Skip navigation
All Places > Products > RSA Archer Suite > Blog > Author: Steve Schlarman
1 2 3 Previous Next

RSA Archer Suite

101 Posts authored by: Steve Schlarman Employee

(Authored by Steve Schlarman, Portfolio Strategist, RSA)

It was Mark’s big shot. He finally had a meeting with Sharon, the CIO. Her schedule was so busy it was legendary, and for her to spend time with a risk analyst was a clear indicator she recognized the new challenges facing their company. Although he only had 15 minutes, Mark was prepared  – notepad at the ready, brimming with nervous energy. After some brief chit chat, he got down to business – ready to drill into a conversation about their company’s biggest obstacles; the most impactful concerns; the top of mind issues; the coup de grace that could spell disaster for the organization. He took a deep breath and went to his big money question… ‘So, what keeps you up at night? What are you worried about?’ 

Sharon beamed. She spun around to her whiteboard and spewed a litany of projects fueling their company’s digital transformation – an IoT project, implementation, a massive VMWare migration and their hybrid cloud, the new employee work-at-home program, the impending customer mobile portal…

While that question got Sharon started, let’s think about this a bit differently.

With all the benefits the new digital world offers, there are a host of risks that must be managed. The major areas of risk remain the ‘usual suspects,’ such as security, compliance, resiliency, inherited risks from third parties and operational risk. However, digital business amplifies uncertainty for organizations today.  For example:

  • Digital business, by its very nature, increases the threat of cyber incidents and risks around your intellectual property and customer data.
  • The expanded connectivity and expectations of the ‘always on’ business stresses the importance of resiliency.
  • Business has evolved into an ecosystem of internal and external services and processes leading to a complex web of ‘inherited’ risks.
  • The disappearing perimeter and digital workforce is challenging how organizations engage their customers and employees.

Factors such as these are why digital initiatives are forcing organizations to rethink and increasingly integrate their risk and security strategies. 

The objective for today’s risk professional is not just about defending against the bad. Just like Mark discussing the parade of initiatives with Sharon that clearly impact their company’s future, you must be ready to help usher in a new age of digital operations. Merely riding the buzzword wave – IoT, social media, big data analytics, augmented reality... – is not enough. 

You must look at opportunities to enable innovation in your business while building trust with your customers and throughout your enterprise. Your business must be comfortable embracing risk and aggressively pursuing market opportunities offered by new technology. To do that, risk associated with the use of emerging or disruptive technology in transforming traditional business processes needs to be identified and assessed in the context of fueling innovation. You also must keep focus on the negative side of risk. Your business today demands an open, yet controlled, blend of traditional and emerging business tactics. You must help manage the ongoing risk as these transformed business operations are absorbed into the organization fully, i.e., the new model becomes the normal model of doing business.

Risk is, by definition, uncertainty. Everyone is concerned about uncertainty in today’s world. However, if we go back to the simple equation (risk = likelihood * impact), risk should be something we can dissect, understand, and maybe even calculate. While you are helping your organization embrace the advantages (positive risk) of technologies like IoT, data analytics, machine learning, and other emerging digital enablers, the volatile, hyperconnected nature of digital business amplifies the negative side of risk. It is anxiety about the unknown that leads us into that executive conversation, but it shouldn’t lead to worry.

Worry is about fear. Your executives shouldn’t be afraid in today’s world. They should have informed concerns. And you – as the security or risk person in the room – should be feeding insights to raise their visibility of the likelihood of events and diminish their distress on the negative impacts. Risk is part of riding the waves of business opportunities.

Risk is not something you should WORRY about... it is something you should ACT on.


To learn more about digital risk management, click on our new Solutions Banners located in the right-hand column of each RSA product page: Third Party Risk, Cloud Transformation, Dynamic Workforce, and Cyber Attack Risk.

My final theory of my Riskicist’s Guide for you to contemplate borrows from an interesting phenomenon in nature. Synchronization of seemingly random events in nature is not uncommon. Flocks of birds and schools of fish synchronize to ward off predators. Inanimate objects can even synchronize. The point is there is no one master object is necessary to give direction for these things to synchronize. In some cases it is instinct, some cases it is physics. But out of chaos comes order.

What does this have to do with the future of risk management?

Culture has a lot to do with risk management. In some respects, culture is one of most direct influences on how well your risk program works. Your program relies on people. And people have personalities. Just like we have dominant personality traits, every employee in your company has a risk personality and they display that personality in everyday life. Do they instinctively speed up when the stoplight is yellow or do they immediately go for the brake? Or do they take a split second to calculate? Do they play the lottery every week or is it only for suckers and a waste of money? Do they wait until the prize is big enough for them to wager?  These personality types vary across a company – and depending on the level of influence a person has within the organization – this risk personality affects the company’s culture. We have seen companies where risk taking – fueled by these personalities - has built empires or destroyed from within.

