An effective GRC strategy requires having the right tools in place, and choosing them means understanding the different platforms that are on the market.
“Buying the right GRC platform for your organization is all about asking the right questions,” explained Sam Abadir, vice president of Industry Solutions at LockPath, a leading provider of compliance and risk management software. “There are questions to ask about your internal processes, questions to profile vendors, and questions to justify the purchase of a GRC platform. Whether you’re buying a GRC platform or trying to prepare for a mountain climb, asking the right question lowers your risk and increases the favorability of the desired outcome.”
The questions Abadir suggests you ask before buying a platform include:
- What or who is driving the need for a GRC platform? Determining what or who prompted the search for GRC platforms is revealing for fit and other factors like time to implementation. From our experience, there are typically three forces at work:
  1. The current solution can no longer meet the demand.
  2. An executive or board member requested the search.
  3. An incident like a data breach has occurred.
- How are you going to support your GRC platform? A GRC platform should integrate with your organization’s processes. As such, you’ll need to consider how you will support the platform: Will you need an infrastructure team made up of compliance and risk management staff, IT and GRC champions? What about training staff on using the platform? Knowing what is necessary to support each potential GRC platform is critical to success.
- Where are you now and where do you want to be? Knowing where you are helps you strategize where you need to be. Have you purchased a GRC platform before? Are you moving from a point solution like policy management software? Check your current proficiency level against your goals to determine what is a “must have” versus a “nice to have.”
Requirements Your GRC Platform Should Meet
You’ve asked the basic questions about deploying a GRC platform. Next, according to Steve Durbin, managing director of the Information Security Forum, you should ensure that the GRC product is supported by, and ideally mapped to, an industry-recognized methodology. He recommends considering these basic requirements:
- Ability to conduct assessments at varying levels of detail depending on the criticality of the environment/system being assessed
- Ability to host/upload evidence (especially for the compliance requirements tracked in the GRC platform)
- Provide/display outputs in accordance with recognized standards and regulations (ISO, NIST CSF, PCI)
- Predefine a set of attributes to produce a risk analysis in a short space of time, for example by defining system criteria (e.g., internet-facing and processes PII). This is particularly important for agile environments
- Provide deep analysis in business reporting with an emphasis on how it should be communicated. The reporting needs to consider multiple audiences (i.e., technical IT teams, who typically want to know what controls to implement; the CISO, who wants the threats; and the business, which wants costs and ROI)
- Future-proof the functionality by considering quantitative ways to report risk and the mitigating actions (such as comparing the cost of a possible risk to the cost of implementing controls, both OPEX and CAPEX)
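Two of Durbin's requirements, predefined system attributes that drive a quick risk analysis and a quantitative comparison of expected loss against control cost (OPEX plus CAPEX), are concrete enough to sketch. The following is an added example, not code from the article or from any GRC vendor: the attribute weights, depth thresholds, the `SystemProfile`/`Control` types, the loss figures and the control's assumed loss reduction are all assumptions chosen for illustration, and the inventory it runs over is constructed.

```python
# Added example (not from the article or any GRC vendor): predefined system
# attributes drive assessment depth, and annualized loss is compared with the
# cost of a control (CAPEX plus OPEX) over a planning horizon. Weights,
# thresholds and all figures below are assumptions chosen for illustration.
from dataclasses import dataclass

# Assumed attribute weights: exposure and data sensitivity outweigh criticality.
ATTRIBUTE_WEIGHTS = {"internet_facing": 2, "processes_pii": 2, "business_critical": 1}


@dataclass(frozen=True)
class SystemProfile:
    name: str
    internet_facing: bool
    processes_pii: bool
    business_critical: bool


def exposure_score(profile: SystemProfile) -> int:
    """Sum the weights of the attributes the system actually has."""
    return sum(
        weight for attr, weight in ATTRIBUTE_WEIGHTS.items() if getattr(profile, attr)
    )


def assessment_depth(profile: SystemProfile) -> str:
    """Map the score to an assessment depth (assumed thresholds)."""
    score = exposure_score(profile)
    if score >= 4:
        return "full"      # internet-facing and handles PII: full control review
    if score >= 2:
        return "standard"
    return "light"


@dataclass(frozen=True)
class Control:
    name: str
    capex: float           # one-off implementation cost
    opex: float            # recurring annual cost
    loss_reduction: float  # assumed fraction of annualized loss the control removes


def annualized_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = single loss expectancy * annualized rate of occurrence."""
    return single_loss * annual_rate


def control_business_case(single_loss, annual_rate, control, horizon_years=3) -> dict:
    """Compare the loss a control avoids with what it costs over the horizon."""
    ale_before = annualized_loss_expectancy(single_loss, annual_rate)
    ale_after = ale_before * (1.0 - control.loss_reduction)
    control_cost = control.capex + control.opex * horizon_years
    avoided_loss = (ale_before - ale_after) * horizon_years
    net_benefit = avoided_loss - control_cost
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "control_cost": control_cost,
        "avoided_loss": avoided_loss,
        "net_benefit": net_benefit,
        # Return on security investment; negative means the control costs more than it saves.
        "rosi": net_benefit / control_cost,
        "recommend": net_benefit > 0,
    }


def report_for_audience(case: dict, audience: str) -> str:
    """The same numbers phrased for the three audiences the requirements list."""
    if audience == "it":
        return f"Implement {case['control']}."
    if audience == "ciso":
        return (f"Residual ALE {case['ale_after']:,.0f} after {case['control']} "
                f"(was {case['ale_before']:,.0f}).")
    if audience == "business":
        return f"{case['control']}: net benefit {case['net_benefit']:,.0f}, ROSI {case['rosi']:.0%}."
    raise ValueError(f"unknown audience: {audience}")


if __name__ == "__main__":
    # Constructed sample inventory.
    systems = [
        SystemProfile("customer-portal", True, True, True),
        SystemProfile("hr-db", False, True, True),
        SystemProfile("build-cache", False, False, False),
    ]
    for s in systems:
        print(f"{s.name:16} score={exposure_score(s)} depth={assessment_depth(s)}")

    # Constructed figures: a 500k loss event expected once every five years.
    waf = Control("managed WAF", capex=60_000, opex=20_000, loss_reduction=0.75)
    case = control_business_case(500_000, 0.2, waf)
    for audience in ("it", "ciso", "business"):
        print(report_for_audience(case, audience))
```

The point of separating `exposure_score` from `assessment_depth` is that the attribute table can be maintained by the risk team while the thresholds stay stable; the point of returning a dict from `control_business_case` is that one calculation feeds all three audience reports, so IT, the CISO and the business are never arguing from different numbers.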
Comparing Different GRC Products
Now comes the tough part – making the decision about which platform is right for your company. To get you started on your search, here are some GRC product package comparisons:
Druva inSync: Solves the business challenge of endpoint security and governance, as well as providing data loss protection and file-sharing capabilities. Reviews of the product say it has a high rating for ease of use, including setup and administration. Top industries using this platform are IT, network security, energy and retail.
RSA Archer: Solves the business challenge of compliance management and risk management. Works best in a more mature environment and with users who already have a good understanding of their own GRC processes. Can be customized for individual situations. Top industries using this platform are security, finance, computer software, IT and insurance.
PowerDMS: Solves the business challenge of policy management, accreditations, and document control. Works best in organizations tasked with managing a high volume of documents and training situations. Top industries using this platform are law enforcement, health care and fire/EMS.
MetricStream: Solves the business challenge of streamlining IT functions, risk management and monitoring regulatory requirements. Works best in a more mature environment. Top industries using this platform are financial services, retail, manufacturing, life sciences and health care.
IBM OpenPages GRC Platform: Solves the business challenge of offering a scalable solution to manage compliance issues. Works best in an environment with a GRC program in place to improve overall efficiency.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba