
Business IT Buzz Blog

Kaitlin Brunsden

Integrated Government, Risk and Compliance (GRC) Solutions: Talking with Agiliance


What follows is my podcast with Joe Fantuzzi, CEO of Agiliance. We discuss the challenges organizations face when adopting IT-GRC solutions and how automated GRC technologies, once deployed properly, benefit enterprises. Joe also offers his insight on maturity models and which model is more suitable for this type of technology.

Listen to the 10:13 podcast below:


KB: Can you please provide us with a brief overview of your company?

JF: Sure, I'd be happy to. Agiliance is a leading independent provider of integrated Governance, Risk and Compliance, or GRC, solutions. GRC has become a requirement for both public and private sector organizations, to comply with external regulations but also their own internal policies, and to provide a real-time view of risk in their organization. Our Agiliance GRC solution enables these organizations to manage their IT and operational risk much more effectively while reducing the cost of meeting these compliance mandates.

Our customers include Global 2000 companies from leading private sector areas in financial services, healthcare, energy, and high tech organizations as well as major government, both state and local, and federal governments here in the U.S. and in Europe.

KB: Today's topic is Integrated Governance, Risk and Compliance, or GRC, Solutions. So Joe, explain the key challenges organizations face in adopting IT GRC solutions.

JF: Okay. For IT and integrated GRC solutions, there are really two challenges that we see in the marketplace. One is the maturity level of the customers. Many leading analysts such as Forrester and Gartner see the same problem, and that is that the myriad of compliance mandates, internal policies, and industry-specific regulations these organizations are under makes it difficult for them to understand which ones apply to them. And once you understand that, then they need to understand what policies and what are known as controls, that's sort of the operative word here. What controls can they put in place that limit the risk and put them further into compliance? If you think of it, compliance and risk are opposite ends of the spectrum. The more compliant you are, the less risky, and vice versa.

So the other piece of this is once they understand what controls apply to them, then they need to understand what kind of data feeds are needed from their security systems and other overall IT systems. So they can actually prove to an auditor that they've applied these controls in the right way.

The third piece is they need to be able to understand, from the people who are part of these controls, whether these people are actually behaving as these controls say. That's the real first problem: the maturity level to understand all of that. The second is that there have been a number of GRC products that were built under what we call the first generation in the early 2000s that are building-block approaches. These building-block approaches tend to be very costly, they have a lot of consulting services, and customers are gun-shy of implementing such costly, long-term implementations and are looking for second-generation solutions like Agiliance that provide a purpose-built platform and a set of appliances that specifically focus on Integrated Governance, Risk and Compliance.

KB: What does today's maturity model look like and why is this commonly accepted?

JF: Okay. So there are sort of three levels to the maturity model. The first level is what we call manual GRC. Here, we have sort of a siloed approach. One small department in the organization, for example: Payment Card Industry compliance, which is PCI, might be one piece that an organization needs to do. They might use some simple documentation using Excel spreadsheets, SharePoint, and other commonly used tools to document their processes and then manually figure out whether the people and the systems are actually doing it. Very costly, but very siloed at that one level.

The second is people who actually look across a number of these compliance mandates. They could be FISMA for government, they could be PCI as I mentioned earlier, it could be IT SOX, etc., etc. It could be privacy mandates, and they try to cobble together a set of workflows that address all of these, again using their own homegrown system, and they build these one-off and connect them together through a data connection. They tend not to have a lot of connectivity still to the IT or security systems, which gives what we call a bottom-up correlation against these top-down assessments that are provided to people via a survey. But what's good about this second level, anyway, is that at least it's connecting multiple regulations and trying to get those understood in organizations; it's still not automated.

The third level we call automation GRC. So we have manual GRC, process GRC, and now automation GRC. That's where you have central policies and controls but you have bottom-up data coming from all your systems and you're correlating in one [indiscernible] swoop the information you're receiving from employees, the information you're receiving from IT systems and security systems, and coming up with a real-time view of risk, and that's what we enable these customers, Agiliance enables these customers, to do.

KB: What are the problems that companies run into with this adoption model?

JF: Well, from either the manual GRC or the process GRC level, the problems are threefold. One is there's inefficient controls mapping. Controls I mentioned multiple times. It could be, for example, how often you need to change the passwords in your organization. The control could say it needs to be done on a quarterly basis, and the sub-control could be that it needs to be ten digits, some capitals, some letters, etc. And how do you map that then to your PCI, or IT SOX, or some other compliance? That's not automated; that's a problem.

The second is inaccurate assessments. Without data coming directly from the IT systems or security systems, you really don't know what's happening. You can only have your ear to the ground, as many companies say, and they believe that the process is correctly done, but they don't know what's actually happening in their systems.

The third is insurmountable cost overrun. By having inefficient controls mapping and these inaccurate assessments, because there's no automation of data in your system, you then start to do a lot of manual work to prove to the auditor, prove to your board, that you actually have these systems in place. So that's what's inefficient, and those are the problems that occur with the non-mature adoption models.

KB: What kind of maturity model would be more suitable for this type of technology and how would it work?

JF: Well, as we propose to the industry as a leading independent player, we believe that an Agiliance model has to allow for both top-down, which we call process-based GRC, and bottom-up, which we call automation-based GRC, in one combined framework. That allows you to test a thin slice of any piece of your organization against not one risk or one compliance initiative but against any. You can get started with that kind of an application to do one piece and then add as you go, so it allows people to get started, prove the value of these systems, and then move across their entire organization, across all the compliance mandates, across all the risk policies that they need to address, in a complete application. The other thing we think is really critical is that companies need to be able to deploy this not only on-premise but also in the cloud. Many companies have far-flung operations, some of their systems are already in the cloud, and so Agiliance offers both cloud and on-premise deployment, or a mixed deployment, such that wherever your data is, wherever your people are, we can get at that information to provide you a view in real time of your risk and compliance.

KB: What are some of the advantages of the BUTD model?

JF: The BUTD is the bottom-up/top-down model. Well, we see three advantages. One, it allows these thin slices or minimal use cases to validate how Governance, Risk and Compliance should be used inside a corporation. Much of the immaturity is not that IT, security, and operational folks don't understand the need, but that the business people who need to be involved need to see what's going on. They need to give their view into this risk, because only they have certain aspects of that knowledge and they're being tested, and that's part of the auditor requirement: to ask the business people, in a business unit, in an operation like that, as to what's going on. So allowing you to get started with a singular compliance initiative that goes from the systems but also goes out to the people in one combined system is very important.

Secondly, it minimizes what we call change management. A lot of people are worried about change management because they're using spreadsheets today, very manually, but they know that at least people accept the process. By doing a thin slice with a system that's [indiscernible] still, like Agiliance, you're able to prove the case and have minimal disruption to the business, and then add more and more initiatives for risk and compliance as you go.

The third is that it validates the kind of technology that people want to invest in. They want to invest in an Agiliance kind of system, but it validates the system so that people at the top levels of the organization, the CIO, see what is actually being spent on in their organization, what needs more spending and what needs less spending; that's the view that they don't have today. And the other advantage, to the CFO: they know when they're spending in a certain area, they have some governance over that area, and they know what the report looks like to the board and to the auditor, which they're responsible for.

KB: Once deployed properly, how can these automated GRC technologies benefit enterprises?

JF: Well, we see the benefit across a number of areas. One is standard frameworks. You may have heard of the International Standards Organization; that is an example of a framework that is now pretty much accepted worldwide, and Agiliance has the International Standards Organization, or ISO, standards built into our system, so it gives people a way to provide frameworks that are accepted by your auditors and by the industry in a common application or a common platform like Agiliance GRC.

Second is it gives organizations continuous compliance. That's a [indiscernible] idea. They think of compliance as, well, I need to pass the compliance with the auditor that happens once a year, or maybe once a quarter, sometimes once a month, and it's in different areas, so most of these organizations are under audit fatigue because they think of compliance as a one-time event. With Agiliance, you have continuous compliance across all the different compliance initiatives. That's a very different benefit and a very new concept; many people don't even believe it's possible.

And the third is Agiliance provides a business risk view into IT and operations. Many business people look at IT and operations and say, what are you doing? Why is this important? And we give the business user a view into why compliance and risk management of their IT and operational areas helps the business in fact be more profitable, make their numbers, and succeed. These are the factors that we think are the benefits of automated GRC solutions such as Agiliance.