We need to contemplate the emerging views on what is risky and how that will affect our organization’s culture. We need to contemplate the expectation of the future workforce when it comes to managing risk through technology – and using technology to manage risk.

My last theory is: 

The forces of SYNCHRONICITY will affect your organization’s approach to risk management

MORE than any other force.

Your workforce - including the entry level risk analyst or security admin you hire in the future - is being built on digital natives – those not knowing a world without technology. Their RISK PERSONALITY will continue to change - and be different than many of the established cultural norms. As these new personalities enter your workforce, they will bring much potential. However, your culture will change and eventually your organization will synchronize to these new ways of thinking.

In a future digital world that will be based entirely on data, it will be the personalities of your organization that will be the difference between success and failure. These personalities may be difference between taking a risk that pays off – or missing an opportunity due to caution. For the risk management professional, we must anticipate that synchronization. More importantly, WE need to be ready to change with it and become open to controlled, risk taking. We must become comfortable with the uncomfortable.

So what does the future of risk management look like? As much as I would like it, I can’t see into the future. Even with these theories, it is difficult to know exactly what will come. We know amazing technological advances are coming our way. We know we will change how we think about risk. Your digital transformation will force new paradigms; your workforce will demand new approaches.

When it comes to what we, as a risk management community, need to think about going forward, we have some clear indicators. One thing I know is risk management will be all about speed. Risk management cannot be a hindrance in your organization moving forward. You are faced with a complex and fast-moving landscape that requires an evolution towards Integrated Risk Management. We can use a Cartesian space – horizontal and vertical integration through people, processes and technology - to guide us. We can prepare ourselves for the rapid changes in risk. We will need to factor time into our risk equations. We must also anticipate this synchronization factor.

Our industry is on an evolutionary path and sitting on the precipice of a new digital world.  RSA has been leading the pack in building technology solutions over the past 35 years and proud to be part of your journey. My final thought to leave you with is this…

The future is not in FRONT of you…

It is BUILT on you.

I know you are up for the challenge.


This blog series is based on my keynote from the RSA Archer Summit 2018.

In my last blog in my Riskicist’s Guide, I posed the Theory of Exponential Growth highlighting the rapid change of risk in today’s world and the need for automation. With automation we can gain better visibility. We then have much more data to drive insights and actions – BUT as things move faster we need to better understand WHEN to deal with an issue as well as how it impacts the business. This brings me to another aspect of my riskics – TIME.  The most constant, ever present variable in hyper risk management is TIME. In fact, time could be one of the most critical variables in the Digital Risk Management transformation.

For example, most data classification schemes are one-time affairs and answer What is the value of this piece of data today? However, the value of data – the currency of the digital transformation – can change over time. I wrote about this in a blog in 2014 entitled “The Data Classification Curve”. In a nutshell, the criticality, value or sensitivity of data depends on time – financial numbers go from extreme confidentiality to public knowledge overnight; the sensitivity of personal data hits a threshold as elements are combined or collected over time.

The point is risk associated with your business, like data sensitivity, goes up or down depending on time. When we apply that concept to our traditional definition of likelihood and impact, we clearly can see both are affected by time. The likelihood of an event may go up or down depending on the time of day. The impact of a financial system outage at the end of the quarter is different than the middle of the quarter.


This leads to my next theory:

Measurement of risk will REQUIRE an element of TIME.

Risk when approached with this concept of time becomes less of a dashboard more like a stock ticker. A loss exposure at one time could be $3M, another time $1M, another time $5M… it all depends on time. Going back to our traditional risk formula, risk still depends on likelihood and impact – but each must be considered in relation to time.


This concept could be applied to any gap identified during a risk or compliance process. It could also apply to prioritization of events and alerts. RSA’s experience gives us a leg up in helping risk management processes utilize time as an input. RSA Netwitness’ user behavior analytics and RSA’s Adaptive Authentication risk engine already uses this type of approach.

Time as an input to risk management processes in the digital era affects calculating risk exposure and driving action. A security incident may be more or less critical based on the time of the day. A Business Continuity plan may need to factor in the time of the month of a potential event. Not that you would leave an event to chance or ignore something based on this time element but the timing of events will need to factor into prioritization and measurement.

As risk management processes begin to become more and more data driven, fueled by the digital transformation of the business, there will be a need to tighten up the response to that data and prioritize based on the data. As insight into risks are produced, time will be a major input into what actions are needed, when they are needed and how to prioritize those actions. Risks will need to be prioritized not only on automated business context flowing in from different systems – but prioritized based on the time.


Join me for my last theory in my next blog as I wrap up my Riskicist's Guide to the Universe.

As I continue my Riskicist’s Guide to the Universe, my first theory regarding the future of risk management deals with change.

