Announcing RSA Archer GRC 6.1

RSA Archer GRC 6 (6.0) was launched in November 2015 under the theme “Inspire Everyone to Own Risk.”  GRC 6 focused on providing organizations with an industry leading GRC platform to transform risk management by engaging everyone within an organization in the risk process. Today, organizations must implement the “three lines of defense,” making risk…

Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise

In April, I wrote two blogs (How Hungry… and Appetite and Exercise) on the concept of risk appetite. I highlighted the fact that organizations must take on risk to drive growth within the business. That risk must be balanced with activities to manage the risk within a tolerance that is acceptable to the organization. Some…

Appetite and Exercise

In my last blog post, I posed the concept of Cyber Risk Appetite as something that all organizations need to consider today.  I used the analogy of a balanced diet of risk – taking some risks to keep the business growing while avoiding so much risk that the business becomes bloated.   The objective is to…

How Hungry is your Organization?

As someone that tries to watch my diet, I know how hard it is to deal with your own appetite. Several things that are my weakness – fresh bread, cold beer, pizza, the list goes on – are definitely not the best elements for a balanced diet.  Most of the time I am able to deal…

Know your Gaps; Take Action

Issues – we all have them.   I should clarify that statement.   I am not talking about you personally or referring to the ‘lie on the couch, tell me about your relationship with your mother’ types of issues.  I mean – all organizations have issues.   Some are big and some are little but all organizations find…

Introducing RSA Archer GRC 6 – Inspiring Risk Management

There is no question organizations today are in a rapidly changing risk environment and the pressure to improve risk management practices is being driven top down from boards and executives. Managing a cultural shift from the reactive checking the box of compliance to a more proactive risk management model requires change and participation across the…

Marty, the Maestro and the Crown Jewels

Security.  Vulnerability.  Threats. Defense.  For those of you in ‘the risk industry,’ these words roll off your tongue with the practiced agility and grace of a seasoned ballet principle.   We use these words as a carpenter operates a saw and hammer, like a musician manipulates an instrument, like a writer brandishes a pen and paper. …

A Pivotal Year

For the past several years, the information security industry has been saddled with labels annually. 2013: year of the breach; 2014: year of the BREACH (we really mean it); 2015 year of the MEGA breach (its gotten worse!). And with those labels every year I hear the phrase ‘this is a pivotal year in the…

Plan Your Journey to Wally World

Earlier this month, I wrote a blog about Information Security Metrics and their place in driving program maturity.  Every organization today is striving to be more mature in its information security program.  Given the constant deluge of media reports on hacks and attacks, security maturity has become a business imperative.  Metrics is one tool in the…

Mind Your Metrics

Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services.  The roundtable topic was Information Security Metrics programs – every security manager’s favorite.  Why?  Because security is so squishy.  What metrics could effectively capture the state of something that changes on a regular basis, has no…