Governance, Risk and Compliance News
Page 1 of 60 (593 items)
  • The GRC Learning Model

    by Steve Schlarman – July 28, 2010

    The older one gets, the more one forgets what one knows.

    We have all seen the enlightened “master” in movies tell the young learner “Your cup must be emptied before it can be filled” or “Clear your mind and the truth will be revealed.” The premise that one must unlearn to learn is such a common theme in so many movies that it has become a cliché. But there is a truth in that to truly master something, you have to somehow transition that knowledge from an act of concentration to an act of just doing.

    We recently held an internal training session for our managers to help facilitate some organizational transitions within our groups. Part of the session was a review of an adult learning model. The point of the model was to articulate the difference between how adults learn and how children learn. Adults generally learn differently than children and, as such, any effort to teach adults a new skill, implement a new organizational approach or introduce a major change needs to take this into consideration.

    The model depicted four simple stages:

    1. Unconsciously unskilled
    2. Consciously unskilled
    3. Consciously skilled
    4. Unconsciously skilled

    These stages are perfectly sensible—essentially outlining the path from “not knowing what you don’t know” to “doing what you do without thinking.” I had a colleague that used the folksy phrase “a pig looking at a watch” to describe the unconsciously unskilled. His point was that although the pig could see a watch, it didn’t know what it meant. Anyone watching Michael Jordan sink a fall-away jumper with a defender hanging all over him has seen the unconsciously skilled in action. What I find interesting is that the stages have two pieces—the technical elements of skilled vs. unskilled and the mental elements of the subconscious and conscious.  
     
    Another component of the model focuses on how the transition between the stages is prompted. Moving from Stage 1 to Stage 2 involves an epiphany of sorts fueled by increasing awareness and relevant examples. Moving from Stage 2 to Stage 3 requires a shift in motivation and incentive. Finally, moving up to the “enlightened” Stage 4 demands repetition and practice, practice, practice. 

    Now it doesn’t take much enlightenment to draw parallels to our world of governance, risk and compliance (GRC). If we apply this model to the objectives within our organization, we can see that GRC is not just the mechanics of audit, security and the controls in business processes but also the cultural and psychological growth of the organization. It seems to me that these stages outline the fundamental transition that all organizations are looking to achieve for GRC. If we want our organization to really implement governance, understand risk and manage compliance, then we need to help the organization “learn” the way adults do.

    As GRC leaders in our organizations, we can take a step back and analyze just where our organization is in this continuum:

    • Is the organization still in the “don’t know what we don’t know” stage?
    • Has it reached the consciously unskilled stage where it really understands what skills it needs but lacks the motivation to progress?
    • Does the organization need an epiphany or merely more time to practice?

    Thinking in these terms brings to light some of the needs of the GRC efforts outside the mere technicalities of policy, controls and audit. True organizational change is the only thing that will push a GRC program toward enlightenment. This is where the cultural and psychological components of the program have to be pushed as hard as the mechanics. We all would like to see our organization begin to unconsciously incorporate well designed controls into business processes. The trick is to get the organization to move up this scale one step at a time.

    Many times, risk and compliance professionals can get caught in the trap of teaching their organizations the way children need to be taught. Telling people over and over the “right way” to do things, making people learn by rote and other methods targeting a green-field mind do not work when you are trying to teach an organization of mature professionals. These simple tenets of adult learning, when applied to the grand scale of an organization, might help identify some of the reasons why GRC is not taking hold as well as one would hope in the organization. 

    Take a moment to evaluate how the risk and compliance activities are being presented to the organization. You may find that while the skilled is winning over the unskilled, the long-term strategic win comes when the unconscious wins over the conscious. Think of the pride you would have if your organization would sink a game-winning shot over the outstretched hand of a defender in a pure, fluid motion of unconscious skill.

    Posted Jul 28 2010, 03:24 PM by Sarah Nord with 1 comment(s)
  • Featured Exchange App: Project Management

    July 23, 2010

    Are you looking for a better way to manage multiple large-scale projects simultaneously?

