RSA Archer Risk Intelligence: Harnessing Risk to Exploit Opportunity
June 4, 2014
Steve Schlarman, GRC Strategist

Risk and Compliance: Where is it today?

Governance, Risk, & Compliance Today
A New Risk World
Global, technology and organizational factors have created significant risk landscapes for organizations. We must focus on building sustainable risk programs that address the rate and velocity of risk in order to navigate the risk landscape.

A New Compliance World
Compliance can become a barrier to success or a competitive advantage. The path is decided by how well compliance processes are positioned for the future.
- Since 2009: 131 new major regulations enacted, $70 billion in costs
- In 2012: 2,605 new rules, 69 classified as major (>$100 million annual impact)
- In 2013: 134 new rules enacted just by the EPA
Source: Heritage Foundation
We must focus on priority, on the flow of incoming regulatory obligations, and on automation to turn compliance into a competitive advantage.
Opportunity and Risk

Schrödinger's Cat

Risk or Opportunity?
Globalization, Big Data, Regulatory Change, Cloud Computing, Mobile: Risk AND Opportunity

The Opportunity Landscape
(Venn diagram; labels: What you are good at; What your market wants; What you want to do; Passion; Opportunity)
The Compliance Burden
(Diagram; labels: Compliance Activities: $216B, 87M hours; Risks: 83%, 20%; Risk Maturity: -11%, +37%; What you have to do; Got it covered?; Must Haves; What you are good at; What your market wants; Passion; Opportunity; What you want to do; Fuels growth, but no time to execute)

Risk Intelligence
(Same diagram as The Compliance Burden, with the added actions: Transform Compliance; Harness risks; Exploit Opportunity)

Change the Game
Automate compliance, reallocate resources/budget to manage risk, and proactively exploit opportunity.
(Diagram: Governance, Risk and Compliance plotted from Reactive to Proactive; Today's GRC Focus versus Risk Intelligence)
Risk Intelligence
Harness risk to exploit opportunities for competitive advantage through better visibility, enhanced analysis, and improved metrics that drive intelligent, streamlined actions, enabling the business to move quickly and predictably.

Intelligence Driven GRC
Intelligence-driven actions give you priority, results and progress.
- Visibility + Analysis = Priority
- Priority + Action = Results
- Results + Metrics = Progress
Harnessing Risks
Legend (1 to 4): Core to Business, Vital to Success; Market Table Stakes, Vital for Growth; Reputation, Ethics, Safety, Security, Resiliency; Everything else (Safety Net)
(Diagram; labels: What you are good at; Got it covered; What you have to do; Must Haves; What you want to do; Opportunity; The HIGH RISK Wedge; What your market wants)

Exploiting Opportunity
- Obligated Differentiators: build and support the business case
- Elective Differentiators: freed-up resources to build on core competencies
- Improvement Wedge: streamline processes, free up resources, encourage and enable continuous improvement
- High Risk Wedge: drive through the Risk Frontier (must haves adjacent to what you are good at) with quick wins and steady progress
- Opportunity Landscape: protect the Innovation Frontier (opportunities adjacent to what you are good at) through reduction of risk in new products, services and market initiatives
(Diagram labels: Risk Frontier; Innovation Frontier; What you are good at)
The Journey: Moving Towards Risk Intelligence

Building Risk Intelligence
Stakeholders: CISO, CIO, Board, LOB Executives, Business Operations Managers
IT and Business concerns addressed through Risk Intelligence (RSA Archer):
- Security threats
- IT disruptions
- Poor/misaligned IT practices
- Risks inherited from outside providers
- Harmful operational events
- Operational compliance failures
- Unknown, unidentified risks
- Significant business crises
- Regulatory violations and fines
- Business disruptions
- Poor/misaligned business practices
- Poor internal controls and governance
Building Risk Intelligence
Risks and issues:
- Poor internal controls and governance
- Inherited risks from external parties
- Security threats
- Unknown, unidentified risks
- Poor/misaligned business & IT practices
- Operational compliance failures
- Regulatory violations & failures
- Business disruptions
- Significant business crises
- Harmful incidents & events
- IT disruptions
Capabilities that address them:
- Manage the lifecycle of 3rd party relationships
- Independently review & assure management actions
- Identify, assess & track emerging & operational risks
- Establish business policies & standards
- Establish IT policies & standards
- Implement and monitor controls
- Identify & meet regulatory obligations
- Identify & resolve security deficiencies
- Detect & respond to attacks
- Manage crisis & communications
- Catalog & resolve operational incidents
- Prepare for & recover from IT outages
- Identify & prepare business resumption strategies

