
RSA Archer Suite

3 Posts authored by: Jonathan Gregalis Employee

The following is a guest blog from industry writer, David Strom. More on him below.


One of the best takeaways I got from attending the RSA® Archer Summit 2018 was the opportunity to listen to customers tell their deployment stories. I have put together a series of tips based on advice from several speakers who have been using the product for many years. 


One speaker, a director of risk operations for a large retailer and a long-time user of RSA Archer, talked about the challenges of their initial deployment. Things didn't start out well: their first deployment was less than successful. They were originally running three different instances of RSA Archer. It broke easily and was implemented so poorly that it was hard to make changes, they told conference attendees. In addition, the data quality was poor and none of these instances used a common data repository. As a result, it had a bad rap with the Information Security department. They had to reset and evaluate their environment. But now, their RSA Archer deployment is a different story, as you will see below.


Here are my top ten tips to ensure that your RSA Archer deployment won’t die on the vine.


1) First, know your stakeholders. When this large retailer began its project, they spent a lot of time analyzing who was eventually going to use RSA Archer. They researched and found their key influencers who had been passionate (both positive and negative) about the platform and what their initial impressions were about using the product. Then, they created a scale that went from defying to neutral to advocating for the platform. Next, they looked at what it would take to move each influencer in a more positive direction. Part of this stakeholder analysis included various business unit owners that would eventually benefit from using RSA Archer.


2) Make sure you look for influencers in non-obvious departments, too. The retailer wanted to woo their Chief Legal Officer, even though they knew it would be a hard sell. This was because they face many regular legal situations, such as slip and fall accidents, or having to find someone who is fired so they can get their last paycheck. Sometimes, it would take weeks to track down this ex-employee. The IT manager for the retailer, though, showed how RSA Archer could speed things up and got their legal department on board.


Matt Hancock went into more detail in another session at the conference. He is the principal advisor for risk at Rio Tinto, an Australian mining company with more than 47,000 global employees. They matched their existing risk register with their organizational structure, to ensure that they were going after the right targets.

Matt Hancock of Rio Tinto, presenting at RSA Archer Summit 2018


3) Do a demo. Demos can help bring people together to understand how the product can be used, according to a security engineering manager at a consultant for a large DC-area government agency.  Given their size, it is no surprise that data was kept in numerous silos and had no standard schemas whatsoever. RSA Archer can help to get everyone on the same page.


4) Understand your requirements and try to avoid creeping expansion. “Everyone had different requirements when we started with our RSA Archer project,” said the risk manager at the retailer. “As soon as people realized how quickly they could configure RSA Archer, that is when our requirements exploded,” said the government consultant. The trick was managing these expectations.


5) Centralize your RSA Archer governance team. Several IT managers mentioned this suggestion at different conference sessions, but I liked what the manager from Rio Tinto said in his session. Their governance committee is drawn from various organizations and complemented with additional teams to handle the delivery of RSA Archer applications. This team includes an architect, DevOps, reporting and data lead staffers. You might want to map out this structure too before deployment.


6) Build trust, listen to your users’ point of view and keep them frequently informed. This shouldn’t come as a surprise, but is still worth mentioning.


7) Use RSA Archer as a unifying force. “Before we started using RSA Archer, there wasn’t a lot of interaction between our risk assessment and audit teams. It has really brought us together,” said the government consultant. “Consistency is key. Just because your dashboard shows something is red is meaningless if you also show other shades of red. All alarms and exceptions should be treated the same,” said Hancock of Rio Tinto.


8) Understand your processes up front and get this right before you deploy. Part of this effort should create a taxonomy and strategy plan that will work corporate-wide. The retailer spent six months refining their processes before they ever touched any RSA Archer code. While that sounds like a lot of time, it eventually saved them a lot of grief down the road and avoided reworking their assumptions and wasted effort. Indeed, one person did nothing but process mapping with various stakeholders, according to their risk manager. Other presenters mentioned similar pre-planning time periods. “Integrated risk is all about people, processes and systems, and they all have to work together. We have to get our culture right before we can build good systems,” said Hancock.


9) Explain how RSA Archer is going to help your various stakeholders in their daily work life. The retailer presented how RSA Archer would produce certifications and compliance reports with a lot less work than they were doing previously. The other presenters had similar stories about how they sold the benefits of the platform to their users.


10)  Finally, simple is usually better. Streamline everything. Consolidate your risk technologies. Aim for more holistic reporting and better transparency.


In another session, Mat Bonderud, who is the IT Risk Manager for FedEx, said, “Quantifying risk is a journey, not a destination. There are certain steps along the way. The important thing to remember is that you need actionable data-driven reporting that can stand up to criticism. If you produce a report that says it is raining on your house, you need to know how many raindrops are actually getting through your roof -- that is the actionable number.”


Good luck on your journey towards more risk-based decision making.



David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.

The following is a guest post from industry writer, David Strom. 


So, the RSA® Archer Summit 2018 is over, and we are all back in our usual digs. I wanted to take some time to reflect on what I saw and where I think the company is going, based on what I heard at the event.


