Starting with the End in Mind: the Need for Security Governance

Under the leadership of CyLab Adjunct Distinguished Fellow, Jody Westby, the CyLab team gathered information from CEOs, CFOs, CROs and board members of the Forbes Global 2000 regarding security governance practices in their companies. The results showed significant gaps in security governance in more than half the respondents. Even for someone like me who tends to see the glass as half-full, this is a major concern in a world of increasing threats to information security.

The Marriage of Legal and IT

In Dr. Larry Ponemon’s recent eGRC and Data Privacy study, the Ponemon Institute, LLC independently surveyed 190 Archer eGRC Community members to examine the challenges they face in meeting eGRC and data protection objectives. One of the challenges that Dr. Ponemon notes is the need for collaboration between the Legal and IT teams to handle incidents as well as validate compliance to ever-changing regulations.

Putting Together the Pieces in Europe

I recently returned from Berlin after attending the EMEA RSA Channel Partner Council with the purpose of discussing RSA’s Security Management and GRC strategies within Europe. For many of the RSA channel partners, this was their first exposure to these concepts. Channel partners have a unique perspective because they are on the front lines selling products and providing implementation services. Their success is directly influenced by RSA’s ability to provide the right training, messaging and tools to make them effective.

Top-to-Bottom, Side-to-side

I’ll start with the bottom line: for eGRC to work it has to be true at all human and system levels of abstraction in an organization, and it must have common elements across all functions in a company. With the release of the most recent study by the Ponemon Institute (with EMC), there are some clear pointers to the need for more strategic and, frankly, systemic mechanisms for managing enterprise governance, risk and compliance. Let’s cover a few ideas before coming back to those.

The Art of Tracing Footsteps (through the infrastructure)

The question of “why” EMC has acquired NetWitness will no doubt come up (beyond the fact that they are the obvious market leader with awesome technology), along with the question of how they fit. Over the next few months that will become increasingly clear, and in fact obvious if it isn’t already, but I thought I’d start with a simple analogy that I will connect first with RSA enVision (i.e. with Security Information and Event Management or “SIEM”) and then with RSA Archer (i.e. with Governance, Risk and Compliance or “GRC”).

GRC and Trust in the Cloud: The Right Tools for the Right Jobs

It’s been a year now, or a little more, since To The Heart of the Matter, and this year we’re stepping up the governance, risk and compliance (GRC) stakes in a big way with a new EMC/RSA initiative around enterprise GRC. At the same time, the race to the cloud continues, so it’s time to look at enterprise GRC in the context of Trust and in the context of the Cloud anew for 2011. Before we dive into that subject, though, let’s start with a little more on tools and tasks by looking at innovation in historical Japan.

The 12 Days of GRC – Happy Holidays!

On the first day of 2010 my big boss gave to me: a project called G-R-C.
On the second day of 2010 my big boss gave to me: two BCPs and a project called G-R-C.
On the third day of 2010 my big boss gave to me: Three new laws, Two BCPs and a project called G-R-C.
On the fourth day of 2010 my big boss gave to me: Four calling auditors, Three new laws, Two BCPs and a project called G-R-C.
On the fifth day of 2010 my big boss gave to me: FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two BCPs and a project called G-R-C.

RSA Archer eGRC Roadshow Update

To date we’ve held 18 of our scheduled 20 eGRC Roadshows, and we couldn’t be happier with how things have played out. This is my second round of eGRC Roadshows with RSA Archer, and the thing that always strikes me about these events isn’t so much the level of customer participation as it is the willingness of all of these folks to take time out of their busy schedules to share their Archer experiences with each other, all in the interest of making those around them better at what they do. My wife likes to tease me because I like to throw out very well-worn clichés, but I can’t help but think that, in this case, the whole of the Archer Community is truly greater than the sum of its parts.

From RSA Conference China: Balancing “Haves,” “Shoulds” and “Wants” with GRC

I just participated in the first ever RSA Conference China, so while I am taking a moment for my Peking duck to digest, I wanted to tell you about the experience and relate some of my thoughts coming out of the event. Presenters from all over the world, including some from China’s government ministries, covered topics including cloud computing, core information security, fraud and virtualization. The well-attended event was another indicator of the global nature of business and created much buzz in the local industry. I had the honor and privilege to present on enterprise governance, risk and compliance as a core business philosophy and its importance in achieving strategic business objectives.