RSA Risk Intelligence

RSA Archer Risk Intelligence
Harnessing Risk to Exploit Opportunity
June 4, 2014
Steve Schlarman
GRC Strategist
© Copyright 2014 EMC Corporation. All rights reserved.
Risk and Compliance
Where is it today?
Governance, Risk, & Compliance Today
A New Risk World
Global, technology and organizational factors have created significant risk landscapes for organizations.
We must focus on building sustainable risk programs that address the rate and velocity of risk in order to navigate that landscape.
A New Compliance World
Compliance can become a barrier to success or a competitive advantage. The path is decided by how well compliance processes are positioned for the future.
Since 2009
• 131 new major regulations enacted
• $70 billion in costs
In 2012
• 2,605 new rules
• 69 classified as major (>$100 Million annual impact)
In 2013
• 134 new rules enacted just by the EPA
Source: Heritage Foundation
We must focus on priority, on the flow of incoming regulatory obligations and on automation to turn compliance into a competitive advantage.
Opportunity and Risk
Schrödinger’s Cat
Risk or Opportunity?
Globalization, Big Data, Regulatory Change, Mobile, Cloud Computing
Risk AND Opportunity
The Opportunity Landscape
(Venn diagram) Three circles: What you are good at, What your market wants, What you want to do. The overlaps are labelled Passion and Opportunity.
The Compliance Burden
(Diagram: the Opportunity Landscape with a fourth area, What you have to do, overlaid)
• What you have to do: Compliance Activities ($216B, 87M hours); Risks (83%, 20%); Risk Management Maturity (-11%, +37%)
• What you are good at: Got it covered?
• What your market wants: “Must Haves”
• What you want to do: Passion, Opportunity
• Opportunity fuels growth, but there is no time to execute
Risk Intelligence
(Diagram: the same Compliance Burden landscape, with three moves marked)
• Transform Compliance (What you have to do: Compliance Activities $216B, 87M hours; Risks 83%, 20%; Risk Management Maturity -11%, +37%)
• Harness risks (the “Must Haves” and Got it covered? areas)
• Exploit Opportunity (Passion, Opportunity: fuels growth but no time to execute)
Change the Game…
Automate compliance, reallocate resources/budget to manage risk, and proactively exploit opportunity.
(Diagram: Governance, Risk and Compliance plotted on a Reactive to Proactive axis; Today’s GRC Focus sits at the reactive end, Risk Intelligence at the proactive end.)
Risk Intelligence
Harness risk to exploit opportunities for competitive advantage
• through better visibility,
• enhanced analysis, and
• improved metrics
to drive intelligent, streamlined actions, enabling the business to move quickly and predictably.
Intelligence Driven GRC
Intelligence-driven actions give you priority, results and progress.
Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress
Harnessing Risks…
(Diagram: the Opportunity Landscape, with What you have to do split into four numbered zones)
1. Core to Business; Vital to Success: Reputation, Ethics, Safety, Security, Resiliency
2. Market Table Stakes; Vital for Growth
3. Everything else…
4. Safety Net
Other labels on the diagram: The HIGH RISK Wedge, “Must Haves”, Got it covered, What you are good at, What your market wants, What you want to do, Opportunity.
Exploiting Opportunity
• Obligated Differentiators: Build and support the Business Case
• Elective Differentiators: Freed-up resources to build on core competencies
• Improvement Wedge: Streamline processes, free up resources, encourage and enable continuous improvement
• High Risk Wedge
– Drive through the Risk Frontier (“Must haves” adjacent to what you are good at) with Quick Wins and steady progress
• Opportunity Landscape
– Protect the Innovation Frontier (Opportunities adjacent to what you are good at) through reduction of risk in new products, services and market initiatives
(Diagram labels: Risk Frontier, The HIGH RISK Wedge, Obligated Differentiators, What you are good at, Elective Differentiators, Improvement Wedge, Innovation Frontier)
The Journey
Moving Towards Risk Intelligence
Building Risk Intelligence
Stakeholders: Board, CIO, LOB Executives, CISO, Business Operations Managers
Business and IT both feed Risk Intelligence.