    Struggling to prioritize your projects and assign resources where they are needed most?

    If so, we invite you to explore the Project Management solution on the Archer Exchange. More than 100 of your fellow Archer Community members have downloaded this popular offering to date!

    Through the Project Management solution, you can:

    • Gain visibility into a variety of factors and costs that influence project quality and delivery
    • Monitor resources, timelines, project activities and artifacts produced as part of project delivery
    • Document project milestones and track their completion
    • Identify and manage issues that may impact project success, and quickly react to changes in project scope or resource availability
    • Deliver real-time reports on project status to key stakeholders to build their confidence that the project will be completed on time and within budget

    Want to learn more? Visit the Archer Exchange to download the solution data sheet, watch a video and access a live demo. You can also download the solution itself and explore it in your own environment.

    We hope you’ll take the Project Management app for test drive! Be sure to let us know what you think by rating and reviewing the solution out on the Archer Exchange.

    Posted Jul 23 2010, 02:04 PM by Sarah Nord with 1 comment(s)
  • Catching Up with My Old Friend SOX

    by Jason Rohlf – July 21, 2010

    I am a firm believer in maintaining strong and lasting friendships, and the maintenance method I choose largely depends on the nature of the friendship. For my closest friends, this typically includes periodic texts and emails and an annual trip to Las Vegas followed by the requisite 11 months of recovery time. When I take my kids to the park, I catch up with their friends’ parents. I play ice hockey once a week, and this affords me the opportunity to catch up with other lovers of the beautiful sport. And LinkedIn and Facebook allow me to reach into my past and catch up with oodles of my old workmates and grade school chums, or at least to play voyeur into their (sometimes) interesting lives.

    Certain events of the last few weeks have given me cause to catch up with another one of my dear old friends—the Sarbanes-Oxley Act of 2002 (or as I endearingly refer to him, “SOX”). OK, maybe that’s overstating things a bit; after all, SOX has only been around for 8 years and that’s really only old in dog-years. Nonetheless, SOX and I got together for a cup of coffee and a little bit of reminiscing, and I’d like to take this opportunity to bring you up to speed on what my good pal has been up to:

    • Last December, the United States Supreme Court heard the argument filed by the Free Enterprise Fund challenging the constitutionality of the Public Company Accounting Oversight Board (PCAOB) and ultimately SOX. On June 28, 2010, the Court issued a 5-4 decision that gave the Securities and Exchange Commission (SEC) more leeway to remove PCAOB Board Members; however, aside from this change, the Court chose not to open up the legislation to further scrutiny, so all indications are that my friend SOX won’t have to go changing any time soon…

    • ...or will he? On October 2, 2009, the SEC issued a release that put an end to the parade of SOX section 404(b) filing extensions afforded to small public companies (defined as those with a market capitalization below $75 million). The release stated that these non-accelerated filers will see the last extension expire beginning with the annual reports of companies with fiscal years ending on or after June 15, 2010. SEC Chairman Mary L. Schapiro commented that, “Since there will be no further Commission extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance.”

    • Fast forward to last Thursday. Congress passed the Restoring American Financial Stability Act of 2010 by a heavily bipartisan 60-39 margin (read more in the New York Times). Among the sweeping reforms and regulations aimed primarily at the Financial Services industry, the bill included a provision to permanently exempt the very same non-accelerated filers from 404(b) filing requirements. President Obama is expected to sign this bill into law later this week.

    As I discussed back in December in my article SOX or Not: Strong Internal Controls Hold Their Value, despite the heavy scrutiny that my buddy SOX has come under recently, I still believe that the benefits of maintaining a sound, comprehensive system of internal controls far outweigh the costs. Needless to say, I was pleased to read Protiviti’s 2010 Sarbanes-Oxley Compliance Survey in which their results indicate that 70% of respondents indicated that the benefits of Sarbanes-Oxley outweighed the costs (versus 39% of respondents when asked during Year One of SOX).

