulatory compliance


Whether you have a small program or a large, mature program, it is safe to say that you are probably seeing a significant, positive return on your investment in Archer; based on these independent assessments, upward of 500%.  If you don’t believe it, try estimating your own ROI.  I explain how to estimate your ROI in an earlier blog, and we have made a template available for you to do so.

Marshall Toburen

Capture the Prize

Posted by Marshall Toburen Employee Apr 5, 2017

Risk is the effect of uncertainty on objectives.  Organizations that manage risk well increase the certainty that their objectives will be achieved.  Not surprisingly, organizations that lead in the management of risk “capture the prize”.  They more frequently achieve their objectives and are actually more profitable and less likely to experience a negative profit margin than those organizations that don’t manage risk well. 


Source: PWC 2015 Risk in Review Survey

Pretty compelling stuff, right?  You would think that everyone would be chasing this certain prize.  Yet, there are still a lot of organizations that think it too difficult and time consuming to set up a basic risk management program.  With this in mind, earlier this year we announced the RSA Archer Ignition Program – a fast track approach to launch the foundational elements of a business risk management strategy to help your organization get its program up and running as quickly and easily as possible.  The ignition program includes:

  • The ability to catalog and monitor Risks to establish a strategic method to view and understand risks across the enterprise;
  • A process to manage Issues from audits, risk assessments, and internal compliance processes;
  • A Business Impact Analysis framework to quickly catalog and prioritize assets and business processes to build the context to connect risk and prioritize technical and organizational risk treatments;
  • The ability to identify and track Third Parties used by your business to understand the emerging ecosystem that affects risk;
  • Fixed-price deployment and implementation services to let you quickly stand up your environment; and
  • Insights and best practices from RSA University.


A central element of the RSA Archer Ignition Program is the RSA® Archer® Risk Catalog.  It provides the foundation to record, assess, and track risks across your enterprise, and establish accountability by named first and second line of defense managers. It provides a three-level rollup of risk, from a granular level up through enterprise risk statements. Inherent and residual risk can be assessed utilizing a top-down, qualitative approach, with assessed values rolling up to intermediate and enterprise risk statements.

Key Features

  • Consistent approach to documenting risk, assigning accountability, and assessing risks
  • Oversight and management of all risks in one central location
  • Ability to understand granular risks that are driving the big risks across your enterprise
  • Consolidated list of prioritized risk statements


With RSA Archer Risk Catalog, you can:

  • Obtain a consolidated list of the organization’s risks
  • Enforce a consistent approach to risk assessments
  • Prioritize risks to make informed decisions about risk treatment plans
  • Create accountability for the ownership of risks


The RSA Archer Ignition Program empowers organizations of all sizes to respond to risk with data-driven facts using a streamlined, fast time-to-value approach. Contact us to learn how we can help you capture the prize.



Looking for more information on the RSA Archer Use Cases?  The new RSA Archer Navigator 2.0 can guide you to a ton of useful information for organizations that are in the midst of integrating their business processes into Archer.


From the Navigator, select “Solutions and Use Cases” from the Focus menu to discover some outstanding Use Case-focused materials that you and your team members can leverage to better understand how to get started, including architectural design requirements and installation requirements. You can also access 3-5 minute videos demonstrating various Use Cases using RSA Archer. And, you can take advantage of the various On Demand training options that explore the RSA Archer Use Cases. Consider taking one of the “Deep Dives” where you can see a video demonstration, a mock planning session that can provide some best practices, and access to hands-on practice with all use cases within a virtual lab environment.


Enjoy your journey with RSA Archer Navigator 2.0.




