The DRMTA: Loops and Lines

Oct 29, 2019 | by Steve Schlarman

As we explore Digiville in this blog series, it can’t be forgotten where we started our journey. Digital transformation opens up new routes to market, optimizes operations and creates entirely new ways to do business. As your organization continues it journey, your risk and security program must evolve as well. That means it isn’t a static approach. There are parts of your Digiville expanding every day. For Digiville to stay on the move, the Digital Risk Management Transit Authority (DRMTA) must keep up with the active lifestyle in this dynamic metropolis. To keep Digivillians on the move, the DRMTA has several key loops and lines.

Through the heart of the city, the Risk Loop connects to every line and is a core route for the transit system. There are unique stations for risk management like scenario modeling, decision models and risk quantification that are core to a mature risk management methodology. This loop represents the nucleus of the risk and security program – to identify, assess and treat risk. In the metaphorical sense, the many stations connecting to other lines allows the Risk Loop to aggregate and translate potential issues from across Digiville.


The Digital Product Loop and IoT Line are the newest additions to the DRMTA. Digital Products are disrupting the status quo. Inserting risk management into the software development lifecycle – especially DevOps scenarios - is imperative. The risk management approach to DevOps must keep pace with the agile methodologies implemented in IT and expected by the business.

Furthermore, the sheer size of IoT can be frightening depending on what you are doing with it. Having MILLIONS of consumer devices with your brand name on them or industrial control systems running your business every day – is a significant opportunity – and risk.


The Digital Product Loop is the most recent expansion of the DRMTA because how your development activities for digital products interacts with your security and risk methodologies is critical. DevOps, Consumer IoT and mobile apps are examples of areas where risk management must intersect your digital product management lifecycle. The DRMTA also has the DevOps Express Line. While it was initially built for IT and its ‘agile’ travelers, increasingly, risk and security teams must also ride that line occasionally.

There are a few lines that deserve a call out as well. The Cyber Line ventures onto the dangerous Adversaries neighborhood, traverses the city, branches out across Legacy IT and ultimately ends connecting to the Risk Loop at Cyber Risk Analytics station. Along the way, it crosses many different lines. Cybersecurity is an acknowledged key to managing digital risk. The threat landscape has expanded so much that organizations without key capabilities like Threat Monitoring, a strong Security Stack, SIEM, Incident Response and Breach Management can suffer catastrophic incidents.


Another critical line is the Partner Line with stations specific to processeses related to vendor management such as Vendor Risk Assessment and Contracting. Like the Cyber Line, the Partner Line includes multiple connections to other parts of Digiville simply because today’s business models require the use of partners in a vast ecosystem of collaboration, data sharing and resource sharing.


The intersections of these lines allow travelers to get to other parts of the city – figuratively speaking – the stations represent capabilities that require cooperation. For example, combine Cyber and Partner lines and you see some interesting intersections like UEBA and Cloud/Partner Monitoring. If you add in the Workforce Line, there is another aspect to add to your UEBA strategy – how do you distinguish internal employees from contractors?  Or do you need to?  When you follow the Workforce Line, you also see stations for the Extended Workforce and Awareness and Training.

When you put the big picture together, it is expansive – and it looks complex. But how could it NOT be?  Today’s digital business is expansive and complex. Managing risk across your organization is not a simple challenge and there isn’t a simple solution. There are major crossroads like Data Privacy, Controls Assessments and Data Governance, vital capabilities such as Policy Management, asset catalogs, and Compliance Reporting and emerging topics like IoT Gateways and Sentiment Analysis for social media.

As you explore the DRMTA, you will see many different stations unique to individual processes, but also connections to the other lines. That is what makes a transit system valuable. It is these connections that allow the DRMTA to deliver on its motto of ‘We can get you there’.

# # #

Follow this blog series to learn more about Digiville and the DRMTA. Check out the full graphic of Digiville and the Digital Risk Management Transit Map.

Read the RSA Digital Risk Report to learn about the perceptions and attitudes towards risk in the digital world. Understanding the challenges facing your organization is a great way to get started down the path of ‘good habits. Use the RSA Digital Risk Index as a quick assessment for ideas on how you can adjust your strategies as your organization takes on digital business.

Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity

Author: Steve Schlarman

Category: RSA Fundamentals, Blog Post

Keywords: Cybersecurity, IRM, Risk Management, Digital Risk, Digital Risk Management, Digital Risk Report, CISO

Part 3 of the Digiville blog series based on my RSA Charge 2019 keynote.

Catch up with the series by reading ‘Welcome to Digiville’ and ‘Exploring Digiville with the DRMTA’.

Share