Some of the Stiennon "magic" must have rubbed off on Rich Mogull when they were both at Gartner, or maybe, in a case of imitation being the sincerest form of flattery, Rich M secretly admires Richard S. In any event, taking a page out of the "xxxx is dead" playbook, Rich writes that GRC is dead. In fact, Rich says it was stillborn and never really alive. There are many things that Rich says in his article, as well as in Gunnar Peterson's article that he references, that I agree with completely. However, overall I think Rich's fatal mistake is one of Titanic proportions. He is mistaking the tip of the iceberg for the entire mountain of ice that is under the water and not as easily seen. The reports and dashboards of GRC products are the by-product of much of the real work and value they bring, not just to the "C" level but to the security practitioner who is tasked with ensuring compliance as well. I am seeing the compliance workload fall on the already overworked, underpaid security guy time and time again, and they need help with it!
I know people like Mike Rothman say compliance is bull and if you just follow good security practices, compliance takes care of itself. However, let's be real, folks: between PCI, SOX, FISMA, etc., compliance is driving budget in the security industry. In an industry where the "security guy" just did not have the tools to push through budget for the resources required, compliance has become the sledgehammer that the CISO and other security types use to crash through the doors into the CFO's office and get the budget required.
Before I delve further into why I disagree with Rich, though, let me state where I do agree with him, and with Gunnar for that matter. I do agree that a by-product of compliance has been a move towards running your business as "audit-driven rather than business-driven". Somewhere along the line we have forgotten that the rules, regulations and statutes that drive compliance were put in place to provide a minimum of acceptable security and confidentiality to protect sensitive information. It was supposed to be about protecting the data, not about checking off the compliance box! I agree with Rich that it has become a way into the C-level office. But what is so bad about that? Symantec has been selling its security to the CFO for years. Rich, not having worked at a vendor, I don't know if you realize how hard it is for the security folks to get budget approval for the tools they know they need. In order for security to get its fair share of the budget pie, it is imperative that security budget decisions are made at the C-level. If the security team can't get the approval, the security vendor is going to try and help.
While dashboards and reports are the tip of the iceberg and the shiny baubles that GRC vendors use to get attention at the C-level, I think that the bulk of the work takes place below the water. It is making sure that the enterprise is in fact in compliance. Making sure that everyone has the latest patch level, has AV installed and that data is protected from leakage is the real work. Testing and ensuring this is the real job of GRC; the reports and dashboards are just the way you can show it working. Rich, I think you are the one being short-sighted if you think these products are just about the reports. Without actually doing the analysis and investigation, the reports are meaningless. In my mind it is much like SIM reports. Without actionability and correlation, how much value do the SIM reports have?
GRC is a needed tool in today's security practitioner's toolkit. Practitioners are being placed in the position of ensuring compliance and they need the ability to do so. They also need help getting the budget approved for the tools they need to do the job. We can rant all we want about compliance for compliance's sake being asinine, but the fact is that is the world we live in right now, and rather than spitting into the wind, let's figure out how to make it work best for us.
This is cache of http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/290622237/rich-mogull-doe.html. Cache is the snapshot of article that we took when we index feed.
Rich Mogull does his best Stiennon imitation, says GRC is dead