    Now let’s move beyond the various legislative goings-on for something a little more exciting (at least for me). Last Wednesday, I had the pleasure of facilitating the latest RSA Archer SOX Compliance Working Group session. I really enjoy these sessions because they are primarily driven by the users of our eGRC solutions, and they provide a forum for customers to share thoughts and ideas on any topics of interest or issues they may be facing as a collective.

    Last week’s session was focused on the process of scoping controls for SOX purposes. We discussed the various elements that factor into the scoping process (see chart), the approach participants take when encountering “gray” areas (i.e., those elements of the business that fall at or just below financial thresholds), the frequency with which controls are re-scoped and what effect the economic downturn has had on each organization’s SOX processes.

    I typically learn a great deal from the practitioners who participate in our Working Groups, and last week’s meeting was no exception. I found that there are varying methods being employed to determine the financial significance of controls (clearly the most important driver of scope) and that all who offered their thoughts during the session are incorporating some level of qualitative analysis in their scoping decisions (the “gut” factor). 

    For me, the most interesting thing I picked up from the session was that serious consideration was being given to the effects of the economic downturn, from how to treat “borderline” entities that have fluctuated between in and out of scope (due to a “down” financial cycle) to the impact of staff reductions on the ability to maintain proper segregation of duties at various points of critical processes. All in all, it was a great discussion, using up each and every one of the allotted 60 minutes and hopefully setting the stage for (Shameless Promotion Alert!) another great SOX Working Group session on Wednesday October 6.

    It sure was good to catch up with my buddy SOX, and I’ll be sure to keep you posted on any further developments in his life. At the very least, I’ll let you know when someone posts unflattering pictures of him on Facebook…

  • RSA Archer eGRC Content Library – Q2 2010 Update

    by Steve Schlarman – July 20, 2010

    As RSA continues our development of the most robust library of enterprise governance, risk and compliance (eGRC) content in the market, I’m pleased to announce the latest additions to the RSA Archer eGRC Content Library. For Q2 2010, we focused on many areas that are critical to eGRC. The additions to our Content Library for this quarter move us into several new areas—deepening our ability to provide business-relevant content to our customers. As you’ll see, we were very busy this quarter.

    One of the more exciting aspects of this quarter’s work was the addition of an Authoritative Source for the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Audit.  This internationally recognized standard allowed us to focus on a key part of an eGRC program—Internal Audit—as well as one of our core solutions, RSA Archer Audit Management. We added a new Policy (Audit Management) along with Control Standards focused on internal audit practices. Following through with our methodology, we also created new Question Library content including three specialized Questionnaires:

    • IIA Project Quality Assurance
    • IA Customer Survey
    • IA Annual Quality Assurance

    In July, RSA joined the Information Security Forum (ISF), and as part of this membership, we have completed the development of Authoritative Sources for the ISF’s Standard of Good Practice (SoGP).  Individual Authoritative Sources have been created for each component of the ISF SoGP:

    • Computer Installations
    • Critical Business Applications
    • End User Environment
    • Networks
    • Security Management
    • Systems Development

    We mapped these Authoritative Sources to our Control Standards, adding or modifying our Library to be aligned with the ISF SoGP.

    Based on customer requests, we also expanded our Library of international data protection legislation with the addition of the German Federal Data Protection Act, the UK Data Protection Act of 1998 (Chapter 29) and the France Data Protection Act (Act N°78-17 OF 6 January 1978 on data processing, data files and individual liberties). We used the English publications of these laws so all content is in English.