In very simple terms, the change of Risk in the past can be thought of as growing on a mainly linear scale as a function of the organizational size or complexity. In other words, a straight line. But there is more to it. Your company has market dynamics within your industry that force change. As your competitive pressures increase and your market changes, it affects your risk. The rate of risk change is therefore a function of your market, or F(x) = Y * x where Y is a measurement of your market volatility. If your market is changing rapidly, the coefficient is > 1. The line is steeper, the rate of risk is higher. If the market pressures are relatively slow than the rate of change is between 0 and 1. The line isn’t as steep – or risk is not expanding as fast. Don’t begin thinking these are actual mathematical models – this is a conceptual depiction – but the logic applies.

Prior to the digital revolution, this might have been an adequate way to graph a simple rate of change of risk. However, risk in the digital world doesn’t grow in this linear fashion. It grows at an exponential rate.


This leads to my first theory:

The GROWTH OF RISK will follow an exponential curve based the rate of change of your market taken to the power of your digital transformation.


In this conceptual model, Y is your market changes, Z is the rate of adoption of technology within your organization. The market pressures have been a constant force affecting industries. It is the Digital Transformation that can be a massive shift. As your business goes digital, it can represent an explosion of elements in your risk management framework. More systems, more data, more threats, more EVERYTHING. It is this exponential factor that fuels hyper growth and changes how we think of some of our fundamental needs in our risk program.

The main impact of this rapid risk growth I want to explore is the impact on understanding the business context around risk. Business Context is the relationship of any risk management framework element – like an incident or a control – to the business. Business Context sets the aperture by which risk can be viewed - the more context, the more clarity. When you have Hyper Risk Growth, you need Hyper Risk Management. Hyper Risk Management requires Hyper Business Context.


Hyper Business Context must be fueled by automation. Manual cataloging anything related to the risk management process in this new world will quickly fall behind. In short, the hyper growth of risk forces us to look to automated inputs with a frequency and reliability that exceeds today’s capabilities. We must rethink what it means to create the relationships to formulate business context. Your risk program must build business context from the insights it gathers – and not rely solely on manual efforts.

The good news is RSA has a unique position when it comes to the future of business context. RSA Archer already helps you build context for your risk program. But we can also think outside the box when it comes to building business context. For example, why not let the systems tell us what is important? Network monitoring systems like RSA Netwitness can tell us how much a system is used to identify availability risks. Identity Management systems like RSA SecurID can connect applications to user profiles building relationships between business functions and IT infrastructure. These are byproducts of those technologies that we can use to inform business context.


Automation and integration will be key in ensuring your context keeps up with the data flowing from your many systems especially as your business continues along its digital transformation.


Join me next week for my next blog that discusses an ever present variable that will have a tremendous impact on measuring risk in the future. 

It’s that time of the year. As we wrap up another celestial measurement of time, people begin predicting things that will happen in the future. I don’t know why it is – but my crystal ball says over the next few weeks you will see a slew of predictions about what will be coming over the horizon of 2019. In the spirit of the season, I wanted to contribute my thoughts towards this time-honored tradition.

I must admit I do a lot of thinking about the future of risk management. Earlier this year, we held our 15th RSA Archer Summit. Last month, we also held our EMEA Summit. These events are highlights for the RSA Archer community - a time to gather and share insights – and I had the honor of addressing the community at both events on the future of risk management. That opportunity got my wheels turning as I contemplated this thought provoking topic.

We all know technology has moved blindingly fast and the coming years will be mind boggling. The way we do business today will not be how we conduct business in the future. The Digital Transformation is undeniable. For us in risk management, while the Digital Transformation is unfolding, there must be a Risk Transformation that moves at the same pace, and I would argue even faster. Risk has so many variables. It is really overwhelming as we try to investigate the future and predict how risk management will transform. When I started to think about the future of risk management, I knew I had to approach risk like something else really, really complex… like the universe.

And it hit me… If theoretical physicists can pose theories to understand the universe, a theoretical riskicist can pose theories on the future of risk management. I have been using Schrodinger’s cat as an analogy for Risk and Opportunity for years so it seemed like a good fit. Plus I have seen every Big Bang Theory episode numerous times… You know it’s bad when your wife says “Ok – Sheldon – just give me the cliff notes…” on a regular basis. But before one explores a universe – a Cartesian coordinate system to describe the space comes in handy.

The first dimension we can think of as our X axis is the different domains of risk. Security, compliance, operational risk, vendor management, audit, and business continuity - all of the functions in an organization we traditionally associate with risk management - must be horizontally aligned. Alignment across these domains means you are using the same language to discuss risk. It means that your data, your processes, and your discussions are focused and meaningful to each other.  RSA is blending security and risk management as part of its core strategy. We see these worlds converging. Communication and coordination across operational functions is absolutely critical in dealing with risk.


