This month we take a dive into GRC (governance, risk and compliance) and risk and policy management toolsets.
The SC team has looked at this category on an annual basis for many years. Over the years, focus in the space has come in waves, especially as regulatory and industry-specific compliance measures evolve.
With the broad reach of GDPR, we’ll likely see additional regulations emerge that drive more attention to how companies secure personal data and other personally identifiable information (PII). Complying with these standards will push organizations to emphasize operating with integrity. Tools that map controls between standards will become even more important. To help these organizations keep on track with the ever-changing compliance landscape, security teams will need tools to track their progress.
Two years ago, we defined two distinct subcategories – traditional and next-generation. Traditional tools focus on the mapping of controls and tracking compliance status. Some tools have evolved over the years to add workflow functionality, giving greater visibility into the status of each individual control and showing where the bottlenecks truly reside. Next-generation tools combine some of the upcoming technological advancements in the information security space to provide better insight and analytics on organizational risk. These tools understand the assets on the network and can understand network traffic flow.
With traditional GRC solutions touching many different departments and various technologies, the importance of choosing the proper solution becomes the center point of the conversation. While some of the tools in the space talk about implementation times from hours to days, from personal experience these typically take months for most organizations to deploy and operationalize. If the deployment times sound too good to be true – they probably are. If you have any doubts, inquire about professional services. With this type of time commitment, understanding your goals prior to purchasing solutions is of the utmost importance. Compliance mapping, evidence repositories, workflow management and custom reporting are some of the basic features these tools offer; understanding how they apply to your organization and what type of output your situation requires will be key to the decision-making process.
The key areas we observed in next-generation risk and policy management tools last year are still prevalent this year. Auto-discovery and auto-consumption continue to set these products apart from the early tools. The latest iterations also take steps to manage firewalls and edge routers. To understand policy management, the firewall is an obvious starting point. Most executives want to know if their organizations are compliant, so having a tool that can run compliance tests helps answer that question.
Looking at the providers this month, we see a lot of familiar faces and, happily, improvements from last year. It’s gratifying to see solutions grow and evolve, and the group this month had some significant changes from the years prior. With even more focus on automation, these tools continue to reduce the effort required to operationalize the toolset and maintain the relevance of the information contained inside.
To read all the November reviews, see below:
STREAM Integrated Risk Manager
SAI Global – SAI360 Digital Risk
Skybox Security Platform
Tufin Orchestration Suite
AlgoSec Security Management Suite 2018.1
Cavirin CyberPosture Intelligence for the Hybrid Cloud
FireMon Security Manager
Allgress Insight Risk Manager