Governance, Risk and Compliance News
Page 5 of 62 (615 items)
  • Moving Up the Maturity Curve with a GRC Strategy Roadmap

    by David Walter – May 10, 2010

    If you attended any of our GRC Roadshows last fall or the Archer GRC Summit in April, you’re familiar with a predominant topic of discussion within the Archer Community: the need for a strategic roadmap to guide the implementation of an effective, sustainable enterprise governance, risk and compliance program. Our customers understand that GRC is not just about technology. It’s about bringing together people, processes and technology and defining a common vision for how these three elements work together. After all, the concept of GRC is all about collaboration to ensure that the business achieves its objectives and stays within the boundaries of the rules that govern it.

    For many of our customers—both new and long-term—the need for a GRC roadmap stems from the desire to advance their program maturity from tactical to strategic and from isolated to collaborative. John Hagerty of AMR Research does a great job of describing how organizations move from “reacting” to “anticipating” to “collaborating” and finally “orchestrating” in the GRC Maturity Model. (For more on this, view a recent webcast with John.)

    But how do you get from one phase of GRC maturity to the next? That’s the question many members of the Archer Community are focused on answering. Consider this survey data from last month’s Archer GRC Summit:

    Participants indicated that their biggest business challenges include:

    • Managing tactical implementations that need to align to a strategic roadmap for GRC
    • Getting buy-in and maturing GRC processes
    • Providing an end-to-end view of business processes, risks and compliance objectives

    They also reported that current challenges impeding collaboration include:

    • Dealing with organizational silos (91% of survey respondents)
    • Overcoming a lack of communication (51% of survey respondents)

    Even organizations with the most sophisticated technology platform at the heart of their GRC initiatives can struggle to advance their program maturity if they haven’t aligned their people and processes. This is where a strategy roadmap plays a huge role.

    For those of you who are unfamiliar with a GRC strategy roadmap, it begins with identifying all of the business processes that fall under an organization’s GRC umbrella, determining the process owners and subject-matter experts, and getting those individuals together to discuss pain points, workflow, dependencies, complexity, desired future state and supporting technologies (or lack thereof). After the interview phase comes an analysis of each business process to identify opportunities for automation and to flush out redundancies. The results of these analyses are delivered to a cross-functional leadership team to facilitate a big-picture discussion of the organization’s GRC program—its vision, goals, components, stakeholders and underlying technologies.

    Through these discussions, the organization defines a tactical, phased approach to GRC program implementation and frames a common strategy that will allow it to progress to a desired state of GRC maturity. This common strategy also enables collaboration across the organization. After all, no company has a Chief GRC Officer. There are many, many stakeholders involved, and the success of a GRC program depends on how well those stakeholders engage with one another to share information and integrate their efforts for a holistic view of risk and compliance across the enterprise. 

    The Archer Community is pretty passionate about the GRC strategy roadmap, and many members are going through the roadmap process as we speak. A large number of our customers are also looking to the Archer team for guidance in this effort, based on our experience in helping some of the world’s largest and most influential companies build and mature their GRC programs over time. Our GRC Strategy Roadmap service takes customers through a six-phase project in a matter of weeks, not months, and the final deliverables include a formal strategy document and an Archer application through which the organization can manage its GRC program implementation over time.

    I invite you to submit your feedback on the GRC strategy roadmap here on the Archer Blog. Specifically, I’d like to hear your thoughts on the questions below. Please note that your responses will be posted anonymously.

    What are your biggest challenges in getting stakeholders across your organization aligned on a common GRC vision and strategy?

    Have you developed a strategy roadmap for your GRC program? If so, what value have you seen from this initiative?

  • Multi-Dimensional Risk Inputs: A Challenge That’s Worth Embracing

    by Steve Schlarman – May 7, 2010

    A few weeks ago, I wrote about the convergence of business data and risk management techniques to improve understanding of the “likelihood” part of risk assessments. Those thoughts were fueled by discussions at the Archer GRC Summit that highlighted the improved decision-making capabilities of companies that are organizing and gathering data on a more consistent basis and integrating it into the risk management process. I recently read an interesting essay via Bruce Schneier’s blog, exploring the root cause of the airline shutdowns in Europe in response to the volcanic activity in Iceland. The essay explored the impact of “worst-case” thinking on managing risks, and I realized there was an interesting connection between the essay and my recent blog post.

    The essay focuses on how authorities reacted based on the worst possible scenario when analyzing the impact of the ash cloud over the European continent and the resulting decision to ground all airline traffic. Taken into the world of IT, this would be akin to dropping all Internet connectivity based on the “worst case” scenario of a major breach and the resulting reputational or actual losses. In fact, if we were to focus on ALL of the worst-case scenarios, most companies would go back to pen-and-paper records and forgo computers altogether. However, the reality is completely the opposite: companies are embracing technology faster than ever. So we, as GRC professionals, are challenged to understand the “worst cases” and to determine the most effective and efficient methods to protect against these scenarios.

    This leads me to continue my exploration of integrating actual data from business operations into GRC processes. Most often, there are two inputs into risk management decisions: 

    • Anecdotal, qualitative information
    • Tangible, quantitative information

    Anecdotal, qualitative information flows in via questionnaires, manual assessments and other similar activities. Performing risk assessments via stakeholder interviews is one example of this type of input. These risk assessments can highlight tactical issues that can be tracked and remediated individually. If the risk assessments are conducted over a solid sampling of targets, such as performing an application risk assessment against a set of applications, consistent failures may indicate a systemic issue with specific controls. For example, if applications within the application risk assessment consistently fail questions related to change control, then there may be an issue with the change management processes. This may indicate a risk related to managing changes to applications or infrastructure within IT operations.

    Tangible, quantitative information is harder to come by but can really improve the picture. In my previous blog entry, I cite system utilization events or data access attempts as examples of actual numbers associated with potential risks. This is the type of data resident in operational systems that can be mined to give insight into potential risks. However, this data also must be planned for—meaning, for instance, that the systems generating the data must be configured to log events and the organization must have the capability to gather that data together into a single place for mining. Security information and event management (SIEM) systems such as RSA enVision can be a fantastic source of this type of tangible data.

    Combining qualitative and quantitative information can be a challenge, but the value of multi-dimensional inputs into the risk analysis process is significant. I’m sure European authorities would have liked to have more data before grounding flights and dealing with the economic and social impact of their decisions. As GRC professionals, we should look to define anecdotal indicators of risk as well as tangible metrics as inputs into our decision processes. This approach must be paired with studying the capabilities of the organization to generate both types of data. In other words, how well can the organization sample qualitative evidence of potential risks and gather empirical event data into one picture?

    Tactically speaking, this translates into an organization’s capability to build consistent risk assessment content, such as common questionnaires, and to sample a broad set of targets to get enough data to identify systematic issues. Secondly, metrics and associated data (measurable, trackable, identifiable events) must be defined and gathered. Both highlight the need for technologies to support risk management processes and a continued evolution of the risk analysis processes. The end result—having qualitative and quantitative inputs into the risk decision process—is a substantial enhancement to the risk management capability of the organization.

    If you’re interested in hearing more on this subject, I invite you to join me for an upcoming webcast that I’ll be co-presenting with Sam Curry and Paul Stamp of RSA. We’ll show the integration of RSA enVision and Archer, and we’ll discuss how this integration provides an organization with a broader view of their risk landscape and a more efficient, cost-effective way to handle compliance challenges.

    Here are the details of this event:

    When: Tuesday, May 18 at 2 p.m. US Eastern
    Registration: http://info.rsasecurity.com/2010Am/webcast/100518_Archer_Compliance/online.html

    I hope you’ll plan to join us.

  • Visit the Archer Team at EMC World

    May 7, 2010

    The Archer team is excited to participate in our first EMC World next week in Boston. This event is the ultimate educational forum for EMC customers and partners, where you can:

    • Participate in 500+ breakout sessions, technology updates, keynotes, lectures, live demos, workshops and birds-of-a-feather discussions
    • Network with thousands of your peers from around the world

    If you’re attending, we invite you to stop by the RSA booth (#321) to meet with Archer GRC experts and tour our solution offerings. You can also connect with David Walter, director of eGRC solutions, in his session on Leveraging an Automated Approach to GRC to Reduce Risks and Costs.

    We hope to see you there!

  • GRC Strategy Roadmap Webcast


    Evaluate your GRC maturity, identify core processes and implement a phased
    approach to achieve your desired GRC strategy.

    Whether you’re just starting your governance, risk and compliance (GRC) program or you already have one in
    place, it can be difficult to know where to begin or how effective your current approach is. To build a successful
    enterprise GRC program, you need a solid roadmap for aligning people, business processes and information
    across the organization.

    Register today for this free webcast to see how the Archer GRC Strategy Roadmap service enables you to:

    • Evaluate your existing GRC processes to identify areas for optimization and collaboration
    • Document the vision and scope of your desired GRC program across business units
    • Identify opportunities for integration among enterprise systems and points solutions
    • Prioritize the implementation of business processes within the Archer GRC platform
    • Monitor the ongoing progress of your GRC program with the Archer Strategy Roadmap application


    Tuesday, May 11
    1-2 p.m. US Central
    2-3 p.m. US Eastern

    Let the Archer GRC Strategy Roadmap service help you realize short-term value while building a solid foundation
    to support your long-term goals. Register today.


    Posted May 07 2010, 09:08 AM by Demian Tallman with no comments
  • New Qualys Integration on the Archer Exchange

    May 6, 2010

    We’re pleased to announce that Qualys®, Inc., a leading provider of on-demand IT security risk and compliance management solutions, and RSA, The Security Division of EMC, have expanded their technology collaboration to make QualysGuard® vulnerability management and IT policy compliance data available on the Archer Exchange.

    The integration of QualysGuard Policy Compliance (PC) with RSA’s Archer GRC Framework is designed to allow organizations to automatically import comprehensive PC scan information and report on misconfigurations identified on their global assets in a single view. They can then assign ownership to individual issues, track remediation efforts or accept the associated business risk.

    The Qualys and RSA integration helps enable joint customers to:

    • Quickly report on misconfigurations affecting business-critical assets
    • Measure the effectiveness of technical controls against corporate security policies
    • Map security issues to business applications and roll up risks across the enterprise
    • Access centralized compliance reporting in one location

    This pre-built integration is available on the Archer Exchange, an online marketplace supporting enterprise governance, risk and compliance (GRC) initiatives. Companies can download the QualysGuard Policy Compliance (PC) integration package and import it into RSA’s Archer GRC Framework with no services or development resources needed.

    “IT organizations are constantly challenged with expanding regulatory requirements, changing threats, and shrinking or static security budgets,” said Philippe Courtot, chairman and CEO of Qualys. “We are pleased to expand our integration with RSA’s Archer GRC Framework to offer customers a scalable and cost effective solution to assess risk and collect IT compliance data for all systems within their networks at a cost they can afford. The joint solution helps our customers make informed decisions based on IT risk management.”

    According to recent Gartner research*, “By facilitating the mapping of controls to specific IT resources, and by automating the collection and reporting of information on the degree to which those controls are being performed, IT GRCM can be used to improve an organization's external audit posture, reduce compliance reporting costs and improve an organization's capability to address IT risks.”

    QualysGuard Policy Compliance allows security managers to collect compliance information from hosts and systems on a global scale. It extends the global scanning capabilities of QualysGuard Vulnerability Management to collect operating system configuration and application access controls from hosts and other assets within the enterprise, and maps this information to user-defined policies in order to accurately document compliance with security regulations and business mandates.

    “Through the integration of Qualys with the RSA’s Archer GRC Framework, our customers will be able to expand their view of vulnerability and compliance issues, making it possible to proactively address potential and existing organizational compromises and expedite compliance reporting,” said Jon Darbyshire, Archer General Manager for RSA, The Security Division of EMC.

    For more information on the QualysGuard integration package on RSA’s Archer Exchange, visit https://exchange.archer-tech.com/offering/5451.aspx.

    * Source: Gartner Research “Critical Capabilities for IT Governance, Risk and Compliance Management”, April 16, 2009 by Mark Nicolett and Paul Proctor.

    Posted May 06 2010, 09:50 AM by Sarah Nord with 1 comment(s)
  • Archer GRC Summit Photos Now Available

    May 5, 2010

    We’re pleased to announce that a slideshow of the 2010 Archer GRC Summit is now available. This event brought together 350 governance, risk and compliance experts from around the globe to share how their organizations are solving key GRC challenges through Archer solutions. With more than 30 educational sessions led by clients, partners and product experts, the Summit featured an extraordinary level of interaction and knowledge sharing among many of the world’s most influential companies. Thanks to everyone who helped make this event a resounding success!

    If you have photos of the Summit experience that you’d like to share with the Archer Community, please email them to events@archer.com, and we’ll add them to the slideshow.

  • Simplifying and Synthesizing GRC Offers Tangible Business Benefits

    by Steve Suther – May 4, 2010

    At our recent Archer GRC Summit in sunny Orlando, Florida, I had a great conversation over drinks and dinner with some of our partners at Ernst & Young. It was a great validation to hear from them that what I’ve seen across our mutual customers is the same as with theirs: a marked shift toward what some are calling “convergence” of their governance, risk and compliance (GRC) activities within and across their organizations. It shouldn’t be all that surprising when you take a deeper look at the marketplace.

    The number and frequency of risky events that create negative headlines and public relations nightmares for companies have magnified the critical importance of GRC to their ongoing financial viability. The instability of financial markets has further amplified the interdependence of various risks across an enterprise that, in the end, must be managed holistically rather than in the traditional siloed manner. Add to this the fact that, historically, organizations have spent time and money developing or purchasing “point solutions” to address newly emerging laws, regulations or risk frameworks, and it’s easy to understand how far away from GRC convergence many of us are these days.

    So what’s the issue? Well, for a start, managing risk and compliance in silos is both expensive and cumbersome. This fragmented approach limits an organization’s ability to streamline governance, risk and compliance processes and reduce the time and effort spent managing them, and it obscures the opportunity to integrate this ecosystem of data to gain a holistic view of the company’s risk posture at any point in time. What are some examples of the risks I’m writing about needing to understand holistically? How about strategic risk, operational risk, credit risk, market risk, IT risk, regulatory risk, and since it’s so topical this week, environmental risk…just to name a few.

    Whatever risk factors, and frameworks used to manage them, are significant across your organization, the goal must be to integrate them within a single discipline that produces a holistic picture of your risk landscape. As an example, you wouldn’t necessarily want one system for managing risk assessments for operational risk and a different system for regulatory compliance. Similarly, what’s the ultimate value of different systems for handling loss events separately from privacy impact assessments?

    Reducing the complexity of GRC initiatives through this type of convergence is certainly a goal for organizations facing the challenges outlined above. It can enable them to:

    • Reduce the fatigue of “assessment overload” by allowing them to assess once and satisfy many requirements simultaneously
    • Eliminate the political turf wars that historically required too much cultural change to be successful by making risk management a part of everyday business
    • Quickly adapt their GRC framework to meet ever-changing requirements while minimizing impacts to their business operations
    • Provide risk information that’s actionable by the right people at the right time—up, down, and across the organization
    • Use one solution to adapt an organization’s unique GRC methodologies gracefully over time, with lower costs and less deployment effort

    Simplifying and synthesizing GRC processes for organizations presents a fantastic opportunity to embed GRC into the DNA of an organization, thereby making it an enabler of effective and profitable business rather than a challenge to be overcome. Where do you think your organization is along the GRC convergence learning curve?

    Upcoming Webcast
    This topic of reducing GRC complexity—and ultimately the cost of GRC initiatives—will be the subject of an upcoming webcast the Archer team is co-presenting with our RSA colleagues. Join us on Tuesday, May 18 at 2 p.m. Eastern to learn how the integration of RSA® enVision with Archer GRC solutions is helping organizations to eliminate disjointed, manual and inefficient processes to reduce the cost of compliance. You can also learn more about this integration out on the Archer Exchange.

  • Vendor Management Webcast

    Automate and streamline the ongoing oversight of your vendor relationships.

    Register today for this webcast to learn how you can establish a lower-cost, higher-quality vendor management process through a centralized repository of vendor data, clear reporting of activities related to vendor risk, and a consistent and repeatable assessment process.

    Tuesday, May 4
    1-2 p.m. US Central
    2-3 p.m. US Eastern

    Don't miss this webcast! Register today.


    Posted Apr 30 2010, 04:37 PM by Demian Tallman with no comments
  • Archer GRC Goes Global

    by Jon Darbyshire – April 29, 2010

    Since joining the EMC family in January, we’ve had many exciting opportunities to introduce international companies to the Archer governance, risk and compliance (GRC) solution suite. As I write this, I’m traveling through China, Japan, India, Singapore and Australia, meeting with customers, partners and colleagues from RSA and EMC to share our vision for best-in-class GRC programs. Our entire team has also traveled extensively across Europe, Asia, Australia and South America in recent months, leading discussions and delivering training to organizations that are seeking ways to reduce the cost and complexity of their risk management and compliance initiatives.