The second dimension of risk is our Y axis indicating the spectrum of strategic to operational risks.  Our risk management strategies must be vertically aligned to connect strategic objectives to day-to-day operations. Small events can quickly turn into major catastrophes and we have to connect those dots. We need the context to put an operational event into the big picture. We also need the ability to drill into more detail when looking at strategic business risks. RSA’s strategy of integrating threat detection and risk management is a great example of this alignment, for instance, by being able to connect a security alert to a business application that stores personal data. It is the connection between risk management at the strategic and operational levels that creates a true picture of what risks mean to your business.

The final dimension is our Z axis. It may sound cliché but the “People, Process and Technology” paradigm is even more crucial in managing risk today. Moving towards a digital world, the pressure to push the envelope will be on the technology front. There will be much more data for us to consider but we can’t forget the other two elements – we need the right talent pool and we need optimized processes.



This gives us our Cartesian space – our X, Y and Z – as a foundation. As your company matures in each of these dimensions, the view of risk gets clearer and clearer. This space gives us our guideposts to explore our universe. See, that wasn’t so bad…

Over the next several blogs, I will expound on three simple theories for you to contemplate for the future. I hope you join me for my Theoretical Riskicist’s Guide to the Universe.

It seems like yesterday that I announced the release of RSA Archer 6.4 SP1 with updates to several key use cases and some exciting platform enhancements but here we are again with more exciting news.  I am happy to announce general availability of RSA Archer Release 6.5.  This release focused mainly on enhancing several areas of the RSA Archer platform with updates in user interface, performance, workflow and reporting.   Additionally, we continue to see risk programs maturing and have developed a Scenario Analysis and Delegated Authorities approach for the RSA Archer Top Down Risk Assessment use case.  

Use Case Updates

As companies continue to mature their programs and target integrated risk management capabilities, we focused on a key element of our Enterprise and Operational Risk Management solution - RSA Archer Top-Down Risk Assessment.  This use case is designed to help your organization implement a standardized approach to building and maintaining a risk register and supports multiple types of assessment approaches.  We have added a new Scenario application enabling risk teams to create “what if” scenarios, adjust the granularity level of the assessment and tie them to risk register records providing more precise analysis as risk owners assess risk.   These scenarios can be built into a new Scenario Library application. Risk teams can create and manage a set of scenario templates that can be used to easily create new scenario records.  Additionally, new functionality adds the ability to manage Delegated authorities on risks.   This concept is critical in risk management processes allowing risk teams to to route risks for acceptance to users that have been assigned to a defined acceptance level for each business unit.  With Delegated Authorities, risk assessment processes can more quickly and efficiently route risks for review at the appropriate functional level of approval.


Updates to the record permission structure have been made to RSA Archer Crisis Management and RSA Archer Business Continuity & IT Disaster Recovery Planning use cases to prepare for some exciting upcoming integrations.  Keep an eye out for those in the near future.

Platform Updates

RSA Archer Release 6.5 delivers a number of enhancements and new functionality to the RSA Archer Platform. These include performance improvements for faster ingestion and more efficient management of data at scale, new Advanced Workflow functionality for greater ease of use, new export and reporting capabilities, and a variety of usability, accessibility, and User Interface improvements.   These are only some of the highlights so make sure you read the Product Advisory for more details.


Several of the new features focus on Usability, accessibility, and UI enhancements including Field-level encryption for Attachments and Images and Inline edit for Calculated Cross-Reference and Related Record fields.  Our User interface improvements continue with visual adjustments on Record and Questionnaire pages.  Additionally, since RSA Archer is used as a key reporting source for business and executive users, we have added several data export and reporting enhancements.  An updated Content API offers the ability to save content, fetch tasks and retrieve related records improving the ability to integrate into external systems such as business intelligence tools.  We have also made visual improvements for default chart settings and updated the Microsoft Excel-based export functionality allows users to export up to a million records in a single file.  Finally, a new dashboard export to Microsoft PowerPoint format not only streamlines output from RSA Archer for presentations, it also provides users the ability to include data and edit the PowerPoint before sharing RSA Archer dashboards. 


An Advanced Workflow enhancement includes new functionality that allows system administrators to make bulk changes to their advanced workflow business process and move enrolled records to the new workflow version.  UI improvements also have been added to provide a new full-screen option for Advanced Workflow Designer making it easier to view and edit large or complex workflows.


Finally, as usual, we continue to make Performance enhancements.

