
RSA Archer Suite

101 Posts authored by: Steve Schlarman Employee


Issues – we all have them.   I should clarify that statement.   I am not talking about you personally or referring to the ‘lie on the couch, tell me about your relationship with your mother’ types of issues.  I mean – all organizations have issues.   Some are big and some are little but all organizations find gaps in their processes that cause some level of concern.

Security, risk and compliance professionals must feel like therapists at times.  Every Risk and Compliance process identifies issues and most organizations end up with a virtual yellow legal pad of issues (just like a therapist uses).  The story is always the same:  an issue is found and then cataloged in some spreadsheet.  That spreadsheet is then emailed around to various parties who dispute the issue, plan the remediation or assess the risk.  Ultimately, that issue becomes a bullet point on some presentation for management to review.  The spreadsheet ends up on some file share and hopefully, the correct actions are taken to close the Issue mitigating the risk.

This process is replicated across the spectrum of risk and compliance processes.  Risk assessments identify possible risks.  Compliance assessments find ineffective controls. Security assessments find vulnerabilities.  Audits identify regulatory or compliance gaps.   That is the nature of GRC – find those areas where the business is at risk.   Each one of those issues represents a possible exposure for the organization.  That control gap could lead to a compliance violation; the security vulnerability could lead to a data breach.  The longer those issues sit, the more likely something bad will come out of it.

I call this phenomenon “The Issues Pit”.   Scattered lists of issues and findings in various documents (Excel, Word, Exchange, SharePoint) with no consolidated view of outstanding issues related to audits, compliance or risk assessments lead to missed issues that fall through the cracks.  Limited documentation on current or planned remediation efforts to address open risks can lead to missed deadlines or poorly planned projects to remediate identified exposures.  All of this spells doom – or possible doom – for the organization.

Issues Management is one of the foundations of governance, risk and compliance.  Regardless of your level of maturity in risk management, there are issues being raised by some processes.  How those issues are treated and tracked is the deciding point of failure for many organizations.  Sometimes things are missed and there are consequences.  That happens.  But too often, known issues are the root cause of serious consequences such as breaches of personal information, a business disruption or a repeat audit finding.

What can be done?

First, identifying the processes that raise issues to the surface is the best place to start.  Where do the issues come from in the first place?  What is the method of delivering the issue (audit report, spreadsheet, automated system)?  Who owns the process that finds the issues?

Second, determine how issues can be consolidated.  Once you know which processes are identifying the issues and how those issues are delivered, defining a common taxonomy to describe the issue is necessary to start consolidating.  What makes an issue?  What are the best descriptors to “bucket” issues such as business unit, business process, application or organizational function?

Third, work out the process that communicates, tracks and manages the issues.   Issue resolution will be owned by various parties so keep in mind prioritization will be critical in how issues are presented.  Designing a process to fold in more and more business context (what the issue really means in terms of business risk) should be part of the long term plan.

In December, I participated in a webinar through Compliance Week discussing Issues Management.  We talked about the “Issues Pit” and strategies to address this critical part of your GRC program.  Our customer panelist shared his experience with this pressing issue and gave some great advice on how to think about improving your Issues Management process.  In addition, check out this short video that shows how RSA Archer can help with your Issues Management process.

Today’s business environment is fraught with risk. Economic, technology and market conditions affect organizations on a daily basis. The constantly “changing risk landscape” is a discussion point in headlines, industry forums, media outlets and board rooms.   Risk management will become the core capability which separates winners from losers. Organizations that understand and manage risk effectively will prosper while those that can’t will fail.  Success starts with the ability to manage risk in a manner that frees up resources to focus on the company’s long term, strategic objectives. Risk Intelligence gives companies the confidence to harness risk to explore new opportunities.

The RSA Archer Risk Intelligence Index is a simple measurement of the six major dimensions of risk management that organizations must address in order to turn risk into a competitive advantage to fuel the enterprise.  In October 2015, RSA completed a global survey of almost 400 organizations to gather insight into current trends and perceptions regarding Risk Management. The survey utilized RSA’s proprietary Risk Intelligence Index to ask questions around key areas of risk and how organizations are addressing the changing risk landscape.

I am happy to announce the publication of an eBook highlighting the results from the survey.

Download the eBook here.