    Our current Control Procedures cover more than 80 technologies with over 4,000 individual controls. We have grown this Library through the addition of technical Control Procedures from the Center for Internet Security (CIS) Benchmarks. We translated several of the CIS Benchmarks into Control Procedures along with mappings to Control Standards. The following CIS Benchmarks are now available as Control Procedures:

    • Apple iPhone 3.1.2
    • IBM DB2 8, 9 and 9.5 (Linux, Unix and Windows)
    • Microsoft Windows Server 2008
    • Microsoft Access 2007
    • Microsoft Excel 2007
    • Microsoft InfoPath 2007
    • Microsoft Office 2007 System
    • Microsoft Outlook 2007
    • Microsoft PowerPoint 2007
    • Microsoft Word 2007
    • Microsoft Windows 7
    • Mozilla Firefox 3.5
    • Opera Browser 10.51
    • Sybase ASE 15.10

    Along with the Control Procedures, we also created a corresponding Question Library set based on the assessment procedures outlined in the CIS Benchmarks. This allows our customers to quickly build questionnaires for manual technical assessments.

    Finally, we completed our effort to provide the entire Shared Assessments Program SIG v5 with the completion of the Level 3 questionnaire. Now, the SIG v5 import pack includes all Level 1, 2 and 3 questions along with the Agreed Upon Procedures (AUP) questions.

    By the Numbers:

    • New Authoritative Sources: 11
    • New or Modified Control Standards: 67
    • New Technologies: 14
    • New Technical Controls: 959
    • New Questions: 2,975, including
      - CIS Questions: 959
      - RSA Archer Questions: 64
      - SIG v5: 1,952

    To access the Q2 RSA Archer eGRC Content Library updates, please email Support at support@archer.com.

    To learn more about the updates, take advantage of these resources:

    • I will be presenting a webcast on RSA’s content management processes and the entire eGRC Content Library, including comments on the latest content release.
    • For existing customers, there will also be a Friday User Group Training session on July 23, 2010.
    • For more information on the content updates, see the Release Notes posted on the Archer eGRC Community.

    I look forward to any feedback you have on this new content, so please feel free to share your thoughts.

  • Physical to Virtual Disaster Recovery Planning: Considerations for the Cloud

    by Steve Suther – July 8, 2010

    How's your disaster recovery planning these days?

    If you’re reading this, it’s pretty safe to assume that either you or someone in your organization is “tuned in” enough to have well documented DR plans that enable your company's business operations to continue in the face of a significant loss of technologies, facilities or human life. And they’re testing these plans at some regular interval (once each quarter, once a year, etc.) based on internal business impact analyses, or external regulatory requirements. Right?

    Now, has your disaster recovery planning been adjusted to take into account the virtualization and cloud computing initiatives that are more than likely either currently being talked about, or actually implemented, by your IT architects, or the vendors that manage your IT environments? Probably not.

    How many of you did I lose with "How's your disaster recovery planning these days?" Hopefully not many. But how many of you did I lose at the first mention of virtual, or cloud recovery planning? From what I’ve been seeing and hearing from our customers, I’d be willing to bet more than a few of you.

    A traditional physical-to-physical disaster recovery strategy is fraught with challenges: being able to move to another data center in a reasonable time frame, always having contracts in place with that alternate data center, reliance on a single managed service provider with geographic and organizational redundancy that won’t go out of business without warning…just to name a few. Good governance and risk management practices within your infrastructure, asset and vendor management processes are always a best-practice approach to help mitigate and control these risks to the business.

    Now imagine the physical-to-virtual challenges in the development of data backup routines that move data out of the primary data center (and out of the control of the entity running that data center) and into a virtual IT environment. Cloud computing can definitely help address these challenges by serving as an important foundation for rapid recovery with a low amount of data loss. Imagine, for example, regularly synchronizing your production environments with a virtual environment that packages the data regularly for DR deployment in the event of a disaster. Assuming you’ve set up machine images that mirror your production environments, you should be able to rapidly recover into the cloud without paying to run an entirely redundant data center 24x7.

    Security is quickly becoming a major concern when setting up these environments and their related DR processes, and RSA is actively participating as part of the Cloud Security Alliance to ensure that through EMC, RSA and other products, safe cloud computing can address newly emerging threats to the cloud, as well as incident response within the cloud. Be sure to check out the RSA web site for more information.