  • Support for SQL 2016 SP1 and SQL 2017 enables future Platform features and brings several Enterprise Edition capabilities to the Standard Edition, which many customers run to power their RSA Archer implementations.
  • Our new Data Gateway allows customers with large data sets in external system to connect to RSA Archer and continues to expand with the ability to notify RSA Archer of changes in the external subsystem and allows RSA Archer to trigger calculations.
  • Our added support for independent licensing of Elasticsearch for Keyword and GlobalSearch allows for faster and more efficient indexing of content for search purposes, performing "at scale" when large record volumes are present.
  • Bulk Actions Dynamic Field Population enables users to dynamically populate a text field in content created during a Bulk Actions creation activity. This enables text fields to be built from multiple attributes to give fields like Title and Description more context during the bulk creation process.
  • Job Engine improvements help reduce overhead and total runtime and provide additional measures for administrators to control how the Job Engine operates.


For more information, please read the Product Advisory.

They say ‘It ain’t over, until it’s over’. Even though the RSA Archer Summit 2018 came to a close last Friday, we know the challenges of the risk landscape will remain. Last week, we welcomed over 1200 customers and partners to the country music mecca of Nashville in the 15th anniversary version of the RSA Archer Summit. Over the course of 2 ½ day event, we hosted 6 working groups, a customer advisory board, 5 keynotes, over 55 learning sessions, a ‘Choose your own adventure’ lab and an ‘Ask the Expert’ room that was busy the entire conference, and more networking and community celebratory events than you can shake a banjo at.

Risk Management Perspectives

Seeing so many practitioners present best practices, lessons learned and tips and tricks always provides key insights into the state of the risk management. Some key takeaways I heard:

  • Digital initiatives are impacting security and risk management in many different ways. From addressing expanded privacy concerns related to customer facing digital products and services to adjusting risk and compliance efforts around emerging technology, companies are faced with changing requirements and continue to strive towards integrated strategies that cross functional and operational teams. Watch Grant Geyer, VP of Product at RSA, describe the impact of the digital world on risk management.
  • The evolution of GRC towards Integrated Risk Management continues. Call it what you will – GRC or IRM – the emphasis of connecting risk disciplines and building a collaborative, risk based approach to security, compliance, resiliency, third party governance and audit is top of mind for all practitioners.
  • We heard a wide variety of customer stories highlighting tips for success. Engaging your stakeholders, building a strong foundation of both organizational and technical support and thinking strategically are keys to building a sustainable, high value program.
  • I also had a chance to catch up with Jack Jones from the FAIR institute on the future of risk management in the age of risk economics. It was great to get his perspective – watch the interview here.

The Future of Risk Management

Since this year’s Summit was a special anniversary edition, we celebrated the long history of RSA Archer in the risk management industry. Looking back at 2003, the first year of the Summit, stirred a nostalgic feel as we contemplated the past. In 2003, Sarbanes Oxley was only 1 year old and the Apple ITunes store was tech invention of the year according to Time Magazine.   Those ‘simpler’ times dropped hints at the coming challenges – regulatory mandates and shifting requirements, the importance of corporate governance and compliance, the glowing fuse of the digital explosion…

A highlight for me this year was the keynote address by David Houle that gave us a perspective on the future and the challenges across a wide spectrum of risks facing organizations today. I also wrapped up the event with my own evaluation of what risk management looks like as we face the evolution of our industry. Speed, automation, integrated approaches, the merging security and risk disciplines and preparing for a constant shift in both technology and culture make the future of risk management an exciting, and challenging, industry.


The 2018 RSA Archer Summit was just the kick off of the next chapter. RSA is in a unique position to help organizations bridge the worlds of Security and Risk Management as we span across these critical domains.   The strategic vision and the innovations previewed at the Summit for RSA Archer highlight how the solution is geared to help risk and security teams see around the corner and build that truly integrated approach. Through presentation after presentation, our customers articulated an incredible passion in bringing together functions, driving change and unleashing their organization’s potential.   I am happy to say I don’t think there is a company out there that is better suited than RSA to help them continue on their journey forward to the next 15 years.

Are you an RSA Link member? View the RSA Archer 2018 presentations here.

Today is the day… This morning, we kicked off the RSA Archer Summit 2018 - the 15th anniversary edition of this annual event.  Fresh off a fantastic welcome reception last night, the crowd was buzzing with excitement as they gathered for the opening keynotes.  To get the Summit up and running this year, Rohit Ghai, David Lemon and David Walter welcomed over 1200 customers, partners and RSA staff outlining RSA’s vision and the future of RSA Archer.   After celebrating the 15 years of the RSA Archer community, Rohit highlighted RSA’s role in helping our customers navigate through the risky – yet opportunity filled – digital transformation.   His mantra of the forces affecting all companies today – Modernization, Malice and Mandates – emphasized the need for integrated strategies to address risk.  David Lemon then greeted three long time customers for an insightful look into the risk management practitioner world.  Finally David Walter and a host of product managers – Emily Shipman, Susan Read-Miller, Corey Carpenter and Brian Schaefer – walked through RSA Archer’s product vision and roadmap and along the way discussed key innovations that make RSA Archer the industry’s leading risk management platform.