There is no question organizations today are in a rapidly changing risk environment and the pressure to improve risk management practices is being driven top down from boards and executives. Managing a cultural shift from the reactive checking the box of compliance to a more proactive risk management model requires change and participation across the organization. A cohesive risk environment protects against loss while supporting as much growth as possible.  But this shift relies on common processes for measuring and reporting risk postures across the enterprise being integrated into daily business practices. Plus, organizations must be able to share risk information with stakeholders, provide a thorough understanding of the risk environment, and communicate the potential impact risk could have on the business, both good and bad. When you can proactively link risk management to business objectives, risk becomes a new source of competitive advantage.


In addition,  given the velocity at which risks continue to emerge, risk management can no longer be the sole responsibility of the risk professional. While the risk management team is a critical part of the organization’s risk management framework, business units or operations management must be more directly involved in the identification, assessment and remediation of risk. Business unit managers are the most likely to know what is going on within their business units, what is changing, what risks are emerging and what risk treatments are being implemented. Business units have the best knowledge of which controls are operating and which are not, and they are ultimately accountable for their risk and internal control framework.


Hence the many drivers for Governance, Risk and Compliance are churning away and technology is a key part of those strategies.  When you think of GRC technology solutions, most people immediately focus on the technology itself. However, technology is not just about writing code. Technology today is about inspiring people to change the way they think and live. Think about the piece of technology everyone has in their pocket or purse today. Mobile technologies inspire people to change the way they live every day. They connect to old friends through Facebook, they manage their finances on a daily basis through mobile banking and monitoring stocks, they share a picture of their lunch on Instagram.


GRC solutions must do the same. They need to INSPIRE the users to change the way they think about compliance and risk. Just as the GRC program needs to change the way the business unit managers and front line employees conduct their business, the technology underpinning that effort needs to fuel that shift in thinking.


This is why I am so pleased to announce the upcoming launch of RSA Archer GRC 6 which brings together technology and business processes to inspire everyone to own risk within an organization.  This release offers:

  • A new user experience for all RSA Archer GRC solutions, with new features including a walk-up friendly, task-driven user interface and drag-and-drop advanced workflow capabilities. All solutions will see the updated interface that includes the new color scheme, fonts, icons, navigation and more. Advanced configuration options include task-driven landing screen integration, workflow chevrons, action-driven user interface, multi-layout workflow, and more.
  • New capabilities for RSA Archer Operational Risk Management include end-to-end support for the self-assessment lifecycle; enhancements for loss event origination, routing, and approval; and metrics management. These features are designed to better engage business unit managers (the first line of defense) and risk managers (the second line of defense) in the organization’s risk management program. Operational risk use cases come with out-of-the-box workflow, reports, user personas and dashboards that align with the “three lines of defense” principle.

Trying to get a clear risk picture across the business is typically chaotic and incomplete, despite an organization’s best efforts. RSA Archer GRC 6 is the latest step in providing a solution that uniquely provides a holistic risk viewpoint, with business context tracked across all risk use cases. Business units can establish the business entities, assets, products, services, and processes that have the highest impact on the bottom line, and use RSA Archer as a lens through which to review different risk types, including continuity, compliance, cyber or security, resiliency, and supplier risk.


Join us for a Virtual Launch event next Tuesday, November 10th at 11:00 EST to hear how RSA Archer 6 can inspire your users.

The 2015 Archer Summit is now in the history books, and what a Summit it was! We were thrilled to have the chance to share all of the exciting things RSA Archer is up to. And, yet again, the incredible contributions and collaboration of Archer customers, partners and sponsors provided an unmatched opportunity for GRC professionals to learn, share and network with their peers.


What’s more, Archer Summit provided the perfect opportunity to recognize the outstanding achievements of our customers and partners who continue to inspire their fellow GRC practitioners in implementing governance, risk, and compliance solutions in unique ways. These award winners are building cutting-edge applications and integrations using RSA Archer to support process automation, collaboration and reporting.


Platinum Award for Excellence

  • Energy Future Holdings -- Energy Future Holdings leveraged RSA Archer to define Controls, manage their assessment/testing process, associate the findings and exceptions and remediation plans, tie the controls to respective regulatory requirements as well as associated risks.

Gold Award for Excellence

  • Center for Medicare and Medicaid Services -- CMS was the first federal customer to deploy RSA Archer Assessment and Authorization and to retire a legacy system. They can now generate near-real-time views into their security posture of systems.

