When I started out in security, only very large organizations with a mature set of business processes dared to talk about implementing some form of governance, risk, and compliance (GRC) or enterprise GRC (e-GRC) program. They generally did it in an attempt to get ISO or similar certification, or to “move their programs to the next level,” and some, I think, attempted it just to prove they had done it. Many of those efforts were monumental, costing millions of dollars and taking years to complete. However, a significant number seemed to end in compromise, yielding a smaller end result or failing outright after thousands of man-hours and millions of dollars had been spent on software, systems, and consulting.
The failure of e-GRC seemed attributable to the maturity and complexity of the tools as much as, or more than, to the maturity of the organization. The original systems were monolithic solutions that consumed many hours and dollars just to get off the ground. They depended heavily on manual processes because their integrations with the source data repositories and systems were limited or poor. They required constant care and feeding, plus new processes on top of the old ones, to stay relevant, or they quickly fell out of date.
Another key issue was scope. While those solutions could draw on a very broad range of information, performing e-GRC left project managers and system owners dependent on business groups across the entire enterprise to gather, enter, and maintain the data. Most input had to follow a rigid, linear sequence, which caused bottlenecks and breakdowns in the input process. If the data for a particular stage was missing, the project could stall entirely until the data owner could be persuaded to deliver it, and if that owner backed out of the project altogether, the project faced a different order of failure.
Fast forward to the present day, and we see the lessons learned from those days coming to fruition. We now have a class of tools called IT-GRC that lets IT, security, and risk practitioners build their own GRC models around IT environments and assets without having to involve the rest of the enterprise to get it done. The new breed of IT-GRC tools has many advantages over its historical and contemporary e-GRC counterparts in data management and workflow. These tools are no longer monolithic or linear in nature. They are modular, allowing IT to address its own GRC problems and deliver value not only to the CIO but to the entire C-suite in a short time.
In many ways, IT-GRC tools seem to have evolved toward an agile model of deployment, delivering value in short sprints much like the software development methodology of the same name.
I recently had a briefing with one of the contenders in this space, Allgress. While discussing its Insight Risk Management Suite (IRMS), I saw that it addresses a number of the problems that traditionally plagued older systems.
The first improvement is its integration with authoritative source data repositories. Old systems required either manual work or custom middleware to ingest information, so Allgress attacked this issue head-on by providing plentiful out-of-the-box integrations with the data sources that IT relies on for systems intelligence. These integrations cover network and application vulnerability management solutions, data leak prevention (DLP) solutions, and configuration management products, creating a continuous flow of current data from the authoritative systems. The practical caveat is that a GRC view built this way inherits the coverage gaps and errors of those upstream systems: an asset the scanner never reaches, or a configuration database that is out of date, will be just as invisible or just as wrong in the risk picture.
The second significant improvement over past solutions is the flexible workflow engine. For data that cannot be ingested from another source, it lets data managers enter data for any part of the system in virtually any order, which further reduces project spin-up time.
The third improvement is the flexibility to deploy the suite either as a SaaS application or as an on-premises solution. The SaaS option allows the system to be stood up in less than an hour. Allgress tells me that, combined with its data integrations, a customer can get real value by identifying and prioritizing risks in a matter of hours. A SaaS deployment does mean that vulnerability, incident, and compliance data, which is sensitive by nature, is held by a third party, so the usual due diligence on the provider's own security and data handling applies before choosing that option.
The suite's modules cover the core areas of IT-GRC:
- Policy and Procedure Governance: manages internal security and regulatory compliance policies and procedures.
- Risk Analysis: provides an immediate, intuitive, and comprehensive view of an organization’s security and risk posture.
- Vulnerability Management: collects, analyzes, and visualizes data so security personnel can make key decisions that align security and regulatory compliance programs with top business priorities.
- Incident Management: lets security and risk professionals manage security incidents and investigations using a centralized document collection site with built-in information gathering templates. Customers can unify, prioritize, and access incident information from a single repository.
- Security & Compliance Assessment: manages compliance programs with operational efficiency, demonstrating an organization’s progress toward achieving regulatory compliance.
Each of the modules has significant power, but this is a case of the whole being greater than the sum of its parts. Combining the data gives the security and compliance, systems administration, and risk management teams useful information for improving their programs and providing better coverage for their customers.
Given the improvements over the earlier products, I can see why adoption of IT-GRC solutions is much higher than that of previous attempts at the e-GRC genre of software. I can’t wait to see more as I dig in further.