As the security landscape continues to devolve, businesses will continue to adopt and implement security controls. The earlier that a Governance, Risk and Compliance (GRC) Management tool is adopted by the business, the sooner overall compliance and security will improve, and the more likely security awareness will permeate the business culture. GRC Management tools are designed to support and unify existing and new processes, such as:
- Asset management
- Configuration management
- Policy management
- Risk management
- Alert/Event monitoring
- Incident management
- Vendor management
- Business continuity & disaster management
- ID provisioning
- Access control management
- Privileged ID & password management
- Log management
- Regulatory compliance monitoring
- Records management
- Email management
- Security Awareness programs
Although these individual processes may exist within an organization, they are generally developed independently of one another as a need arises, lack the necessary links and feedback loops to support one another, and remain operating in silos, disconnected and unaware of one another. The use of an overarching GRC Management tool is what will link information from all of these activities together, providing the business with a clear, high-level picture of its security, compliance and technical operations, while allowing drill-down into the weeds when problems are identified. By eliminating redundant activities, GRC management tools can reduce total compliance costs and enable business leaders to get high-quality, accurate and timely information to support better business decisions.
GRC done right presents a powerful foundation for security efforts, allowing for clear definitions of metrics and success parameters, visibility into the risk items that the business needs to be (and should be) managing, and a view of operational effectiveness, all in a homogeneous and consumable format. The key to the success of a GRC management platform is its ability to extract, import and correlate data from multiple diverse sources. It has been a while, so I believe that it is time once again for me to examine the vendors and offerings within this important niche.
According to Security ScoreBoard (from whom I nicked the above graphic), these are the top vendors (by number of views) in the market. Number of views of a database such as this may not be the best metric, but it is the starting point that I have available, and therefore the one that I use. If someone would like to do a survey of all of the IT folks out there, I’d certainly encourage you to do so, and I would post that metric here. Didn’t think so…
Compliance is NOT security; the two do not equate. A compliance strategy is a component of a solid security program, but compliance alone is not a solid protective strategy. A business must be compliant with regulations such as PCI, PIPEDA, HIPAA, SOX/C-198, etc., should be compliant with best practices like ITIL, GAPP or COBIT, and may be compliant with industry standards such as BS-7799, ISO-27002 or Common Criteria. Businesses large and small need to understand and comply with the regulations that they are subject to, understand the security risks that they face daily, know about all of their assets and their assets’ vulnerabilities, and understand the threats that could act on them. A business should also have a governance strategy that aligns these items with policy, process and procedures in order to achieve, and demonstrate its achievement of, compliance and security goals. There is no doubt that a business should also be compliant with its own internal policies and standards, but in most SMBs, and even in some larger organizations, there is no way to accurately measure or even enforce that level of compliance. Regulatory compliance is a starting point: the minimum required to demonstrate that a business is doing what it must to legally remain in business. Ask your customers if doing the minimum to protect their data is good enough for them. If they are satisfied, why do more?
In order to secure an organization against modern vulnerabilities and attacks, it is necessary to understand your business, your internal culture and processes, your valuable information and its locations, the weaknesses present within your environment, and to build safeguards around your business using this knowledge to your advantage. I can almost guarantee that your enemies, your competition and your attackers will be doing the same.
A GRC solution should allow you to map your processes, information and process flows, relationships, dependencies, technical, operational and security risks, and provide information to summarize your risk landscape. As an example, there are different risks present at the various levels of your technical infrastructure. The table below is not meant to be an exhaustive analysis, but shows the commonality and diversity present at several layers.
Each of these risks should be handled by policy, driving the development of documented processes, and ending in standards and procedures that should be followed closely. Information and metrics from one area may be useful in many, and if they are not connected, the result will be duplication of effort and information. By unifying the oversight and management of these areas, which should all be tied together by policy anyway, significant cost and resource savings should be realized, and information, and the views into that information (intelligence), can be centralized.
Interested in seeing more about this or some other topic? Tell me about what your needs or interests are…