Gold Awards for Innovation

  • Comcast -- Comcast implemented a security self service program that consolidates reports from numerous security tools, provides real-time analysis and visually appealing metrics, and automates remediation.
  • Biogen -- Biogen built a comprehensive risk assessment and monitoring process for corporate compliance, achieving user adoption within three months.
  • The Hartford -- The Hartford built an “Employee Relation Cases” solution to manage employee conflicts with workflow and reporting to analyze root cause of submissions across the organization.

Return On Investment Awards

  • Berkshire Bank -- Berkshire Bank saw tremendous ROI, saving administrators 150 hours per year with policy management and streamlining their incident escalation process.
  • Aetna -- Aetna retired two large platforms for Vendor Management and Audit, bringing those workstreams into Archer. They will recoup investment for these modules and see cost savings within the next year.

Alliance Excellence Award

  • Atento and KPMG -- KPMG Brazil was selected by Atento, one of the largest providers of customer relationship management and business process outsourcing globally, to develop and support their SOX Program. Atento has combined several Archer solutions to create cultural transformation to a Risk and Compliance minded company where risk management and controls are now incorporated throughout the company.

Community Advocate Award

  • Scott Hagemeyer, U.S. Bank  -- This is the first year for the Community Advocate Award. The Archer ‘Community’ is broad reaching and includes offline and online activities, from the RSA Archer GRC Summit, Roadshows, and regional user groups to the online Archer Communities of Practice. In just the past three years, the membership of the Archer Communities has grown by more than 65% -- growth that is directly related to the continued support and engagement of Archer customers like Scott.


We’d like to extend our hearty congratulations to these well-deserving award winners, and we’d like to thank all of our customers, partners and sponsors who made this year’s Archer Summit a resounding success. We look forward to seeing you at the 2016 Archer Summit in New Orleans (Oct. 26-28, 2016)!

It’s not hard to believe that in our 12th year of the RSA Archer GRC Summit, we continue to be inspired by the shared expertise and experiences of Archer practitioners and experts. The passion and energy of this gathering is exceptional and it’s contagious. Today, I heard the Archer Summit lovingly referred to by colleagues as a “family reunion” for so many of us “GRC veterans.” It’s so true. It’s also been a pleasure to welcome so many new faces this year -- one more sign of the growing emphasis on risk and compliance for organizations of all sizes, in all industries.


The face of risk is changing. We all read about high profile risk-related issues that continue to plague companies. Boards, executives, regulators, auditors and shareholders see those same headlines, and they are demanding more due diligence and visibility into GRC programs. This scrutiny is moving downstream to smaller enterprises, and risk management is becoming a pervasive issue for organizations of all sizes, in all industries. We all know risk is a multi-dimensional problem – and it continues to become increasingly more complex. This ever-changing risk landscape requires agility


We heard yesterday from David Walter, RSA Archer Go To Market Lead, how important it is to “Inspire Everyone to Own Risk.” That means everyone must act as a “risk manager” within their own role. Your organization’s business units -- the first line of defense – will have more pressure to manage business risk. And our roles as risk and compliance experts will change as organizations lean more and more on our expertise. The future of risk and compliance will require everyone to own risk.


RSA Archer’s role is to merge market needs, customer requirements and technology to create solutions that inspire organizations like yours to change the way you think about risk management. We want to inspire your users, your fellow employees to change the way they think about compliance and risk and how they conduct business. Archer technology needs to provide you and your executive team with the insight you need to take advantage of new opportunities – and to take on the risks that will make your organization successful.


As Archer Summit attendees well know, GRC is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within an organization, making risk management part of how everyone in the organization thinks and acts. That’s what Archer Summit is all about!

It’s official – the 12th annual RSA Archer GRC Summit is off and running in the great city of Chicago!  After a surprise visit from the Blues Brothers, Jake and Elwood (aptly played by David Walter and Shai Cohen), we got down to business and kicked off our annual event with great style.


When you think about it, Chicago is very apropos as the location for Archer Summit, given this city’s storied past of overcoming challenges. At the forefront of the United States’ expansion westward, Chicago was a stronghold as the frontier opened up and became a key trading hub. In fact, Chicago mirrors some of the core tenets of governance, risk and compliance:


  • GRC acts as a stronghold against risk elements as your business faces new frontiers.
  • GRC fosters and protects growth of your business as you explore new opportunities.
  • And GRC must be an integral program for organizations going forward.


Each year, the Archer Summit continues to grow – from the number of attendees and the maturity of the GRC industry, to our understanding of the challenges managing a rapidly changing risk landscape. Today's challenging business environment demands scale. Boards and regulators are increasing their scrutiny of business risks. Executives are demanding more organizational agility while at the same time maintaining control. What’s more, organizations’ continued dependence on information technology and the ever-increasing severity of attacks on IT means digital risk is now equally considered with financial, liquidity and supply chain risk.


This is where a scalable GRC program gives organizations the ability to better manage risk and compliance activities, to focus resources where they can make the greatest difference to the business. Scale for your GRC program can be defined by two factors. The first is results, which is getting the most value out of your GRC efforts. The second is reach, in creating a common view of risk across various functions throughout your enterprise. As your organization grows in results and reach, your overall GRC program matures and achieves scale.


As risk continues to evolve more rapidly than ever, organizations are decentralizing risk management to put it as close as possible to where the risk is most visible. At the end of the day, GRC is about how you manage risk for your organization. You are the safety net for when things out of the business' control go wrong, and you provide the environment for strategic initiatives for your GRC program to succeed. But you can no longer do this alone.


The media is constantly alerting us about data breaches, operational losses and compliance violations. The rapid pace of technological development and shifting business models will result in more and more of these events. Organizations need to mature their program to embed risk management beyond the risk team. We know that if the “first line of defense” (business units) was properly engaged in the risk management process, we could prevent more losses and create an early warning system for potential risk. We could limit attacks, eliminate operational inefficiency, and better enable organizations to achieve their most strategic growth objectives.


That’s why our collective mission must be to “Inspire Everyone to Own Risk.” That is our passion. That is our commitment. 

We have a jam-packed schedule of Archer Summit sessions, demos, working groups and other events designed to inspire attendees with ways to mature their GRC programs.


And we’re just getting started!

The exciting tales of Marty Bishop have begun and last week Episode #1 - Enter the Maestro concluded.  We find our intrepid hero investigating a series of interesting traffic patterns flowing over the corporate network.   In the world of The Kingdom, this translates into a mysterious band of men surveying key parts of Marty's imagined world.   A simple malware infection?  A serious breach?  More unfolds as we learn more in Episode #2 - The Maestro's Score.




If you missed it you can recap by reading each blog:

Introducing Marty Bishop

In the Hunter's Sights

The Cat Prowls

The Wizard


To find out what this all means to you as a risk or security professional, see the Technical Dialogue.


For those of you who want to read the story offline or binge read, check out the eBook.


Hooked?  Great! You are ready to move on and see Marty begin to unravel this mystery in the first part of Episode 2.

As outlined in my blog last week, the Defend the Kingdom blog series follows the adventures of a security administrator as he, and his alter ego, battle the forces of evil.   The inaugural blog was released today on Speaking of Security:


Follow the adventure every Tuesday as the story unfolds and the Kingdom is defended.



Vulnerability.  Threats. Defense.  For those of you in ‘the risk industry’, these words roll off your tongue with the practiced agility and grace of a seasoned ballet principal.   We use these words as a carpenter operates a saw and hammer, like a musician manipulates an instrument, like a writer brandishes a pen and paper.  They are part of our craft.  We know these words.  They are old friends.  They are always with us.  They complete us…


I have a theory.  It might be the rant of a madman.  It might be the harbinger of the future.  But it is mine nonetheless.  I believe that today’s security and risk challenges are not necessarily ours to solve.  We just need to keep the ball moving forward until the next generation of security and risk professionals – those that cannot perceive a world before the massive, intricate, complexities of technology – take the mantle and truly rebuild this cyberworld that we have wrought.  It isn’t that our attempts today are in vain.  We must continue to strive to secure our technology.  We must continue to promote trust in a digital world. We must not let the dreams of what technology can bring us die a death due to suspicion, doubt, uncertainty or over caution.  And that is why we do what we do – manage risk, secure our data and wait for the decisive solution to unfold.