Building Risk Intelligence
Solution areas: Audit; Third Party; IT Security Risk; Operational Risk; Business Resiliency; Regulatory & Corporate Compliance
Capabilities grouped under them:
- Manage the lifecycle of 3rd party relationships
- Independently review & assure management actions
- Identify & resolve security deficiencies
- Detect & respond to attacks
- Identify, assess & track emerging & operational risks
- Manage crisis & communications
- Catalog & resolve operational incidents
- Establish business policies & standards
- Prepare for & recover from IT outages
- Establish IT policies & standards
- Implement and monitor controls
- Identify & meet regulatory obligations
- Identify & prepare business resumption strategies
Drivers
Core solution areas: Audit; Third Party; Operational Risk; Regulatory & Corporate Compliance; IT Security Risk; Business Resiliency; Foundation
Use cases and integrations surrounding them:
- Market Conduct
- Foreign Corrupt Practices Act (FCPA)
- Conflict Minerals
- Stakeholders Evaluation
- Model Risk
- Legal Matters
- Privacy Program
- Code of Federal Regulations
- Regulatory Change
- Unified Compliance Framework
- Environmental Health & Safety
- Anti-Money Laundering
- ISMS
- Access Risk
- RedSeal Networks
- Veracode Security Review
- Key & Certificate
- McAfee Vulnerability Manager
- Skybox Security Risk Control
- Advanced Reporting & Governance for Authentication Manager
- PCI Compliance
- QualysGuard
- WhiteHat Security Sentinel
- CloudPassage
- Rapid7 Nexpose

Persona-centric
(The Building Risk Intelligence map of risks, capabilities and solution areas, viewed for the Chief Risk Officer persona)

Issue-centric
(The Building Risk Intelligence map of risks, capabilities and solution areas, viewed for the issue of Supply Chain Resiliency)
Benefits of a Risk Intelligence Approach
- Better, more predictable decision-making
- Greater business opportunity
- Better business performance
Supporting points: Comprehensive Business Context; Prioritized Decisions Based on Impact; Predictable Outcomes; Embrace Known Risks to Exploit Opportunity; Transition from Defense to Offense; Improved Allocation of Resources/Budget; Align Risk Objectives to Business; Grow Opportunities

Planning Your Journey
- Siloed: compliance focus, disconnected risk, basic reporting
- Managed: automated compliance, expanded risk focus, improved analysis/metrics
- Advantaged: fully risk aware, exploit opportunity
Axes: Compliance (Reduce compliance cost); Risk (Manage known & unknown risks; Gain resource & risk visibility); Opportunity (Identify new business opportunities)
Siloed: the CEO & CISO ride the elevator
"So how's security these days?"
"We rolled out the last Microsoft security patches in less than 30 days, we shut down 50 virus infections, and we passed our quarterly vulnerability scan for PCI. Soooo... that's all good stuff."

Managed: the CEO & CISO ride the elevator
"So how's security these days?"
"We did an end-to-end review of customer record processing, found a few issues but resolved them. We also rolled out some special controls to support Project Barracuda, which I know is one of your key objectives."

Advantaged: the CEO & CISO ride the elevator
"So how's security these days?"
"I have a great idea on how to give customers secure access to their information that will blow the socks off our competition. Let's talk about it over lunch."
Enterprise Risk: ERM & ORM Trends

Market Observations & Trends - ERM
- The level of maturity of ERM programs varies greatly by industry, and by company within the same industry
- Agreement on taxonomy, framework, and approach remains a challenge
- Getting all silos and stakeholders on board and working together is a never-ending process
- Regulated companies are under increasing pressure to demonstrate risk management capabilities
The Perfect World
- ORM Dashboard: Liquidity Risk; Operational Risk; Market Risk; Credit Risk; Strategic Risk; IT Risk; ORM Risk Areas #2 through #6
- IT Risk Dashboard: Third Party Risk; Resiliency; Service Levels; Security; IT Operations; IT Compliance
- IT Security Risk Dashboard: Network Security; Application Security; Physical; Threat Intelligence; Security Incidents; Vulnerability

The Drive for Sophistication
- Desire to better anticipate and predict risk: historical event analysis alone is not an adequate predictor of the future; what-if scenario analysis and black swan identification
- Growing use of metrics (breadth, collection speed, & governance): identification of leading causal indicators; data trending (metrics, meta-data, unstructured data); capturing changes in risk profile on an on-going basis
- More sophisticated risk assessment: use of quantitative and qualitative risk assessment; advanced analytics
Key Archer Capabilities
- Questionnaires: target asset types and identify common risks across assets
- Risk Register: catalog risks and track inherent/residual risks
- KRIs and Metrics
- Issues and Control Compliance
- Calculated Residual Risk
- Loss Events and Incidents
- Rollups and Reporting
- Risk Specific Monitoring: Security Operations; Vulnerability Risk; Resiliency Risk; Compliance Risk; Third Party Risk

