At the SaltConf19 event in Salt Lake City, we sat down with Tuesday keynoter and Forrester Research principal analyst Renee Murphy, asking her about the possibilities of GRC and security automation.
Q: What’s the primary role of automation in governance, risk and compliance?
If you think about who’s mature in GRC, it’s the heavily regulated industries. People I know who are in utilities or in banking or places like that, they’ll come to me and say ‘why are we talking about this? We know we have to do risk management, it’s part of our regulatory compliance.’ But I say, ‘yeah, you’re doing it, but are you leveraging any of the data that’s coming out of it?’ And the answer is no.
My question then is: Why are you not leveraging that for better risk management, better incident management, better change control, better backups? There’s a lot we could be using from this data. For instance, once I know how important something is and what it impacts, I can call it something. So I can call it a high, medium or low risk. The ones that are really low risk? Forget them. The ones that are really high risk – and that should be about ten percent of our data center – those ones we’re going to actively monitor, we’re going to pay a lot of attention to.
Because I can’t do it for fifteen hundred virtual servers but I can do it for the really important ones. And you could be doing way less work if you would just leverage risk. That’s where the disconnect is.
You have so much data, why are you not using it to get rid of your auditors?
Q: There’s leveraging operational data, but there’s also the prospect of automating the collection of control data, right?
That’s where digital transformation is. That’s where we can take the evidence of all the controls and automate that collection. And now it’s no longer my job to prove compliancy – the platform is going to prove compliancy. It’s no longer my job to sit with the auditors – the auditors are going to sit in front of that platform.
It’s going to alleviate for me as a technical operations person the requirement of self-assessment. A security automation platform will tell me when something’s wrong, when something’s out of compliance. Because, quite frankly, by the time audit tells me something is out of compliance, it’s already too late.
Q: Where do security teams fit into this equation?
I go to the security teams and IT teams and I say you are the right people to be talking about risk. If audit is shoving things down your throat, it’s because you’re not using that throat to speak up for yourself. It’s because you didn’t lay down the gauntlet to say, nope, that’s not a risk, here’s the risk assessment. We can disagree on what we think that impact might be, but I’m telling you I’ve already assessed this and it’s not that important.
And security is a perfect place for automation, right? Still, I keep telling our own security team it’s almost like you need to have worked at the NSA to understand the threats you’re up against. You need to be that good at security. But how many people have former NSA people on their staff?
So if you’re a midsized company, you’re going to be relying on your vendors to backfill what you can’t do. So that’s when I look at this and I think it’s awesome that you guys are creating all this data. I think it gives me the right data in the right context in order to talk about risk.
Q: What data tells the security story?
And that’s going to be the differentiator. When CISOs and security professionals can tell the story that I can tell, they can have my job. But I have their job right now because I can tell the story about what the data means. And I think that’s what they’re really struggling with. They come in with the slide that says we have 272 vulnerabilities, that’s up 22 percent from last week… who cares?
If you go back and ask yourself: what are the real skills that you need? You need to be really good at putting this into a business context and telling the story.
Renee Murphy, principal analyst at Forrester Research, covers governance, risk, and compliance (GRC), with a special focus on audit, controls management, information security, and risk management. Her previous work experience includes internal and external auditing, security consulting, data center management, network engineering, and compliance program implementations. Her work has spanned financial services, pharmaceuticals, life sciences, entertainment, retail, high-tech, and service industries.