Industry Innovators 2016: Risk and policy management
Risk and policy management is a necessary evil (common misconception: while it is necessary it does not need to be evil). The problem with risk and policy management that makes it seem evil is that it can be very tedious. We looked at several risk and policy management products and we found that, no matter how well the product processes data and gives users everything needed to manage risk and tweak (or develop) policy, the big gotcha is getting source data into the system.
For example, a tool that does not do auto-discovery (or consume data from a tool that does on an ongoing basis) is pretty useless, especially in a large enterprise where assets are changing constantly. To our amazement, there were several products at which we looked that were deficient in that regard. Our Innovator this year is not one of them.
There are several elements to consider in a product of this type. Let's go back to first principles: Risk is a combination – however you chose to characterise it mathematically – of threat, vulnerability and impact. To lower risk, we need to address one or all of these three elements. To that end we need to know everything we can about them. That means, first and foremost, knowing that they exist on our enterprise and what they are (host, operating system, applications, communications, etc.).
Then we need to track vulnerabilities in these assets. We cannot trust a once-per-year pen test either. We're talking about ongoing vulnerability testing, automated and feeding the risk calculation. Then we need threats. That means threat intelligence services and threat documentation. Finally, we need to wrap all of that up, do whatever risk calculations are in order and package the results for their intended audience. We would like to automate as much of that as we can, but we certainly want to automate the workflow.
Our sole entry in this category this year does all of that and a lot more. And, in order to dispel some of that resident evil, the company has an aspect called the GRC Journey that helps work new GRC (governance, risk, compliance) analysts through the long and necessarily complex process of deploying a useful GRC system in their enterprise. It's really a “kinder and gentler” GRC.