Friday, May 16, 2008
The discussion about GRC
Good information will always come from discussions between people like Gunnar Peterson, Richard Mogull, Chris Hoff and Alan Shimel. This time the target is GRC tools. It started with Peterson, was commented on by Hoff and Mogull, and was followed by Shimel.

There is space for GRC tools on the market, but it is really risky to change a security product roadmap to rebrand it as GRC. Axur ISMS is a very nice tool to oversee and manage a security program, leading to compliance results. However, it will never work without all the processes and tools that lie beneath the strategic layer. How can a tool like that replace, let's say, an antivirus or even a firewall?

The way all those tools are being managed and how they are addressing risks is information, and it needs to be properly managed. This is where GRC products can help. If you don't have tools and processes to be managed, forget about GRC. Do the basics first.