    Here are some of the locations we’ve visited:

    • Tokyo
    • Hong Kong
    • Bangalore
    • Mumbai
    • Singapore
    • Melbourne
    • Sydney
    • London 
    • Paris
    • Rome
    • Stockholm
    • Edinburgh
    • Amsterdam
    • Toronto
    • Montreal

    So what does this international expansion mean to our customers? More service, support and value from their investment in Archer GRC solutions. As we educate our partners and RSA/EMC colleagues on the capabilities of the Archer SmartSuite Framework, our customers will have increasing access to technical support and consulting services around the globe. This is particularly important for organizations that have rolled out their Archer implementation on a global basis and to those who are considering this option.

    As part of our international expansion, we’re also working to deliver localized content, including regulations for specific markets, such as the Comisión Nacional Bancaria y de Valores de Mexico requirements. Additionally, we are responding to customer requests for globalization of the Archer SmartSuite Framework. If you’re a member of the Archer Community, you can learn more out on the Archer Idea Exchange.

    This is an exciting time for the Archer team as we expand our global reach and engage with the EMC family around the world in support of our customers’ GRC initiatives. If you have specific needs for international content and product capabilities, please post your requests on the Idea Exchange and vote for ideas submitted by your peers. I also invite you to give us your feedback here on the Archer GRC Blog.

  • Thanks for a Record-Breaking Archer GRC Summit

    by Jon Darbyshire – April 23, 2010

    Last week in Orlando, the Archer Community gathered for the 7th annual Archer GRC Summit, and I’m excited to report that this record-breaking event was a resounding success. With 350 attendees this year, we saw a 46% increase in participation over 2009 and an unprecedented level of interaction among our customers, partners and product experts. For everyone who attended, thank you for spending three days of your valuable time to network with your peers in the Archer Community, share your knowledge and work collaboratively to advance GRC programs and practices.

    Here are a few impressive Summit stats:

    • 32 educational breakout sessions led by our customers, partners and Archer/RSA product experts
    • 214 participants in our Working Group sessions on Risk, Incident, Audit, Policy, Business Continuity and Vendor Management
    • 17 total hours of GRC education, which attendees can apply as CPE credits

    Throughout the keynotes, panel discussions and breakout sessions, a number of themes emerged from this year’s Summit:

    • The Future of GRC – The convergence of IT-GRC and Business GRC by taking inputs from diverse data sources, applying best-in-class content to the data, and leveraging workflow, notifications and dashboards found in a platform approach to enable business processes and informed decision making

    • GRC Strategy Roadmap – The benefits of defining a strategic GRC roadmap that provides a tactical phased implementation plan, gets all stakeholders involved in the process and buying into the idea of GRC, and flushes out dependencies and redundancies—leading to more automation and cost savings

    • Power of the Community – The value of bringing together business and technical leaders from across the Archer Community for working groups, panel discussions, breakout sessions and one-on-one conversations to solve common challenges and influence GRC programs today and into the future

    Summit attendees have offered a great deal of positive feedback on the value of the event, and I’d like to share a few quotes with you here:

    “The conference was the best I have ever been to—saying a lot—been to a lot of conferences.” 

    “The Summit was a very valuable experience for all of us.”

    “Just want to say thanks, I enjoyed every bit of the Summit and appreciate Archer for allowing me to be part of it.”

    It’s incredibly rewarding to hear from our customers how the Archer team is taking care of their needs and delivering value through innovative GRC solutions, world-class events and exceptional customer care.

    So what’s next? In the days and weeks to come, you’ll see a number of communications about the availability of Summit presentations, CPE credits, photos and videos. Here’s a timeline for these materials:

    • Presentations – All Summit presentations are currently available in PDF form in the Archer Community.
    • CPE Credit Confirmation – Summit attendees will receive an email today with the number of Continuing Professional Education (CPE) credits they earned at the Summit.
    • Photos – A slideshow of Summit photos will be available early next week.
    • Videos – In mid-May, Community members will have access to video footage of the Summit keynotes and breakout sessions on the Video tab of the Archer Community.

    To close, I’d like to thank all of our Summit participants—customers, partners and the Archer/RSA team—for sharing their expertise and providing their input on our GRC product roadmap. The depth of knowledge and willingness to collaborate within the Archer Community never ceases to amaze me, and I am truly privileged to work alongside GRC visionaries from some of the world’s most influential organizations. Thanks to everyone who helped make the 2010 Archer GRC Summit our largest and most valuable user group event to date.