The big surprise came at the end of David’s product keynote when he outlined RSA Archer’s mobility strategy.  RSA Archer mobility strategy aims to bring the power of RSA Archer and its data to the users, where they are and in the form they want. The strategy included several facets including the ability to approve by email, developing digital assistants and providing options for mobile device experience including building a RSA Archer native app.


David also announced two key RSA Ready partnerships.   The first partnership with Konexus provides crisis management capabilities – fitting nicely into the RSA Archer Business Resiliency solution.  The second partnership with Mendix, a leading mobile application development platform, unveiled a prototype of a mobile app built on the Mendix platform.  David invited customers present at the RSA Archer Summit to download the app – a prototype of an Exception Request and Approval application – and provide feedback.  The excitement in the room was palatable as David sketched out the strategy for bringing mobility capabilities to RSA Archer and the Mendix app was a big first step.


Such an exciting start to the event… The remainder of the Summit will be full of customer presentations, learning labs, more keynotes, fantastic networking events and plenty of opportunities to celebrate this 15th anniversary of the RSA Archer Community.  I am looking forward to the rest of this wonderful event.

Take Control of Your Controls

Managing risk today isn’t easy.  Many times, your success in reducing risk is dependent on the effectiveness of the controls within business operations.  The design and implementation of control activities are key for your organization to reduce the possibility of negative events such as compliance violations, business disruptions, data breaches and a host of other scenarios.


I am happy to announce general availability of RSA Archer Release 6.4 SP1.  This release includes updates to several key use cases that are critical in managing control documentation, testing and reporting.  In other words, this latest RSA Archer platform and use case release focuses on helping customers ‘take control of your controls.’. Following on the heels of RSA Archer Release 6.4 in April , RSA Archer 6.4 SP1 leverages features introduced in RSA Archer Release 6.4 within several use cases and includes additional updates to the RSA Archer Platform.


Use Case Updates

  • RSA Archer IT Security Vulnerabilities Program – One of the most prevalent security controls is the identification and remediation of vulnerabilities on IT systems.  These vulnerabilities are the foothold today’s security threats need to compromise systems, ultimately leading to data breaches.  The process that identifies those vulnerabilities and ensures proper patches are implemented is critical in reducing the ‘attack surface’ of an organization.


The RSA Archer IT Security Vulnerabilities Program use case is designed to offer security teams an integrated approach to identifying and prioritizing high-risk cyber threats, proactively managing IT security risks by understanding the criticality of various assets to business operations, and combining those insights with actionable threat intelligence, vulnerability assessment results and comprehensive workflows.


Updates to this use case in this release improve performance of data feeds, introduce new workflows, update the integration to the National Vulnerability Database (NVD) and add a new Vulnerability Tickets application to track remediation actions needed to address vulnerabilities identified by scanners.


Updates to these use cases within this release streamline the compliance testing and controls management processes with improved planning for Compliance testing and support for multi-phase tests throughout the year.  One of the most exciting additions is the End-to-End Compliance Project Management, allowing compliance teams to scope controls and plan and generate appropriate Control tests as needed.   Additionally, a new Control Procedure Hierarchy provides a method to create a master list of Controls with automated creation of Control Instances via the Control Generator for different business entities and infrastructure. A new Evidence Repository application is now also included providing a single repository for evidence gathered in the Compliance testing process.


Additional updates to the RSA Archer PCI Management,  RSA Archer Assessment & Authorization and RSA Archer Issues Management use cases carry on the theme of streamlined control management.


Platform Updates

This latest RSA Archer release also includes new and updated Platform features.  One of the key new features is the addition of an Electronic Signature using RSA Archer authentication or emailed PIN authorization.  This feature strengthens customers’ ability to log and track user actions and support non-repudiation of attestations.


In addition, other Platform updates in this release include:

  • Data feed performance and scalability improvements when using the Batch Content Save Token
  • Additional filtering capabilities for Calculated Cross-Reference and Report Object hierarchical values lists
  • Dynamic Field Population via Mapping for Bulk Action to populate fields with content assigned from a related field
  • Performance improvements for hierarchical values lists


For more information, see the RSA Archer Release 6.4 SP1 Product Advisory.

Are you tired of the GDPR discussion yet? I hope not. GDPR represents a tremendous opportunity to discuss risk management in a much wider context. GDPR – being all about personal data – is the opening you need to discuss how data is fueling your organization.

Why is Data Governance so important?

Data is so widely distributed in organizations today and the power of end users is tremendous. Just a simple download of Personal Data from a central, controlled system into a spreadsheet by a marketing person for a one-time use is a risk. So not only do you need to understand where the managed systems are that contain Personal Data, but also the possible outputs from those systems.

