
Not Your Mama's GRC

Ok, to be fair, GRC has only been around for about a decade, so it's a bit disingenuous to suggest your mother would know anything about it, but nonetheless, you might have missed the exciting 10/10/10 release of LockPath Keylight. LockPath was founded by two former Archer officers with the sole intention of reinventing the GRC product space. Thus far, I think they're off to a great start.

To be clear up front, I'm a bit biased in favor of these guys as we've been chatting about their product for the better part of the past 2 years. It's been very interesting getting to watch the product evolve and grow. It incorporates a lot of key characteristics that have been missing from other products, or were simply not done well. What differentiates LockPath Keylight from the competition is that they started fresh with nearly a decade of experience in the product space.

What Should GRC Be?

Perhaps the first question worth considering is what GRC should be or mean. In its infancy, GRC platforms tended to be really awful policy repositories that eventually added dozens of bolt-ons, such as training/CBT, policy awareness, policy sign-offs, auditing, etc. The organic development of the product space meant that there wasn't any one good definition of what it should be. Instead, vendors got into feature-based races, apparently to see who could create the most ridiculous product ever. And, unfortunately, they were largely successful. I've yet to meet someone, for example, who actually likes their Archer deployment.

There are a few key features that I think should be core to a GRC platform. It should be the center of your security management universe. It should bring together policy, audit, compliance, asset management, training & awareness program management, risk management, and assessment management, all through one single dashboard. It should allow you to track your assets, including current vulnerabilities and patching status, as well as provide central reporting and dashboards that allow you to actively manage information risk within the organization. Audits should flow in and out naturally, and the platform should generally make auditing a much cheaper endeavor by helping quickly answer policy questions, providing ready examples of compliance toward generating artifacts, and providing full traceability between policies, systems, and applicable compliance topics.

This perhaps sounds like a laundry list of ideals, but it really is what is important and needed. We don't need SIEM here, just SIEM reporting. We don't need vulnerability scanning, just vulnerability scan reports. It should pull together all of the information important to an active security management program and easily and readily cross-link all of this information in order to provide a complete picture. LockPath Keylight seems to be on the right path here, and they've done it in a completely new from-the-ground-up build.

Integrated IT UCF v2

One of the very cool features of LockPath Keylight is that it is built around version 2 of the IT UCF. From their website:

The Unified Compliance Framework (UCF) is the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. The UCF accomplishes its goal by harmonizing terms and controls against the backdrop of a master hierarchical list. In simple terms this means that we can present the complex rules, standards, and policies you must follow in a simple spreadsheet format with in-depth links for you to drill down for as much information as you need.

In a nutshell, UCF takes all of the regulations, standards, and requirements that your organization may be managing and cross-maps them. Integrated into LockPath Keylight, this means that you can then take all of these cross-mapped requirements and link them to policies, systems, vulnerability management, assets, audits, and - ultimately - your risk management strategy.
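As an added illustration (my own constructed example, not LockPath's or the UCF's code or data model), here is how a harmonized master control list provides the cross-mapping and traceability described above: each regulation clause maps onto one master control, and policies and assets link to those same controls, so coverage gaps can be queried from either end. The control IDs, clause numbers, policy names and asset names are all made up for the example.

```python
# Toy UCF-style cross-mapping. All identifiers below are constructed sample data.

# Master hierarchical list of harmonized controls (constructed IDs).
MASTER_CONTROLS = {
    "MC-01": "Restrict administrative privileges",
    "MC-02": "Apply security patches within a defined window",
    "MC-03": "Review access rights periodically",
    "MC-04": "Log and monitor privileged activity",
}

# Cross-map: (authoritative source, clause) -> the master control it harmonizes to.
CROSSWALK = {
    ("PCI DSS", "6.1"): "MC-02",
    ("PCI DSS", "7.1"): "MC-01",
    ("PCI DSS", "10.2"): "MC-04",
    ("ISO 27001", "A.12.6.1"): "MC-02",
    ("ISO 27001", "A.9.2.5"): "MC-03",
    ("SOX", "ITGC-3"): "MC-03",
}

# Internal policies and assets, each linked to the master controls they implement.
POLICIES = {"POL-PATCH": {"MC-02"}, "POL-ACCESS": {"MC-01", "MC-03"}}
ASSETS = {
    "web-01": {"MC-01", "MC-02"},
    "db-01": {"MC-01", "MC-02", "MC-03", "MC-04"},
}


def controls_required_by(source):
    """Master controls that a given regulation or standard maps onto."""
    return {mc for (src, _), mc in CROSSWALK.items() if src == source}


def trace_control(master_id):
    """Full traceability for one control: source clauses, policies and assets."""
    return {
        "clauses": sorted(f"{s} {c}" for (s, c), mc in CROSSWALK.items() if mc == master_id),
        "policies": sorted(p for p, mcs in POLICIES.items() if master_id in mcs),
        "assets": sorted(a for a, mcs in ASSETS.items() if master_id in mcs),
    }


def policy_gaps(source):
    """Controls a regulation requires that no written policy covers."""
    covered = set().union(*POLICIES.values())
    return sorted(controls_required_by(source) - covered)


def asset_gaps(source):
    """Per asset, the required controls it does not implement (empty list = compliant)."""
    required = controls_required_by(source)
    return {a: sorted(required - mcs) for a, mcs in ASSETS.items()}
```

Because every clause resolves to one master control, implementing MC-02 once satisfies both the PCI DSS and ISO 27001 patching clauses, and the gap queries show which regulation is exposed when a control has no policy or an asset lacks it.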

Another great advantage to using the latest version of IT UCF is their approach to audit and audit questions. They've developed an approach that is far better and more effective than standard yes/no checklists. Instead, they go for informative questions that provide more complete and useful answers. For an overview, check out their highly amusing (and informative!) presentation that makes use of clips from My Cousin Vinny to demonstrate their audit question approach.

Scalable

Back on the topic of LockPath Keylight, one of the biggest pros of their solution is scalability. Scaling has historically been an Achilles' heel in the GRC space. Typically you get stuck with a single dedicated box and the darn thing just doesn't scale. At the same time, the platform has grown over time into this monstrosity that simply becomes untenable to manage. Want to run parallel instances with inheritance, such as for subsidiaries within a company? Forget it, it's just not there... until now.

Comprehensive Risk Management

Perhaps the coolest part of LockPath Keylight is that it finally provides a full-fledged risk management platform. It still has a little way to go in terms of getting quantitative risk analysis capabilities integrated, but they have fully embraced the notion of evidence-based risk management. As such, this platform will not only help you manage your audit and compliance load, but it will provide you with the tools necessary for truly analyzing and managing information risk. It's exciting to finally see a product come to market that combines this capability with all the other key management attributes (asset management, vulnerability management, training management, audit management, and compliance management).

Conclusion

With the release of Keylight, LockPath is well on their way to redefining the GRC product space. There are several big competitors in this space already, but none of them provide overly compelling business cases. At a vastly lower price point, LockPath is providing a better product and delivering a higher value to the enterprise. The time is ripe to rip out those old non-functional shelf-ware GRC platforms and put something useful in place. Or, if you've never had a GRC platform before and have been wondering how to most effectively manage risk and your security and compliance programs, then now is a great time to take a serious look.


This page contains a single entry from the blog posted on October 26, 2010 11:23 AM.


This weblog is licensed under a Creative Commons License.