    Security aside, here are a few more key components to ensure that you too can achieve effective DR in your cloud computing environment:

    • Set up procedures for synchronizing data with tools that package the data regularly for DR deployment (and don’t forget about data encryption!)
    • Create machine images that have the same operating system, tools, core applications, and libraries as your production systems
    • Use the appropriate set of tools to configure your DR environment to automate your required DR processes
    • Regularly test restoring your infrastructure based on the current data in your cloud environment and validate the success of the event

    The main benefit of this approach is that you simply know your DR system will work for you in the same manner that it did for you in your physical environment, while reducing computing and resource costs to your organization. 

    Where is your organization these days with regards to ensuring DR capabilities within your cloud? Let me know, and I promise to keep everyone updated on the great work being done within the industry!

  • eGRC Content Library Webcast

    See the latest additions to the industry's most comprehensive library of policies, standards, procedures and regulations.

    It’s easy to get lost in the complexity of mounting laws, regulations and industry requirements, and translating this information into policies and procedures is a daunting task. But what if you had a library of pre-mapped policy and regulatory content, updated on a regular basis?

    Join this webcast to see how the RSA Archer eGRC Content Library can help you minimize the time spent on regulatory research and reduce the overall cost of compliance.

    Thursday, July 22 | 1-2 p.m. US Central | 2-3 p.m. US Eastern

    Register today!

    Posted Jul 08 2010, 08:00 AM by Demian Tallman with 1 comment(s)
  • Governance: The Big Problem

    by Sam Curry – July 6, 2010

    That government is best which governs least
    – Thomas Jefferson or Thomas Paine, uncertain attribution

    If people behaved like governments, you'd call the cops.
    – Kelvin Throop

    Unbiddable, ungovernable – like a riot in the heart, and nothing to be done, come ruin or rapture
    – Viola de Lesseps in Shakespeare in Love

    I alluded to this a few weeks ago in Xanadu, but I got to thinking about the subject and realized it deserves a little more exploration and discussion. I mentioned an almost mythical "hunter-gatherer" society and the potential to build a more modern civilization (for good or ill) when social constructs emerged to let us live in groups of more than 100 to 200 people. This bears some more thinking and some comment because it highlights for me what is so hard about modern Governance: making a large number of people work together is hard and it's not an extension of what a small number of people do!

    As I mentioned earlier, we as people tend to organize ourselves even today in groups of between 100 and 200 people. This was first highlighted for me by Malcolm Gladwell in The Tipping Point when he wrote about the Gore corporation and how they self-organize. In a weird coincidence, it was driven home to me by presentations I saw from Guy Kawasaki and Gary Hamel in the same week. We organize ourselves in groups that have a social dynamic and ability to understand one another at somewhere around 150 people: this is true for optimizing a business unit, for military companies and even for some religious congregations. There's something special about the way our brains work and that size of community.

    As I've moved around and changed jobs over the years, I've seen my personal network of active colleagues and associates stay constant at around this number, although the passive number is much, much larger. This magic number rang true for me – it’s been very hard to keep deep contacts with a large number of people, and the “inner circle” of friends we all have changes if we move or change careers, locations or just mature over time. Basically, the number made it personal for me.

    Then I read The God Delusion by Richard Dawkins, and regardless of your personal feelings with respect to Dr. Dawkins or his work, bear with me a moment. He postulated that it's entirely possible that we evolved a brain capable of subjecting itself to larger social structures and to what is basically religion, and that this might mean that we evolved a capacity for religion so that we can exist in larger groups than 100 to 200 people. Many scientists, incidentally, loathe the notion of social evolution (and for good reason), many are leery of the chasm that yawns between science and religion as a no-person's land and many on the religious side despise the reversal this implies; but there are some great points I'd like to summarize from Gladwell and from Dawkins:

    1. We as human beings seem to self-organize and work well in groups of about 150 people; this is our "sweet spot"
    2. What is potentially one of the most significant advances in our species was overcoming the inability to work in groups greater than 150, outside the "sweet spot"

    And now…we need to combine this with "Governance." Governance is really the ability to direct, manage and determine how a large group of people (and their technology, applications, services and so on) behave. We do this to manage risk and pursue reward, but the magnitude of the task becomes evident very quickly: the heart of the problem around Governance is not a tech problem…it's a Human problem. Solving this one is solving the big one in many ways.