Processing activities can be extremely complex. This is where engaging those process owners is so important. First, you need to educate them on the risks and second, get their help in working out the data flows. Third parties are also a major challenge in this area. Many companies are leveraging cloud service providers or external vendors for many types of data processing. You must be able to identify these vendors, and then understand if they access or process personal data.

Shadow IT or functional groups working directly outside the scope of IT with external vendors are a major challenge. Policies, education and better options have to come into play. You may not be able to eliminate all of the instances where a functional group works with an outside firm – but you can certainly ensure policies and training are in place to educate those groups on the potential risks.

While the discussion with your business may start with personal data, it isn’t a long shot to talk about other elements of data, the importance of data governance and the controls needed to secure all types of data. Once you cross that chasm of discussing data, the opportunity to talk about internal and external threats is open.



What to learn more about data governance and GDPR?  Check out our solution brief or take a look at the RSA Archer Data Governance use case.

GDPR has come – and gone?  Not really.  Despite the deadline passing without the sky falling, GDPR is something that can’t fall off your radar.  If your legal and compliance team raised the GDPR flag as something you need to address, then you should certainly be thinking long term.  GDPR is not just a regulation - it is an opportunity.


New regulatory requirements are a great opening to take a close look at controls in general.  When Sarbanes Oxley hit organizations, they responded by focusing obviously on the financial reporting processes.  But over time, companies realized a strong control strategy has benefits beyond those processes.  It raised the awareness of managing not only compliance – but of managing risks to the business.  GDPR can play that same type of role.  While the immediate focus may be on security of personal data – the changes GDPR can bring in policies, processes and technical controls can benefit areas of your business outside of Personal Data. 


What Comes after GDPR?

If your organization understands how important it is to protect personal data because of regulatory requirements, then the time is ripe to ask the question – what about other data?   GDPR represents a shift in how businesses must address data governance, breach preparedness and risk and compliance management.   Those controls can evolve into a better strategy across the enterprise.  Take the opportunity – have the discussion.



What to learn more?  Check out RSA's perspective on GDPR or read the white paper on how GDPR is affecting your future.

It can be lonely sitting out on Risk Management Island.  I have some good news for you - your closest friend, Compliance, has dropped a break in your lap – GDPR.  I know it isn’t easy to see it but GDPR can be a rallying cry to improve your risk management, security and compliance world.  Although the deadline was over a month ago, companies continue to adjust their processes in response to the regulation.


GDPR and the Risk Management Process

There are certainly many dimensions to GDPR – from the technology implications to the business operations changes needed.  One area I would like to highlight is the risk assessment angle of the GDPR.  This is an emerging topic in the regulatory compliance world.  No longer are regulators saying you must do A, B and C.  They are requiring a risk based approach – meaning, your company has to determine the risks and design and operate controls that effectively manage that risk.  We see this not only in GDPR but other regulations, PSD2 for instance, and it is a trend that will continue.

Organizations need to bulk up their risk assessment processes – how are risks identified and assessed, how are decisions made to address those risks, then how are the risks treated and monitored.   This must be a demonstrable process that can be inspected.   Those steps and the decisions made during the process should be documented to show how the organization arrived at its conclusions.


GDPR changes things from a ME thing to a WE thing.   Rally the troops.  Your friend Compliance will appreciate it.


As the excitement builds towards the RSA Archer Summit 2018, I am happy to announce nominations for the annual customer awards is now open.   Every year, we honor customers as they push the envelope, innovate and enable their Integrated Risk Management programs with RSA Archer.   Bringing GRC excellence to an organization is no simple task.  It requires hard work, commitment and a steady stream of progress.  The companies that have won these awards in the past have these traits down pat - not only addressing risk but providing business value as they help their organizations navigate the uncertainty and volatility in business today.   Our past winners include organizations of all sizes across all industries and represent the 'creme de la creme' of the risk management world.


I invite you to submit your organization for the award.  The process is simple - download the form and submit it to the RSA Archer team.  The only criteria for nomination is to be an RSA Archer customer.


The nomination form is available on the RSA Link Community along with instructions.  Don't delay - the deadline for award submissions is June 15, 2018.


I hope to see you at the RSA Archer Summit 2018!  The event promises to be a premier opportunity to learn and network with your peers.  Register today if you haven't already!

We have all heard it.  In one way or another.  The Yanny vs. Laurel sound clip is raging across the internet.  Mainstream media has thrown major fuel on the fire.  Jimmy Fallon spent considerable time debating on his show with Questlove throwing in his own version.  Which camp are you in?  It is amazing how an audio trick manipulating the pitch of a sound clip can get so much attention.  Clever?  Yes.  Earth shaking?  Not really, but a distraction from the normal day-to-day grind.  While not as hot of a topic – I doubt Ellen or The Today Show will pick up the story – risk management has its own Yanny and Laurel.


