Is GRC just another industry acronym or is this the one we've been waiting for?
Over the past decade, we have all been bombarded with the latest and greatest buzzwords, all designed to usher in a variety of tools and differentiate them from creaky old technologies. Given that Lucy has yanked the proverbial football away from us so many times, have we finally found a tool set that actually works as advertised? I wouldn't stick my neck out and be the first to bet on it.
First, it helps to define GRC.
GRC stands for governance (policy), risk management and compliance. All of us are rolling out security controls that address compliance. On top of this, we have several other outliers that create an environment that even expert risk assessors will have a hard time measuring.
These complexities and those that have spawned from compliance initiatives are the perfect incubator for marketers and solution providers. So the GRC buzzword was spun and tied to business needs related to compliance. Purportedly, it will assist us in everything from our security programs all the way to our technical solutions.
GRC solutions are designed to assist in mapping, authoring and distributing policy and controls to the appropriate regulation, as well as manage the exceptions to the given policy and regulation. In addition, the tools assess technical controls that are appropriate to the regulation and identify deficiencies and gaps in the controls. Finally, GRC tools are supposed to assist in quantified analysis and mitigation of risk.
So let's sum up all the promises here.
GRC products promise to map multiple regulations to a single set of controls along with exceptions to policy. They promise to map policy to controls and to track compliance activity. They promise to monitor your technical controls, where they sit in the business process and what regulations they satisfy. They promise work flow efficiency and the ability to assign risk based on components of a system. And finally, they promise to correlate changes in the enterprise to overall risk.
Sounds great, right? Not so fast.
Selecting the appropriate GRC tool for your environment is a daunting task. It's not something you can hand off to your IT department and hope for the best.
In order to properly select a tool, someone has to not only have a complete understanding of the muddy compliance waters but also must know what a system does, how it's used, what other systems/processes depend on it and what existing compensating controls are in place. Now multiply this by the number of regulations and different systems you have within your enterprise and you quickly realize that the legwork required before you purchase is a project of its own.
Does this sound like enough complication? Not to worry, we have more.
When you drag in the usual suspects, be sure that you understand that each vendor interprets compliance, governance and risk in very different ways, so naturally their products will reflect this in their feature sets. Now, if your organization has a heavy focus on risk, rest assured that there is a vendor out there with an offering that leans heavy on the risk side of GRC. This goes for governance and compliance as well. The trick here is to be sure that you have all your homework done before you begin shopping for GRC solutions.
At the end of the day, some would argue that given all the work that needs to be done before you even look at a GRC solution actually nullifies the usefulness of GRC products. After all, when you come to a complete understanding of all things GRC, how much good can an expensive product do you?
It's early in the GRC game and while there are many vendors spinning these products, it has the familiar feel of the old SIM market (Security Information Management). For those that don't recall, this old buzzword addressed all of the data generated by various point solutions in a given environment and was supposed to make meaningful sense of it all.
It was learned that a lot of work was needed, was more expensive than anticipated and ultimately, not much utility was derived. Time will tell if history repeats.
This article was first published on EnterpriseITPlanet.com.