Security Strategy, Plan, Budget

Risk and policy management

Industry Innovators 2016: Risk and policy management

Risk and policy management is a necessary evil (common misconception: while it is necessary it does not need to be evil). The problem with risk and policy management that makes it seem evil is that it can be very tedious. We looked at several risk and policy management products and we found that, no matter how well the product processes data and gives users everything needed to manage risk and tweak (or develop) policy, the big gotcha is getting source data into the system.

For example, a tool that does not do auto-discovery (or consume data from a tool that does on an ongoing basis) is pretty useless, especially in a large enterprise where assets are changing constantly. To our amazement, there were several products at which we looked that were deficient in that regard. Our Innovator this year is not one of them.

There are several elements to consider in a product of this type. Let's go back to first principles: Risk is a combination – however you chose to characterize it mathematically – of threat, vulnerability and impact. To lower risk, we need to address one or all of these three elements. To that end we need to know everything we can about them. That means, first and foremost, knowing that they exist on our enterprise and what they are (host, operating system, applications, communications, etc.).

Then we need to track vulnerabilities in these assets. We cannot trust a once-per-year pen test either. We're talking about ongoing vulnerability testing, automated and feeding the risk calculation. Then we need threats. That means threat intelligence services and threat documentation. Finally, we need to wrap all of that up, do whatever risk calculations are in order and package the results for their intended audience. We would like to automate as much of that as we can, but we certainly want to automate the workflow.

Our sole entry in this category this year does all of that and a lot more. And, in order to dispel some of that resident evil, the company has an aspect called the GRC Journey that helps work new GRC (governance, risk, compliance) analysts through the long and necessarily complex process of deploying a useful GRC system in their enterprise. It's really a “kinder and gentler” GRC.


Vendor MetricStream

Flagship product MetricStream GRC Platform and GRC Apps & Solutions

MetricStream App pricing is based on the number of application modules and number of users.

Adding a solid technology to the human aspects of GRC and making the GRC process manageable.
Greatest strength
Involvement with the GRC community, the customer community and the culture that drives them relentlessly toward innovation.

MetricStream is a provider of enterprise-wide governance, risk, compliance (GRC) and quality management applications. The company is innovative because it believes that it needs to be. GRC didn't exist as a regulatory issue when the firm was created. As well, it is not a point problem or a technology problem. GRC requires mindset changes and it requires technology changes to bring GRC to life. That means, according to this Innovator, relentless innovation is required in all forms. The charge is to educate, win hearts and minds, address the issues and meet a host of other challenges. According to MetricStream, unless it is a real problem, it is not worth tackling.

Driving product innovation is owing to about 300 people in cross-disciplines. There is a lot of focus on coming up with products out of left field in addition to traditional approaches. Innovation is part of the DNA of the origination. The culture at this Innovator fosters the attitude of "I can tackle any problem." The team has a scheme that allows funding across all groups for research. That encourages innovation. The big picture for this Innovator includes: help customers drive business from a hybrid cloud availability. The important idea here is “drive business.”

MetricStream never forgets that it is dealing with business risk and so protecting the business is its driving goal. In order to do that this Innovator must make GRC accessible for the customers. It does this in several ways. First is cloud. The MetricStream team see more of their customers moving to their cloud from on-premises deployments. Their cloud offerings have no co-mingled data and that is innovative, as anyone who has used a cloud-based service knows. The philosophy here is: be simple, pervasive and deliver on the hybrid cloud.

This Innovator is addressing five critical aspects of GRC: (1) User experience (redesigned the front end completely with new visualizations – API-driven); (2) Configurability (how to make the operating environment adapt to your needs and be persistent); (3) Mobility (can open on any mobile device); (4) Reporting and analytics (visualization: seeing and understanding your data – how do you understand the data); (5) Architecture (make sure that the technology is relevant and does not use old technology – relevant for customers five years from now).

Click here for Industry Innovators 2016: Perimeter defense

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.