Continuing our discussion about how GRC is transforming from an ad hoc, rationalized stage to a more mature, optimized stage leveraging real-time information that gives us dynamic GRC – this post is about Understanding. See the earlier post on Seeing, Understanding and Believing as the concepts that usher in this new era.

Why do we need a new way of Understanding? The key ways in which Understanding is different in the new era of Dynamic GRC are: contextual relevance, traceability and the way we map the ecosystem. Let’s take them one by one.
Contextual Relevance is richer. The bottom line is that we need context. Too much information and we will get lost. What are we seeing and how important is it, really? What is the contextual relevance? If it isn’t tied somehow to a key risk indicator (KRI), why get distracted? What regulatory or business requirement is this in scope for; what policies and assets are relevant; what business processes are at risk? That is why we GRC people are so obsessed with mappings.
Traceability is unbroken. As our environments become more complex and dynamic, human beings can’t keep up with manual mappings. We need to be able to traverse the contextual connections – again I quote a CRO I know who told me ‘I need to pull the thread – whether it is PCI or SOX or the latest risk exposure – and know – very quickly where the problem truly is...’. GRC 2.0 systems have a sort of ‘segmented’ traceability – you can only go so far – perhaps a regulation is mapped to a policy and control – then you need to search to pick up the thread again. How is this control failure associated with a business process, and through the stack to an asset – ultimately to a measurement – such as the vulnerabilities in the application or on the servers, virtualized or not, that support that business process?
Mapping the eco-system is inference-based. So, ok – we know that understanding absolutely depends on being able to traverse the web in many directions, through requirements, policies, processes, controls, inventories, measurements and metrics in a meaningful way – and we can depend more and more on classifications and mapping to give us that context. But how do we keep our models dynamically updated to reflect what is often daily or even hourly significant change? Well, we need technologies based on inference engines, where many associations are made dynamically, based on rules and transitivity (A is connected to B and B is connected to C, so A is also connected to C….) to do this – embedded in, and harvesting from, the systems that we use every day.
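As an added illustration (not code from the original post), here is a small Python model of the transitive traversal described above, over constructed sample mappings: pulling the thread from a regulation down to a finding, walking back up from a finding to the regulations in scope, and a hop cap that shows how a segmented GRC 2.0 trace stops short of the measurement.

```python
from collections import defaultdict, deque

# Constructed sample mappings, not from any real GRC system: each tuple is
# (source, relation, target) and records one hop down the stack.
MAPPINGS = [
    ("PCI DSS", "requires", "Policy: Cardholder Data"),
    ("SOX", "requires", "Policy: Change Management"),
    ("Policy: Cardholder Data", "implemented_by", "Control: Quarterly Vuln Scan"),
    ("Policy: Change Management", "implemented_by", "Control: Patch Approval"),
    ("Control: Quarterly Vuln Scan", "protects", "Process: Card Payment"),
    ("Control: Patch Approval", "protects", "Process: Card Payment"),
    ("Control: Patch Approval", "protects", "Process: Financial Close"),
    ("Process: Card Payment", "runs_on", "Asset: payment-app"),
    ("Process: Financial Close", "runs_on", "Asset: erp-app"),
    ("Asset: payment-app", "hosted_on", "Asset: vm-web-01"),
    ("Asset: erp-app", "hosted_on", "Asset: vm-erp-01"),
    ("Asset: vm-web-01", "measured_by", "Finding: unpatched TLS lib on vm-web-01"),
]


def build_graph(mappings):
    """Forward (down the stack) and reverse (up the stack) adjacency sets."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, _relation, dst in mappings:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def pull_thread(graph, start, max_hops=None):
    """Transitive closure by breadth-first expansion: A->B and B->C gives A->C.
    max_hops caps the walk (a segmented GRC 2.0 trace); None means unbroken."""
    seen, frontier, hops = set(), {start}, 0
    while frontier and (max_hops is None or hops < max_hops):
        frontier = {nxt for node in frontier for nxt in graph[node]} - seen
        seen |= frontier
        hops += 1
    return seen


def findings_for(mappings, regulation, max_hops=None):
    """Measurements reachable downward from a regulation within max_hops."""
    fwd, _ = build_graph(mappings)
    return {n for n in pull_thread(fwd, regulation, max_hops) if n.startswith("Finding:")}


def regulations_in_scope(mappings, finding):
    """Walk upward from a finding to the graph roots, i.e. the regulations."""
    fwd, rev = build_graph(mappings)
    roots = {src for src, _, _ in mappings if src not in rev}
    return sorted(pull_thread(rev, finding) & roots)
```

With a two-hop cap the trace from PCI DSS reaches only the policy and control, exactly the point where a segmented system makes you search again; the unbroken walk reaches the server finding and, in reverse, names both regulations it puts at risk.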
That’s two out of three critical concepts in Dynamic GRC: Seeing (providing great visualization and analytics) and Understanding (providing contextual relevance through traceability of the eco-system). There are many great GRC applications and technologies out there today doing exactly this for a small targeted part of the GRC world – let’s hear from you! Isn’t it time to pull this together across the entire spectrum?
Next time we’ll talk about the third critical concept in dynamic GRC: Believing.