IT risks:
• Security threats
• IT disruptions
• Poor misaligned IT practices
Shared risks:
• Risks inherited from outside providers
• Harmful operational events
• Operational compliance failures
• Unknown, unidentified risks
• Significant business crises
Business risks:
• Regulatory violations and fines
• Business disruptions
• Poor misaligned business practices
• Poor internal controls and governance
RSA Archer
Building Risk Intelligence
Risks to address:
• Poor internal controls and governance
• Unknown, unidentified risks
• Poor misaligned business & IT practices
• Operational compliance failures
• Inherited risks from external parties
• Regulatory violations & failures
• Security Threats
• Business disruptions
• Significant business crises
• Harmful incidents & events
• IT Disruptions
Capabilities that address them:
• Identify, assess & track emerging & operational risks
• Independently review & assure management actions
• Manage the lifecycle of 3rd party relationships
• Establish business policies & standards
• Establish IT policies & standards
• Implement and monitor controls
• Identify & meet regulatory obligations
• Identify & resolve security deficiencies
• Detect & respond to attacks
• Manage crisis & communications
• Catalog & resolve operational incidents
• Identify & prepare business resumption strategies
• Prepare for & recover from IT outages
Building Risk Intelligence
The capabilities grouped by RSA Archer solution:
• Audit Management: Independently review & assure management actions
• Operational Risk Management: Identify, assess & track emerging & operational risks; Catalog & resolve operational incidents
• IT Security Risk Management: Establish IT policies & standards; Identify & resolve security deficiencies; Detect & respond to attacks
• Regulatory & Corporate Compliance Management: Establish business policies & standards; Implement and monitor controls; Identify & meet regulatory obligations
• Third Party Management: Manage the lifecycle of 3rd party relationships
• Business Resiliency Management: Manage crisis & communications; Identify & prepare business resumption strategies; Prepare for & recover from IT outages
Drivers…
(Diagram: the six solutions, Audit Management, Operational Risk Management, IT Security Risk Management, Regulatory & Corporate Compliance Management, Third Party Management and Business Resiliency Management, surrounded by the extensions and integrations that build on them)
Extensions:
• Model Risk Management
• Privacy Program Management
• Code of Federal Regulations
• Legal Matters Management
• Stakeholders Evaluation
• Regulatory Change Management
• Market Conduct Management
• Foreign Corrupt Practices Act (FCPA)
• Conflict Minerals
• ISMS Foundation
• Access Risk Management
• Key & Certificate Management
• Unified Compliance Framework
• Environmental Health & Safety
• Anti-Money Laundering
• PCI Compliance
Security integrations:
• RedSeal Networks
• Veracode Security Review
• McAfee Vulnerability Manager
• Skybox Security Risk Control
• Qualys Guard
• WhiteHat Security Sentinel
• Advanced Reporting & Governance for Authentication Manager
• CloudPassage
• Rapid7 Nexpose
Persona-centric
(Diagram: the same risk-to-capability-to-solution map as the Building Risk Intelligence slides, viewed from the Chief Risk Officer persona.)
Issue-centric
(Diagram: the same risk-to-capability-to-solution map, viewed from a single issue, Supply Chain Resiliency.)
Benefits of a Risk Intelligence Approach
Better, more predictable decision-making; greater business opportunity; better business performance
• Comprehensive Business Context
• Prioritized Decisions Based on Impact
• Predictable Outcomes
• Embrace Known Risks to Exploit Opportunity
• Transition from Defense to Offense
• Improved Allocation of Resources/Budget
• Align Risk Objectives to Business
• Grow Opportunities
Planning Your Journey
Three stages of maturity:
• Siloed: compliance focus, disconnected risk, basic reporting
• Managed: automated compliance, expanded risk focus, improved analysis/metrics
• Advantaged: fully risk aware, exploit opportunity
Along the way, from Compliance through Risk to Opportunity:
• Reduce compliance cost & resource
• Manage known & unknown risks
• Gain risk visibility
• Identify new business opportunities
Siloed
The CEO & CISO ride the elevator…
CEO: “So how’s security these days?”
CISO: “We rolled out the last Microsoft security patches in less than 30 days, we shut down 50 virus infections and we passed our quarterly vulnerability scan for PCI. Soooo…. that’s all good stuff.”
Managed
The CEO & CISO ride the elevator…
CEO: “So how’s security these days?”
CISO: “We did an end to end review of customer record processing, found a few issues but resolved them. We also rolled out some special controls to support “Project Barracuda” – which I know is one of your key objectives.”
Advantaged
The CEO & CISO ride the elevator…
CEO: “So how’s security these days?”
CISO: “I have a great idea on how to give customers secure access to their information that will blow the socks off our competition. Let’s talk about it over lunch.”
