Evolution of Transformative GRC Platform Support

EDP auditors in the mid-1970s learned quickly that they had a problem: keeping up with expanding technological advances was not going to be easy in the governance and compliance work being done on early computers. “Auditing and control procedures for EDP systems,” two accountants explained back in 1978, “have failed to keep pace with the introduction of new technology and concepts in EDP design.” [1]

I was reflecting on these early challenges during a recent review with Bala Venkat from MetricStream. His comments highlighted and illustrated just how far EDP has evolved from an awkward accounting task into a modern, professional discipline supported by powerful, automated Governance, Risk, and Compliance (GRC) platforms, with their hooks and workflow embedded into critical business processes.

Bala explained that four fundamental initiatives drive GRC platform design at MetricStream: Simplicity, Cloud, Pervasiveness, and Analytics. Each of these initiatives helps to highlight the present state of the art in GRC – and as such, it is instructive to examine each in the context of modern enterprise security architectural evolution. Let’s go through these GRC platform initiatives in turn:

First, there is simplicity. Any cyber security expert will tell you that GRC can become highly complex because it must be embedded into business processes. If a company requires six levels of approval for access, for example, then the GRC workflow must support this requirement. MetricStream supports the goal of simplicity by optimizing platform configurability options, so that as business processes evolve or change, the corresponding GRC platform support can be adjusted accordingly.

Second, there is cloud. It should come as no surprise that as the enterprise pivots to hybrid cloud, GRC support must shift as well. In the early days, enterprise data was resident within a perimeter. As this evolved to workloads in virtual as-a-service infrastructure, GRC support could no longer remain on the local LAN. “We have built a cloud stack for our platform in partnership with the major providers,” Bala explained, “so that customers can support GRC across hybrid architecture.”

Third, there is pervasiveness. This includes driving GRC initiatives to the employee level with individual engagement via mobile apps, customized training, and other functions made available by the ubiquity of mobile devices. Pervasiveness also implies third-party support for GRC to maintain a uniform level of risk management in the presence of outsourcing and offshoring work functions. “Our GRC Pulse functionality includes features designed to optimize pervasiveness of GRC across the employee base, as well as third-parties,” Bala explained.

Fourth, there is analytics. As you would expect, this involves advanced GRC analytics for data collected around the GRC ecosystem in the context of business processes. This data is subjected to machine learning and correlative algorithms to determine whether observed activity is within expected parameters. As you might guess, this results in compliance alerts when gaps are detected. “The MetricStream GRC data aggregation and reporting functions, combined with real time reporting and warnings, result in a highly effective analytics environment for GRC,” Bala explained.

It’s interesting to note that cyber security and risk management experts would more than likely choose to illustrate the advancement of our profession by citing improvements in data security analytics, detection of anomalous indicators, and integration of end-to-end cryptographic solutions. Few would point to GRC as a discipline that highlights and illustrates significant high-tech innovation in cyber risk management.

But the truth is that GRC has experienced impressive advances – a point made clear by revisiting the early views of EDP auditors. They seemed to know that their profession would have no choice but to evolve quickly: “Depending on the particular system design,” an expert wrote at the time, “careful implementation of audit techniques and application controls is likely to diminish the vulnerability to threats.” [2]

It’s time that we begin to acknowledge the significant and transformative advances of GRC in our profession. It’s one of the more positive stories in our long journey together. Today’s GRC expert has at their disposal platforms, such as from MetricStream, that have a powerful impact on the security and risk of the enterprise. This is an aspect of cyber that deserves more attention and recognition from our decision makers.

Let me know what you think.

[1] W.E. Perry and H.C. Warner, “Systems Auditability: Friend or Foe?” The Journal of Accountancy, February 1978, pp. 52-60.

[2] R.H. Dewy, “System Auditability and Control in an EFTS Environment,” AFIPS Conference Proceedings, Vol. 47, 1978, pp. 185-189.