I am about to embark on a journey and I hope you join me.  The journey involves an intrepid security admin named Marty, a mysterious villain known as The Maestro and an enchanting Kingdom.  The Defend the Kingdom blog series being launched next week is my attempt to engage in a conversation about risk and security that isn’t bounded by buffer overflows and Monte Carlo simulations.  I am looking to speak to that next generation that may just be entering the security and risk world, or those poised on the brink of a technology profession, or those even mildly interested in what makes security and technology tick.  But the story is not just for the young.  It is for anyone that is looking to understand what it means to take on the enormous challenge of defending a modern organization against today’s threats without digging into the deep technical bits and bytes.  For those of you already neck deep in this fight, I hope you find entertainment and inspiration.


The series will be published in six episodes broken down into weekly blogs.  It has been an ambitious project resulting in 30 weeks of content.  The story unfolds as Marty uncovers some suspicious traffic and his alter ego in the Kingdom, the Hunter, begins investigating a cadre of mysterious men surveying the Kingdom.  Each episode will be accompanied by a technical dialogue which will address some of the parallelisms between the two worlds.   I hope the experience doesn’t end there though.  If I can spark a conversation, a debate, a discourse, then all the better.  My desire is, through an engaging plot, to open the door to share and discuss today’s risk and security universe.

If you want some information about the backstory of the series, check out “What is the Defend the Kingdom series?” or the Video.  Follow me on twitter @steveschlarman to engage and let’s explore (and defend) the Kingdom together.

Steve Schlarman

A Pivotal Year

Posted by Steve Schlarman Employee Aug 13, 2015

For the past several years, the information security industry has been saddled with labels annually. 2013: year of the breach; 2014: year of the BREACH (we really mean it); 2015: year of the MEGA breach (it's gotten worse!). And with those labels every year I hear the phrase 'this is a pivotal year in the industry'. Is it really a 'pivotal' year when we say it every year? I think yes. But not in the sense it is intended. The implied meaning is a significant redirection of progress or a moment of monumental epiphany. I believe the 'Pivotal Years in Information Security' are more accurately described in terms of moving a heavy piece of furniture.


Ever move something really heavy by yourself? The armoire in your bedroom? That massive bookshelf in the living room? The only way for one person to maneuver something heavy is the old 'pivot' method. Everyone knows this move. Move one corner, move the opposite corner. Repeat as necessary as you slowly walk that behemoth piece of furniture across the room. You move that heavy object one step at a time. And information security is REALLY, really heavy - like armoire-on-top-of-the-bookshelf heavy. So the movement by each pivot in our industry is very small. Or so it seems.


This doesn't mean that important advancements and breakthroughs are not happening in our industry:

  • The dialogue of information security has reached the executive conference room. Questions are being asked; budgets are being loosened; corporate objectives are being set - all due to a rise in awareness around the real threats facing companies today. Catastrophes such as Saudi Aramco and countless others have awakened many an executive making cybersecurity a board level concern.
  • Discourse around the balance of privacy, security, legislation, regulation and the collective future of our technology universe is growing. Jennifer Granick's keynote at Black Hat last week discussed this imperative. The debate around surveillance and freedom is becoming a frequently discussed topic. Layer on nation state actors and legal restrictions on security researchers and now cybersecurity is a political issue as well.
  • Technology continues to evolve and innovate. There is no shortage of existing and emerging companies with interesting and significant visions in how to attack security gaps. And there is no shortage of digging into the technologies that are rapidly invading our world - most noticeably the vulnerabilities highlighted at Black Hat and DEF CON last week such as the Chrysler Uconnect threat and the RSA research released on the Terracotta Army.


So what is the answer? We continue to slowly pivot the heavy object across the room. However if you really want to move furniture around your house, what is a better approach? It's easy - invite a few friends over, order some pizza and get to work. Hearing the phrase 'this is a pivotal year' for our industry should be a clue that we need to continue to collaborate, share information and communicate. One final note to consider: Moving that piece of furniture is not a matter of everyone grabbing hold and pushing and/or pulling. Without coordination and direction, you are more likely to cause more damage than anything. Every year is a pivotal year for information security. What part are you going to play?