Enterprise Risk
ERM & ORM Trends
Market Observations & Trends - ERM
• The level of maturity of ERM programs varies greatly by industry, and by company within the same industry
• Agreement on taxonomy, framework, and approach remains a challenge
• Getting all silos / stakeholders on board and working together is a never-ending process
• Regulated companies are under increasing pressure to demonstrate risk management capabilities
The Perfect World
(Diagram: an ORM Dashboard that rolls up an IT Risk Dashboard, which in turn rolls up an IT Security Risk Dashboard)
• ORM Dashboard: Operational Risk; Third Party Risk; Liquidity Risk; Market Risk; Credit Risk; Strategic Risk; ORM Risk Areas #2 to #6
• IT Risk Dashboard: IT Risk; Resiliency; Service Levels; IT Operations; IT Compliance; Security
• IT Security Risk Dashboard: Network Security; Application Security; Physical Security; Threat Intelligence; Security Incidents; Vulnerability Management
The Drive for Sophistication
• Desire to better anticipate and predict risk
– Historical event analysis alone is not an adequate predictor of the future
– What-if scenario analysis and “black swan” identification
– Growing use of metrics (breadth, collection speed, & governance)
– Identification of leading causal indicators
– Data trending (metrics, meta-data, unstructured data)
– Capturing changes in risk profile on an on-going basis
• More sophisticated risk assessment
– Use of quantitative and qualitative risk assessment
– Advanced analytics
Key Archer Capabilities
• Questionnaires
– Target asset types and identify common risks across assets
• Risk Register
– Catalog risks and track inherent/residual risks
– KRIs and Metrics
– Issues and Control Compliance
– “Calculated Residual Risk”
• Loss Events and Incidents
• Rollups and Reporting
• Risk Specific Monitoring
– Security Operations
– Vulnerability Risk
– Resiliency Risk
– Compliance Risk
– Third Party Risk
RSA Archer and ISO 31000
(Diagram mapping Archer components onto the ISO 31000 risk management process: Enterprise Management; Dashboards and Reports; Workflow and Notifications; KRIs/Metrics; Loss Events; Questionnaires; Risk Register; Controls and Issues Management)
Introduction to RSA Archer
RSA GRC Reference Architecture
RSA Archer Ecosystem
(Diagram)
• Partners: 50+ Partners
• Solutions: 100+ Use Cases; Content & Reports; Workflows
• Expert Services
• Community: Online; Technology; Summit; Advisory; Executive Forums; Service
• RSA Archer GRC Foundation: Platform; Business Fundamentals; Data Exchange; Business Logic; Solution Exchange
RSA Archer Foundation
All key components required to lay a strong foundation for your enterprise-wide GRC program.
Business Context
• Core Modules: Business Process; Business Objectives; Products & Services; Facilities & Locations; IT Infrastructure; Applications; Information Assets; Organizational Hierarchy; Organizational Units & Departments
• Visualization
• Consolidated Data
GRC Foundation
• Branding
• Workflow
• Roles/Responsibilities
• Central Repository
• System Auditing
• Calculations
• Data Management
• Search & Reporting
• Role Based Access
• Questionnaires
• Mobile Access
• Solution Configuration
Data Integration
• Common Taxonomies
• Common Data Model
• Data Import
• Integration APIs
• Data Mapping
• Pre-built Data Connectors
• Multiple Transport Modes
• Scheduled Data Feeds
• Data Publication
RSA Archer Solutions
(Diagram: three layers)
• Use Case Specific Solutions: Environmental Health & Safety; Stakeholder Evaluations; Regulatory Change Mgmt; PCI; ISMS; UCF; Code of Federal Regulations; Anti-Money Laundering; Key & Certificate Mgmt
• Core Modules: Policy; Incident; Security Operations; Risk; Vendor; Vulnerability Risk; Compliance; Audit; Business Continuity
• RSA Archer GRC Foundation
RSA Archer Partner Ecosystem
50+ partners for data transfer, content and services
RSA Archer Community
• GRC Summit: 120+ sessions; Annual event since 2003; 800+ GRC practitioners; F2F access to product experts
• Online Community: 10,000+ Archer members; Interactive online community; Access to expert content; Ideas, requests and more
• Exchange: Access to GRC content; Certified new apps; Plug-ins and integrations; Services, ideas and more
• Roadshows: Peer best practice sessions; Peer to peer networking; Available at a city near you
• Customer Advocacy: Annual event since 2007; Executive Forum; Key Finding Reports; Customer Advisory Council
• Working Groups: Birds-of-a-feather groups; Periodic meet ups; Influence product roadmap; Facilitated by Archer and/or interested customers
Critical Criteria
• TCO: Automation of tasks; Code-free configuration; Flexible deployment
• Time to Value: Out-of-the-box functionality; Start small, grow fast; Mature service offering
• Ecosystem: Technology partners; Solution libraries; Customer advocacy; Communities
Industry Leadership
• Leader in eGRC MQ for 2013
• Leader in Forrester GRC Wave
• Leader in BCM MQ for 2013
• Leader in IT GRC MS for 2013
• Quoted as “the most mature offering in many occasions”
43+ countries; 850+ customers; 50 Fortune 100 companies; 25+ industries