The Simplest GRC Tool

In a wonderful reflection written thirty years ago, the great Edsger Dijkstra described an automatic tool that helped him with his groundbreaking work on a compiler for Algol 60, a precursor programming language to just about every language we’ve had since: “I then allowed myself the luxury of a portable typewriter,” he explained, “which I still have. It had square brackets. It had braces too. I could also type - > and = >.”

I know this sounds so ancient today, but there are so many wonderful things to admire about Dijkstra’s Hermes Media typewriter with its now retro-awesome Techno Elite font. That tool elegantly addressed the practical problem of representing arrows, and it made its owner happier and more productive. If there was one goal that I would recommend for those of you in the cyber security vendor racket, it would be that you make your own customers feel thus.

I was thinking of this cool little typewriter while watching a live demo of a new governance, compliance, and risk (GRC) tool called Defensix. The demo was somewhat unexpected, because it comes from a company called Silent Break Security, which was founded by expert penetration tester and DEFCON speaker, Brady Bloxham. To be honest, the last thing I would have expected from Brady and his team would be a GRC tool. But I was pleasantly surprised. Here’s the scoop:

We began with a demo and I almost couldn’t believe my eyes. And this was NOT because the tool included the usual every-feature-but-the-kitchen-sink, but because of precisely the opposite. The Defensix tool includes only those basic – and I mean basic – features that are required for a typical compliance expert to do their job. I realized quickly that this was the Dijkstra typewriter version of a modern GRC tool.

“We start with an organizational profile to determine which compliance frameworks are in scope for the GRC work,” explained Richard Bradshaw, an executive with Silent Break Security. I examined the list, and it included the most popular frameworks you’d expect to find in the first step of operation from such a tool: HIPAA, PCI, NIST, and so on. I was surprised (and strangely excited) by the simplicity of the screen. It looked like it had been programmed by a hacker.

“We then offer a simple place to put your documents,” Bradshaw said, “and this includes security policies, security standards, and your organizational security charter.” Again, I was pleased to see that this was included, because these documents create a baseline for so many GRC projects, especially in smaller environments. So, again – I was pleased with the simplicity of purpose with Defensix.

Bradshaw continued: “Next, we offer a place to run reports such as gap analysis or status summaries. And we include the ability to support questionnaires, vendor ratings, and a simple dashboard. These are the features we see being used by our customers.” And yes – I agreed with that assessment. As a compliance consultant myself, I generally like stored frameworks, stored documents, gap capability, and report generation. These are my typewriter specs.

Now comes the fun: You’re probably expecting me to explain all the new Defensix features being planned, including machine learning, artificial intelligence, contextual security, and on and on. But the good news is that what you see is what you get with Defensix. It is the simplest tool I’ve ever seen for GRC, and I think you would be able to use it before the demo is even completed. (Compare that with the months of training required for most GRC platforms.)

I totally understand that if you are JPMC or the US Treasury Department, that you’re going to need a more feature-rich GRC tool. United Airlines doesn’t fly Pipers across the ocean, and neither should big companies try to stretch tiny tools to big job. But for most of you out there doing compliance assessments, I must say that this little tool looks seriously useful. It includes just the features you need – and nothing more.

(As a fun-fact footnote, Dijkstra claimed that his little Hermes developed its first technical troubles in 1979, after about two decades of operation. Now, that is another reason to keep your tools simple.)