The Defend the Kingdom blog series is a fictional storyline following the adventures of Marty Bishop, a skilled, imaginative security administrator fighting cybercrime on the frontlines of the massive multi-national conglomerate MagnaCorp.   Starting as an intern within Information Technology as a college sophomore, Marty's acumen for technical concepts garnered interest from the security team early on in his career.  While he toiled away at running cables and debugging simple code, he kept his eyes open and learned more and more every day under the tutelage of the MagnaCorp techie clique.  His mild, introverted manner hides an intense curiosity and a boundless imagination that he wields with power as he tracks down the digital adversaries of MagnaCorp.  Aided by Greg Townsend, his cubemate and fellow security administrator, he has become THE go-to guy when cyber criminals come knocking at the gates of MagnaCorp.  Marty walks the halls of MagnaCorp as a shadow behind the scenes clad in his trademark designer t-shirts and extensive sneaker collection but armed with the knowledge that he stands all too often as the last barrier between MagnaCorp's sprawling global business and the brink of digital chaos.


MagnaCorp is a multi-national conglomerate with controlling interests in a wide variety of companies. Based in New York, the company has regional headquarters in all of the major financial hubs with offices, branches and manufacturing facilities in almost every corner of the world.  Its holdings include:

  • a financial powerhouse with banking, insurance and personal & corporate investment operations;
  • significant holdings in healthcare providers including several major regional hospital systems within large urban areas;
  • a software subsidiary that produces enterprise applications for finance and healthcare industries;
  • a manufacturing arm that fields an impressive array of service machines including ATMs for banks (supporting its own finance division) and drug distribution workstations (supporting its interest in major hospitals); and
  • an investment arm that holds interest in companies ranging from real estate management to utilities to retail chains.

Chaired by the reclusive multi-billionaire genius Wayne Manson, the company operates at a level of unprecedented reach.   Sometimes criticized for having too many irons in the fire and wielding too much influence in the world, MagnaCorp is a continuously shifting operation acquiring and divesting, buying and selling, and moving and shaking the business world.


When Marty enters the vast digital infrastructure of MagnaCorp, he transforms into The Hunter, his alter ego protecting "The Kingdom", an immense medieval-like landscape populated with threatening, shadowy criminals.   The Kingdom is a nation of ultra-prosperity with a wide range of natural resources including mines laden with minerals and ores, a rich agricultural heritage, a well protected and active harbor and bustling trade routes with a wide variety of neighbors.  Only the neighboring Natiostatsia, a rival and menacing nation just beyond the bordering mountain range, threatens the Kingdom with its industrial power.  Armed with his powerful bow and aided by his pet The Cat, the Hunter prowls the Kingdom searching out and battling evil.  Trusted and directed by the Wizard, the protector of all Kingdom secrets, the Hunter staves off attacks from rival countries, local thugs and the minions of the mysterious Guild.


The Guild is a mysterious criminal organization that haunts the Kingdom.  With threats ranging from simple theft to more nefarious plans, the shadowy Guild deploys its minions across the Kingdom.  The members of the Guild are many - but rarely seen or known. The Guild operates from unknown places and is possibly under the control or in league with The Kingdom's mortal enemy Natiostastia.  When anything bad happens in the Kingdom, most likely the Guild is to blame.


The Hunter, along with a host of other characters representing the many aspects of security and risk management, works to protect the good citizens of the Kingdom.   Each episode follows Marty's dual life in MagnaCorp and the Kingdom as he battles cyber crime and helps Defend the Kingdom against the threats of the world.  As the story line progresses, personas in MagnaCorp are revealed as both members of MagnaCorp and as characters in The Kingdom.


The blog series will be launched August 25, 2015 on the RSA Speaking of Security Blog site so prepare to Defend the Kingdom.  The enemy is here...


Check out the Video


The Hunter series is authored by Steve Schlarman (twitter:@steveschlarman) and illustrated by Allison Johnson.

All characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental.

Mind Your Metrics

Posted by Steve Schlarman Employee Jun 29, 2015

Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services.  The roundtable topic was Information Security Metrics programs – every security manager’s favorite.  Why?  Because security is so squishy.  What metrics could effectively capture the state of something that changes on a regular basis, has no uniformity and can take a left turn just when you think you know where you are going?   With today’s complex and frankly dangerous technology issues, security is a regular topic that reaches the board level.  All companies represented at the table reported regular board level reporting on information security.   Naturally the discussion started with this challenge of coming up with some measurable, repeatable metrics that provide a view into information security and are tangible and meaningful for the executives.



