Advising from the Edge: Why we Need Application Relationship Management Now

2020 has certainly been the “Black Swan” year where “once in a thousand-year events” seem to occur every month and are compounding risk to new levels. Many companies are facing enterprise risk on a massive scale from geopolitical, health and safety (including COVID-19 and civil unrest), cyber risk, credit risk and business disruptions (fires, hurricanes, flooding, etc.).

I recently joined vArmour’s Advisory Board because I was impressed by their solution’s (Application Controller) risk management capabilities. vArmour is an Application Relationship Management solution that dynamically maps out internal and cloud-based applications and dynamically illustrates their interrelationships. It achieves this by “listening” and visualizing application communications, and performing application dependency mapping in real-time. 

 My background includes leading several global risk organizations for major financial institutions such as JP Morgan, Citi, RBS & First Data; and have consulted with firms and institutions around the globe. Currently, I am the Risk Intelligence leader for CNM LLP, a technical Advisory Firm located in Los Angeles. As someone who has been immersed in Information Technology (IT) and Enterprise Risk Management (ERM), I was struck by all the ways vArmour Application Controller can dynamically manage and improve your risk management capabilities for application environments. It would have certainly been advantageous to have vArmour available years ago. 

I see five (5) critical business event use cases that vArmour can improve operating cost efficiencies and mitigate risks. Specifically, Mergers & Acquisitions, Business Continuity & Disaster Recovery, Cyber Security, Cloud Migration and Regulatory Compliance. 

A way to get ahead in Mergers & Acquisition 

I’ve been through several Mergers & Acquisitions (M&A) and know that CEOs and senior management teams are rewarded for hitting merger targets and goals; thus, it is imperative to be ahead of schedule to justify the merger’s costs savings to the board, equity analysis and shareholders.  

However, delays can occur because of application discovery challenges. We always struggled to get an accurate application list and understand all the upstream and downstream interdependencies of merged companies. This information is critical to quickly decide system consolidations, resource usage, budgets, and being in compliance with the application risk assessment process. If you don’t know applications exist, how can you protect them? 

vArmour Application Controller’s Security Graph will quickly map out every application and its communication paths to assist you to identify the interdependencies, duplicate assets and begin to achieve the merger’s cost savings goals and improve the combined organizations risk management capabilities. 

 Improve your Risk Management Capabilities

Shifting to Business Continuity and Disaster Recovery (BCP/DR), the tenuous process of figuring out “critical path” for recovery was always a “hit” and “miss “process. This was a major impediment to recovery during a crisis. 

 I experienced several major BCP/DR events such as the World Trade Center bombing (9/11), Hurricanes Irene and Sandy, blackouts and several major technology related events. We always managed to get it right at the end, but usually ran into problems that could have been avoided if we had the accurate and complete information that vArmour could have provided. 

 Specifically, application upstream and downstream interdependencies were usually discovered when the BCP/DR test failed, and errors occurred because a critical application’s interdependencies were unknown. Application “A” had a Recovery Time Objective (RTO) of thirty (30) minutes but it relied on a customer list from application “E” which had an eight (8) hour RTO. Therefore, it didn’t recover based on the business criticality as planned. 

 In addition, the change environment generally created new configuration and interdependencies at a pace that was challenging to keep up from a BCP/DR perspective. vArmour Application Controller continuously and dynamically defines those relationships and will highlight RTO mismatches. This will allow the organization to quickly repair and make the necessary changes to keep the critical path current and accurate. 

Increase your Application Resiliency

Cyber security has been elevated to the Board and CEO’s office; and CEOs have been replaced because of cyber security breaches. I’ve been in situations where the application’s footprints and interactions were unknown leaving clients susceptible to hackers. 

In one case, the client didn’t know the number of database copies that existed because of turnover and poor documentation. It turned out there were multiple database copies which contained 40 million client accounts. We had to rely on various people to get that information and couldn’t be sure it was complete or accurate. The inherent risk was by our agreed estimates to be over $4 billion. That was outside of the businesses’ risk appetite.

 vArmour would have been able to immediately identify those connections from the application to the databases and determine if the right security policies were implemented. In addition, it would have alerted us to any “new” connections which could result from a hacker or internal application using this critical data without permission. 

 Secure Hybrid Cloud Migration

Today, cloud migrations are becoming a standard practice and improve performance and costs. However, clients that put their applications on the cloud are still responsible for them, per the Shared Responsibility Model. Cloud providers have come a long way in protecting applications and providing analytics to demonstrate performance. However, there are still “blind spots.” 

vArmour reaches into the cloud and can continue to give you dynamic illustrations and analytics on the applications health and connections.  vArmour provides a unified set of capabilities that can be applied consistently across all cloud platforms for maximum flexibility and assurance of consistent behavior across the environments.

Invaluable Discovery Solution

Regulators have increased their focus on application risk management and are now encouraging organizations to move towards a continuous process. Most recently, one major Fortune 500 bank had an error that has led to major regulatory scrutiny of their application environment due to an outdated application. This increased regulatory scrutiny could impact their cost goals for years. 

In the past, I worked with a major financial institution who determined that major upgrades to applications and infrastructure were required to bring their risk within appetite. The risk exposure created several problems. One was that outdated operating systems can’t be patched with the latest security patches which left them exposed and additionally, performance issues were occurring with key applications that the vendor wouldn’t be diagnosed. 

We took a risk-based approach to upgrade the technology environment, but this was a long process to identify the most critical applications and tie them to the infrastructure and Operating Systems. In addition, due to merger activities, we didn’t have insight into the acquired company’s application environment. 

Regulators expect a firm to know all their technology assets and have a risk assessment against them. vArmour would have shortened our efforts by dynamically listing all the applications and their infrastructure.  Instead, it took countless man hours to get the information and verify its accuracy. 

In conclusion, if we had vArmour when we faced so many critical business events from M&A, BCP/DR, Cyber security, Cloud migration and Regulatory scrutiny, we would have saved countless hours of manual work. I look at vArmour as not solely a technical solution, but a business solution that runs on technology. Its future is bright as more institutions are implementing vArmour. I am sure they will continue to find new use cases and recommend enhancements, particularly with their robust partner ecosystem, to drive vArmour’s efficiency and effectiveness as a great business solution.


Read More
May 20, 2021
Relationships Matter on the Road to Cyber Resiliency
Read More
May 13, 2021
United States Government Executive Order for National Cybersecurity
Read More
May 10, 2021
Insights from a FinServ CISO Veteran: Achieving Operational Resilience Through Transparency

Timothy Eades

Chief Executive Officer