Governance, Risk and Compliance News
  • Calling Speakers (Customers or Partners) for RSA Archer GRC Summit in June

     

    Call for Speakers is Open!

    Share case studies, best practices and implementation strategies for RSA Archer Solutions

    Executives, business users and technical professionals attend the RSA Archer GRC Summit to hear from practitioners with deep experience in solving governance, risk and compliance issues through RSA Archer’s integrated solutions. We want presenters to demonstrate:

    • Successful GRC program management
    • RSA Archer implementations that automated critical business processes
    • Technical expertise of the RSA Archer platform

    RSA Archer GRC Summit 2012 takes place from June 5 – 7 in Chicago, Illinois. Our Call for Speakers is open through February 15, 2012. Click here if you would like to register.  The event attendees want to learn how you make your RSA Archer investment achieve even greater ROI, hear about your implementation experiences and network with you.

    All presenters will receive a complimentary delegate pass.

    Posted Jan 29 2012, 01:08 PM by Janna Bridges with no comments
  • DDE 5.1.4 Webinar Schedule

    JOIN THE MEETING (log in details below)

     
    Webinar Topic:  DDE Overview
     
    Day:          Tuesday, January 17th
    Time:         9am Pacific; 11 am Central; 12 pm Eastern
    Length:     1.5 hours 
     
    Day:          Wednesday, January 18th
    Time:         9am Pacific; 11am Central; 12pm Eastern
    Length:     1.5 hours 
     
    Day:          Thursday, January 19th
    Time:         11am Pacific; 1 pm Central;  2 pm Eastern
    Length:     1.5 hours
     
    Meeting Details:
     
    Topic: DDE 5.1.4 Webinar
    Date: Thursday, January 19, 2012
    Time: 1:00 pm, Central Standard Time (Chicago, GMT-06:00)
    Meeting Number: 632 409 368
    Meeting Password: DDEWEBINAR


    -------------------------------------------------------
    To join the online meeting (Now from mobile devices!)
    -------------------------------------------------------
    1. Go to https://archer-tech.webex.com/archer-tech/j.php?ED=150299462&UID=1098375702&PW=NMzAzYThjOTg4&RT=MiM3
    2. Enter your name and email address.
    3. Enter the meeting password: DDEWEBINAR
    4. Click "Join Now".

    To view in other time zones or languages, please click the link:
    https://archer-tech.webex.com/archer-tech/j.php?ED=150299462&UID=1098375702&PW=NMzAzYThjOTg4&ORT=MiM3

    -------------------------------------------------------
    To join the audio conference only
    -------------------------------------------------------
    Call-in toll-free number (US/Canada): 1-866-469-3239
    Call-in toll number (US/Canada): 1-650-429-3300
    Global call-in numbers: https://archer-tech.webex.com/archer-tech/globalcallin.php?serviceType=MC&ED=150299462&tollFree=1
    Toll-free dialing restrictions: http://www.webex.com/pdf/tollfree_restrictions.pdf

    Access code: 632 409 368

    -------------------------------------------------------
    For assistance
    -------------------------------------------------------
    1. Go to https://archer-tech.webex.com/archer-tech/mc
    2. On the left navigation bar, click "Support".

    You can contact me at:
    marketingcommunications@archer.com
    1-888-539-EGRC

    To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
    https://archer-tech.webex.com/archer-tech/j.php?ED=150299462&UID=1098375702&ICS=MI&LD=1&RD=2&ST=1&SHA2=5Xv5pQxzT9Hk6DwCCELlsG2w/WQjb2iWjf9wZHJnDaI=&RT=MiM3

    The playback of UCF (Universal Communications Format) rich media files requires appropriate players. To view this type of rich media files in the meeting, please check whether you have the players installed on your computer by going to https://archer-tech.webex.com/archer-tech/systemdiagnosis.php.


    IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation.
     
    Posted Jan 06 2012, 12:23 PM by Patty Cutter with no comments
  • RSA ARCHER: Only Platform to Achieve Leader Category in Both IT and eGRC Research Reports

    by David Walter - December 1, 2011

    With great pleasure (and a lot of pride) we want to announce that Forrester Research Inc., an independent research firm, has ranked RSA Archer as a leader in both the IT-GRC and eGRC platforms!  Not only is RSA Archer a platform leader in both categories but RSA Archer is the ONLY vendor ever to be named a leader in both IT and eGRC categories.   Here are some highlights from the research reports:


    The Forrester Research Wave: eGRC Platforms, Q4 2011 (click here for report), by Chris McClean, senior Forrester Research analyst:
    “With solid technical functionality and a satisfied customer base, RSA  Archer made the leap into the Leaders category in this year’s evaluation.  The company’s platform is highly configurable with an intuitive and easy-to-navigate interface, and its ability to facilitate customer-led development sets it apart from competitors.”  RSA Archer scored at the top of the evaluation for GRC domain support and technical functionality. 