The discussion was vibrant and meandered over many different aspects of a metrics program.  A certain level of maturity must be attained generally to measure and monitor metrics.   The typical maturity journey around building a program requires processes to be defined, documented and then monitored and measured to drive metrics.  However, many companies begin gathering and reporting metrics early on to drive performance improvements.  So which comes first – maturity or metrics?   Can an ‘immature’ security program sustain a metrics program?   A metric only really gives insight when measured over time.  Measuring something once or twice really doesn’t give an indication of true risk.   But waiting until a metric becomes a true risk indicator may take too long and there could be value in measuring metrics in the short term such as a “surge” in specific risks or internal initiatives.


We also talked about a variety of other topics including the growing conversation CISOs/InfoSec Executives are having regarding the financial impact of both cyber risk and the investment into security technology.  Financial metrics related to security spend and investment can factor into your strategies if you are able to bridge the gap between technology speak and the business context related to security risk.  Reporting metrics should drive better decisions.  Performance optimization – for the business and not just security - is the ultimate output.


Identifying the key metrics that help inform on possible incoming risks or on the efficiency and effectiveness of the security program is no easy feat.  The trick is to find metrics that trigger management interest.  Finding something that informs and educates was a key factor, especially for those executives who are just learning to navigate the information security universe.   One of the critical points is to view metrics reporting as storytelling – shaping the perceptions and knowledge of management while building a clearer and clearer picture of what is happening in both the industry and internal efforts.

Maxwell Street.  John Lee Hooker growling out “Boom, boom, boom, boom”.  Four whole fried chickens and a Coke.  The Blues Brothers. That’s my immediate vision when I think of Chicago. As a devout fan of the blues, Chicago holds a special place in my heart.  In the 1940s, artists flocked to the city, establishing one of the most unique and vibrant musical scenes in our history.  The legacy carries forward today as Chicago continues to be a city bustling with activity and the wail of the blues.


In 2014 we celebrated our 11th RSA Archer GRC Summit in Phoenix, Arizona with more than 1,000 GRC professionals. Over the course of three days, the group participated in 56 educational breakout sessions led by RSA customers, partners and RSA Archer product experts covering eight tracks.  Sessions addressed program, process, and technical topics giving our customers a platform to share their experiences with each other, to network with fellow GRC professionals, and to grow their GRC and RSA Archer capabilities. The theme of the 2014 event was “Harnessing risk. Exploring opportunity.” and highlighted the journey all of our customers embark on when pursuing GRC excellence.


This year’s RSA Archer Summit is being held in conjunction with our larger user forum and conference named RSA Charge and takes place in Chicago.    This year’s theme – Recharge, Retool, Reignite – is fitting for such a venue. This is why visions of smoky, blues-filled dance halls come to mind.   The Chicago blues is not all heartbreak and woes.   What is more invigorating than an electric charged blues boogie fueled by howling guitars, wailing harp and a thumping beat?   Take a listen to Howlin’ Wolf or Muddy Waters and try to keep your foot from tapping.  This year’s conference is the perfect opportunity to network, learn and build your vision for your GRC journey.  With the combined conference you can also benefit from sessions available for all of RSA’s product portfolio.


The Call for Speakers is still open and I highly encourage you to take this opportunity to share your knowledge and insight.  Pull up a chair, bring your guitar, get your Mojo working and sing your heart out.

Last week, I announced the release of the RSA Archer Maturity Model series of white papers that discuss the different phases and the key capabilities organizations should pursue in building maturity across different segments of risk management. IT and Security risk is one of those key areas and for good reason.  At this point, business and technology are inseparable.   I have written about it before and the general consensus, if you do a straw poll among any risk-minded individuals, is that business risk and IT risk range from inescapably linked to synonymous.   So what does this have to do with Wally World?


The journey to maturity in IT Security Risk Management is much like the popular movie National Lampoon’s Vacation.  For those of you unfamiliar with the movie (or haven’t seen it in ages), let me refresh your memory on the epic tale of the indomitable Griswold family as they embark on a cross country trip to the fabled amusement park “Wally World”.  Along the way, our intrepid heroes fall into multiple calamitous events:

  • They take the wrong turn off the highway and end up in a dangerous, seedy part of town where their car is vandalized.  (Sound like the business unit of yours that thought it was a good idea to outsource an IT initiative without security oversight?)
  • Clark, the beleaguered husband, becomes distracted by an attractive woman leading to disastrous results.  (Ring any bells on that technology that promised to solve all your security issues only to become a quagmire of disillusionment?)
  • Upon reaching their destination, they find the park closed and their hopes of a fun family outing are smashed.  (A reminder that not all strategies come to fruition as many times the rules change, the business evolves, or the plan just doesn’t work out.)

