Last Updated on March 10, 2023
Our customers who are working towards compliance with information security standards like ISO 27001, SOC 2 or CMMC often ask, “Should we get a tool to support our process?”
There’s certainly a lot of debate around this question. Not all governance, risk and compliance (GRC) tools are created equal. Many out there lack a modern, cloud-based architecture and are bigger and pricier than most SMBs need.
What are the top challenges that a modern GRC tool should address? And what are the key features that businesses need most in the current environment of increasing regulation and growing demand for security and privacy attestation/assurance?
On a recent episode of The Virtual CISO Podcast, Craig Unger, Founder and CEO at GRC SaaS provider Hyperproof, explains the top use cases today’s GRC tools really need to support.
“What we saw happening was compliance was following the same path that security did, where it started out as the domain of a few people who would take a look at your security posture, generate a report, maybe they’d hire some white hat hackers, send it over to the board and you’re good for a year,” observes Craig. “That’s the way compliance is still being treated, largely.”
“But we see compliance moving more toward security, where it’s continuous, people need to be trained on it, and everybody is a steward of it,” Craig continues. “So now you’re looking at compliance as a business process that requires collaboration, automation and a functional, modern system of record. That didn’t exist. When we talk about those other products, they were really for specialists.”
Craig calls that legacy mode of operation “occasional compliance”: you get compliant when you need to for an audit, then you don’t revisit compliance again until the next audit.
But in today’s organizations, there are a lot of groups doing audits. People in diverse non-audit roles like IT or cybersecurity or operations are being asked for a lot of evidence, often the same things over and over.
That sounded like a task that software could simplify, which was the impetus for Hyperproof. As Craig explains, “It gives you agency to take it back and say, ‘Look, I’m going to create a program here that stands outside the audit, which I can maintain throughout the course of the year. When people ask me questions, I’ll just answer them with the evidence I already have.’ So it avoids all the audit fatigue and the concept of, ‘Are you really asking me for that again?’”
With a “continuous compliance” GRC tool like Hyperproof, you can meet the need to demonstrate compliance “on demand” to internal staff, external auditors, customers, etc. You’re always prepared to provide assurance that you’re doing what you said you were doing.
But what about support for all the specific compliance tasks that relate to each key regulation or audit cycle?
You need to answer different questions to satisfy a SOC 2 auditor than to complete a NIST 800-171 self-attestation, even if many of the same information security controls are involved.
Craig explains that controls and audit requirements are two different concepts that “come together and intersect at a point in time” (an audit). Organizations today need a GRC tool that not only helps teams collaboratively collect the data for compliance, but also drives the work management process to ensure you provide the right artifacts in the right timeframe for a specific audit—from a data flow diagram to a policy document.
“If you look at what’s been done in the industry before, those types of concepts haven’t been separated,” notes Craig. “It’s mostly been audit preparation types of software.”
Simply put, you want your GRC tool to help you build and manage your security and compliance program.
To help build compliance programs, Hyperproof comes with support for 40-plus different frameworks, including sample controls. It also allows you to automate workflows among the people who need to track compliance over time.
On the management side, Hyperproof gives you visibility into the health of your program. “You can set up a policy that says, ‘Here’s how frequently you need evidence updated,’ so you always have visibility,” Craig clarifies. “We’re heavily invested in the analytics and the visibility for compliance, and we’re very focused on the program and bringing that together.”
For more insights on GRC automation, you can listen to the complete show with Craig Unger, and also access all our episodes from The Virtual CISO Podcast here.