GRC, Page 2

Looking Back, Looking Ahead: Why I Came to RSA

As I complete six months at RSA, I wanted to reflect upon a critical decision I made a number of years ago that eventually led me here. I had been at a large tech company and over the years fostered great relationships within the company allowing me to establish myself. As a whole, the company…

IT Compliance: All About That Base (Standard)

When it comes to IT risk management approaches, few things spark more debate than the use of standards. To explore this is to ponder another alphabetic quagmire of acronyms, categories, and random numeric designations. So which is the best? Is there even such a thing as “best”? If not, how do you choose otherwise? Or…

The Results are In…RSA Archer Won a Stevie Award

We’re very excited to share some great news – RSA Archer won a 2015 People’s Choice Stevie Award for Favorite New Product in the Software – Governance/Risk category. As you may know, the Stevies are premier awards as part of the American Business Awards – essentially the equivalent of the film industry’s Academy Awards. This…

A Pivotal Year

For the past several years, the information security industry has been saddled with labels annually. 2013: year of the breach; 2014: year of the BREACH (we really mean it); 2015: year of the MEGA breach (it’s gotten worse!). And with those labels every year I hear the phrase ‘this is a pivotal year in the…

Blog Series: Building the First Line of Defense – Part 2

In the first post of this blog series, I used the analogy of a rocket lifting into space with the countdown, 3…2…1…, equating to the Three Lines of Defense (LOD) model, and how an organization truly achieves “lift off” or success really comes down to the 1st LOD. In this blog, I’d like to focus on…

LoD Blog Series: 3…2…1…Liftoff!

Prior to the launch of every spaceship that lifts high above the earth is a countdown that ends with 3…2…1…lift off! This signals the final moments before the spaceship takes off to fulfill its mission. My blog is a play on the 3, 2, 1, liftoff analogy and how it relates to the “Three Lines…

Can businesses be resilient on their own?

Can businesses and organizations be resilient on their own? By this I mean: is it enough for a business organization to build resilient internal processes, IT infrastructure, facilities, and even third party relationships, and rest assured they’re prepared for the next big event that comes along? To answer this question, I think we have to…

Plan Your Journey to Wally World

Earlier this month, I wrote a blog about Information Security Metrics and their place in driving program maturity. Every organization today is striving to be more mature in its information security program. Given the constant deluge of media reports on hacks and attacks, security maturity has become a business imperative. Metrics are one tool in the…

Mind Your Metrics

Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services. The roundtable topic was Information Security Metrics programs – every security manager’s favorite. Why? Because security is so squishy. What metrics could effectively capture the state of something that changes on a regular basis, has no…

CVSS Scoring: Why your Smart Refrigerator does not need to be Patched (Yesterday)

Is a CVSS score of 10 really a 10 in your environment? Vulnerability Risk Management is a work in progress for most organizations. Having dealt with many customers in this space, we have seen it all – the mature folks who utilize asset management to define ownership to multiple remediation teams – all the way…