There are several instances in the movie that could draw a parallel with organizations’ struggle to achieve risk management maturity.  My point is that any journey you undertake has its pitfalls and obstacles.  No journey, including the drive for maturity in your IT Security Risk program, will avoid every setback.  However, a journey well planned is a destination half reached.


The RSA Archer IT Security Risk Management maturity model focuses on four key capabilities that enable a sustainable, agile program:

  • Establish business context for security;
  • Establish security policies and standards;
  • Identify and resolve security deficiencies; and
  • Detect and respond to attacks.

An organization focusing on these competencies sets itself apart from the reactive, compliance driven security function and positions the security capabilities to deal with the growing IT Security risk.  A security function that understands the business context of security requirements and issues can prioritize efforts, marshal the right resources and drive controls to the most important part of the business.  Policies and standards set the bar for an organization and, when aligned with both regulatory and corporate compliance, become the foundation for a maintainable program.  Protecting resources requires stout security defenses with limited deficiencies. Finally, no fortification is impenetrable and the organization must be able to detect and respond when attacks pierce the barricades.  There are many moving parts in this strategy and the journey is substantial.  But just like the Griswolds chasing their dream vacation, organizations seek to avoid complications and reach their Wally World – a technically strong, business agile security function that becomes a competitive advantage for the company.


The RSA Archer IT Security Risk Management white paper discusses these capabilities at length and posits where different competences fall into our Maturity stages.  Read the White Paper – and check out our other papers – on the RSA Archer Community at  The paper may not be exactly a ticket to Wally World, but hopefully it helps plan your journey.

The 2014 ‘Gartner CEO and Senior Executive Survey: 'Risk-On' Attitudes Will Accelerate Digital Business’ report indicated 64% of senior executives listed Growth as the number 1, 2 or 3 priority.   Companies have many paths to fuel growth such as mergers, acquisitions, launching new products and services and broadening out to new markets.   However, all of these activities involve risk.  Without the proper handling of risks, compliance obligations and the general preparation it takes for the business to take on these strategic initiatives, growth can be in peril.  In the same report, executives reported that they were more likely to grow the business IF they had a good sense of the risks involved – and the ability of the organization to deal with those risks.  This is why Governance, Risk and Compliance programs have risen from the humble beginnings of point efforts, grass roots initiatives and a select few practitioners huddling in the corner at organizations to become a board level discussion today.  While GRC placed 11th on the list of priorities in this survey, managing risk is an absolute imperative for the organization to meet that #1 priority of Growth.


When it comes to building any enterprise GRC program – and truly affecting change in an organization – the journey has many twists and turns.  Organizations must go through a transformative process of maturing processes from localized, concerted efforts into a broader, comprehensive strategy.  The maturity of a GRC program is the sum of many parts.  Some organizations are just embarking on this journey; other organizations have been trekking this path for several years.


I am pleased to announce the RSA Archer Maturity Models – a series of white papers that outline the six major dimensions of risk management.  The RSA Archer Maturity Models focus on key capabilities enabled by the RSA Archer solutions.  As a technology enabler, RSA Archer provides the critical infrastructure to leverage processes, share data and establish common taxonomies and methodologies.  Our vision is to help organizations transform compliance, manage risk and exploit opportunity with Risk Intelligence made possible via an integrated, coordinated GRC program.


The RSA Archer Maturity Models outline multiple segments of risk management that organizations must address to transform their GRC programs and articulate the five stages of Maturity an organization experiences during the journey from Siloed efforts to an Advantaged state of risk management.  Each white paper discusses the different phases and the key capabilities that organizations should pursue in building maturity across the core components of a GRC program:

  • Operational Risk Management,
  • IT Security Risk Management,
  • Regulatory and Corporate Compliance,
  • Third Party Governance,
  • Business Resiliency,
  • Audit Management, and
  • Assessment & Authorization/Continuous Monitoring (Federal solution).


The GRC Strategy team will be posting a series of blogs highlighting the maturity models over the next few weeks.    As with all journeys, we expect that your organization may have taken its own unique path as you pursue GRC Maturity.  We welcome your feedback as you research our positions in these domains.


The White Papers are available to members of the RSA Archer Community at



Gartner report:
