Reflections on Risk Management from RSA Charge 2017

Oct 31, 2017 | by Steve Schlarman

It’s been two weeks since RSA Charge 2017, held this year in Dallas, concluded. After a tremendous week with 2,000 of my closest risk and security professionals, I feel compelled to mimic one of my favorite sportswriters, Sports Illustrated’s Peter King. Peter writes a “10 Things I Think I Think” as part of his Monday Morning Quarterback blog (an example), so here are my reflections on the frontline insights from the event.

Ten Things I Think I Think

1. Marketing and branding of your internal security, risk and compliance program is a key success factor.  Whether you come up with a unique name or a spunky mascot, getting your organization to recognize risk management as an integral part of your organization’s success requires creativity, style and a certain panache.  Risk and security people aren’t the data heads and quant geeks you might think they are – there are some fascinating people out there in charge of risk management.

2. Continuous Monitoring is nirvana for all, but achievable by many. If you can get your auditors to quit reviewing individual controls and instead inspect the process of designing controls, you can save time and money, and raise the audit conversation to a more strategic level. Getting there takes work, but it is not a mythical ‘city of gold’.

3. The role of self-awareness in risk management – understanding the business, organizational and technical nuances that will impact the direction, velocity and success of your risk management strategy – is often overlooked.  Setting the bar too high can be as detrimental as setting it too low.  Organizations can stay the course, understand their pitfalls and navigate the politics.

4. Dallas has some great steak places.  Everyone knows it – but sometimes it just needs to be reiterated.

5. Executives in charge of risk programs are thinking more broadly and strategically than ever. They think in terms of strategic risks as much as operational risks. They need to talk dollars and cents to the business, not reds, yellows and greens; they need more information, not data; they need connected stories, not anecdotes.

6. Agility is as important as stability.  Simply put - fail fast, learn faster.  My favorite quote around this – ‘Fail Forward’.

7. There is nothing better than networking and connecting with people who can feel your pain and appreciate your successes. This was the 14th year of the RSA Archer community coming together and it never fails to feel like a family reunion. We have customers who have been meeting like this for over a decade. In one corner of the room you have a spirited discussion on GRC processes; in another corner you have people updating old friends on their children. Both discussions lead to better sharing of information across our industry.

8. Magic can happen when the business people and technologists work together.  For example, when a risk analyst works well with a technical administrator, some seriously interesting results appear – especially when the tool is as configurable and flexible as RSA Archer.  More importantly, a business problem turns into a business enabler.

9. Success breeds success.  Momentum and taking a proven path are formidable allies. 

10. And this one is not an ‘I Think I Think’ but is an ‘I Know I Know’: I can’t wait for next year for the same experience.


If you missed it this year, or just want to relive some of the highlights, check out my keynote!


Author: Steve Schlarman

Category: RSA Point of View

Keywords: RSA Charge, RSA Archer, GRC, Risk, Risk Culture, Risk Management, Risk & Compliance (GRC), Security