I’ve been doing GRC consulting for many years now, and over that time I’ve watched the market expand at an ever-increasing rate. I’ll spare you the intricate “back in my day” stories and just say this: In terms of major players, the number has gone from 5-10 to 25-30. So obviously, choices abound for organizations that are looking to implement a comprehensive GRC program. However, the increase in options brings with it an increase in competition. With an increase in competition comes the need for each tool to say “I can do what that tool does, and I can do it BETTER!”
(If you’re a salesperson, know that I intend no ill will with the following paragraph.) I’ve been involved in the sales cycle for various GRC tools, and I’ve learned that truly great salespeople are what I like to call “honest at a high level” in certain situations. They aren’t lying when a prospect asks “Can your tool do this and that?” and they say “Yes!” HOWEVER, the “Yes” may come with quite a few conditions they don’t care to divulge at that particular moment unless pressed by the prospective customer.
In the social media saturated world in which we live today, the above sales practice reminds me of a prevalent new advertising scheme known as “clickbait.” Chances are if you peruse any major internet news site or Facebook/Instagram/etc., you’ve seen clickbait. For those not hip to this lingo, here is the official definition as provided by the Oxford Dictionary:
Definition of clickbait in English:
(On the Internet) content whose main purpose is to attract attention and encourage visitors to click on a link to a particular web page.
You may be shaking your head after reading that definition. I would guess that the majority of us have all succumbed to clickbait at some point in time. A lot of these are just straight up scams. Some aren’t, but they are ALL purposely misleading at some level. A few examples:
1. Doctors HATE HIM because he is 65 years old and can bench press 500 pounds! Click here to find out how he does it!
Ok, I made this one up…but I’m sure it exists out there somewhere. You click on the link because you say “Wow, I am genuinely curious how he does it! Maybe there is a fitness strategy here I can use.” Then you find out it’s because he takes “performance enhancers” and has bionic arms. Is he bench pressing 500 pounds, though? Technically, yes, he is.
2. Here’s What Happened When Six Corgi Puppies Visited a College Campus!
This is a real one my wife fell prey to a few weeks back. I can tell you what happens. SPOILER ALERT: Nothing! No hilarious shenanigans, no mishaps, no explosions. It’s just footage of adorable corgi puppies running around on a college campus. Now read the link again: It isn’t really lying to you. Clicking the link does indeed show what happens…only the “what” is “not a whole lot other than general cuteness.”
How does this relate to GRC tools, you ask? While a lot of the aforementioned GRC tech vendors may not employ clickbait, when it comes to one solution in particular, a lot of them will say they can do it without including the much-needed asterisk(s). That solution is Vulnerability and Threat Management.
On the surface, it’s easy for a GRC tool to say it can perform this function. At a high-level, the questions are essentially this:
1. Can your tool integrate with current vulnerability scanning technologies to bring in massive amounts of security data?
2. Can your tool integrate with my organization’s CMDB/etc. to create and maintain an accurate list of company assets?
3. Based on the answers to 1 and 2 above, can we create a process in which these vulnerabilities and threats are managed?
From my experience, the most daunting tasks are #1 and #2. Once those are taken care of, #3 is completely doable. During the sales cycle, it’s easy to simply say “Yes” to #1 and #2. And when these vendors say yes, again, at a high level they aren’t technically wrong. Their tool may have the capability to integrate with your vulnerability scanning tools and asset data warehouses. But much like the senior citizen with robot arms, when we dig deeper we may realize there are significant unmentioned factors at play. For example, I can tell you with utmost confidence that there are plenty of GRC tools out there that have a robust Vulnerability Management solution and the capability to integrate with major scanning tools (Qualys, Foundstone, McAfee, etc.) relatively easily. But then all of a sudden you’re bringing in 100,000 vulnerability alert records a day and the infrastructure these tools are built on can’t even begin to keep up from a performance perspective. This has happened in more cases than I’d like to admit.
Obviously, when it comes to purchasing any specific GRC solution, you want to do your homework. And from my experience, Vulnerability Management requires the most amount of research, particularly regarding daily record volume and throughput and the types of scanning tools and asset catalogs your company currently uses. Long story short: Don’t get “clickbaited.” Make sure your GRC vendor’s promise reflects reality (with no bionic arms or corgi puppies required).
— Evan Stos
Image Source: https://tellier.edublogs.org/files/2015/03/corgistampede-671×324-24jkp0a.jpg