Starting with the End in Mind: the Need for Security Governance

Under the leadership of CyLab Adjunct Distinguished Fellow, Jody Westby, the CyLab team gathered information from CEOs, CFOs, CROs and board members of the Forbes Global 2000 regarding security governance practices in their companies. The results showed significant gaps in security governance in more than half the respondents. Even for someone like me who tends to see the glass as half-full, this is a major concern in a world of increasing threats to information security.

The “Dynamic Tower”: Security as a Process

The Security for Business Innovation Council report published last month lays out a roadmap for responding “When Advanced Persistent Threats Go Mainstream” (as the report title puts it). One of the most important recommendations in that report is captured by Roland Cloutier, VP and CSO of ADP Inc, when he says: “you have to have the resources and a process for risk decision-making that enable rapid changes to your protection platform.” That is, the roadmap in the report doesn’t lead to a static, unchanging security monolith. It’s a model for a process that builds dynamism into security, not unlike the architectural model of the Dynamic Tower that David Fisher has designed for Dubai.

RSA Archer: Only Platform to Achieve Leader Category in Both IT and eGRC Research Reports

With great pleasure (and a lot of pride) we want to announce that Forrester Research Inc., an independent research firm, has ranked RSA Archer as a leader in both the IT-GRC and eGRC platforms! Not only is RSA Archer a platform leader in both categories but RSA Archer is the ONLY vendor ever to be named a leader in both IT and eGRC categories.

RSA’s Insight on Security Management

Welcome to one of Speaking of Security’s newest blogs, completely focused on security management, something we’re calling Security Management Insights or SMInsights for short. I am honored to author the initial post in what should be a highly active and thought-provoking forum for dialogue related to the challenges facing today’s information security professionals. This is a team blog, so you will benefit from hearing from a multitude of product managers from the products and solutions which comprise RSA’s emerging Security Management Suite. We regularly have the opportunity to interact with customers and analysts and will use this blog to share insights about organizations’ security challenges and strategies.

Compliance is not Security

To my amazement, I still get asked “if I do everything I am asked to do for compliance, am I secure?” To be fair, this question often comes from non-security people.

The Hogwarts of GRC

Earlier this month was one of the highlights of the “Archer calendar year” – the RSA Archer GRC Summit. As always, this event brought our customers together to engage in deep discussions on security, governance, risk management, compliance and a whole host of interesting topics. This is exactly why my blog on this year’s event is about…Harry Potter.

The Art of Tracing Footsteps (through the infrastructure)

The question of “why” EMC has acquired NetWitness, and how they fit, will no doubt come up (beyond the fact that they are the obvious market leader with awesome technology). Over the next few months the answer will become increasingly clear, and in fact obvious if it isn’t already, but I thought I’d start with a simple analogy that I will connect first with RSA enVision (i.e. with Security Information and Event Management or “SIEM”) and then with RSA Archer (i.e. with Governance, Risk and Compliance or “GRC”).

The 12 Days of GRC – Happy Holidays!

On the first day of 2010 my big boss gave to me: a project called G-R-C.
On the second day of 2010 my big boss gave to me: two BCPs and a project called G-R-C.
On the third day of 2010 my big boss gave to me: Three new laws, Two BCPs and a project called G-R-C.
On the fourth day of 2010 my big boss gave to me: Four calling auditors, Three new laws, Two BCPs and a project called G-R-C.
On the fifth day of 2010 my big boss gave to me: FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two BCPs and a project called G-R-C.

RSA Archer eGRC Roadshow Update

To date we’ve held 18 of our scheduled 20 eGRC Roadshows, and we couldn’t be happier with how things have played out. This is my second round of eGRC Roadshows with RSA Archer, and the thing that always strikes me about these events isn’t so much the level of customer participation as it is the willingness of all of these folks to take time out of their busy schedules to share their Archer experiences with each other, all in the interest of making those around them better at what they do. My wife likes to tease me because I like to throw out very well-worn clichés, but I can’t help but think that, in this case, the whole of the Archer Community is truly greater than the sum of its parts.

Engineering Security Solutions at Layer 8 and Above

RSA GUEST BLOG POST by RSA’s Ian Farquhar: Many years ago, I came across a comment in a support call log which concluded “Fault isolated in Layer 8.” I asked for clarification. “User error,” I was told smugly, by the call log’s author. I also remembered an old acronym from more than a decade before: PICNIC. “Problem In Chair, Not In Computer.”