The term GRC has been in the industry for over 15 years and while it has been accepted and grown to represent a core business process in many organizations, it also has built perceptions around the feasibility and applicability of these programs.  In some organizations, GRC has taken hold and is an accepted term.  In other organizations, though, GRC represents a bureaucratic, complex concept requiring heavy operational processes resulting in little value.


Today, organizations are faced with a much more complex and fast moving challenge that GRC programs may, or may not, be equipped to address.  Many organizations are being overwhelmed by the magnitude, velocity and complexity of existing and emerging risks – struggling to respond to business risks, rather than seizing opportunities that drive the business forward.   The reason is that many organizations’ current risk management mechanisms are undeveloped, disconnected or ineffective.


Organizations must manage risk with more agility and integration than ever before.  The strategies driving business success – for example, technology adoption or market expansion –introduce more risk.  The interdependence of digital and business strategies have converged cybersecurity and business risks creating a complex set of problems.  Industry and government requirements fuel increased scrutiny by regulators.  Organizations have an increasing reliance on external parties including service providers, contractors, consultants and other third parties that complicate their business risks.  Executives and boards demandi the business manage risk without excessive costs affecting the bottom line.  The media is ready to pounce on any incident – from a data breach to a compliance failure to a corporate scandal.  Increasing reliance on technology exposes businesses to the explosion of dangerous cyber threats.  Any delay or setback in meeting business objectives can mean the difference between success and failure in today’s highly competitive market.


Integrated Risk Management (IRM) represents the next evolution of GRC.  IRM covers many of the same concepts as GRC but stresses the agility and flexibility needed by today’s modern enterprise.  IRM highlights the integrated nature of risk:

  • Horizontally – Risk management must integrate across risk domains (security, compliance, resiliency, etc.) since no risk today stands alone.  For example, a security issue can be a compliance issue, result in a business disruption, involve a third party and result in financial losses and reputational damage.   Establishing a common program to cross operational functions and foster a multi-disciplinary approach to risk management is the horizontal element of IRM.
  • Vertically – Risk management must connect operational risks to the business strategies and vice versa.  Taking that same security issue as an example, if you can articulate the business impacts of a security incident, you are creating a more relevant starting point for the business to understand what is going on.  As risk and security teams are being asked to protect the business, they must then understand the business they are protecting.  Connecting strategic objectives to operational events, risks and controls are the vertical element of IRM.

As risk management programs mature in these two directions – horizontally and vertically – the organization starts building a truly integrated view of risk and is better positioned to adjust risk management strategies to address the volatile nature of risk in today’s enterprise.


So which do you hear when your organization says ‘we need to deal with emerging issues and the uncertainty related to strategic business objectives”?  GRC?  Or Integrated Risk Management?  It’s unlikely this dispute will become fodder for late night talk shows, but it is worthy of a discussion in your organization today.  Now if we could only settle the Blue Dress/Gold Dress argument

A key to delivering a solid risk management program is the quality and performance of the processes fueling your organizations’ strategy. Getting solid results through efficient processes enables your program to achieve the reach necessary across the enterprise to address risk effectively. These two facets – quality and performance – were the key themes of our most recent release.

I am pleased to announce the general availability of RSA Archer Release 6.4. RSA Archer 6.4 delivers enhanced capabilities for RSA Archer Platform focused on improved data quality and feed performance and greater performance and serviceability.

Integration is critical in gathering the information for your risk program. RSA Archer’s integration capabilities are core to the platform and the 6.4 release enhances the data feed capabilities in RSA Archer with more ability to transform inbound data before it is brought into the RSA Archer Platform. Release 6.4 also improves the performance of data feeds by batching records and calculation improvements.

In addition, there are some fantastic new features that improve the user experience and make life easier for administrators. The ability to embed reports on application forms and calculate cross-references based on data filters are two new capabilities that will improve how users view data and how administrators can streamline data input.   For easier serviceability of the RSA Archer Platform, a new permissions investigation console has been added to simplify the role and group access control troubleshooting. Additionally, the expansion of advanced workflow capabilities captures advanced auditing insight and logging workflow history within the History Log field.

RSA Archer Release 6.4 also introduces new capabilities for RSA Archer IT & Security Risk Management use case offerings:

  • The new RSA Archer Cyber Incident and Breach Response use case is designed to align security to business risk. It provides a consistent measure of control efficacy and centralizes the process for responding to business impacting security incident.
  • New capabilities for the RSA Archer Information Security Management System (ISMS) use case enable users to automate scoping of ISMS resources, conduct a gap analysis, and generate a Statement of Applicability.

These are just some of the highlights of the release.   With the release of 6.3 in October 2017 and this release, we continue on our journey to make RSA Archer the system of engagement and insight and help your organization implement high quality, high performance risk management processes.

For more information, see the Product Advisory.

Filter Blog

By date: By tag: