The Basic Frustration – Why Can’t We Reuse Controls Tests for Risk Analysis?
I’ve spent most of the last 6 years focusing on Governance, Risk management and Compliance issues, as a practitioner, analyst and marketing gal. From the outset I have been bothered by a fundamental limitation in the assessment process that hamstrings us all: we have a very hard time leveraging the controls evidence we collect for risk analysis, because, well, it’s trapped in a spreadsheet, or a log file, or worse, a screenshot. We work so hard to test controls, but the value those tests could bring us gets lost, unable to be reused.
The Typical Scenario
Here’s the typical scenario. You are responsible for risk and compliance for your unit. You have to test a number of internal controls (usually A LOT) for the upcoming audit on Regulation X. The compliance procedure is pretty clear: check the control state and give it a pass or fail. You take a peek and document the evidence in a spreadsheet or some other artifact. You are vaguely aware that the control you just tested actually applies to over 5 other regulations that your organization is also required to meet. But alas, it is a different Risk and Control group that will come by to test that control again next quarter. And another group the quarter after that. And, no surprise, they use a different spreadsheet.
So even if we wanted to take that test result and use it in a risk equation, Risk = Likelihood x Impact, where likelihood is the probability that some threat-vulnerability pair will come crashing through the control (or the absence of a control) to impact a critical asset, we’d have to dig around in spreadsheets or screenshots, or do back flips, to get at it.
And in this time of people and dollar constraints, we just want to get the test result in the sheet, and be done with it. So the risk analysis suffers, or is never really done.
The Dream: Test Once, Report Many, Analyze Across
But it nags at us, because we really do know better. At 2 am, after 2 hours of thrashing over the assessment deadlines, we dream of systems that automatically harvest control states and stream them neatly into a common system of record, allowing us to produce risk and compliance analysis at the push of a button. We roll over for a final few hours of deep, relaxed sleep as the stress drains out of us… until we wake up to the clear light of day. Yes, we’ve all seen the GRC Management system demos and know that the technology is there, though not widely adopted. But building the integrations to the mess of applications and infrastructure systems that house control states seems overwhelming. Throw virtualization and cloud computing in there, and suddenly it seems more than overwhelming, almost impossible.
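Here is what “test once, report many, analyze across” looks like in miniature, as an added example that is not part of the original post: a single harvested control state is stored once as a record (with its source system and observation date, not a screenshot), reported against every regulation that requires that control via a crosswalk, filtered for staleness, and fed into the Risk = Likelihood x Impact equation from the scenario above. The control IDs, the crosswalk, the regulation names, the asset impact scores and the sample results are all constructed for illustration and are not a real regulatory mapping.

```python
"""Test once, report many, analyze across: a toy system of record for
harvested control states.  All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed crosswalk (assumption, not a real regulatory mapping): each
# control ID lists every regulation that requires it, so one test result
# can be reported against all of them instead of being re-tested per audit.
CROSSWALK = {
    "AC-2":  ("Reg X", "Reg Y", "Reg Z"),   # account management
    "SC-28": ("Reg X", "Reg Y"),            # protection of data at rest
    "AU-2":  ("Reg X", "Reg Z"),            # audit logging
    "IA-2":  ("Reg Y", "Reg Z"),            # user authentication
}

# Constructed business impact per asset on a 1..5 scale (assumption).
ASSET_IMPACT = {"billing-db": 5, "hr-portal": 3}

# Constructed "today" for the freshness check.
AS_OF = date(2010, 6, 30)


@dataclass(frozen=True)
class ControlResult:
    """One harvested control state: the record of truth, not a screenshot."""
    control_id: str
    asset: str
    passed: bool
    source: str         # the management system the state was read from
    observed_at: date   # when it was read, so staleness can be judged


# Constructed sample of harvested control states (not real data).
RESULTS = [
    ControlResult("AC-2",  "billing-db", True,  "iam-api",       date(2010, 6, 1)),
    ControlResult("SC-28", "billing-db", False, "storage-mgr",   date(2010, 6, 2)),
    ControlResult("AU-2",  "billing-db", True,  "log-collector", date(2010, 6, 2)),
    ControlResult("IA-2",  "billing-db", False, "iam-api",       date(2010, 6, 1)),
    ControlResult("AC-2",  "hr-portal",  True,  "iam-api",       date(2010, 6, 1)),
    ControlResult("SC-28", "hr-portal",  True,  "storage-mgr",   date(2010, 6, 3)),
    ControlResult("AU-2",  "hr-portal",  False, "log-collector", date(2010, 1, 15)),
]


def fresh(results, as_of=AS_OF, max_age_days=90):
    """Drop stale evidence: a state observed too long ago is not a current state."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [r for r in results if r.observed_at >= cutoff]


def required_controls(regulation):
    """Invert the crosswalk: which controls does this regulation require?"""
    return sorted(c for c, regs in CROSSWALK.items() if regulation in regs)


def regulation_report(results, regulation):
    """Report many: the status of each control a regulation requires, built
    from the shared evidence.  A control passes only if every tested asset
    passed; None means no evidence was harvested for it at all."""
    report = {}
    for control in required_controls(regulation):
        outcomes = [r.passed for r in results if r.control_id == control]
        report[control] = all(outcomes) if outcomes else None
    return report


def risk_score(results, asset):
    """Analyze across: Risk = Likelihood x Impact, with likelihood approximated
    by the fraction of this asset's tested controls that failed.  Returns None
    when there is no evidence for the asset."""
    hits = [r for r in results if r.asset == asset]
    if not hits:
        return None
    failed = sum(1 for r in hits if not r.passed)
    return failed * ASSET_IMPACT[asset] / len(hits)


if __name__ == "__main__":
    current = fresh(RESULTS)
    for reg in ("Reg X", "Reg Y", "Reg Z"):
        print(reg, regulation_report(current, reg))
    for asset in ASSET_IMPACT:
        print(asset, "risk:", risk_score(current, asset))
```

The same seven records serve three regulations’ reports and two assets’ risk scores; note how the January observation for AU-2 on hr-portal is excluded once freshness is enforced, which flips that control’s Reg X and Reg Z status from fail to pass and drops hr-portal’s risk to zero. Whether that is the right outcome is exactly the question a continuous-monitoring design has to answer: stale evidence should raise a re-test, not quietly disappear.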
But Wait! – Don’t We Already Have This?
But something quite wonderful has been happening in the background, in our information, IT and security management systems. Near real-time measurement information on control states already exists, embedded in the performance and resource management systems across the IT infrastructure and in the security management systems.
Simple. Controls are becoming more and more embedded, up, down and across the physical and virtual stack.
As I meet with more and more EMC customers, I hear this question voiced so consistently that I am becoming convinced we are on the verge of Really Significant Change, what market strategists like to call a Game Changer. The basic question being asked is: why build a parallel universe for controls testing when we can harvest what we have from resource management systems that are becoming increasingly GRC-aware?
And they have a point.
Yikes! Is GRC becoming a byproduct of Performance Management?
So, why not? With the amount of information exploding (by 2011, the digital universe will be 10x the size it was in 2006), regulations increasing (lots of evidence that isn’t going to stop), and our infrastructures becoming more fluid and elastic (virtualization and cloud computing are more than a trend…), we need more than surveys and screenshots to demonstrate compliance and get a handle on what the exposures are, let alone really manage risk to acceptable levels.
So what would it look like? Can the dream become a reality? I’m thinking yes, absolutely, totally, and if we really look at it, we are actually there. IDC says the market for GRC across the information and IT infrastructure is huge, $50 billion this year, and growing at more than 10% CAGR. Further, most organizations are heading for a switch-out of their compliance infrastructure systems in 2011, because we can’t do it with static, trapped and stale evidence anymore. We are quickly moving to a world of ‘dynamic risk management’ made possible by embedded continuous controls monitoring that produces the measurement granularity we need for real risk management.
Yes, there are challenges. Many, and not insignificant. But we can get there. Virtualization and scalable, service-oriented architectures are giving us a path to the Dream that was ‘hitherto unthinkable’. Over the next few weeks I’ll share more thoughts from conversations on how we can do it… and I invite your take on the concept too. One thing is certain: the need for this kind of risk analysis isn’t going away any time soon. GRC is getting plenty of attention, and it is good for you to learn more about it, not just because it is interesting, but because it is good for your career.
What do you think?
So what’s going on in your world? Are you dreaming of a nirvana where compliance results are leveraged for risk management? Where continuous controls monitoring in our increasingly virtualized environments is a reality? How far away do you think it really is?