Tools are never a solution

All good information security programs are founded on people and process before they're founded on tools, says Walt Williams, director of security and compliance at Lattice Engines.

When many of my peers hear the term GRC (governance, risk and compliance), they immediately think of an implementation of a particular tool by a particular vendor. It is as if the tool has become synonymous with the solution to the problem. While this is brilliant for some, it does nothing to help organizations which are too small for an implementation of that tool to be either effective or affordable.

Besides, the tool is not the solution. Tools are never a solution. At best they are one-third of the solution. All good information security programs are founded on people and process before they're founded on tools. Tools, good ones at least, only make the people more effective as they implement the process. The same goes for governance, risk and compliance.

As even the name GRC implies, three independent processes are involved: namely organizational governance, risk management, and compliance management. It is useful to take a step back and look at this from a different point of view. All governance, risk and compliance is an information security management system. Organizations which have implemented ISO 27001, NIST or O-ISM3 are familiar with the concept. A management system is the sum total of all the policies, procedures, standards, technologies and reviews put into place to govern information security, manage risk and ensure compliance. 

It is not necessary to implement ISO 27001, NIST or O-ISM3 to have an information security management system. Those standards provide models for building a complete and comprehensive program. Other standards, such as CIS top 20, PCI DSS, and the Cloud Security Alliance's Cloud Controls Matrix, are more focused on technology and less on building out a comprehensive security management system so that you can effectively govern your organization, manage your risks and demonstrate compliance with all applicable laws and standards. Both the Cloud Security Alliance and the AICPA recommend implementing an information security management system before seeking either an attestation of compliance against the cloud controls matrix or the SOC 2 type 2 respectively, as both organizations recognize the desirability of having a comprehensive system for governance, risk management and compliance management.

Any organization of any size can implement an information security management system and, if the organization so chooses, it can be audited for compliance against that management system so that there is an independent third-party evaluation of both the completeness and effectiveness of your ISMS. Such audits are voluntary

Any organization of any size can implement an information security management system.

NIST, ISO 27001 and O-ISM3 all have in common the requirement to improve your management system through setting goals and measuring performance against those goals. They mandate the commitment of the organization's leadership to support the management system – putting in place controls that remediate those risks that are unacceptable to the organization's tolerance for risk. As well, they mandate a security awareness program to demonstrate that all processes and procedure standards and guidelines are not only documented, but revisions are tracked. They mandate both internal audits and management reviews of the controls and management system. This is all governance. These management systems mandate that not only do you assess and manage risk, but you track what controls are managing what risks, you track those risks you're transferring, avoiding, or accepting, and that you periodically reassess risk comprehensively. These management systems mandate that you comply with all applicable laws, regulations and standards, and that you both protect the data and the privacy of the use of that data, and the privacy of the people who use your systems.

The most important thing about using NIST, ISO 27001 or O-ISM3 as the foundation of your GRC program is that you are not bound to any tool. You can use any tools in support of your management system. There are many such tools freely available, and others that come with no cost involved. In support of organizations I've led, I've used spreadsheets, document management systems and a bug tracking system to comprehensively manage an ISMS. The ISMS of my current company was certified as compliant with ISO 27001, using documents based on freely available templates found here


Walt Williams, the director of security and compliance at Lattice Engines, will be speaking on information security management systems at RiskSec Toronto. The two-day event, June 12 and 13, to be held at St. Andrew´s Club & Conference Centre in Toronto, is SC Media's new threat intelligence and risk management gathering for cybersecurity industry leaders. 

Williams will be discussing the fact that there is a lot more to managing an information security program than risk management. 

Evolving from the SC Congress series, the leading cybersecurity conference and expo known throughout the globe, RiskSec Toronto is comprised of interactive learning sessions, keynotes and panel discussions, and features an area designated for technology companies to demo and share their latest products and services. This event was created to immerse attendees in highly personalized and focused interactive exercises with discussions from senior thought-leaders in the cybersecurity industry.

Attendees will share perspectives with peers and discuss steps to tackle the cybersecurity issues proving most challenging to us all. RiskSec Toronto will enhance your knowledge set to bolster your organization's security controls and build up your threat intelligence, risk management plans and best practices.

More than 30 industry leaders will be keynoting and presenting. As well, attendees can earn up to 15 CPEs at RiskSec Toronto.

Walt Williams has served in leadership roles of organizations that have provided secure and scalable services in the cloud for over 10 years. He currently serves as director of security and compliance at Lattice Engines. He is an outspoken proponent of design before build, and an advocate of frameworks and standards. He has spoken at Security B-Sides, Boston App Sec, Rochester Security Summit, DefCon's Wall of Sheep, and the 2016 27K summit.

Mr. Williams' articles on security and service-oriented architecture have appeared in the Information Security Management Handbook, and he has a book on the same subject with CRC Press. He has sat on the board of directors for the New England ISSA chapter and served as a member of the program committee for Metricon. 

Come hear Walt Williams and more at RiskSec Toronto. Please visit our site to register. A full conference pass is $1,295, but for a limited time we invite you to sign up with a special Discount Code of $495. Type "FEATURE" into the DISCOUNT CODE field for a savings of nearly $800.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.