If you were a bank robber, you would target the largest bank around in order to secure the biggest prize possible in exchange for the risk associated with committing the crime, right? The same is true for cybercriminals. They specifically target organizations within industries that provide the most return for their crime. These unseen criminals, though they are not stealing physical cash, are stealing your personal information, which can grant them access to more than just what is in your bank account. The prime targeted industries are those that house customer information in some form or another; examples include banks, healthcare providers, and retailers, among others. Thankfully, our everyday institutions are fortifying their security against these cyber thieves by employing software solutions such as RSA Archer to aid in preventing theft of customer data and fraud from ever occurring in the first place, by tracking threat behavior and analyzing patterns of risk.
The banking industry maintains millions of dollars of assets and huge databases of customer data and is therefore a prime target for fraud. Big banks, along with other major organizations, have traditionally held a nonintegrated approach to GRC, negatively impacting business performance and resulting in inefficient manual processes, poor visibility across the enterprise, and a mixing bowl of risk and compliance frameworks.
In a case study, GRC 20/20 researched how large commercial banks achieved value through an enterprise GRC platform, RSA Archer. “Siloed GRC processes are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of GRC. Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk” (EMC). The bank developed a strategic plan that rolled out 35 GRC programs designed to assess and evaluate risk across all lines of business. A few of those programs included control self-assessments, third-party risk and contract management, SOX control assessments and management, marketing material compliance and content review, quality assurance compliance management, internal audit management, and incident response management. RSA Archer permitted the bank to utilize a common organizational hierarchy, asset repository, list of facilities, contact (employee) information, risk register, corporate policies, and control library to establish relationships between all 35 programs, which resulted in greater efficiency, agility, and effectiveness across the business. Here are just a few examples of real results achieved from the implementation of Archer within the first year:
- Time to complete assessments and approvals reduced by 60%
- Saved the bank approximately $1.65 million
- Reduced the time and expense involved in managing previously disconnected solutions
- An overall reduction in third-party risk
- Increased participation and effectiveness by 320% in product/service/control assessments
- Increased ability for reporting and visibility of risk for end-users and executive management alike
At CyberSheath, we know cybersecurity processes first, and we use that knowledge and experience to help our partners get real value from Archer. To learn more about our Governance, Risk and Compliance service click the link below to download a datasheet detailing our unique GRC approach for both government and commercial clients.
Wouldn’t it be great if there were an “easy” button for developing your organization’s governance, risk, and compliance departments? There are several aspects to consider when building out each sector, such as: what kind of control assessments should we have, and how often? What kind of approval chain should our policy documents be following? How should we conduct our business impact analyses? Where should we house our asset inventory? How do we tie all of these aspects together? Why is GRC even important?
As the result of several notable cyber-attacks throughout the years, governance, risk, and compliance are factors in the corporate environment that no organization, either big or small, can escape from. The concept of focusing on growth without considering risks is not only impractical but also unsustainable. Too often we see common themes among the victims of cyber-attacks: failures to link development strategy with risk, the lack of oversight for risk management, and a lackadaisical view of day-to-day risk. A major problem with most corporations is that their processes involving GRC are spread out amongst several different groups. These groups often fail to share information and wind up having a multiplicity of frameworks and processes. This results in inefficiency and greater exposure to risk across the entire organization. For all these reasons, it is imperative that organizations of all sizes recognize the importance of GRC convergence and collaborate across all lines of business to reduce risk and enforce compliance. One of the best ways to achieve this mentality and efficiency is by employing a comprehensive risk management tool such as RSA Archer.
The RSA Archer GRC platform offers users a simple yet comprehensive way to design, build, and manage solutions that can grow right along with your business. Customers can configure enterprise-class, security-assured applications and deploy them in a way that enables and prepares their organization to maintain compliance and prevent risk. In addition to providing customers with a foundation for compliance through content bundles for the Policies, Control Standards, Control Procedures, Authoritative Sources, and other applications, Archer also comes complete with pre-configured reports and dashboards to utilize as building blocks for your reporting metrics. Furthermore, Archer provides users with assessment content such as built-in business impact analysis, quarterly risk, control self-assessment, device, and facility questionnaires. These pre-configured questionnaires allow users to automatically score questionnaires and generate findings for incorrect answers; they can even be issued automatically via campaigns. When it comes to governance, risk and compliance functionality, the possibilities are endless with Archer.
CyberSheath’s team of experienced Archer security consultants has years of experience in both private and public environments implementing and deploying both custom and prepackaged solutions. Having worked with and successfully deployed all use cases provided by RSA, we are your “easy” button for developing your organization’s GRC sector.
I just returned from two of the first RSA Archer Roadshows. On Tuesday I was in the great city of Minneapolis and quickly flew to DC for the event on Wednesday. Both sessions had a great turnout and served to educate existing and potential customers on the capabilities of Archer. With plenty of time scheduled for networking, customer use cases, and product news, the events were definitely worth attending and I was able to catch up with friends I hadn’t seen since the Summit.
Throughout all of the interesting presentations from users I heard one recurring theme: Make it easier! Every amazing success story of Archer implementations in organizations of all types and sizes came with a lesson learned or feedback that was common among all six sessions. “Our users want a more intuitive experience with less clicks.” “We implemented Archer to make our business processes simpler, yet we get pushback on the user experience daily.” “Why is there still an Apply Button?” It was a message that many of us Archer practitioners had experienced ourselves over the years, yet had come to accept as an unavoidable cost of using a very powerful GRC tool.
“One ‘simplify’ would have sufficed.”
Ralph Waldo Emerson, in response
These concerns were addressed, however, when RSA made the biggest revelation of the Roadshow with details on Version 6.0. All of the improvements we got an early glimpse of focus on an enhanced user experience and an improved interface. The screenshots alone prompted smiles and whispers of “Finally”, and we left really excited about the future.
It’s hard to get large organizations to go with you on a GRC journey, and everything we can do to limit the impact on our stakeholders and improve their experience with the tool helps. Through the awesome Community idea submission site and events like the Roadshows, Archer has always listened to customers and has sought to implement the features the users want. I’m excited to be attending the other roadshows in Boston and New York in the next few weeks to see what others think of the future ahead for eGRC.
Due diligence and fiduciary responsibility for corporate executives is now widely acknowledged to include exercising sound judgment and effective controls in the domain of cybersecurity. There’s no escaping the responsibility to protect corporate information and infrastructure, and eventually the law will catch up with this reality. Until it does, here’s what you should be doing right now to exercise due care in managing cybersecurity risk.
1 – Be pragmatic: there are more risks than you can possibly address. If you try to do everything you will end up doing nothing.
2 – Get a baseline of the controls you currently have in place and how effective they are, and compare yourself with NIST 800-53 or the Consensus Audit Guidelines. (HINT: Remember step 1 and don’t overthink this; your assessment shouldn’t be a six-month exercise.)
3 – Do something! Prioritize your risks and address ONLY the things that can show measurable improvement, i.e. reduced risk. If you’re stuck in analysis paralysis just start with Consensus Audit Guidelines and address the ones that you’ve found to be vulnerabilities in your baseline.
4 – Document and tell your story using words and numbers that matter. Telling the board that SQL injection vulnerabilities have been reduced because you implemented a Web Application Firewall is why security often doesn’t get “a seat at the table”. Talk in terms of compliance and risk; they get that.
5 – Stop buying tools and adding complexity until you’ve mastered the ones you already own and have laid in the process (documented) to use them effectively and in an integrated fashion.
As Einstein said, “Everything should be made as simple as possible, but not simpler.” Apply this approach in exercising due care with respect to cybersecurity.
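The five steps above are a procedure, and steps 2 through 4 (baseline the controls, prioritize only the gaps that show measurable risk reduction, report in numbers the board understands) can be carried in a small script. The following is an added example, not part of the original post and not a CyberSheath or RSA Archer artifact: it keeps a constructed control baseline for a hypothetical organization, scores each control's residual risk from a 1–5 likelihood and impact and the assessed effectiveness, ranks the gaps, and produces a coverage and risk-reduction summary. The control identifiers are NIST SP 800-53 control ids; the likelihood, impact and effectiveness values are invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlStatus:
    """One row of the control baseline from step 2."""
    control_id: str       # framework identifier (NIST SP 800-53 control ids here)
    title: str
    implemented: bool
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully effective), as assessed
    likelihood: int       # 1..5 chance the threat this control addresses is realised
    impact: int           # 1..5 business impact if it is


# Constructed baseline for a hypothetical organization; all scores are illustrative.
BASELINE = [
    ControlStatus("AC-2", "Account Management", True, 0.8, 3, 4),
    ControlStatus("CM-2", "Baseline Configuration", False, 0.0, 4, 3),
    ControlStatus("SI-2", "Flaw Remediation", True, 0.5, 5, 4),
    ControlStatus("IR-4", "Incident Handling", False, 0.0, 3, 5),
    ControlStatus("AU-6", "Audit Record Review", True, 1.0, 2, 3),
]


def inherent_risk(c: ControlStatus) -> int:
    """Risk if the control did nothing at all."""
    return c.likelihood * c.impact


def residual_risk(c: ControlStatus) -> float:
    """Risk left after the control as it exists today; an unimplemented control reduces nothing."""
    eff = c.effectiveness if c.implemented else 0.0
    return inherent_risk(c) * (1.0 - eff)


def prioritize_gaps(baseline, top_n):
    """Step 3: rank only controls that still carry risk, highest residual first (ties by id)."""
    gaps = [c for c in baseline if residual_risk(c) > 0]
    gaps.sort(key=lambda c: (-residual_risk(c), c.control_id))
    return gaps[:top_n]


def reduction_if_raised(c: ControlStatus, target_effectiveness: float) -> float:
    """Measurable improvement from bringing one control up to a target effectiveness."""
    return residual_risk(c) - inherent_risk(c) * (1.0 - target_effectiveness)


def coverage_summary(baseline):
    """Step 4: numbers for the board, stated as coverage and risk rather than tools."""
    inherent = sum(inherent_risk(c) for c in baseline)
    residual = sum(residual_risk(c) for c in baseline)
    implemented = sum(1 for c in baseline if c.implemented)
    return {
        "controls": len(baseline),
        "implemented": implemented,
        "coverage_pct": round(100.0 * implemented / len(baseline), 1),
        "inherent_risk": inherent,
        "residual_risk": residual,
        "risk_reduction_pct": round(100.0 * (inherent - residual) / inherent, 1),
    }


if __name__ == "__main__":
    # Pragmatic scope (step 1): only the top three gaps go on this quarter's plan.
    for c in prioritize_gaps(BASELINE, 3):
        print(f"{c.control_id:5} {c.title:24} residual={residual_risk(c):5.1f} "
              f"raising to 0.8 removes {reduction_if_raised(c, 0.8):.1f}")
    print(coverage_summary(BASELINE))
```

The ranking deliberately ignores how cheap a control is to fix; if cost matters in your shop, sort by reduction per unit of effort instead, but keep the output in the same risk terms so the board story does not change shape from quarter to quarter.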
I’ve spent the week here at RSA talking with current and future customers and a great question I get from customers looking for a trusted security partner is “So what exactly is it you do?” It seems like a simple question but what it usually implies is some level of “consultant fatigue”, CISO’s have had enough assessments, reports and outsiders telling them what their problems are. They want solutions and partners who do real work. Here’s what CyberSheath does to add value …guaranteed.
What We Do
We integrate your compliance activities with security activities and measurably reduce your risk.
How We Do It
Set a security strategy, select standards, implement controls, measure effectiveness.
What Results Look Like
A recent engagement for a customer led us to design and deploy an incident response and management plan. This particular security control happens to be Critical Control 18: Incident Response and Management from the CSIS 20 Critical Security Controls list. Implementing all 20 controls would have been ideal, but we are realists, not idealists. The customer had suffered a significant attack in which the APT had been embedded for over two years, and the lack of process to contain and expel attackers directly contributed to massive amounts of data loss.
What We Did
Documented written incident response procedures that included specific roles and responsibilities for both management and technical personnel during each phase of an incident.
Documented and implemented organization-wide service level objectives (SLOs) related to mitigation of an incident.
The customer now has a documented, repeatable and measurable incident response and management plan for cyber-attacks and mitigates attacks on average in less than 2 hours once discovered.
Our focus is on implementing real results that make you more secure, we guarantee it.
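"Measurable" only means something if the SLO is actually computed from incident records rather than asserted. The following is an added example, not part of the original post and not the customer's or CyberSheath's tooling: it takes constructed incident records for a hypothetical customer, measures time from discovery to containment (the clock the post uses), reports mean mitigation time per severity, lists closed incidents that breached their SLO, and flags still-open incidents that have already run past it. The per-severity SLO table is an assumption; the post only states the 2-hour average.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str                     # "high" | "medium" | "low"
    discovered_at: datetime           # clock starts at discovery, as in the post
    contained_at: Optional[datetime]  # None while the incident is still open


# Assumed mitigation SLOs per severity (the post states only a 2-hour average).
SLO = {
    "high": timedelta(hours=2),
    "medium": timedelta(hours=8),
    "low": timedelta(hours=24),
}

# Constructed incident records for a hypothetical customer.
INCIDENTS = [
    Incident("INC-001", "high", datetime(2013, 2, 25, 9, 0), datetime(2013, 2, 25, 10, 15)),
    Incident("INC-002", "high", datetime(2013, 2, 26, 14, 0), datetime(2013, 2, 26, 16, 40)),
    Incident("INC-003", "medium", datetime(2013, 2, 27, 8, 0), datetime(2013, 2, 27, 12, 0)),
    Incident("INC-004", "high", datetime(2013, 2, 28, 22, 10), datetime(2013, 2, 28, 23, 40)),
    Incident("INC-005", "low", datetime(2013, 3, 1, 7, 30), None),
]

# Reporting instant for the constructed data; a real report would use the current time.
AS_OF = datetime(2013, 3, 2, 9, 0)


def time_to_mitigate(i: Incident, now: datetime) -> timedelta:
    """Elapsed time since discovery; an open incident is measured up to `now`."""
    end = i.contained_at if i.contained_at is not None else now
    return end - i.discovered_at


def slo_report(incidents, slo, now):
    """Summarise SLO performance: mean time per severity, breaches, and open incidents over SLO."""
    closed = [i for i in incidents if i.contained_at is not None]
    still_open = [i for i in incidents if i.contained_at is None]

    breaches = sorted(i.incident_id for i in closed
                      if time_to_mitigate(i, now) > slo[i.severity])
    open_over_slo = sorted(i.incident_id for i in still_open
                           if time_to_mitigate(i, now) > slo[i.severity])

    mean_minutes = {}
    for sev in slo:
        durations = [time_to_mitigate(i, now) for i in closed if i.severity == sev]
        if durations:
            total_min = sum(d.total_seconds() for d in durations) / 60.0
            mean_minutes[sev] = round(total_min / len(durations), 1)

    met_pct = (round(100.0 * (len(closed) - len(breaches)) / len(closed), 1)
               if closed else None)
    return {
        "closed": len(closed),
        "open": len(still_open),
        "breaches": breaches,
        "open_over_slo": open_over_slo,
        "slo_met_pct": met_pct,
        "mean_minutes_by_severity": mean_minutes,
    }


if __name__ == "__main__":
    for k, v in slo_report(INCIDENTS, SLO, AS_OF).items():
        print(f"{k}: {v}")
```

Two design points worth keeping when you adapt this: open incidents are reported separately rather than silently excluded, because an incident that has been open for a day is the one the SLO exists to surface; and the mean is reported per severity, because averaging a long-running low-severity case into the high-severity figure hides exactly the number the plan is supposed to drive down.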
The Keynote sessions here at RSA 2013 kicked off yesterday and Art Coviello, RSA Executive Chairman, focused on the importance of big data and the opportunities that it presents security teams from an intelligence perspective. He’s right, the opportunities are tremendous and customers are anxious to better leverage “big data” but documented and repeatable process along with baseline implementation of critical controls are prerequisites for taking advantage of “big data”.
The actionable intelligence that can be gained from big data is only useful if it causes an organization to take the RIGHT actions in the correct sequence with measurable outcomes. Conceptually leveraging big data makes perfect sense but the implementation will yield more of the same firefighting that bogs down security organizations today if it’s not part of a documented strategy with measurable outcomes enabled by rigorous process and a thorough understanding of the controls you currently have in place.
The actionable intelligence that big data can provide could very well enable an organization to quickly and efficiently mitigate an attack by correlating unstructured data in a context that directs a SOC analyst to take appropriate action. Attack mitigated, the good guys win, right? Maybe not… are we really still just addressing the symptoms and not the root cause? The attack is the result of a vulnerability that was exploited, and resources are being expended on the incident response because resources were not expended on preventative maintenance. Perhaps if the control to prevent the attack in the first place had been documented, implemented and measured, the attack would never have happened.
I realize that implementing critical controls won’t stop every attack but there is such a great opportunity to do some fundamental and meaningful work around implementing critical controls to stop attacks that get overlooked.
It’s just good hygiene. Would you rather brush your teeth, floss and get regular dental examinations, or be really good at getting fillings?
Day 1 at RSA wrapped up yesterday evening when the vendor expo opened and conference attendees had an opportunity to visit vendors and check out the latest and greatest products. The vendors are primarily products vendors which reminded me how important it is for a CISO to have a services partner to help cut through the FUD and deliver value.
CISOs are inundated with point solutions, some of them excellent, but many of them duplicative of existing investments. I’ve found that in selecting products the process/project often ends with “100% deployment”, leaving security organizations unable to measure the return on their investment. A simplified view of the process goes something like this:
- Identify a need
- Hold a “bake-off” and select a product
- Set deployment objectives (entire enterprise, all Windows desktops, etc…)
- Achieve deployment objectives
- Declare victory with reports showing deployment saturation metrics
It’s a missed opportunity for security to instead align with the business and demonstrate quantifiable value by defining the project in the context of the business problem that is being solved. Security organizations can get myopic in viewing risk and laser-focused on point solutions that address specific security requirements, missing the opportunity to tell the story of the business issue they are addressing as a part of the bigger picture.
100% deployment isn’t the goal, that’s just your day job. Enabling the business to engage customers, capture sales and recognize revenue is the goal. When you are in the trenches every day it’s difficult, sometimes impossible, to address the bigger picture but in my experience, the organizations that do are the most effective.
All checked in @RSA 2013 here in San Francisco!
It’s interesting to me the difference in perspective in attending one of these industry conferences as the CEO of a security services company rather than a CISO. When you are a CISO for a Fortune 500 company EVERY vendor wants your time, and you can be sure you will meet for as long as you want with whomever you want. As the CEO of a services company you’re competing for time with all of the big vendors and had better have something important to say as you vie for the precious time of oversubscribed CISOs.
It’s a great reminder for me of how important the work we do is. C level executives are inundated with competing demands on their time and what they need most is someone to solve real-world problems for them. They need a vendor, individual, product or service that literally takes something off of their plate so that they can move on to other priorities. Adding value in the security space is about delivering real-world pragmatic solutions that improve security posture.
Do you need that kind of a partner for your company? Let’s talk; I’ll be here all week, firstname.lastname@example.org.