Governance, Risk and Compliance (GRC) is an all-encompassing term that can cover an array of areas from business continuity through vendor management. Given the range of meaning, it’s important to understand what it means to you and your organization before selecting a platform like RSA’s Archer, which has many modules and even more use cases.
To help narrow down your selection of Archer modules and use cases as well as increase your likelihood of success in deployment and utilization, here are 3 things to consider before making your purchase:
3 Things to Consider When Choosing RSA Archer for GRC
1: Requirements First, Technology Second
Many late and over budget technology projects can be traced to a project that started with a “bake-off” of technologies or worse statements like “we need (fill in the blank with your favorite security tool)”. My experience is when requirements drive the technology selection process outcomes are far more likely to be aligned with expectations.
Decide what you are trying to accomplish and turn high-level statements of need into fact-based requirements that will drive the technology selection. Forget looking at Forrester or Gartner first to see what vendor product is the “best”. Best is relative and your requirements could very well lead you to a solution that didn’t make the Magic Quadrant (MQ). Defining your requirements relative to GRC will help you avoid overbuying a solution leaving you with modules or use cases you can never extract value from.
2: Don’t Forget Operations and Maintenance
Someone, an actual human being, is going to have to support the solution that you purchase and you should factor that into your operational expense budget as part of the total cost of ownership. If it won’t be an internal employee then budget for consulting to maintain the solution that you have deployed. Avoid falling into the trap of sending one employee to a 5-day vendor class that covers the entire GRC landscape and range of modules so you can check the box and say you have trained someone to support your implementation. If you didn’t buy Incident Response, Vulnerability Management or some of the other modules covered in the high-level training class why spend time and money training to use them?
Your plan for supporting RSA Archer operations and maintenance should tie back to your requirements. Ask what it will take to satisfy your requirements on a continuous basis, whether in FTE’s or consulting hours and budget accordingly.
3: Integration with Existing Technologies
One of the great benefits of the RSA Archer platform is its ability to take data feeds from existing tools and create dashboards that convey information into a single pane of glass. If configured properly the information displayed can be fact-based metrics that tell you in real-time, or as close to, how effective your existing tools are. Archer gives you the ability to leverage a standard like the 20 Critical Security Controls and actually display the metrics provided for each control within the platform. It’s just one example of how you can integrate existing technologies into the platform and show a return on your security investment.
How Can CyberSheath Help Your Organization?
At CyberSheath, we know cybersecurity processes first, and we use that knowledge and experience to help our partners get real value from Archer. Effective GRC doesn’t begin with a GRC technology solution – a concept we discuss more in-depth here – but rather understanding your requirements first, ensuring your valuable time and resources won’t be wasted.