We saw a lot of variation in the products we looked at this month. There is more than one way to look at the problem of GRC. For simplicity, we will think of the products this month as some variant of GRC. Governance, risk and compliance are the cornerstones of policy enforcement. The problem is that in order to do GRC correctly one needs to have tentacles into all of the areas of the organization. Without that, the data that the GRC system needs to give an accurate picture are incomplete.
Broadly, the products we saw were either focused on the IT aspects of GRC or were broader in scope. This is not to say that these tools do not focus on IT risk; they all do. Rather, they differ in how much emphasis they place on it. Those that place heavy emphasis are the ones that focus on what we refer to as "closed loop" GRC. That means they focus on detecting vulnerabilities in network devices in, more or less, real time and on automating the remediation of those vulnerabilities. They usually can perform the remediation automatically or can offer the organization the option of remediating manually. After remediation, these tools retest and then report their final analysis, closing the loop.
In the other type of GRC system, the emphasis is on providing a lot of data to humans with everything they need to manage risks manually, often with some automated help from the system. In these systems, visualization is critical.
So, which one is for you? That depends on several factors. First, what type of business are you? If you are heavily dependent on technology for your security, management and other risk-related tasks, you might want to lean toward the more technological solutions to the GRC challenge. This also may be true if your organization is large with a large distributed network. Managing proper configuration of such a large enterprise can be a daunting task, not to mention the task of maintaining good GRC.
That said, all of the products that we looked at had the ability to pull data directly from devices on the network. The main difference is in the amount of data manipulation the tool expects you to do. While the more automated systems may seem to be the silver bullet of GRC, in your situation they may not be. For example, if you are a very large organization, multinational, perhaps, you have a far more complicated problem, especially in maintaining compliance with a myriad of different regulatory requirements.
In either case, deployment can be challenging. It is critical that you pre-plan, because these are large, complicated implementations with lots of moving parts and lots of stakeholders. All of those stakeholders must be involved directly, because if they are not, your multi-hundred-thousand-dollar investment is destined to become shelfware.
First, decide who is going to own the deployment. That will depend on your organization. That person or team will be different in a financial services organization than it will be in a manufacturing company. Next, learn everything you can about the tool you've selected. Figure out how you are going to deploy it and what roles the particular stakeholders will play. There will be a lot of legacy data to get into the new system. How are you going to do that? How does the system consume data? What connectors does it need to interface directly with the IT infrastructure? All of this needs to be understood before the first package is loaded onto a server.
Remember two things about GRC if you don't remember anything else: First, compliance does not equal security, but good security usually equals compliance. Go for security and risk management, and compliance will take care of itself, provided you have the right reporting. Second, remember that the C-suite could not care less about how you get your numbers, graphs and charts. What they want to know is whether they can depend on their accuracy and whether they give an adequate answer to the most important question of all: What is our risk level?
Because there were multiple types of tools, this month we have two distinctly different Recommended products: one that is largely technology-based and one that is more management-based. Also, because every one of the products we tested really was close to best of breed, we have been quite picky in how we rated them. Differences were small, with many products doing one thing better than all other products but with other functionality that was pretty close across the board. Also, fair warning: we could not possibly cover every function in these products in the space we have. Their functionality is prodigious.