
RSA Archer Suite

100 posts authored by: Steve Schlarman

The 2018 RSA Archer Summit, hosted in Nashville this year, is dedicated solely to RSA Archer customers - a unique opportunity to network and celebrate our vibrant community of professionals in the risk, compliance, GRC, security (and all of the other hats we wear) industry. This year's Call for Speakers deadline for the 2018 RSA Archer Summit has been extended to March 30, 2018. For those of you already submitting for the original February 28, 2018 deadline, please send in your submissions now; there is now additional time for you to get your submissions in for consideration.

As a reminder, we have three main topics for speakers to consider:

Business Risk Management in Practice

Sessions should focus on best practices in enterprise and operational risk management, IT risk management and security, operational risks, third party governance, compliance, business continuity risk or audit.  The audience for this track will be risk, security, compliance, audit and continuity professionals tasked with execution of these processes. Content should include best practices, case studies or war stories. Examples include how to identify, assess and monitor risks, risk assessments, security operations, BC/DR planning and compliance processes and how RSA Archer is being used in your organization to support these practices. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

 

The RSA Archer Journey

Sessions should focus on approaches, strategies and recommendations for the implementation of your business risk management program from an organizational perspective. The audience for this track will be individuals responsible for overall program execution, strategy, project managers, GRC champions or those tasked with getting a program up and running. Content should include case studies and recommendations for assessing maturity, changing organizational culture, building long term strategies or removing organizational barriers or obstacles. Examples include how to achieve consensus, measure value of the program, reporting on return on investments, organization change management or strategic roadmaps. The presentation should include an explanation of the approach taken (centralized, top-down, decentralized, federated, or some combination), the rationale, the phases of organizational achievement, and the major milestones in risk and compliance maturity.

 

RSA Archer Technical

Sessions should cover beginner to advanced uses of the platform, custom objects, data feeds, on demand applications, integrations, etc. The audience for this track is RSA Archer administrators, developers, integrators or those tasked with operational support of the RSA Archer platform. The content must include demonstrations of a business problem that is addressed using the RSA Archer platform. Screenshots, recorded or interactive demonstrations are required. This should be a "How To" presentation to instruct the audience on optimal platform configuration. Other technical presentations may cover topics such as the administration of the platform, backup/recovery, system architecture, etc.

 

In addition to submitting a presentation, you may also volunteer to participate in a Panel discussion. For those submissions, fill out the form and check “I am interested in participating in a panel discussion if this session is not selected.” If you are ONLY interested in participating in a panel and do not wish to submit a presentation, select that same option in the form and put the topics you are interested in speaking on in the Abstract of the submission form.

If you are contemplating submitting a session, know that this is a very rewarding experience. Presenting to your peers can be a bit unnerving but the satisfaction and return is worth it. To teach others is to learn about oneself. Thinking through your experiences, applying your new found knowledge and acknowledging your successes and lessons learned is as much of a benefit as imparting your wisdom to others.

The Submission process is simple:

  1. Download the form.
  2. Fill out the form completely.
  3. Send the form to RSAArcherSummit2018@rsa.com. Include “Speaker Submission” in the subject line.

 

If you have any questions or issues with the form, contact RSAArcherSummit2018@rsa.com.

MARK YOUR CALENDARS: The Call for Speakers ENDS MARCH 30, 2018.  

Selections will be communicated with speakers once the selection committee reviews all submissions.

Even if you aren’t looking to speak, don't forget to REGISTER.  Looking forward to seeing you in Nashville in August!

What were you doing 15 years ago? I was working at PricewaterhouseCoopers straddling multiple engagements ranging from helping some companies prepare for SOX (Is it really that long ago?) to developing CISO strategies to working on a little product that was to lead to my current tenure at RSA Archer. 15 years in this industry is a long time. A very long time. In the security world, 15 years ago the L0pht and Cult of the Dead Cow had slowly faded into the distance but information security was taking wild, bold new steps. I still had ToneLoc installed on my laptop for war dialing but we certainly saw huge technology shifts coming our way. GRC was just in its infancy.  Wikipedia says the first scholarly research was in 2007 but some forward leaning companies were already thinking in broader terms of compliance and risk management.

According to legend, a small group of individuals gathered in a hotel conference room - an equal number of Archer Technology employees and customers - to talk about a product just starting its journey. The Archer Summit (as it was called then) was born.  Some of you might have been there or work for companies that were part of that important event. Fast forward a decade and a half, and from that humble beginning, this event is on the cusp of celebrating its 15th Anniversary this August.

Registration for the 15th Annual RSA Archer Summit is open and last week I announced the Call for Speakers. The 2018 RSA Archer Summit, hosted in Nashville this year, is dedicated solely to RSA Archer customers in honor of our big anniversary.  The Summit is a unique opportunity to network and celebrate our vibrant community of professionals in the risk, compliance, GRC, security (and all of the other hats we wear) industry.

This year’s event will continue in the tradition of our user conferences. As with years past, we will have several tracks dedicated to risk, compliance and RSA Archer technical practices along with plenty of social events to learn and share from your colleagues. We will be within walking distance of B.B. King’s Blues Club (a personal highlight for me), the Country Music Hall of Fame and the historic Second Avenue District of Nashville. As always, it will be a great experience to broaden your horizons, dig into what is working for other companies and share your own insights.

The Summit will provide invaluable face-to-face opportunities to discover best practices, hear about the latest product innovations, network with other customers, and meet one-on-one with RSA Archer experts and executives. RSA Archer Summit 2018 is your chance to let us know what product advances you’d like to see in future releases, connect with other leaders in your industry and gain firsthand knowledge that you can’t get at your desk.

In the coming months, we will continue to share more information as the Summit gels together. Stay tuned for updates and get ready to plan your week. Meanwhile, check out some videos from last year's summit: Rohit Ghai's keynote on "The RSA Advantage", David Walter's keynote "The Future Vision of Risk Management", my keynote on "What the Wild West Taught us about Risk Management", or check out the RSA Charge 2017 materials available on RSA Link.

As we announced last year at RSA Charge, the RSA Archer Summit this year is in Nashville. Registration is now available on the RSA Archer Summit website.

I am pleased to announce this year’s Call for Speakers for the 2018 RSA Archer Summit is open.  Each year we have a wide range of submissions to contemplate as we build the conference agenda. Given the GRC and Risk Management universe is so broad, this year we are simplifying the categories for our education tracks.

There are three topics for speakers to consider:

Business Risk Management in Practice

Sessions should focus on best practices in enterprise and operational risk management, IT risk management and security, operational risks, third party governance, compliance, business continuity risk or audit.  The audience for this track will be risk, security, compliance, audit and continuity professionals tasked with execution of these processes. Content should include best practices, case studies or war stories. Examples include how to identify, assess and monitor risks, risk assessments, security operations, BC/DR planning and compliance processes and how RSA Archer is being used in your organization to support these practices. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

 

The RSA Archer Journey

Sessions should focus on approaches, strategies and recommendations for the implementation of your business risk management program from an organizational perspective. The audience for this track will be individuals responsible for overall program execution, strategy, project managers, GRC champions or those tasked with getting a program up and running. Content should include case studies and recommendations for assessing maturity, changing organizational culture, building long term strategies or removing organizational barriers or obstacles. Examples include how to achieve consensus, measure value of the program, reporting on return on investments, organization change management or strategic roadmaps. The presentation should include an explanation of the approach taken (centralized, top-down, decentralized, federated, or some combination), the rationale, the phases of organizational achievement, and the major milestones in risk and compliance maturity.

 

RSA Archer Technical

Sessions should cover beginner to advanced uses of the platform, custom objects, data feeds, on demand applications, integrations, etc. The audience for this track is RSA Archer administrators, developers, integrators or those tasked with operational support of the RSA Archer platform. The content must include demonstrations of a business problem that is addressed using the RSA Archer platform. Screenshots, recorded or interactive demonstrations are required. This should be a "How To" presentation to instruct the audience on optimal platform configuration. Other technical presentations may cover topics such as the administration of the platform, backup/recovery, system architecture, etc.

 

If you are contemplating submitting a session, know that this is a very rewarding experience. Presenting to your peers can be a bit unnerving but the satisfaction and return is worth it. To teach others is to learn about oneself. Thinking through your experiences, applying your new found knowledge and acknowledging your successes and lessons learned is as much of a benefit as imparting your wisdom to others.

I invite all of you to take a look across your implementation of RSA Archer and pull out those nuggets to share with your peers. The RSA Archer Summit is the perfect venue to help others navigate their own challenges and for you to pass on (and receive) knowledge and experience.

The process is simple:

  1. Download the form.
  2. Fill out the form completely.
  3. Send the form to RSAArcherSummit2018@rsa.com. Include “Speaker Submission” in the subject line.

MARK YOUR CALENDARS: The Call for Speakers ENDS FEBRUARY 28, 2018.  

Selections will be communicated with speakers once the selection committee reviews all submissions.

Texas. What’s the first thing you think of when you hear the name Texas? The Dallas Cowboys, football and Friday Night Lights? J.R. Ewing, oil rigs and Texas Tea? I like to picture scenes from the Wild West – cattle drives, gamblers playing Texas Hold’em and the dusty streets of Laredo. How about the largest GRC user group coming together to share experiences, learn about the risk and security industry and make new connections? They say everything is bigger in Texas and this year – we aim to make Texas proud.

That’s right, RSA Charge is right around the bend charging toward us like an old stagecoach careening through the sage brush and cacti of the Texas countryside. Hosted in beautiful Dallas, this year’s event is full of best practices, lessons learned, tips and tricks and the best GRC community experience this side of the Rio Grande – actually ANY side of the Rio Grande. With this being the 14th year of the Archer community gathering, this could very well be the most varied and strong collection of content we have ever had.

For those of you that haven’t looked into the Agenda, you will find it full of great sessions. We had a tremendous amount of submissions this year - over 200 submissions from customers and partners. After long hours and some tough decisions, we have rustled up the best of the best. Over 70 companies from a wide range of industries and geographies, along with a great representation of government agencies, are participating in our sessions this year.   We have a fantastic mix of old-timers – veteran presenters from Bank of the West, Citizens Bank, Humana, US Bank and others – and newcomers (just don’t call them tenderfoot!) – on the Agenda. Our customers’ stories, our sponsors’ insights and our product vision and roadmap will be on full display.

Just a few of the highlights:

  • We will have keynote addresses from RSA’s Rohit Ghai, Grant Geyer and Zully Ramzan. 
  • The RSA Archer SuperSession gives us the opportunity to gather as a community with keynotes and discussions highlighting RSA Archer’s vision and product strategy and industry perspectives.  As usual, we will also recognize our leading customers with our annual awards.
  • Marc Goodman, global security advisor and founder of the Future Crimes Institute will provide his unique perspective on the emerging threats of today’s business environment.
  • Our sponsors will be providing a wealth of industry expertise through their sessions and presence in our exhibition hall.
  • We will have great networking events, birds-of-a-feather lunches, hands-on labs, working groups and plenty of one-on-one time with your peers.

And so much more…

Over the next few weeks, the individual track owners will be giving you some highlights of the agenda through a series of blogs. Stay tuned to learn more about what is charging your way and make sure to register early. I look forward to seeing you in Dallas!

 

RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17 – 19 at the Hilton Anatole in Dallas, Texas.

So time flies… It seems like yesterday when the RSA customer community gathered in New Orleans to share experiences and learn new tactics and strategies. 2017 marked the 13th year of the RSA Archer user community summit and believe it or not, year number 14 is just around the corner.   Last week, we announced the call for speakers for RSA Charge 2017 and I cannot wait to start seeing the speaker submissions flowing in.  

We have put together a stellar team to construct the learning tracks to optimize your experience. As content chairperson for the RSA Archer portion of RSA Charge, I have the privilege of seeing this process unfold. While this will be my 9th user group conference with RSA and Archer, it is still inspiring to hear you tell the stories of your successes - how you overcame challenges or leveraged an innovative approach to deliver strategic value to your organization.

If you are contemplating submitting a session, know that this is a very rewarding experience. Presenting to your peers can be a bit unnerving but the satisfaction and return is well worth it. To teach others is to learn about oneself. Thinking through your experiences, applying your new found knowledge and acknowledging your successes and lessons learned is as much of a benefit as imparting your wisdom to others.

A few topics come to mind as food for thought if you are looking for ideas:

  • We always welcome stories about how your long term strategies unfolded in your companies. Our Take Command of Your Risk Management Journey track is dedicated to hearing how you built your plans, gathered forces and conquered the difficult path that risk and compliance efforts can sometimes take.  
  • As the market moves toward concepts of Integrated Risk Management, the Inspire Everyone to Own Risk track needs content focused on engaging all lines of defense to manage risk. How your company is blending different risk initiatives - Operational Risk, Resiliency, 3rd Party Risk and Audit – is a topic of keen interest.
  • We can’t forget the Compliance world either. Many of your GRC and risk management efforts were borne out of compliance drivers and our Transforming Compliance track is THE place to tell your tale. One topic that keeps coming up is the impending General Data Protection Regulation (GDPR). Any story of how your organization was better prepared for GDPR or any new regulation based on the RSA Archer implementation is a great learning topic for all participants.
  • And what RSA user group conference is not complete without stories of how IT & security risk is being managed. RSA Archer has a great legacy when it comes to helping IT & security teams manage risk processes. Vulnerability and threat management, security incident processes, IT compliance and general IT risk strategies are top of mind subjects for every organization today and perfect for the Managing Technology Risk in Your Business track.
  • Last but certainly not least are the RSA Archer Technical Tracks. This is where the innovation, creativity and expert chops of RSA Archer administrators come to the forefront.   The topics in these tracks range from inventive workflows to state-of-the-art API integrations and more.

I invite all of you to take a look across your implementation of RSA Archer and pull out those nuggets to share with your peers. RSA Charge is the perfect venue to help others navigate their own challenges. Hope to see and hear you in Dallas!

Check out our webinar on preparing to submit your proposal.

Another year, another RSA Conference. At this point, I have lost count of my appearances at this annual gathering of all things security – I believe it was number 15 or 16 for me. I say “appearances” because the days blur into such a steady stream of meetings, discussions and general sensory overload that at the end of the week, I know I ‘appeared’ many places, but still wish I had time to participate in more. There is so much that happens at this event it can be both inspiring and intimidating. A walk through the Exhibitor floor quickly gives one the sense of magnitude of our industry. So when I reflect back on the conference, it feels as if someone sat on the fast forward button on the remote control for my DVR and flashed through the episodes of The Big Bang Theory, Marvel Agents of S.H.I.E.L.D. and Scandal waiting for me when I return from the conference.

First up, RSA Conference is a collection of geniuses contemplating a massive digital universe. Just like the Big Bang Theory, brain power plays a big role in fueling our industry. The innovation and pure technical skill of the security profession is on full display at RSA Conference. But the cast of the Big Bang Theory is more than a bunch of techie whizzes spouting geeky Star Trek references. The stories contain genuine friendship, acceptance and diversity as the characters navigate their lives. At RSA Conference this same sense of community can be felt. It is evident that the security world is a small world with many old friends coming together to share their diverse experiences and thoughts.

Next, Marvel’s Agents of S.H.I.E.L.D. For those fans of the TV show, you know that the team of agents work fearlessly to keep the world safe.   We have our own version of these agents in our industry. No security event would be complete without the many super heroes fighting the forces of evil.   Our industry is on the front lines of some serious conflicts. As Zully Ramzan stated in his eloquent keynote, the security and risk profession is the barrier between opportunity and the edge of chaos.

Finally, the intrigue of Scandal awaits.   Scandal, if you haven’t seen the show, has an endless series of twists and turns as the characters weave their way from one treacherous skirmish to the next.   While I suspect most organizations do not face the political turmoil chronicled in the TV show, businesses today face a constantly shifting environment of threats that would seriously challenge Olivia Pope, the savvy protagonist of Scandal. The threats facing organizations today are immense and require individuals dedicated to doing the right thing. In Scandal, they are referred to as ‘gladiators’ and our industry is full of them.

This year’s RSA Conference had many highlights. But the highlight for me, is that this conference, year after year, continues to push our industry forward. Great minds come together and share experiences. Those new to the profession learn new skills; seasoned veterans are inspired to keep learning.   I am proud that RSA is such a vibrant contributor to this conference. Whether we are inviting you to reimagine your identity strategy, push the boundaries of the detection of attacks, ignite your business risk management program or get out in front of fraud, RSA continues to change the game and help organizations implement business driven security. It was a great conference for 2017…I can’t wait to appear at RSA Conference 2018.

If as a child you marveled at watching the simple, fascinating micro-example of physics of a pebble dropped into a puddle, you know what the results are. The pebble drops; the water’s surface is broken; ripples fan out from the point of impact… such an unassuming yet beautiful study of cause and effect.   Now imagine instead of a puddle, it’s a lake, with stones dropping at a continuous and rapid rate, all in different spots. I am sure you can visualize the effect - the water agitated in all directions, waves tossing to and fro…

Many organizations today face this churn when it comes to risk. It is not that organizations aren't thinking about risk. Survey after survey indicates risk is a board level topic. But the rocks keep falling. Those that are tasked with managing risk are riding the roiling waves. Issues are identified through a variety of sources such as audits, risk assessments and security assessments but are not managed properly to closure. Prioritization of these issues is near impossible because there is no common understanding of the business criticality of the business assets and processes affected by these issues. Companies then lack any consolidated view of general risks or have a very manual (spreadsheet-based) approach to cataloging and assigning risks. And the lake and those falling rocks aren't always in the control of your company. Third parties (outsourcers, contractors, service providers, business partners, etc.) are becoming increasingly important and organizations just don't know what entities are impacting their risk profile.

To address this churn, RSA Archer is pleased to announce the RSA Archer Ignition Program - a fast track approach to launch a business risk management strategy. To strategically address risk, enterprises need a strong foundation for their program. While the risk management program vision may be a long-term initiative, there are some specific areas that need to be addressed at the beginning of the effort that not only provide quick value to the organization but set up a much healthier and sounder foundation for the future. A strategic foundation needs:

  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes;
  • A Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor Risks to establish a strategic method to view and understand risks across the enterprise; and
  • The ability to identify and track Third Parties used by the business to understand the emerging ecosystem that affects business risk.

 

The RSA Archer Ignition package includes integrated use cases to address these four key areas via RSA Archer Use Cases with Quick Launch services and education offerings to get your program off the ground quickly.   This package is priced and scoped based on the size of the organization allowing you to maximize your initial return on your investment.   Once your organization gets these processes in place, RSA Archer provides a maturity driven approach to build on these foundations to develop a strategic approach for Business Risk Management.   Our suite of use cases allows you to grow your risk management program to the level of maturity necessary for your business and ensure your lake, while still full of waves, is manageable and navigable.

For more information, see the RSA Archer Ignition Program.

What a week! This pre-Halloween week, we held RSA Charge 2016 in New Orleans, the most haunted city in America - and what a phenomenal turnout! We're thrilled to have more than 2,000 attendees join us this week to share best practices for GRC, security and business risk management and to gain invaluable insights from their peers and subject matter experts alike. And the stories shared at RSA Charge are just a small sampling from the more than 1,300 organizations who have implemented Archer.

 

The spirits of RSA Archer gatherings past – this being our 13th year – give us this opportunity to look at how much the industry has grown and how GRC is shifting. Risk and compliance management is out of the shadows, transitioning from a functional role to an enterprise-wide strategic perspective. Looking at the “Ghosts of GRC Past, Present and Future” helps provide perspective on the continuing growth and transformation of this increasingly business-critical practice.

 

The “Ghost of GRC Past” had organizations trying to keep up with new regulations and emerging compliance requirements.  GRC was anything but a strategic program for the business, focusing on very discrete problems and a few, select processes. Archer was there in 2000 at GRC’s beginning, as companies began investigating technology enablers.

 

The "Ghost of GRC Present" has companies formally adopting practices based on industry and international standards, implementing combined strategies to tie together data and consolidate processes, and instituting frameworks to guide procedures. While technology is a cornerstone of risk management strategies, many organizations still have "skeletons in their closet": pockets of disconnected risks that can cause serious damage.

 

The “Ghost of GRC Future” shows growing emphasis on determining how risks impact your company’s overall performance. The very strategies that fuel your company’s growth are the same initiatives that introduce more risk into your organization. GRC can no longer be considered separate from business strategy and objectives, and evolves to become Business Risk Management.

 

Business Risk Management is more than connecting dots - it's anticipating where the next dot will be. That means gathering the right information from the right sources to get the complete risk picture you need to analyze and predict your risk landscape, rather than merely survey it. Clearly, it's time for the "Ghost of GRC Past" to be laid to rest. It's time to evolve beyond GRC to Business Risk Management.


We have all had that moment walking out of the shopping mall or the airport.  Everyone knows the feeling when that rush of doubt takes hold of our brains.  We stand frozen and frantically wait for our cerebral cortex to do its thing and pluck that single memory out of our vast network of synapses… “Where did I park my car?”   I am pretty sure this momentary lapse of memory has something to do with the radiation levels of the lights in Exit signs.  The frequency that I experience such occurrences couldn’t be the result of distractions from the avalanche of my daily thoughts and surely has nothing to do with my age.

For those of you who have been seeing the communications about RSA Charge, I hope you have not suffered this same tinge of hesitation. Of course, I am referring to any questions as to the whereabouts of the legendary RSA Archer Summit, the premier GRC event of the year. The Archer Summit is alive and waiting for you - parked in a well-lit, spacious place, protected and ready to go - at RSA Charge.

Last year, the Archer Summit was referred to by name and co-located with RSA Charge as the user event for all RSA products. This year, we have completed the transition and now refer to the entire event as RSA Charge. RSA Charge harnesses the innovative power of thought-leaders, industry experts and the RSA community, providing you with insightful educational sessions, hands-on training, and valuable expert & peer networking opportunities.

In the tradition of the Archer Summit, we will have many customer led sessions highlighting the most innovative and forward thinking GRC programs.   You will learn how to inspire your organization to own risk.  We will discuss approaches, strategies and recommendations for building organizational capabilities that bring maturity to your overall risk and compliance program.   Case studies ranging from how companies are approaching critical IT Security and IT Risk challenges to how Archer is used to transform compliance programs will give insight that can immediately be applied when you return to your desk after the conference.   Technical presentations, labs and training will dig into the details for beginners and advanced administrators.

This year will be the 13th gathering of Archer customers.  Every year the assembly has gotten bigger and better.  With RSA Charge 2016, you will feel like you walked out to the parking lot and your 2003 Toyota Camry has transformed into a 2016 Tesla Model S.

RSA CHARGE 2016 will take place in New Orleans, LA, from October 25 – 27!  I hope you will mark the date on your calendars and join me in beautiful New Orleans, to experience in-depth sessions, insightful conversations, interactive product experiences, and much more.

For more information or to register, go to http://charge.rsa.com

We have all heard the adage that great things come in threes. Stooges. Pigs. Blind Mice. The list goes on and on. I am very pleased to announce another thrilling combination of three - Gartner Magic Quadrants. EMC (RSA) has been positioned in the Leaders quadrant in three Gartner Magic Quadrants: Operational Risk Management, IT Risk Management and IT Vendor Risk Management.


Today, every organization is facing risk from multiple angles.   The business must understand and respond to risks within operations on a daily basis.   Third parties, vendors, suppliers and a host of other participants in the business create a complex ecosystem that must be managed appropriately.  Finally, IT risks ranging from security to resiliency to technology strategy must be tackled for organizations to fully leverage the immense benefits of technology innovations to drive business growth.     The combination of these three vectors of risk produces a tremendous challenge as companies seek to exploit business opportunities while keeping risk in check.

 

We believe these reports highlight RSA Archer’s commitment to providing organizations with the most comprehensive solution to take command of your risk.  Through our partnerships with our customers and our continued execution towards the goal of inspiring everyone to own risk, we are honored to be recognized by Gartner as a leader in these markets.

For more information, visit our special Gartner Magic Quadrant page.

RSA Archer GRC 6 (6.0) was launched in November 2015 under the theme “Inspire Everyone to Own Risk.”  GRC 6 focused on providing organizations with an industry leading GRC platform to transform risk management by engaging everyone within an organization in the risk process. Today, organizations must implement the “three lines of defense,” making risk part of corporate culture at every level, in every role. The enhanced user experience, advanced workflow and task-driven dashboards introduced with GRC 6 allow business users to quickly and easily understand and complete their assigned risk-related tasks using a centralized platform.

 

I am very pleased to announce the launch of RSA Archer GRC 6.1.  This release takes the theme of “Inspire Everyone to Own Risk” to the next level. Through the implementation of integrated use cases, GRC 6.1 enables organizations of all sizes, regardless of the level of maturity in their GRC program, to implement RSA’s enterprise-class GRC platform. While the journey to risk and compliance maturity varies by organization, RSA Archer’s use case approach, newly implemented in GRC 6.1, nurtures successful risk and compliance programs by enabling customers to start small, seek quick wins, and plot a long-term risk and compliance strategy based on their organization’s objectives.

 

Key highlights of this release:

Our solution areas – Audit Management, Business Resiliency, IT & Security Risk Management, Enterprise & Operational Risk Management, Regulatory & Corporate Compliance Management, Third Party Governance, and Public Sector Solutions – now consist of individual use cases designed to solve specific risk and compliance needs. We have implemented a maturity-driven use case approach to help organizations of all sizes and business needs realize their risk management strategies:


  • Foundation use cases provide a starting point for organizations that are just beginning their GRC journey. These use cases enable organizations to move away from spreadsheets to gain efficiency, accountability and visibility in managing issues and risks.
  • Managed use cases provide organizations that have more mature GRC programs the ability to connect processes to collaborate across several risk functions within the business, integrate multiple data sources, and focus on building repeatable, consistent processes that bring consolidated risk visibility to the organization.
  • Advantaged use cases transform risk into a competitive advantage for the organization. These use cases allow your program to connect risks to business objectives, enabling an open dialog and the visibility necessary to move beyond managing risk to anticipating the business’ needs.

 

All RSA Archer solutions and use cases have undergone updates with the new user interface and features of GRC 6.1. In addition, we’re introducing enhanced functionality for:

  • Business Impact Analysis – a Foundation use case that offers robust assessments allowing business process owners to understand the criticality of their processes based on seven impact categories: financial, compliance, data integrity, data confidentiality, strategic, reputation, and operational.
  • Issues Management – a Foundation use case that engages control owners to own risks and issues related to their business domains. Control owners can manage findings, remediation plans and handle exception requests in one central location, and use Advanced Workflow capabilities to route issues to the right team.
  • Operational Risk Management – an Advantaged use case for the RSA Archer Enterprise & Operational Risk Management solution, it now offers additional assessment targets to allow a risk manager to initiate Control Self-Assessment (CSA), Risk and Control Self-Assessment (RCSA) or Process, Risk and Control Self-Assessment (pRCSA) campaigns focused on business process, business unit, or product/service.
  • Information Security Management System (ISMS) – a use case designed specifically to manage the ISO:27001/2 certification process for organizations implementing the internationally recognized information security standard.

 

A company’s success hinges on its ability to drive growth across the business.  With growth comes risk.  Every growth strategy depends on leveraging today’s constantly shifting technology landscape intrinsically linking cyber and business risk.  RSA Archer, as a recognized leader in both operational and IT risk, enables effective risk management practices that address cyber risk and business risk on equal terms and provide a consolidated view of risk to executives and practitioners.   Built on a common, centralized RSA Archer GRC Platform, RSA Archer GRC 6.1 enables all organizations to own risk with a broad offering of use cases based on risk type -- cyber risk, operational risk, regulatory compliance, business resiliency, third party governance, and audit -- as well as the level of maturity of the organization’s GRC efforts.

 

We have created a host of resources to learn more about this release.  To start, watch our Solution videos to get more information on the RSA Archer Suite of GRC solutions.   For customers and partners, the best place to start is the “Everything 6.1” page on RSA Link.   From videos to white papers to data sheets, this page is a launching point for you to investigate everything that RSA Archer 6.1 offers.  In addition, we have several upcoming webcasts and Tech Huddles highlighting new use cases and features.

In April, I wrote two blogs (How Hungry… and Appetite and Exercise) on the concept of risk appetite. I highlighted the fact that organizations must take on risk to drive growth within the business. That risk must be balanced with activities to manage the risk within a tolerance that is acceptable to the organization. Some organizations will be forward leaning and willing to accept more risk or invest heavily in mitigating risks. Other organizations will be more risk averse.   Where your organization sits in this spectrum should be an ongoing dialogue within your risk management strategies.

 

Today, the convergence of business and digital risk is undeniable. Business growth and technology strategies are intimately connected.  For example, expectations of healthcare providers are driving IT innovation in clinical analytics, call centers and connectivity of wearable devices. Financial services companies are constantly pushing boundaries for better customer service. Every industry is seeing this renaissance in how technology fuels business growth. With that connection comes the irrefutable union of risk. While business initiatives seek to create value, risk management efforts seek to protect value. “Value” is the common language that both sides of that equation should understand.

 

I am pleased to announce a new white paper “Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise”.  This paper begins our exploration of Cyber Risk expanding beyond the discussion of security threats into the broader dialogue of how technology, risks and sources of exposure affect your organization.

 

One highlight of the paper is the definition of categories of cyber risk.  While the topic of security threats MUST be on the table for all organizations, thinking in broader terms of how technology is fueling your business is also an imperative. The categories include the intersection of Internal or External sources of risk with Malicious or Unintentional motives of threats. This simple quadrant classification gives perspective around the variety of cyber risks your organization faces today and an easy method to organize your efforts.

 

Ask yourself and your risk management peers to what extent do you believe your organization has a clear understanding of its exposure to cyber risk?  Does the organization view cyber risk beyond the headline grabbing data breaches and security threats?  At what point does your organization escalate cyber events (breaches, disruption, etc.) to the most significant level?   These and other indicators will give you a sense of how cyber risk is perceived and what the appetite level is within your organization. I invite you to read the paper and start the dialogue in your organization around cyber risk appetite.

 

Read RSA’s press release in our newsroom. 

 

Also, listen to the new September 13 panel webinar from Risk.Net, 'Cyber Risk: Systematic Threats and Business Continuity Management'

 

Check out RSA's Cyber Risk Appetite microsite for more information.


RSA Charge is the pinnacle conference for Governance, Risk and Compliance and the premier event for RSA Archer every year.  The insights, networking, friendships and experiences shared not only help attendees with their day to day jobs but broaden their careers.   I can personally attest to the value of presenting at conferences such as RSA Charge.  Having been a presenter in countless conferences (and yes, I have been around long enough to consider it countless), I know the commitment and courage it takes to get up in front of a room full of peers and share your own thoughts and opinions.    However, the benefits far outweigh any trepidation or fear.    Making myself rein in my experiences, put together a thoughtful presentation and then share them with my fellow GRCers has given me the best opportunity to learn and grow.

 

For this year's RSA Charge, we have created six tracks for presentations.  Our approach was based on our key messages and themes:

Taking Command of Your Journey

Sessions should focus on approaches, strategies and recommendations for building organizational capabilities that bring maturity to your overall risk and compliance program. Content should include maturation criteria, organizational barriers or obstacles and how they were overcome, and case studies or war stories. Examples include how to achieve consensus, measure value of the program, maturity processes, etc. The presentation should include an explanation of the GRC approach taken (centralized, top-down, decentralized, federated, or some combination), the rationale, the phases of organizational achievement, and the major milestones in risk and compliance maturity.

 

Inspiring Everyone to Own Risk

Sessions should focus on how you were able to inspire your organization to own risk - especially in terms of the Three Lines of Defense.  Risks could include operational risks, third party risk, resiliency or enterprise risk. Content should include best practices, case studies or war stories. Examples include how to identify, assess and monitor risk, track loss events, model processes, audit risk, etc. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

 

Where Cyber Risk Meets Business Risk

Sessions should focus on the approach for leveraging Archer solution(s) to solve a critical IT Security and/or IT Risk business problem. Content should include best practices, case studies or war stories. Examples include how to integrate security tools, address remediation activities, respond to incidents, manage IT Security policy & compliance, IT Business context, etc. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

 

Transforming Compliance

Sessions should focus on how your organization transformed compliance processes by leveraging Archer solution(s) to solve a critical Corporate and/or Regulatory Compliance or Industry challenge. Content should include best practices, case studies or war stories. Examples include how to develop policies and standards, measure controls, report on compliance posture, audit program management, etc. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

 

We also have two tracks open for Technical presentations - Basic and Advanced.

Sessions should cover beginner to advanced uses of the platform, custom objects, data feeds, on demand applications, integrations, etc. The content must include demonstrations of a business problem that is addressed using the RSA Archer platform. Screen shots, recorded or interactive demonstrations are required. These should be a “How To” presentation to instruct the audience on optimal platform configuration.  Other technical presentations may cover topics such as the administration of the platform, backup/recovery, system architecture, etc.

 

I highly suggest you submit to present.  Don't discount your story. If you are in the early phases of your GRC program or Archer implementation, your insights can help others in the same situation.   For those of you with mature programs or Archer implementations, sharing use cases, lessons learned or tips and tricks –from a practitioner, technical or program management perspective – can provide inspiration to others.   Don't miss this opportunity to share your experience with others.  Your peers will benefit from your story and  you will be sure to learn something from the experience.

 

Call for Speakers

 


As someone who tries to watch my diet, I know how hard it is to deal with your own appetite.   Several things that are my weakness – fresh bread, cold beer, pizza, the list goes on – are definitely not the best elements for a balanced diet.  However, at times, my appetite gets the better of me and, before I know it, the breadbasket or mug is empty.  We all face that gnawing hunger at times.  It is inevitable.   When it comes to RISK within your organization though, appetite takes on an entire new meaning.  Too much risk is like too much pizza.  Your organization becomes bloated with risk, the arteries clog and eventually the business will succumb to some bad ending in one way or another. However, if you don’t take some risk, your business will lack the nutrients for healthy growth and wither away as your competitors beat you in the market.  Maintaining a balanced diet and maintaining a good balance of risk in your business are very similar.  Appetite plays a big role in both.

 

The most burning question within every organization today – regardless of industry, size or geography - is “What’s next?”  Where is the business going?  What will be that growth engine that propels this company to the next level?  The next obvious question seems to be ‘Where does technology fit into the equation?’ Every business strategy today, whether it’s a new product or service or a new way to connect with customers or a new approach to eke out more efficiencies in your business processes has a technology component.  The right combination of technology and business growth strategy can be a powerful propellant for your business.   However, each element of that combination has an underlying current of risk.  Hence at some point, the conversation of appetite will arise – what is the right balanced diet of risk to drive growth without becoming unhealthy.

 

This balance hinges on an understanding of the levels of tolerance within the organization.   Even without specifically talking about risk appetite, organizations (or the people running those organizations) inherently have some sense of what is acceptable and what is out of bounds.  Does your technology organization rush to implement the latest operating systems or versions of applications?  What is the lead time it takes to upgrade hardware? Risk appetite and tolerance is woven into operational processes in many ways – it just isn’t called out explicitly. In some instances, though, it is very much a part of an operational process such as patching high risk vulnerabilities quickly.

 

The point is that a Cyber Risk Appetite as a concept is an inherent part of managing technology today. Current security and risk programs must establish a dialogue on appetite and tolerance between technologists and the business.  Since today you cannot separate business and technology risk, building a view of what the balanced diet needs to be must cross the entire spectrum of cyber risks. Hence the discussion of Cyber Risk goes beyond the conversation of pure cybersecurity threats.   The malicious outsider is a well discussed topic – and rightly so.  But for today’s executive discussion, the conversation must also include additional elements of cyber risk.  The challenge is for the business people to clearly understand where cyber risk plays a role in the business strategies, and for the technology people to connect the risks to the business with the technology efforts.  Connecting these two elements of risk, though, can be a significant struggle for many organizations.

 

Establishing what your Cyber Risk Appetite is will be a journey of maturity within the organization.  Right now, most likely there is already a sense of what is acceptable and what is not.  In some organizations that discourse may be an integral part of your risk approach.  If it is not, raising that conversation above the sub-conscious to become a part of the ongoing dialogue between the risk management and business segments of your organization will fuel better decisions as your organization balances out its diet and deals with that gnawing hunger for growth.


Issues – we all have them.   I should clarify that statement.   I am not talking about you personally or referring to the ‘lie on the couch, tell me about your relationship with your mother’ types of issues.  I mean – all organizations have issues.   Some are big and some are little but all organizations find gaps in their processes that cause some level of concern.

Security, risk and compliance professionals must feel like therapists at times.  Every Risk and Compliance process identifies issues and most organizations end up with a virtual yellow legal pad of issues (just like a therapist uses).  The story is always the same:  an issue is found and then cataloged in some spreadsheet.  That spreadsheet is then emailed around to various parties who dispute the issue, plan the remediation or assess the risk.  Ultimately, that issue becomes a bullet point on some presentation for management to review.  The spreadsheet ends up on some file share and hopefully, the correct actions are taken to close the Issue mitigating the risk.

This process is replicated across the spectrum of risk and compliance processes.  Risk assessments identify possible risks.  Compliance assessments find ineffective controls. Security assessments find vulnerabilities.  Audits identify regulatory or compliance gaps.   That is the nature of GRC – find those areas where the business is at risk.   Each one of those issues represents a possible exposure for the organization.  That control gap could lead to a compliance violation; the security vulnerability could lead to a data breach.  The longer those issues sit, the more likely something bad will come out of it.

I call this phenomenon “The Issues Pit”.   Scattered lists of issues and findings in various documents (Excel, Word, Exchange, Sharepoint) with no consolidated view of outstanding issues related to audits, compliance or risk assessments leads to missed issues that fall through the cracks.  Limited documentation on current or planned remediation efforts to address open risks can lead to missed deadlines or poorly planned projects to remediate identified exposures.  All of this spells doom – or possible doom – for the organization.

Issues Management is one of the foundations of governance, risk and compliance.  Regardless of your level of maturity in risk management, there are issues being raised by some processes.  How those issues are treated and tracked is the deciding point of failure for many organizations.  Sometimes things are missed and there are consequences.  That happens.  But too often, known issues are the root cause of serious consequences such as breaches of personal information, a business disruption or a repeat audit finding.

What can be done?

First, identifying the processes that raise issues to the surface is the best place to start.  Where do the issues come from in the first place?  What is the method of delivering the issue (audit report, spreadsheet, automated system)?  Who owns the process that finds the issues?

Second, determine how issues can be consolidated.  Once you know which processes are identifying the issues and how those issues are delivered, defining a common taxonomy to describe the issue is necessary to start consolidating.  What makes an issue?  What are the best descriptors to “bucket” issues such as business unit, business process, application or organizational function?

Third, work out the process that communicates, tracks and manages the issues.   Issue resolution will be owned by various parties so keep in mind prioritization will be critical in how issues are presented.  Designing a process to fold in more and more business context (what the issue really means in terms of business risk) should be part of the long term plan.
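The three steps above, worked through as an added example (not RSA Archer code or anything from the original post): three constructed issue feeds with different column names are mapped onto one common taxonomy (business unit, application, a shared severity scale), bucketed, and prioritized with an escalation for issues that have been left sitting. All feed contents, field names and the scoring weights are hypothetical.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Step 1: the processes that raise issues, each delivering them in its own shape.
# Constructed sample records, not real findings.
AUDIT_FINDINGS = [
    {"ref": "A-17", "bu": "Retail Banking", "app": "CoreLedger", "rating": "High",
     "opened": "2016-01-12", "text": "Access reviews not evidenced for Q4"},
]
COMPLIANCE_GAPS = [
    {"control": "AC-2", "unit": "retail banking", "system": "CoreLedger",
     "result": "Ineffective", "found_on": "2016-02-03",
     "desc": "Orphaned accounts remain active"},
]
VULN_SCAN = [
    {"host": "web01", "owner_bu": "Retail Banking", "application": "OnlineBanking",
     "cvss": 9.1, "first_seen": "2016-03-20", "title": "Outdated TLS library"},
]

# Step 2: one common record type, the taxonomy every source is mapped onto.
@dataclass
class Issue:
    source: str
    source_ref: str
    business_unit: str
    application: str
    severity: int          # common scale: 1 (low) .. 4 (critical)
    opened: date
    description: str

def canonical_unit(name: str) -> str:
    """One spelling per business unit so 'retail banking' and 'Retail Banking' bucket together."""
    return " ".join(w.capitalize() for w in name.split())

RATING_MAP = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def cvss_to_severity(score: float) -> int:
    """Fold a CVSS base score onto the shared 1..4 scale (assumed thresholds)."""
    if score >= 9.0:
        return 4
    if score >= 7.0:
        return 3
    return 2 if score >= 4.0 else 1

def consolidate() -> list[Issue]:
    """Pull every source into the one register; only ineffective controls become issues."""
    issues = []
    for a in AUDIT_FINDINGS:
        issues.append(Issue("audit", a["ref"], canonical_unit(a["bu"]), a["app"],
                            RATING_MAP[a["rating"]], date.fromisoformat(a["opened"]), a["text"]))
    for c in COMPLIANCE_GAPS:
        if c["result"] == "Ineffective":
            issues.append(Issue("compliance", c["control"], canonical_unit(c["unit"]), c["system"],
                                3, date.fromisoformat(c["found_on"]), c["desc"]))
    for v in VULN_SCAN:
        issues.append(Issue("security", v["host"], canonical_unit(v["owner_bu"]), v["application"],
                            cvss_to_severity(v["cvss"]), date.fromisoformat(v["first_seen"]), v["title"]))
    return issues

def bucket(field: str) -> dict[str, int]:
    """Count open issues per taxonomy descriptor (business_unit, application, ...)."""
    return dict(Counter(getattr(i, field) for i in consolidate()))

# Step 3: prioritize for the owners; older issues creep up so nothing sits forgotten.
def priority(issue: Issue, today: date) -> int:
    months_open = (today - issue.opened).days // 30
    return issue.severity * 10 + min(months_open, 12)

def register(today: date) -> list[tuple[str, str, int, str]]:
    """Consolidated view, highest priority first: (unit, application, priority, source:ref)."""
    rows = [(i.business_unit, i.application, priority(i, today), f"{i.source}:{i.source_ref}")
            for i in consolidate()]
    return sorted(rows, key=lambda r: -r[2])
```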

In December, I participated in a webinar through Compliance Week discussing Issues Management.  We talked about the “Issues Pit” and strategies to address this critical part of your GRC program.  Our customer panelist shared his experience with this pressing issue and gave some great advice on how to think about improving your Issues Management process.  In addition, check out this short video that shows how RSA Archer can help with your Issues Management process.
