GRC + engineering?
Governance, risk & compliance (GRC) + engineering can seem like an oxymoron, but I believe in 5-10 years it is how many organizations will approach implementing, measuring, and managing information security programs. In fact, 8 GRC practitioners from companies such as Apple, Zoom, & Netflix have come together to create the GRC Engineering Manifesto, reminiscent of the Manifesto for Agile Software Development that changed the way we develop and deliver software.
GRC Engineering is a fundamental shift in the way GRC is done, with a focus on building GRC as a product for stakeholders leveraging open data models and automation.
What does this look like in practice?
Leveraging data for continuous and automated monitoring instead of manual, disconnected efforts.
But where does all this data come from? How is it organized? And how is it harmonized from disparate sources and workstreams into a delivery mechanism that supports stakeholders' needs?
Introducing Emergence, a security graph for GRC engineering
Harmonizing the disparate data sources and delivering it to stakeholders is a major roadblock in the adoption of GRC engineering, especially outside of technology companies.
Emergence, a security graph for GRC, aims to solve this.
Emergence consists of 3 components:
An open-source graph model built on AWS Neptune
GRC-as-code analytics & monitoring
Templated & self-serve reporting in BI tooling
Open-source graph model
The core of Emergence is an open-source security graph model with two functions:
Represent and connect GRC constructs such as, but not limited to, policy statements, requirements, controls, & risks.
Ingest, normalize, and connect data from across the environment, from tooling such as endpoint security, vulnerability scanners, human resources, identity and access management, & cloud environments, to inform the GRC program.
Because of this design, organizations can extend the graph model to ingest and normalize data from a variety of sources without relying on a vendor-supported integration.
GRC-as-code
Emergence provides an interface for data-source-agnostic analytics & queries to automate and embed requirements, processes, and objectives.
For example, you can now ask in a single query:
Which controls are not defined in any policy or procedure?
Does the operating system of a device impact the conformance to certain controls?
How many of our controls only apply to one requirement?
You can also automate common manual processes:
Perform risk quantification whenever a risk is added or updated
Assess level of effort to support new contractual requirements
Evidence collection & implementation assessments
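As an added illustration (not Emergence's own code or schema), the following in-memory stand-in for the security graph answers the three example queries above and the device-conformance question over a few records. The node labels (Policy, Requirement, Control, Device), relations (DEFINES, SATISFIES, APPLIES_TO, CONFORMS_TO) and sample data are constructed for the example; against Neptune the same questions would be Gremlin or openCypher traversals.

```python
from collections import Counter

class GrcGraph:
    """Minimal labelled property graph: nodes carry (label, properties), edges are typed triples."""
    def __init__(self, nodes, edges):
        self.nodes = dict(nodes)    # id -> (label, properties)
        self.edges = set(edges)     # (src, relation, dst)

    def out(self, src, relation):
        return {d for s, r, d in self.edges if s == src and r == relation}

    def controls(self):
        return sorted(n for n, (label, _) in self.nodes.items() if label == "Control")

    def undefined_controls(self):
        """Controls that no Policy or Procedure node DEFINES (orphaned controls)."""
        defined = {d for s, r, d in self.edges
                   if r == "DEFINES" and self.nodes[s][0] in ("Policy", "Procedure")}
        return [c for c in self.controls() if c not in defined]

    def single_requirement_controls(self):
        """Controls that SATISFIES exactly one requirement."""
        return [c for c in self.controls() if len(self.out(c, "SATISFIES")) == 1]

    def conformance_by_os(self, control):
        """Fraction of in-scope devices that CONFORMS_TO the control, grouped by OS."""
        in_scope = self.out(control, "APPLIES_TO")
        total = Counter(self.nodes[d][1]["os"] for d in in_scope)
        met = Counter(self.nodes[d][1]["os"] for d in in_scope
                      if control in self.out(d, "CONFORMS_TO"))
        return {os_name: met[os_name] / n for os_name, n in total.items()}

def build_sample_graph():
    """Constructed sample records standing in for ingested policy, control and endpoint data."""
    nodes = {n: (label, {}) for n, label in [("POL-1", "Policy"), ("REQ-1", "Requirement"),
             ("REQ-2", "Requirement"), ("CTL-1", "Control"), ("CTL-2", "Control"), ("CTL-3", "Control")]}
    edges = {("POL-1", "DEFINES", "CTL-1"), ("POL-1", "DEFINES", "CTL-2"),   # CTL-3 appears in no policy
             ("CTL-1", "SATISFIES", "REQ-1"), ("CTL-1", "SATISFIES", "REQ-2"),
             ("CTL-2", "SATISFIES", "REQ-1"), ("CTL-3", "SATISFIES", "REQ-2")}
    # Endpoint telemetry (id, os, disk encryption on); CTL-1 applies to every device
    for dev, os_name, encrypted in [("DEV-1", "macOS", True), ("DEV-2", "macOS", True),
                                    ("DEV-3", "Windows", True), ("DEV-4", "Windows", False)]:
        nodes[dev] = ("Device", {"os": os_name})
        edges.add(("CTL-1", "APPLIES_TO", dev))
        if encrypted:
            edges.add((dev, "CONFORMS_TO", "CTL-1"))
    return GrcGraph(nodes, edges)
```

With the sample data, `undefined_controls()` flags CTL-3, `single_requirement_controls()` returns CTL-2 and CTL-3, and `conformance_by_os("CTL-1")` shows every macOS device conforming but only half of the Windows fleet.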
Stakeholder-specific reporting
Emergence exposes the security graph to common business intelligence tools & provides out-of-the-box reporting for unique stakeholders.
GRC involves a diverse group of stakeholders and activities. While there is benefit in centralizing GRC data, the opposite is true for the user experience.
Emergence supports micro, stakeholder-specific user experiences.
Whether it is a software developer, network engineer, human resources manager, identity and access management administrator, or operations manager, each stakeholder has a unique role to play.
With this in mind, you can create better reporting delivered to the right people to enable their workflow, or let them create their own.
Join the people flipping GRC upside-down
An open-source security graph, GRC-as-code, stakeholder-specific reporting.
These are the tools that allow an organization to fundamentally shift their GRC program to drive adoption throughout the organization and better align to business objectives.
If I piqued your interest, join the movement.