May 13, 2023

Near realtime GRC

While I was at RSA Conference, I had the privilege to interview a trailblazer in the field of Governance, Risk, and Compliance (GRC), Anil Karmel, the CEO and Co-founder of RegScale, a small business that's making big waves in federal and DoD markets.

In the landscape of cybersecurity, GRC is both foundational and bothersome. It's a crucial framework that guides organizations on how to align their operations with regulatory requirements, manage risks effectively, and meet business objectives. However, traditional GRC approaches can be a bit of a double-edged sword.

On the one hand, these approaches provide a structure for managing risks and ensuring compliance, but on the other hand, they can be cumbersome, time-consuming, and often involve manual processes that are prone to human error. They can also struggle to keep pace with the rapidly evolving cybersecurity landscape, where new threats and vulnerabilities emerge daily.

So, what's the solution to these challenges? Well, many believe it's automation. By automating GRC processes, organizations can streamline their operations, reduce the potential for human error, increase efficiency, and more effectively keep pace with the dynamic nature of today's cyber threats. Automation, it seems, could very well be the future of GRC.

And, like nearly everyone practicing GRC in cybersecurity, Anil found compliance to be a true challenge.

“I ran into a brick wall of compliance, having to write compliance artifacts, word documents, and Excel spreadsheets and defend them like thesis dissertations.”

“Our compliance, uh, processes and procedures have not scaled or kept up to date or kept pace with digital transformation efforts and have in fact been a bottleneck to these transformation efforts.”

So Anil decided there had to be a better way to scale GRC activities to keep pace with technology and digital transformations and to address the us vs. them mentality between security and compliance.

“There's been, you know, for decades this adversarial mindset between security and compliance. It's usually security versus compliance. Um, you know, if you adopt a compliance mindset, it's traditionally, ‘How quickly can I check the box?’ But that doesn't necessarily equate to security.”

So, what’s the answer? Well… Anil “built a platform that can meet and serve any regulatory requirement, and be able to allow you to continuously keep your compliance artifacts up to date and understand your risk posture in near realtime, and ostensibly the world's first realtime GRC.”

Real-time GRC. What a notion. Imagine having all the evidence you require for your ATO continuously, in real time. GRC experts can then focus on control gaps and not just keeping paperwork up to date. Anil is excited about OSCAL, too, a standard his RegScale platform is using.

“Both FedRAMP and NIST partnered to create this transformational standard called NIST Open Security Controls Assessment Language or OSCAL. If you wanna learn more about that, go to pages.nist.gov/OSCAL. This particular standard allows organizations to produce and consume compliance artifacts and conduct assessments leveraging a standardized machine-readable language or schema.”
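To make the "machine-readable artifacts plus continuous evidence" idea concrete, here is an added example that is not from the interview, from RegScale, or from NIST. It parses a constructed JSON fragment loosely modeled on an OSCAL system-security-plan (the field names `system-security-plan`, `control-implementation`, `implemented-requirements` and `control-id` follow the OSCAL vocabulary, but the fragment is an assumption for illustration and is not guaranteed to validate against the NIST schema), joins it with constructed automated check results, and reports per-control posture. The useful part is the freshness rule: evidence older than a chosen window is flagged as stale rather than silently counted as passing, which is what separates a near-real-time view from a point-in-time spreadsheet.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, loosely modeled on an OSCAL system-security-plan (SSP).
# Field names are an assumption for illustration; this fragment is not
# guaranteed to validate against the NIST OSCAL schema.
SSP_JSON = """
{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {
      "title": "Example System SSP (constructed)",
      "last-modified": "2023-05-01T00:00:00Z",
      "version": "1.0",
      "oscal-version": "1.0.4"
    },
    "control-implementation": {
      "description": "Controls the example system claims to implement",
      "implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-0000000000a2", "control-id": "ac-2"},
        {"uuid": "00000000-0000-4000-8000-0000000000a7", "control-id": "ac-7"},
        {"uuid": "00000000-0000-4000-8000-0000000000b2", "control-id": "au-2"}
      ]
    }
  }
}
"""

# Constructed automated check results (e.g. from a scanner or config
# monitor). Each record ties a result to a control id and a timestamp.
EVIDENCE = [
    {"control-id": "ac-2", "result": "fail", "timestamp": "2023-05-13T09:00:00Z", "source": "iam-audit"},
    {"control-id": "ac-2", "result": "pass", "timestamp": "2023-05-13T09:55:00Z", "source": "iam-audit"},
    {"control-id": "au-2", "result": "fail", "timestamp": "2023-05-13T09:58:00Z", "source": "log-check"},
    {"control-id": "ac-7", "result": "pass", "timestamp": "2023-05-01T00:00:00Z", "source": "lockout-check"},
]

# The set of controls the assessor expects to see covered (a constructed
# mini-baseline). cm-6 is deliberately absent from the SSP above.
BASELINE = ["ac-2", "ac-7", "au-2", "cm-6"]
NOW = datetime(2023, 5, 13, 10, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=24)


def implemented_controls(ssp_doc):
    """Return the set of control ids the SSP claims as implemented."""
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    return {req["control-id"] for req in impl["implemented-requirements"]}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_evidence(evidence):
    """Keep only the most recent result per control id."""
    latest = {}
    for rec in evidence:
        ts = parse_ts(rec["timestamp"])
        current = latest.get(rec["control-id"])
        if current is None or ts > current[0]:
            latest[rec["control-id"]] = (ts, rec["result"])
    return latest


def control_posture(ssp_doc, evidence, baseline, now, max_age):
    """Map each baseline control to one of:
    not-documented (missing from the SSP), no-evidence (documented but never
    checked), stale (latest evidence older than max_age), pass, or fail."""
    documented = implemented_controls(ssp_doc)
    latest = latest_evidence(evidence)
    posture = {}
    for cid in baseline:
        if cid not in documented:
            posture[cid] = "not-documented"
        elif cid not in latest:
            posture[cid] = "no-evidence"
        else:
            ts, result = latest[cid]
            if now - ts > max_age:
                posture[cid] = "stale"
            else:
                posture[cid] = "pass" if result == "pass" else "fail"
    return posture


def control_gaps(posture):
    """Controls an assessor should look at: anything that is not a fresh pass."""
    return sorted(cid for cid, status in posture.items() if status != "pass")


def example_posture():
    """Run the constructed scenario end to end."""
    ssp = json.loads(SSP_JSON)
    return control_posture(ssp, EVIDENCE, BASELINE, NOW, MAX_AGE)


if __name__ == "__main__":
    posture = example_posture()
    for cid, status in posture.items():
        print(f"{cid}: {status}")
    print("gaps:", control_gaps(posture))
```

In the constructed scenario, `ac-2` passes on its newest check (the earlier failure is superseded), `au-2` fails, `ac-7` is flagged stale because its only evidence is twelve days old, and `cm-6` is reported as not documented at all. A real deployment would read the SSP and evidence from files or APIs instead of inline strings, but the join-and-freshness logic is the same.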

“We're leading a movement here of trying to transform how an entire industry has been doing work that really hasn't seen tangible tooling and innovation in decades.”

So if you’re looking for relief from the toil and drudgery of Excel spreadsheets and Word documents for your SSPs, SARs, RARs and POA&Ms, check out RegScale and NIST OSCAL.