These CISOs GRC is Failing Them And I Know Why

Frustrated CISO

Most of the people who know me know that even though I have the "CEO" job title, I'm a pretty technical guy. I designed SimpleRisk and built it from scratch. I was the only developer for the first two years of its life. And I did this all while running the Information Security Program at National Instruments. I took on the formal CISO role at SimpleRisk because it's one of many things that forces me to keep my technical skills sharp, but it has the added benefit of continuing to allow me to participate in the same CISO roundtables that I did when I was at NI. The only thing I enjoy more than learning from my peers is teaching them from my knowledge and experience. It was today, at one of these CISO roundtables, that I had an enlightening experience that I wanted to share more about.

The topic of this particular CISO roundtable was Third-Party Risk Management. This is an interesting topic, and one that I naturally know quite a bit about, so I wasn't surprised when a number of the participating CISOs started talking about their GRC platforms. What did surprise me, however, was what they said. I'm paraphrasing it a bit, but several of their comments were something along the lines of "We're still in the process of implementing our GRC program and have been working to 'connect all the wires' for about a year now". Now, I attend these meetings as a practitioner, not as a sales guy, so I bit my tongue and just listened to their complaints about the time it's taken to implement these platforms and how complicated it is to configure them. They talked about the employees they've hired with "Risk Assessment" skills who are currently diligently working to make their GRCs useable while all I can think about is what a waste of talent that is. Surely they have better things they could be working on, yet here they are tasked with making the GRC platform work. This got me thinking about the promises of Integrated Risk Management (IRM) and just how much this marketing buzzword has failed us.

In theory, Integrated Risk Management sounds great. I have one platform that has hooks into all of my other platforms, they are monitored in real-time, and then a bunch of magic happens and the system surfaces the risks that are important to me. That's the panacea that each of my peer CISOs were promised when they were sold these GRC platforms. The reality was that the system they got was essentially worthless without those hooks and it would take either a sizable investment in professional services or a boatload of internal resource hours to get it to a useable state. Regardless of the approach, it would take so much time that the ROI was quickly slipping away. These CISOs were clearly frustrated and many were talking about replacing these platforms before they ever churned out their first risk. So what went wrong?

To start with, I think there was a bit of putting the cart before the horse here. GRC, IRM or whatever your buzzword of choice is, is just a tool. It can help with managing and reporting on your risks, but you need to lay the groundwork for it first. When I talk about my experiences when I first got started, I frequently refer people back to the NIST 800-30 framework that outlines the steps for risk management. This document covers the fundamentals that your organization needs to be prepared to support, regardless of the tool that you're using. Things like assessing your risks, keeping a registry of your risks, planning mitigations for your risks, ensuring that management reviews your risks and, finally, treating risk management as a cyclical process, not just a one-and-done activity. None of this requires a fancy GRC platform to do, and much of the world relies on spreadsheets for this activity, but we hope that you'll consider giving our free and open source SimpleRisk Core a try before you settle for them just because they're there.

Once the fundamentals are in place, the secret to success is incremental improvements and not trying to boil the ocean. You've now got a risk registry so how about we figure out which assets are impacted by those risks? Maybe we look at our control frameworks and identify the appropriate controls for these risks? Perhaps we start looking for more efficient ways to conduct our risk assessments and identify more risks so we can properly plan for them? Note that all of these activities could add immediate value to our program and don't have to wait weeks or months to be integrated into any of our existing platforms. Which brings me back to our platform...any GRC platform worth its price tag should fit to you, and not the other way around. It should scale with your organization's size and requirements and quickly provide a return on value for the effort that you put into it. The comments I was hearing from my CISO peers indicated that quite the opposite was happening here.

As I said earlier in this post, I wasn't in this meeting to sell, but I wanted to scream the benefits of SimpleRisk from the rafters. Our motto is "From ZERO to GRC in minutes" and we stand behind it. I tell prospects that if it takes more than 30 minutes or so to stand up a SimpleRisk instance, they should reach out to support for help because something is wrong. Once running, our data schema is essentially what I used for my risk management program at NI. You should be 90% of the way out of the box, but more importantly, you should be able to start working on managing your risks immediately. The last 10% is just customizing the configurations for your organization and adding your own teams, technologies, categories, etc. All of our licensing is for unlimited risks and users, which means you don't have to guess how many employees you'll have using it in one year, two years, or more. More so, it means additional ROI achieved because you can quickly expand use of the platform to other teams or even your whole organization at no additional cost. And as your program grows, we have a whole catalog of SimpleRisk Extras to provide you with advanced features like integration with SAML/SSO, email notifications, risk assessments, incident response and more. But, most importantly, we do all of this in a simple and intuitive platform that anyone in your organization can use, which brings me back to my CISO peers... They've spent a boatload of cash and a year of effort, have nothing to show for it and are already talking about ripping and replacing. We can do better.

If you've made it this far, thank you. Maybe you're one of those CISOs who was in that roundtable. Let's talk about how we can help you make better use out of your time and money. Maybe you're someone looking at buying one of these GRC platforms, and if so, hopefully sharing this story will change your mind before its too late. Regardless of how you got here, I hope that you'll agree that there needs to be a better way and I hope you'll give us the opportunity to show it to you.

compliance free governance GRC mitigation risk SimpleRisk