    What we want to do is take the personal management techniques that we have evolved for use within the "sweet spot" and create a structure that manages companies and countries measured in the thousands and millions of people to the same degree. That's hard!

    The good news is that we don't have to do it all. We don't have to boil the ocean, we just have to do it well enough to have an impact on risk and on reward. That's good enough and that should be our goal.

    In To the Heart of the Matter (and in Will the Real GRC Please Stand Up), I spoke to RSA buying Archer and came to the following conclusions about what we need to do…

    1. Create policy and have IT carry it out
    2. Know what is happening, especially with respect to the policies we've created

    Perhaps the most significant thing that we can do is minimize the difficulty of managing large groups of people and technology and creating cultures that form in organizations the size of a "sweet spot" to follow corporate principles. If we can't manage a company of 50,000 people as we would one of 50 people, then work on making the tools easier to use, easier to find, faster to respond and empowering to the natural, smaller groupings to follow the policy determined at the top. This is about empowering business to better self-govern and become more powerful.

    Fundamentally, GRC and Governance are human problems and while not completely solvable, they are eminently addressable!

    PS ― Next week is the 6 month anniversary of RSA (the Security Division of EMC) acquiring Archer, and I am incredibly proud of how we have integrated, and are integrating, the two companies to be greater than the sum of the parts!

    PPS ― I will be presenting a “Compliance in the Clouds” webinar next week for any who are interested; details are here.

    Posted Jul 07 2010, 03:22 PM by Sarah Nord with no comments
  • Webcast: Incident Management
    Centralize and automate management of incidents and ethics violations that occur anywhere you do business.

    Register today for this webcast to learn how RSA Archer Incident Management can help you report, analyze and respond to the incidents and ethics violations that impact your business. Join us, and discover how you can:

    • Implement a centralized solution to manage incidents regardless of type, including theft, violence, phishing, denial-of-service attacks and more.
    • Protect the integrity of confidential data through the use of access controls.
    • Manage the complete investigation lifecycle and prioritize activities based on business impact.
    • Monitor incident status, and analyze trends and incident relationships to ensure appropriate mitigation and remediation.
    • Demonstrate compliance for incident management outlined in many regulatory requirements such as FISMA, NERC, PCI, whistleblower requirements and others.

    Thursday, July 8 | 1-2 p.m. Central | 2-3 p.m. Eastern

    Posted Jul 06 2010, 05:20 PM by Demian Tallman with no comments
  • Are You a GRC Saboteur?

    by Steve Schlarman – June 30, 2010

    We all have our own little secret hobbies that we use to escape from the craziness of our everyday life. Spend any time with someone, and most likely you will learn about their pets, their thimble collection, their penchant for photographing railroads or their clandestine weekend job as a rodeo clown. Frankly, I haven’t met any rodeo clowns yet, but I am still holding on to some hope that somewhere, I will meet someone whose passion outside of work is to jump in a barrel a split second before a furious bull comes charging near.

    Now, I have a few covert interests as well—I play bass guitar (check out iTunes, and I have one song as part of a compilation CD), I enjoy video games (who doesn’t enjoy blasting away at bad guys to burn stress off) and I enjoy working out (I will hit the big FOUR-O this year and have to do something to stay young.) However, one of my favorite underground loves is military history, specifically World War II. A visit to my home office would reveal collages of D-Day maps and pictures on the wall, some metal soldiers in a display case and a bookcase full of tomes written on the conflict. I know: geek city…

    So when I saw a “World War II Sabotage Field Manual” post on Bruce Schneier’s blog, I literally fell out of my seat—which in our row is not an out-of-the-ordinary event. In fact, Jason Rohlf (my product management compadre and “cubemate”) didn’t even blink. But he did ask me what I had found. I proudly displayed my monitor and showed him the declassified Office of Strategic Services’ Simple Sabotage Field Manual. For those of you who aren’t familiar with the history, the OSS was the intelligence agency within the United States established during World War II that led many of the covert operations. The organization was the precursor to the Central Intelligence Agency and was based on Britain’s Special Operations Executive. The tattered document on my screen—now 56 years old—was published to help locals behind enemy lines disrupt operations and cause damage in many simple ways.