RSA Archer and ISO 31000
Enterprise Dashboards and Reports; Workflow and Notifications; KRIs/Metrics; Loss Events; Questionnaires; Risk Register; Controls and Issues
Introduction to RSA Archer

RSA GRC Reference Architecture
(Diagram)

RSA Archer Ecosystem
- Partners: 50+ Partners; Technology; Advisory; Service
- Solutions: 100+ Use Cases; Content & Reports; Workflows; Expert Services
- RSA Archer GRC Foundation
- Community: Online; Summit; Executive Forums; Solution Exchange
- Platform: Data Exchange; Business Fundamentals; Business Logic
RSA Archer Foundation
All key components required to lay a strong foundation for your enterprise-wide GRC program.
Pillars: Business Context; Solution Configuration; Common Data Model; Data Integration
Components: Business Process; Business Objectives; Products & Services; Facilities & Locations; IT Infrastructure; Applications; Information Assets; Organizational Hierarchy; Organizational Units & Departments; Visualization; Branding; Workflow; GRC Foundation Central Repository; Roles/Responsibilities; Calculations; Search & Reporting; Questionnaires; Mobile Access; Core Modules; Consolidated Data; System Auditing Data; Role Based Access; Common Taxonomies; Data Import; Integration APIs; Data Mapping; Pre-built Data Connectors; Multiple Transport Modes; Scheduled Data Feeds; Data Publication

RSA Archer Solutions
- Use Case Specific Solutions: Environmental Health & Safety; PCI; Code of Federal Regulations; Stakeholder Evaluations; ISMS; Anti-Money Laundering; Regulatory Change Mgmt; UCF; Key & Certificate Mgmt
- Core Modules: Policy; Incident; Security Operations; Risk; Vendor; Vulnerability Risk; Compliance; Audit; Business Continuity
- RSA Archer GRC Foundation
RSA Archer Solutions
Solution areas: Audit; Third Party; IT Security Risk; Operational Risk; Business Resiliency; Regulatory & Corporate Compliance
Capabilities grouped under them:
- Manage the lifecycle of 3rd party relationships
- Independently review & assure management actions
- Identify & resolve security deficiencies
- Detect & respond to attacks
- Identify, assess & track emerging & operational risks
- Manage crisis & communications
- Catalog & resolve operational incidents
- Establish business policies & standards
- Prepare for & recover from IT outages
- Establish IT policies & standards
- Implement and monitor controls
- Identify & meet regulatory obligations
- Identify & prepare business resumption strategies

Extending Solutions
Core solution areas: Audit; Third Party; Operational Risk; Regulatory & Corporate Compliance; IT Security Risk; Business Resiliency; Foundation
Use cases and integrations surrounding them:
- Market Conduct
- Foreign Corrupt Practices Act (FCPA)
- Conflict Minerals
- Stakeholders Evaluation
- Model Risk
- Legal Matters
- Privacy Program
- Code of Federal Regulations
- Regulatory Change
- Unified Compliance Framework
- Environmental Health & Safety
- Anti-Money Laundering
- ISMS
- Access Risk
- RedSeal Networks
- Veracode Security Review
- Key & Certificate
- McAfee Vulnerability Manager
- Skybox Security Risk Control
- Advanced Reporting & Governance for Authentication Manager
- PCI Compliance
- QualysGuard
- WhiteHat Security Sentinel
- CloudPassage
- Rapid7 Nexpose

RSA Archer Partner Ecosystem
50+ Partners for data transfer, content and services
RSA Archer Community
Programs: GRC Summit; Online Community; Exchange; Roadshows; Customer Advocacy
- 120+ sessions
- Annual event since 2003
- 10,000+ Archer members
- Interactive online community
- Access to GRC content
- Certified new apps
- 800+ GRC practitioners
- F2F access to product experts
- Access to expert content
- Ideas, requests and more
- Plug-ins and integrations
- Services, ideas and more
- Peer best practice sessions
- Peer-to-peer networking
- Available at a city near you
- Annual event since 2007
- Working Groups
- Executive Forum
- Key Finding Reports
- Birds-of-a-feather groups
- Periodic meet-ups
- Customer Advisory Council
- Influence product roadmap
- Facilitated by Archer and/or interested customers

Critical Criteria
TCO; Time to Value; Ecosystem
- Automation of tasks
- Code-free configuration
- Flexible deployment
- Out-of-the-box functionality
- Start small, grow fast
- Mature service offering
- Technology partners
- Solution libraries
- Customer advocacy
- Communities

Industry Leadership
- Leader in eGRC MQ for 2013
- Leader in BCM MQ for 2013
- Leader in IT GRC MS for 2013
- Leader in Forrester GRC Wave
- Quoted as the most mature offering on many occasions
- 850+ customers
- 43+ countries
- 50 Fortune 100 companies
- 25+ industries