One of the best takeaways I got from attending the RSA® Archer Summit 2018 was the opportunity to listen to customers tell their deployment stories. I have put together a series of tips based on advice from several speakers who have been using the product for many years.
One speaker, a director of risk operations for a large retailer and a long-time user of RSA Archer, talked about the challenges of their initial deployment. Things didn't start out very well initially - their first deployment was less than successful. They originally were running three different instances of RSA Archer. It broke easily and was implemented so poorly that it was hard to make changes, they told conference attendees. Plus the data quality was poor and none of these instances used a common data repository. As a result, it had a bad rap with the Information Security department. They had to reset and evaluate their environment. But now, their RSA Archer deployment is a different story, as you will see below.
Here are my top ten tips to ensure that your RSA Archer deployment won’t die on the vine.
1) First, know your stakeholders. When this large retailer began its project, they spent a lot of time analyzing who was eventually going to use RSA Archer. They researched and found their key influencers who had been passionate (both positive and negative) about the platform and what their initial impressions were about using the product. Then, they created a scale that went from defy to neutral to advocating for the platform. Next, they looked at what it would take to move each influencer in a more positive direction. Part of this stakeholder analysis included various business unit owners that would eventually benefit from using RSA Archer.
2) Make sure you look for influencers in non-obvious departments, too. The retailer wanted to woo their Chief Legal officer, even though they knew it would be a hard sell. This was because they face many regular legal situations, such as slip and fall accidents, or having to find someone who is fired so they can get their last paycheck. Sometimes, it would take weeks to track down this ex-employee. The IT Manager for the retail though showed how RSA Archer could speed things up and got their legal department on board.
Matt Hancock went into more detail in another session at the conference. He is the principal advisor for risk at Rio Tinto, an Australia mining company with more than 47,000 global employees. They matched their existing risk register with their organizational structure, to ensure that they were going after the right targets.
Matt Hancock of Rio Tinto, presenting at RSA Archer Summit 2018
3) Do a demo. Demos can help bring people together to understand how the product can be used, according to a security engineering manager at a consultant for a large DC-area government agency. Given their size, it is no surprise that data was kept in numerous silos and had no standard schemas whatsoever. RSA Archer can help to get everyone on the same page.
4) Understand your requirements and try to avoid creeping expansion. “Everyone had different requirements when we started with our RSA Archer project,” said the risk manager at the retailer. “As soon as people realized how quickly they could configure RSA Archer, that is when our requirements exploded,” said the government consultant. The trick was managing these expectations.
5) Centralize your RSA Archer governance team. Several IT managers mentioned this suggestion at different conference sessions, but I liked what the manager from Rio Tinto said in his session. Their governance committee is drawn from various organizations and complemented with additional teams to handle the delivery of RSA Archer applications. This team includes an architect, DevOps, reporting and data lead staffers. You might want to map out this structure too before deployment.
6) Build trust, listen to your users’ point of view and keep them frequently informed. This shouldn’t come as a surprise, but is still worth mentioning.
7) Use RSA Archer as a unifying force. “Before we started using RSA Archer, there wasn’t a lot of interaction between our risk assessment and audit teams. It has really brought us together,” said the government consultant. “Consistency is key. Just because your dashboard shows something is red is meaningless if you also show other shades of red. All alarms and exceptions should be treated the same,” said Hancock of Rio Tinto.
8) Understand your processes up front and get this right before you deploy. Part of this effort should create a taxonomy and strategy plan that will work corporate-wide. The retailer spent six months refining their processes before they ever touched any RSA Archer code. While that sounds like a lot of time, it eventually saved them a lot of grief down the road and avoided reworking their assumptions and wasted effort. Indeed, one person did nothing but process mapping with various stakeholders, according to their risk manager. Other presenters mentioned similar pre-planning time periods. “Integrated risk is all about people, processes and systems, and they all have to work together. We have to get our culture right before we can build good systems,” said Hancock.
9) Explain how RSA Archer is going to help your various stakeholders in their daily work life. The retailer presented how RSA Archer would produce certifications and compliance reports with a lot less work than they were doing previously. The other presenters had similar stories about how they sold the benefits of the platform to their users.
10) Finally, simple is usually better. Streamline everything. Consolidate your risk technologies. Aim for more holistic reporting and better transparency.
In another session, Mat Bonderud who is the IT Risk Manager for FedEx, said, “Quantifying risk is a journey, not a destination. There are certain steps along the way. The important thing to remember is that you need actionable data-driven reporting that can stand up to criticism. If you produce a report that says it is raining on your house, you need to know how many raindrops are actually getting through your roof -- that is the actionable number.”
Good luck on your journey towards more risk-based decision making.