    Part 5 “Specific Suggestions for Simple Sabotage,” section (11) outlines some rather amusing suggestions to cause general interference with organizations and production facilities:

    • “Insist on doing everything through ‘channels.’ Never permit short-cuts to be taken in order to expedite decisions.”
    • “Bring up irrelevant issues as frequently as possible.”
    • “Haggle over precise wordings of communications, minutes, resolutions.”
    • “Be worried about the propriety of any decision.”

    The document goes on and on with numerous suggestions on how to essentially cause general mayhem in any organizational situation. While it is laughable now, I have no doubt that these are very effective strategies given that we see many of these things every day in our corporate world.

    This brings me to my point—and how this relates to our beloved GRC world. Many times, as risk and compliance professionals, we pride ourselves on the intricacies and technical details of our world. I mean, who doesn’t love throwing the difference between a threat and a vulnerability into the discussion? However, we always must be grounded in the fact that most of the people we interface with—and those who are truly the ones we must impact the most—are business people who couldn’t care less about the difference between a buffer overflow and an overflowing buffoon. They want to conduct business and keep our companies moving forward. Our job is to help them do that while maintaining some level of control.

    Therefore, think about how you explain risk and compliance needs within your organization. Use straightforward, relevant examples and make the needs real for your business counterparts. Establish some common understanding of risk language within your organization. Speak in terms that mean something to the business and don’t get wrapped up in the technical nuances of governance, risk and compliance. While the cloak-and-dagger world of spies may seem glamorous, the last thing you want to have happen at a meeting is to be introduced as the “saboteur” sent from the risk group.

  • Archer Community Passes the 4,000 Member Milestone

    by Jeff Glasco – June 28, 2010

    We stopped and took notice last week as the membership count on the Archer Community crossed the 4,000 member threshold. While slightly shy of Facebook’s leading 400,000,000 user base, we’re very excited at the 81% growth rate in Community membership over the past year. How excited, you ask? We danced. We sang. We rang bells typically reserved for big sales announcements. We even got some kid named Andy and his dad to stack up exactly 4,000 dominoes and knock them down in a glorious display as captured on this YouTube video. OK, maybe that’s a small lie, but would we have enlisted them if we’d been struck with the creative epiphany to do so? You bet.

    We interpret this growth as an ongoing testimonial to the importance our clients place on the Community and the need for more collaboration in the governance, risk and compliance (GRC) landscape. Let’s face it, business problems in the GRC arena aren’t getting any easier to tackle. Dealing with the complex issues our Community of practitioners face on a daily basis takes creativity, rigor and guidance in the form of thought leadership. And sometimes, we suspect, it simply helps to know and interact with peers who are facing the same challenges, understand your perspective and can offer a little empathy when needed.

    It’s important to mark the occasions when milestones are crossed, but we must continue to think of the future. Now more than ever, our focus is set on connecting our Community of practitioners while keeping relevant GRC topics and discussions flowing into their connected work life. We are currently looking at opportunities to expand the Community platform to enhance the member experience. Our objective is simple: We want to evolve the way the Community collaborates to advance thought leadership and help solve common problems. In truth, we aim to build the most connected and relevant GRC Community in the industry along the way.

    So thanks from the RSA Archer eGRC team! We look forward to welcoming the next 4,000 Community members. Facebook here we come (which, by the way, you can follow us on).

    Posted Jun 28 2010, 02:09 PM by Sarah Nord with no comments