    The Forrester Research Wave: IT-GRC Platforms, Q4 2011 (click here for report), by Chris McClean:
    “The strong technical capabilities of the RSA Archer platform and the company’s market success set it above the competition.  With Archer now under the wings of the RSA brand, the larger set of development resources along with the extended sales and marketing force will enable RSA Archer to remain a leader in the IT GRC market for the foreseeable future.”  RSA Archer scored at the top of the evaluation for content management, risk and control management, and workflow management.

    Congratulations to the entire RSA Archer ecosystem of customers and partners as this accomplishment is a testament to the efforts made by each and every one of you that are continuously solving complex business problems leveraging the RSA Archer eGRC Suite while demonstrating quick time to value.  Many companies are looking for tools to manage inter-related risks across the business not only in IT but also finance, operations, and legal domains.  Being a leader in both IT and eGRC justifies RSA Archer’s continued investment and dedication to creating a best of breed platform that automates the measurement and visualization of risks across the enterprise to enable an apples-to-apples prioritization and more effective utilization of limited risk mitigation resources.   This research ranking truly validates the notion that RSA Archer is the most comprehensive, market-leading GRC platform available. 

    However, those of you that know us well know that we won’t rest on our laurels very long.  We have a great 2012 planned with significant additions across the RSA Archer ecosystem including numerous Archer Community driven enhancements to the RSA Archer GRC Platform, new value-add solutions in several specific risk domains; new exciting partnerships to provide out-of-the-box integrations with the tools our customers leverage the most; and expansions to our best-in-class global GRC content library. 

    Mark your calendar for Tuesday, January 24, 2012 at 2:00 EST, and please attend our webinar to discuss the increased need for a converged GRC platform enabling holistic management of risk and compliance across the organization.  Joining me in the discussion will be guest Chris McClean, Forrester Research senior analyst and author of the GRC Wave research, and a panel of Fortune 500 organizations.

    Posted Dec 02 2011, 10:53 AM by Janna Bridges with no comments
  • Southern California Livin': The Costa Mesa Edition of the RSA Archer eGRC Roadshow

    by Jason Rohlf - November 21, 2011

    Ah, Southern California.  I don’t often have a chance to visit this section of the Golden State, so when I do I’m always quite taken by what this little nook of our great nation has to offer.  Beautiful weather, fancy cars, beaches, good food, palm trees, Disneyland, the Real Housewives of Orange County – the wonders of this region abound!  As I am apt to do when I travel, I try to assimilate myself with the locals to understand their perspective on the land they inhabit.  When in Rome, I always say!  So when I inquired of the fine members of the Archer Community’s Southern California contingent what they saw as the special hallmark of their region, they all seemed to point to one thing – the traffic.

    Having grown up around Chicago, I understand what bad traffic is.  That said, having visited SoCal I now have a greater appreciation for what bad traffic really is.  I heard horror stories of one-way commutes of one hour, two hours, even three hours and the lengths to which the folks residing in the area would go to cope.  Much of the morning small talk included lines of conversation such as “where did you come from?”, “what road did you take?”, “how long did it take you?”, “did you get busted driving in the carpool lane?” and the like.  As this particular event was held in Costa Mesa in Orange County, there were folks who had come down from Los Angeles and up from San Diego, and everyone was interested in everyone else’s commuting horror story.

    Since this was the Southern California edition of the RSA Archer eGRC Roadshow, my mind began to draw parallels between the everyday and the world of governance, risk and compliance.  To me, the traffic, or the looming specter of it, was the great unknown to these folks, much like the risks they sought to manage as part of their day-to-day responsibilities.  And much like these risks, the traffic wasn’t merely a one-dimensional concept that could be easily assessed – there were multiple variables (time of day, route, construction, distance) that added layers of complexity, and things could change from minute to minute – leave at 6:20 and you’re in the clear, leave at 6:35 and you’re taking that 9:00 call from the 405.  This got me thinking about how these folks could go about responding to the traffic, and naturally my thoughts drifted to the four standard responses to risk:

    • Accept – chance it, leave when you’re ready, be prepared to pay the price
    • Avoid – telecommute; call in sick
    • Transfer – have your neighbor drive you to work so you can drive in the coveted carpool lane without threat of the dreaded $341 minimum fine
    • Reduce – alter departure time and/or route

    Not surprisingly, out of all the GRC professionals who joined us in Costa Mesa, not one of them arrived late (OK, one person walked in during introductions but I’m not one to split hairs).  Couple this with the fact that we had a very good turnout for the event and one thing becomes very clear – GRC professionals have become keenly aware of risk and, more importantly, how to best address it.  They understood the risks (traffic), evaluated the situation, chose the correct response and were rewarded with great insight from our hosts at Deloitte and our friends at DirecTV and UST Global Systems, all of whom were good enough to share their experiences for the benefit of the broader audience.  Given that the exchange of business cards was as feverish as sixth-graders swapping baseball cards on the playground, one could easily conclude that the folks who took the time and effort to calculate the risks they faced were not disappointed. 

    There’s one other risk I haven’t mentioned yet – pileup risk.  Thankfully I’m not referring to the freeway variety of pileup – rather, I’m talking about the pileup that occurs when people take a day to participate in our roadshow – work, emails, tasks, life – they all pile up when not tended to, which is why we have such a great appreciation for those who take the time, the effort, the risk of joining us for what we hope is a valuable, educational and rewarding experience.

    Now if they could just stay off the 405 on Friday afternoon…

    Posted Nov 21 2011, 04:36 PM by Jason Rohlf with no comments
  • Mountain View, CA RSA Archer Roadshow – Why GRC Matters To Regular People Like Me

    Diana Alt - Product Manager

    Last week, I had the privilege of visiting the San Francisco Bay Area for the first time, and the added privilege of presenting at the Roadshow in Mountain View.  As a Product Manager for RSA Archer, my focus is the RSA Archer eGRC Platform that all of our core and value-add solutions are built upon.  Unlike some of my counterparts on the eGRC Solutions team, who have deep expertise in various GRC domains, I grew up in the software delivery world. During my time at RSA Archer, I have occasionally struggled to understand why GRC matters to anyone outside a legal department or information security group.  On Friday, as I looked at the roster of clients in attendance I realized why GRC matters to regular people like me.

    I've gassed up at Chevron many times.  I've had my personal e-mail account with Yahoo! for almost 15 years.  A couple of months ago, I sold some Lord of the Rings memorabilia via eBay and the payment transaction went through PayPal.  The computer I'm typing on right now has Intel inside.  My laptop at home has an NVIDIA video card.  My credit card and debit card bear the Visa logo.  Virtually every electronic device I touch has components from Applied Materials. And like millions, I have passed my fair share of time playing Words with Friends from Zynga.

    Every time I use one of these products, I am saying to the company - I trust you.  I trust you to protect my personal information. I trust that your product will be available when I need it.  I trust that my financial information will not be compromised.  I trust that you will help me conduct my life in a manner that is safe, efficient, convenient, and hopefully fun. I don't necessarily want to think about how you assess operational risks, or respond to vulnerabilities within your IT infrastructure, or ensure compliance to your security policies, but I sure want you to do those things.  At the end of the day, whether I realize it or not, I am relying on those processes to allow me to live my life more richly, and so are millions of other consumers worldwide. Regular people, just like me.

    Posted Nov 15 2011, 10:04 PM by Steve Schlarman with no comments
  • 2011 RSA Archer Roadshow at a City Near You

     

    The RSA Archer eGRC Roadshow will be in full swing throughout the autumn months, with stops in 15 cities across the U.S. and Canada. Join us for one of these free, value-packed user group meetings. Don't miss your opportunity to connect with fellow RSA Archer customers to discuss solution implementation strategies, along with trends and challenges in governance, risk and compliance.

    Register for one of the following Roadshow stops:

    Indianapolis - October 13      
    Denver - October 18                      
    Dallas - October 20    
    Cambridge, MA - November 3   
    Chicago - November 8       
    New York - November 10                
    Mountain View, CA - November 11    
    Costa Mesa, CA - November 15      
    Minneapolis - November 29    
    Philadelphia - December 1     
    Washington, DC - December 2       
    Atlanta - December 6                     
    Houston - December 6                   
    NEW DATE
    Toronto - December 8                    
    Seattle - December 15                  

    Don't miss the opportunity to network with fellow RSA Archer clients in your area and learn how others are solving common challenges in governance, risk management and compliance. Remember, these events are FREE! Register today for the city near you.