“The world has changed again,” said Rohit Ghai, President of RSA, at the opening keynote. “Data is the fuel of the digital economy and what makes the new value chain.” David Lemon, RSA Archer VP and Global Head of Sales said, “We have to give the business context to the security team and provide an end-to-end context so they can identify biggest priorities.” Here are some megatrends.


Going wide for a larger user base within each customer. At Summit, it was clear that the RSA Archer product line has a very loyal customer base, with people applauding for feature enhancements such as breadcrumbs. But the company has to move to a broader acceptance within the IT establishment, not just cultivate its product champions that may only number a few people within even the largest organizations. Part of the announcements and innovations at the conference were to appeal to a widening customer base and an interpretation of finding and winning over users beyond the risk folks – even within their existing customer base.


RSA Archer's success will also depend on whether it can move beyond selling to the largest of customers. “Our business opportunity is the less mature and medium-sized enterprise,” said David Walter, VP, RSA Archer. Thus RSA Archer has to both widen and deepen its customer base. “We have to engage more people in the risk management conversations,” said Walter. One IT manager at the conference said, “Integrated risk is all about people, processes and systems, and they all have to work together. We have to get our culture right if we are going to stay in business.”


David Walter, VP, RSA Archer delivers his keynote at RSA Archer Summit 2018


Trusting more SIs/VARs to sell and spread the word, rather than DIY. Another sign of maturity is how the more significant announcements at Summit were partnerships with Mendix and Konexus, both revolving around new mobile enhancements.  This is a big step forward for RSA Archer too, because it shows that it can’t go it alone anymore and needs to branch out to its partners. While RSA has had partners in place, its partner network is evolving. What I saw at Summit were good first steps.


Data integrations are key. The next sign of change with RSA Archer is how the company has recognized that it needs to be more tightly integrated in as many data streams as possible. Product manager Emily Shipman mentioned at the conference that “Data Gateway is changing the way we interact with external data sources. We have released 40 different integrations with Exchange, and have more planned for the coming year.” Walter said “And it isn’t just about getting the data, but using it and making it meaningful -- what I like to call data stewardship.” If the company makes good on these promises, that will be a significant boon in its business.


Greater number of product releases. With 13 different updates in the recent past, RSA Archer is showing that it can be more agile by adding new features and coming out with new versions at an increasing rate. This is another good sign, as it tries to satisfy demands from its very loyal customer base.


Branching out from the token business. Even though RSA SecurID® tokens are still very much a big business for RSA, the latest announcements at Summit show the company is moving in a new, more forward-looking direction. Certainly, MFA tokens won’t disappear tomorrow, but the indicators mentioned above show that the RSA Archer business a few years from now will be very different from what it was just a few years ago.


Is it all rainbows and unicorns? Certainly, there are challenges ahead. RSA Archer has to broaden its appeal with its ultimate success depending on the kindness of others to continue to partner up and branch out. It certainly is interesting times for risk management professionals.

# # #

David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.

The following is a guest blog from industry writer, David Strom. More on him below.


Today at the 15th RSA Archer Summit 2018 conference in Nashville, company executives announced a series of products and partnerships to extend their risk management platform firmly into the mobile arena. None of these are immediately available, although some will be released by November.


“We needed the ability for crisis managers to be able to kick off a communication protocol and have procedures that would help them respond during the middle of a hurricane even though the system is down,” said David Walter, a VP at RSA Archer, during his keynote at the show.  Walter told me that one of RSA Archer's key roles is supporting key staff that need to be involved with risk management conversations. “That means we have to promote incident awareness to a broader corporate culture, and have to provide enabling technology that can help everyone engage in that conversation. It also means we have to bring our technology to the users where they can access their data. This means offering a mobile-ready solution.” They are doing this in three different and complementary directions.


The first announcement is RSA Archer Mobility, a brand new mobile product that will include extensions to the RSA Archer Content API. This API was first seen in Archer v6.4 earlier this year and can be used to write JSON apps that make use of RSA Archer data and constructs. To showcase this integration during the show, Archer demonstrated its software working with Slack messaging and Google Home voice commands for handling simple data queries. The mobility product will be available next year.


David Walter, VP, RSA Archer introduces RSA Archer Mobility at RSA Archer Summit 2018


The second mobility announcement was the RSA Ready partnership with Konexus, a leading provider of world-class crisis management and collaboration tools. “We found that we have a lot of mutual customers who wanted to migrate data manually between the two tools,” said Walter. Konexus will have its own mobile apps that access data from both RSA Archer and its own systems. The apps can access role-based views and make crisis reporting more efficient with event-based escalation paths.


They demonstrated the app in their booth at the show in Nashville.


Finally, the third announcement was integrating RSA Archer with the low-code mobile app development platform from Mendix, which has become another RSA Ready partner. I got a chance to try out the app that was built in Mendix at the show and was impressed that it was created in less than a day’s worth of coding. RSA will supply the necessary components for its Mendix integration, called widgets, to help its customers develop their own custom apps. RSA Archer v6.4 SP1 is required to support the Mendix integration and potential customers can email inquiries here. The sample app is only available until the end of August. “Not every company is going to want to develop their own mobile app from scratch but would like to have the look and feel and branding and other customizations,” said Walter.


Both the Mendix and Konexus integrations will be included in the RSA Exchange release 6, available this November.

# # #

David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.
