Posted by: Ryan Shopp
DataCenter, Security, Securitychannel
Time for a quick side bar from our reference model discussion. Just wanted to make a quick, timely mention of a space that is currently evolving called IT Governance, Risk & Compliance Management or “IT GRC” (as defined by Gartner, Forrester, EMA, IDC). This is an emerging space that helps enterprises automate their data center and beyond for IT related risks and also helps leverage that automation to reduce the overall cost of proving compliance (which to date has traditionally been done through lots of manual labor, e.g., consultants).
So what exactly do these products do? They provide a top-down approach to organizing your IT security management program and initiatives. You establish your goals (hopefully making sure they are aligned with the overall business goals) and then leverage three primary automation engines to report status against those goals:
- Automation of the interview process for security controls that can’t be tested with software instrumentation. Build and distribute, with workflow automation, web surveys that ask system, application and network owners various process, procedure and administrative IT control status questions. These are traditionally called non-technical controls in the security world since there isn’t a way to have software automatically gather the information.
- Automation for previous audit reports or for external auditors through a data entry workflow where they take their physical (face-to-face) interview results and input them into a centralized content management system.
- Automated connectors that gather and normalize controls, resources and scoring data from security monitoring products (e.g., vulnerability scanners, configuration/policy managers, and any other security software product that automates technical controls).
Now, with all your technical and non-technical controls automated into a normalized, centralized model, you can view your Key Performance Indicators (KPIs) and how they are ranked/mapped against the overall business goals. It’s also a unified location to point your auditors to, saving your team time and frustration.
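As an added illustration (not code from the original post or from any vendor named in it), here is a small Python sketch of that normalized model: constructed survey answers, auditor entries and scanner results are folded into one score per control, then rolled up into a KPI per business goal using a hypothetical control-to-goal mapping.

```python
from collections import defaultdict

# Constructed sample data (not from any real product): three feeds, each in its own shape.
SURVEY_ANSWERS = [  # non-technical controls: web-survey responses from system owners
    {"control": "AC-2", "question": "Are accounts reviewed quarterly?", "answer": "yes"},
    {"control": "IR-1", "question": "Is the IR plan tested annually?", "answer": "partial"},
]
AUDITOR_ENTRIES = [  # prior/external audit results entered through the data-entry workflow
    {"control": "IR-1", "finding": "plan exists, last exercise 2 years old", "status": "fail"},
]
SCANNER_RESULTS = [  # technical controls: connector output, one row per asset
    {"control": "SI-2", "asset": "web01", "result": "pass"},
    {"control": "SI-2", "asset": "web02", "result": "fail"},
    {"control": "CM-6", "asset": "web01", "result": "pass"},
    {"control": "CM-6", "asset": "web02", "result": "pass"},
]
# Hypothetical mapping of controls to business goals (what the KPI view is ranked against).
GOAL_CONTROLS = {
    "Protect customer data": ["AC-2", "SI-2", "CM-6"],
    "Maintain service availability": ["IR-1", "SI-2"],
}


def normalize() -> dict[str, float]:
    """Fold all three feeds into one score per control in the range 0..1."""
    per_control: dict[str, list[float]] = defaultdict(list)
    survey_map = {"yes": 1.0, "partial": 0.5, "no": 0.0}
    for row in SURVEY_ANSWERS:
        per_control[row["control"]].append(survey_map[row["answer"]])
    for row in AUDITOR_ENTRIES:  # an auditor's fail is evidence weighed against the owner's answer
        per_control[row["control"]].append(1.0 if row["status"] == "pass" else 0.0)
    for row in SCANNER_RESULTS:  # every asset's result counts, so partial coverage lowers the score
        per_control[row["control"]].append(1.0 if row["result"] == "pass" else 0.0)
    # A control's score is the mean of its evidence; a control with no evidence stays unscored.
    return {c: sum(v) / len(v) for c, v in per_control.items()}


def compute_kpis() -> dict[str, float]:
    """Score each business goal as the mean of its mapped controls (unscored controls count 0)."""
    scores = normalize()
    return {
        goal: round(sum(scores.get(c, 0.0) for c in controls) / len(controls), 3)
        for goal, controls in GOAL_CONTROLS.items()
    }


if __name__ == "__main__":
    for goal, kpi in sorted(compute_kpis().items(), key=lambda kv: kv[1]):
        print(f"{kpi:.3f}  {goal}")
```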
Really cool stuff! This area is still up-and-coming but something to keep an eye on. Of course I have a bias, as the company I’m working for, Securityworks, just launched the company and the latest version of its product. Securityworks isn’t the only vendor out there with this vision. Venture capital has recently been pouring into the space, with companies like Agiliance, Brabeion, ControlPath, Compliance Spectrum and more coming to market. For some more independent background on the challenges these solutions automate, I would recommend checking out a great PowerPoint presentation from Forrester’s Khalid Kark.
Bottom line here, which we will discuss more as we get back into the reference model thread: this is a great solution for larger enterprises that have made investments in security monitoring products but still aren’t able to make the auditors happy or answer key business questions like “how secure are we?”