    Posted Nov 07 2011, 06:00 PM by LeighMutert with 1 comment(s)
  • ISF U.S. Chapter Meeting - Remembering the Basics

    One of the most refreshing moments one can experience is the reminder that things long ago learned and forgotten are still valuable and relevant.  It is the realization that "I learned everything I needed to know in kindergarten".   The added experiences from the time you first learned something and the time that you can apply it is the real value and can take your understanding to a new level.

    Last week I attended the North American chapter meeting of the Information Security Forum.  As usual, the discussion was excellent and we had top notch presentations.  I came away with some thoughts around our current challenges in information security.  Our threat landscape is impacted by the proliferation of mobile devices, the rise of hacktivism, the ‘consumerization’ of data, the continued barrage of malware, spear phishing, the list goes on and on.  All of these things make security professionals cringe.   We as information security professionals can feel compelled to keep challenging ourselves to find new answers to these new problems.  However, in some cases, we can fall into a trap that may lead us down the wrong path.   Obviously new challenges require new solutions, right? Not necessarily.

    Proactive controls - getting out in front of the issues and preventing as much as possible - represented a shift from reactionary and fire fighting security and remain an absolutely necessary effort.  However, with the increasingly complex threat environments facing organizations, we cannot forget the basics.   Managing threats to the organization takes a combination of proactive and reactive controls.  Understanding your general threat vectors and possible scenarios is important to identify ways to prevent bad things.  Acknowledging that something will always get through and you must be able to detect and respond quickly and effectively is invaluable to maintaining a balance. 

    The basic security tenets of awareness, detection and response are more important than ever these days.  With the continued stories of attackers "getting through the walls" via social engineering, phishing, backdoors, Trojans, etc., the need for an effective response process is paramount to proper threat management.  These are things that drove security many years ago and can sometimes get lost in the shuffle as we try to build higher, thicker walls around our data fortresses.  This goes back to my "knowledge learned long ago" message.  While you continue to build walls to keep the attackers at bay, don't forget the fundamentals that made us all good paranoid security people.  Plan for the worst, hope for the best, and expect something in the middle.

    Posted Nov 07 2011, 05:10 PM by Steve Schlarman with no comments
  • Dallas RSA Archer Roadshow - Quick Wins and Angry Bovines

    So here I am in Dallas at my second Roadshow of the week.   The city is a bustling, modern metropolis but somehow I always envision steers being herded onto ranches, cowpokes sauntering into saloons and gunfighters eyeing each other across a dusty street waiting for the final chime of the clock at high noon.  For some reason, Dallas always brings to my mind visions of the old West, cowboys and rodeos.  Now I am not the rodeo type but I hear 8 seconds can be the longest duration of your life if you are strapped on the back of a bucking bull.  In the blink of an eye, you can either be the victorious champion or be picking yourself out of the dirt bruised and battered.  I guess lasting those 8 seconds is a true example of a ‘quick win’.

    At the Dallas Roadshow, we had stellar presentations from our partner KPMG and our customer CVS Caremark.  KPMG outlined a multitude of case studies that they have worked on for their clients.  Each case study summarized a singular case where a GRC business problem was solved with a unique and innovative approach.  CVS Caremark led a wonderful discussion on their vendor management approach as an illustration of the power of the RSA Archer platform.  Both presentations gave the distinct perspective of approaching a business problem with a concerted effort and solving it completely with a strategically sound solution.  To me, these were more excellent examples of the definition of a ‘quick win’.

    'Quick' is definitely a relative term.  You have the bronco busting ‘8 seconds’ quick, you have the gunfighter ‘quick draw’ quick, and then you have the ‘GRC-identify-a-business-problem-and-solve’ quick.   There is certainly a big difference in the actual time duration of the ‘quick wins’ but there is no difference in the final outcome.  A quick win is one where the solution has been (relatively) swift and the result is effective and decisive.  These victories cannot be underestimated.   Is addressing the barrage of requests to the security team so they can focus on more strategic issues a quick win?  Is building a small, yet relevant, risk register to track risks and thereby building a foundation to take on more sophisticated processes a quick win?  Is just getting your arms around a business process catalog that truly depicts your operations a quick win?  Absolutely – on all accounts.

    One of the themes we hear from customers is “do I start small?” or “do I think big?” when it comes to GRC.  I say both.  Quick wins demonstrate progress and gain momentum; strategically designing your GRC program brings long term value and sustainability.  Both are necessary to succeed at implementing clear risk and compliance programs.  In Dallas, we saw examples of solutions that did both – built momentum and brought long term value.  I recommend thinking about how these elements can be brought to your GRC efforts.  You may think it is difficult but I would rather do that than be strapped to the back of an angry bovine.

    Posted Oct 24 2011, 09:55 PM by Steve Schlarman with no comments
  • Denver RSA Archer Roadshow - Mile High Simplicity

    It seems like it was just yesterday when we wrapped up the 2010 eGRC Roadshows but here we are again.  On Tuesday, I had the pleasure of participating in our Denver Roadshow, the second roadshow of 2011.  Our industry has had some interesting twists and turns this year.  Security threats continue to evolve; laws and regulations continue to pass; and industries continue to publish new and more detailed guidance.  All of these impact our GRC programs regardless of our company size or industry.  I am, as usual, happy to say the GRC world is in good hands.   At the Denver Roadshow, we had excellent discussions and an informative update on the current state of the GRC  from our partner Accuvant.  We also got an extremely interesting walkthrough of Western Union’s implementation of RSA Archer – affectionately named SIMON.

    Western Union’s presentation gave me much food for thought.  Their innovative and imaginative usage of RSA Archer to support their security program was inspirational.  It makes me jealous that they can pull the “SIMON says” out of their bag of tricks when it comes to talking about internal security practices.  Referencing a child's game sure makes things uncomplicated.  Techniques like this sound so simple yet are so powerful in delivering the GRC message to an enterprise.  Such is the challenge of security, compliance and risk management.  We must make the message understandable and actionable in a very complex business environment.   While we as GRC professionals may have to pull out “the regulators say so” or “the auditors make us”, the messages that resonate the most to the business are the simple, straightforward communications that strike the right chord.  It might not be as easy as saying “Simon says put up your hands” but this simplicity can make a world of difference when communicating risk or compliance requirements.

    While we all may not have the luxury (or creative inspiration) to call our internal controls system SIMON, we can take away this basic concept and apply it to our programs.  Creating a brand within your company to use when communicating to your employees can go a long way.  Simon says, “This is a great idea.”  Ok…now everyone can put their hands down.  Gotcha!  I didn't say "Simon says".

    Posted Oct 21 2011, 06:56 PM by Steve Schlarman with no comments
  • Indianapolis RSA Archer Roadshow - Notes from the Field

    While it was a gray day in Indianapolis, not a bit of that atmosphere crept into the auditorium at Sallie Mae yesterday as RSA Archer kicked off the first of 16 regional roadshows. We had great attendance, lively discussion, and customer presentations that drove home a message that GRC is coming into a new level of maturity - and resulting corporate priority - spurred by a need for proactive risk management and greater transparency.

    Transparency. There was a term repeated by several of the practitioners in the room, as well as speakers like Andy Weeks from Humana. He talked about moving away from point solutions and toward more mature, globally-adopted practices that allow business leaders to understand their organizations' needs, subsequently drive change, and evolve to processes that benefit from this increased transparency and availability of contextual data. The need for transparency is forcing changes in the way people work - and that is good if it is making the "front line" business leaders more successful.

    Sallie Mae told a story about their journey that reinforces this message. Their pre-GRC platform process involved complexity, manual processes, and reams of paper. The best laugh of the day was a picture of their storage closet that held more than 50,000 pages of audit materials, documenting 1500+ controls that overlapped and required constant re-work. Ultimately this process was consolidated, resulting in 400 integrated controls that supported a true "ask once, answer many" approach to compliance audits. The flexibility of their RSA Archer eGRC-based system now allows them visibility to cross-departmental compliance data, flexibility to address new regulations, and point-and-click reporting instead of manual spreadsheet collation. You've never seen a bunch of auditors more excited (well, outside of the group at an Archer National Summit, but those are stories for another day...)

    Humana summed up their mission this way: succeed with a GRC program not by implementing specific compliance measure after compliance measure, but rather through the creation of great business processes that happen to be efficient and effective risk and compliance management processes as well. It was repeated half in jest several times across the audience that the automation of a bad process just gets bad results faster. Definitely something to think about as we look at ways to evolve our GRC practices. 

    Posted Oct 14 2011, 08:57 AM by LeighMutert with no comments