Calling all security pros and IT managers bogged down by compliance and governance paperwork: Toronto-based cybersecurity expert Ben Sapiro wants to make your job easier. And this year at SecTor 2016, he’ll unveil a tool that will help.
Sapiro, a long-time SecTor speaker, first appeared in 2007 with a data-driven talk describing how threats were evolving. In subsequent years, he returned to talk about how cybersecurity statistics could help security pros to sell cybersecurity to the board. And then again to propose a methodology for analyzing risk in a more digestible way (see that talk here).
There’s a trend here: the blending of data and process to make risk easier for businesses to manage and mitigate. When he returns this October, he’ll be pushing that concept still further by unveiling an open-sourced tool for governance, risk management and compliance (GRC) called G.Tool.
GRC is an area that needs work, Sapiro said. “There are so many different ways to do it and so many fall back to Excel or buying expensive GRC tools and then under-using them.”
Effective governance and risk management relies on solid information. Mismanaging GRC by not collecting or using the data properly can leave businesses flying blind.
“We need to solve the problem. That’s not through methodologies. It’s through easily adaptable tools,” he said.
That’s what Sapiro will deliver along with his talk: not just ideas, but a tool that will enable businesses to easily set up their own GRC regime. So what will it look like?
Ease of use is a top design priority for Sapiro, who is already busy coding. “You’re dealing with a lot of information, and you want to structure it efficiently. You don’t want to have to understand how to set up a database or a web server,” he said. “You want tools that are usable from the desktop, with outcomes that are relevant to you, and the ability to use existing tools in the organization.”
The tool’s architecture features three parts: the first will be a language for describing and structuring data, while the second will focus on transforming it for some useful output, which could be as simple as a report.
Report generation alone will be useful in one of Sapiro’s use cases, which sees a busy manager preparing a top-level risk and governance report for senior executives each month. That can be a tortuous process, he suggests, with complex aggregation and calculation going on behind the scenes. That’s before the manager even gets to the document formatting part.
Automation and GRC
The use cases don’t have to stop at static reports though, and this is where the third part of the G.Tool architecture comes in: “It has to be accessible for automation,” he explained. The data should be available in a format that can kick off other processes.
He gives an example in which a system dumps a log report into a directory on a file server every week, and G.Tool then scans that directory. It could search the logs for user-defined text patterns that indicate particular problems, such as servers not meeting a required configuration.
Upon discovering a particular condition, the tool could interact with other software to trigger an email asking a technician to resolve the issue. Perhaps in the future it could integrate with an IT service management or workflow automation system to trigger particular jobs that would help to bring a system into compliance.
The tool will be made up of pre-built components that the user will connect together in the order that they need. “The best analogy is a big box of Lego Technic (the ones that come with gears),” Sapiro said, calling G.Tool a “batteries included” framework. “You can build anything as long as you spend the time figuring out how to put the pieces together.”
Users will string those blocks together using a simple text editor, and import data or connect to other sources using a file manager. They will process the data using a command line interface.
How much easier will this make the security pro’s job? For one thing, it might mean that they never have to talk to the compliance guys again. Ultimately, Sapiro wants it to do for GRC what Ruby on Rails did for web development.
Interested in finding out more about G.Tool and seeing Sapiro talk in person? Registration is open for SecTor 2016, which takes place at the Toronto Metro Convention Centre from October 17-19. Sign up here.