GRC tooling: governance, risk and compliance software
Hello, my name is Adrian Borowski and I'm the director of marketing for Nspek. I'm here today to talk to you about GRC tools, but before we go into that, a little bit about us. Neosynergix is a custom software developer for heavy industries, banking institutions, agricultural associations, and we can go on. We regularly deal with information security as a company that's been around for about 30 years. We deal with information security compliance, assessments, testing and a certain number of products as well from the security industry. We were in Gartner in 2018 for being one of the best PCI DSS QSA companies in Europe, and we deal with a whole raft of different compliances: ISO 27001, PCI DSS, HIPAA, you name it, we've probably dealt with it at some point in the past.
So, GRC. GRC stands for governance, risk management and compliance. Sometimes they call it governance, risk and compliance, but quite often you'll hear it referred to as GRC, and I'll refer to it as that for the rest of this particular session.

So what is a GRC tool?
Right, so a GRC tool basically is there to provide a quality-of-life improvement for information security professionals in their day-to-day lives. As many of you probably already know, being information security professionals or interested in this particular space, the amount of data and things that we have to deal with on a regular basis when it comes to information security can get quite large, and without some form of ability to manage the quantity of work we have and the quantity of data that we're receiving from all kinds of sources, it would be extremely difficult for us to operate in any other way than with some form of tool to assist us, especially when it comes to things like reporting to boards or reporting to the IT departments on the risks, issues and problems that we are potentially facing within the organization. It would make it very difficult. You can do it via documentation and Excel spreadsheets and all that kind of stuff, but really what you should be looking to do at some point is procure yourself some form of GRC tool to make your life a hell of a lot easier.
If you're buying the right GRC tool, quite often you'll be getting component aspects of risk management. If you've got a compliance requirement, say for PCI DSS, quite often any modules associated with that particular compliance model within your GRC tool will allow you to track where you currently stand against full compliance. You'll be able to use it for project management, to understand a little bit more about where you currently are versus what you need to do, and you'll be able to report back to either the auditor, the C-suite or members of your board on where you currently are and maybe some of the issues that you have as well. This is what makes GRC tools particularly powerful: the ability to just pull all of that data into one place where you can have a single dashboard that offers you all kinds of useful graphs and indicators of what you need to do next. Sometimes there are ticketing systems attached to it as well, so you can take it directly from your GRC tool, or use your GRC tool as a ticketing system, to remind your information security professionals or other people around the business what they need to do in order to maintain at least a standard baseline level of security.
It doesn't require a lot of experience to use one. I mean, it's always recommended to actually take the course at the beginning when you first procure a GRC tool, because at the end of the day there are going to be all kinds of things that these GRC tools can do that you need to know about, and you need to know where they are within the actual tool itself. So do undertake some form of training before you embark on it, and make sure also that you get good support, so if you do get a bit lost you can always call up their support lines and find out how to do something, or how to get a particular report exported, or how to change reports. Quite often GRC tools are particularly configurable, allowing you to do all kinds of things and produce all kinds of cool graphs and charts and what have you for the reporting that you need to do.
It also allows you to track things like risks, the activities that you're doing at the moment to reduce risks, and how you're treating risks. You can create your risk logs in GRC, and you can get input to those GRC risk logs from other sources. You can have multiple logins to the same tool with multiple access levels, so you may, as the information security professional, have access to all of those, but if you want to give one of the members of your team limited access to something, such as just the risk components or the incident response side of things, then you can do that as well, and that's usually a simple interface.

GRC tools protect you in many respects from losing important data in a raft of documentation. It's easy to find what you need to find when you want to find it, without having to hunt for it, especially if it's something that happened maybe two or three years ago and you just want to go back and review it. That's where GRC tools are great. It's a lot easier than going back through old risk logs and old reports you've generated trying to find that item that you're looking for. GRC tools are really, really good at just protecting you from having to rush around.
Definitely consider purchasing one. They are a big return on investment. They're not a return on investment in the sense that they will do your job for you, but they will reduce the amount of time required for you to do what you're there to do, which is run your information security, and it does allow you to really concentrate on that and not on how you're recording it or how that information is being used. It benefits everybody, really. So seriously, if you are wondering how you're going to manage your information security going forward, look at any kind of GRC tool; you can run a proof of concept, test it out, give it a go. You may be surprised: the amount that it costs to get one in pays dividends compared to how feasibly you were going to manage it in the first place.
So when you're procuring a GRC tool or system, there are a couple of things that you need to consider. First and foremost, do you want it on premise or do you want it in the cloud? Everything at the moment seems to be going into the cloud, and a lot of GRC tools are cloud-based as well. There are benefits to that: it allows a lot more space for data sets, and you don't have to worry so much about the servers they're on, because they're actually running within a cloud infrastructure that's normally procured either from the actual vendor themselves or maybe from a cloud solution they use quite a lot; quite a few people use Amazon AWS, for instance, or Azure, something like that.

When procuring a GRC tool, make sure that it comes either inbuilt with the modules that you want or that it's got access to the modules you require. Some GRC tools deliver everything to you as one big lump: you'll have the risk components, the incident response components, everything that you need to do your job. Others are maybe a little bit more modular. Quite often, obviously, you'll get a baseline level of service from a GRC tool, but seriously look at what you need to do, because certain compliance requirements, for instance, might be an additional module that you need to procure. So make sure you check your pricing, and communicate with an information security professional who knows what your business is, who knows a bit about you, who can help you go down the right route to pick up the right tool with the right modules, so that you're not going to be disappointed down the line.
Another thing to obviously consider is ease of use. There are a lot of older GRC tools that are very clunky. They're very old; they do work, but they're very, very complex. What you're really looking for is a GRC tool that you are comfortable with, hence why I say always do at least two, maybe three, proofs of concept. Spend a bit of time looking at that GRC tool to make sure that you're happy that it does what you need it to do and that it's easy for you to use. There's no point in going out and paying large amounts of money for a tool that you're finding difficult to use; there's no point in it. Eventually you're not going to be getting anywhere near as much as you need out of it, and you may be missing quite a bit that you could be using it for.

There's no real alternative to a GRC system beyond, as I mentioned before, running it on a manual basis with spreadsheets, Excel spreadsheets, Word documents, that kind of thing. Some ticketing systems and similar kinds of systems will say that they also do GRC. They usually don't, or if they do, it's probably not what you're looking for. So always look at some of the best players in this particular business. It's definitely something that you need to be very careful about when you start looking at your GRC solution.
So how can we help you? Well, at Razorthought, I mean, I've been a CSO for a number of different companies; I'm CSO for quite a few at this moment in time, and understanding where each of those companies is from a risk perspective and an incident perspective, it's very hard to keep track when you've got a number of different customers. So we've gone out and we've procured some fantastic GRC tooling which allows us to really manage those customers efficiently and effectively, produce them all the reports that they need, and give them all the guidance that we can, backed up with the real facts that we manage and gather and plug into those GRC tools. For customers who are not looking for us to manage their information security, we've also helped a number of organizations select the right GRC tool for them. It's a very big thing, very close to my heart, to make sure that information security people have the best possible way of doing the job that they can, so we will always be working to get the right GRC tool for you, and it won't be based on price; it's going to be based on efficiency and effectiveness.

We are here to help you. We have a website, www.nspek.com. You can also contact us via email; the emails are on the website. Or you can contact us via LinkedIn and various other mediums as well. Thank you ever so much for being a part of this vlog. If you've got any questions, pick up the phone or send us an email; we'll be more than happy to assist you going forward. Thank you very much, and I hope to speak to some of you soon.