On the occasion of reaching my first anniversary with anecdotes, I wanted to introduce myself and share my experience and, consequently, my insights about the history of GRC. My name is Kerwyn Velasco, and I have been involved in GRC (Governance, Risk, and Compliance) in various capacities for the past ten years. I have practiced GRC for a publicly-traded organization, assisted several other organizations in implementing their GRC programs and integrating multiple tools, and created, sold, and marketed GRC software for enterprise and mid-market customers. While a significant portion of those ten years involved using software to streamline GRC programs, my background as an IT auditor initially set the standard for the tools I used.
That's right, folks! You probably expected something unique, but I relied on the trusty old audit programs and work papers stored on my organization's SharePoint with carefully labeled file structures. This served as the means of corralling my Risk Control Matrix, walkthroughs, narratives, and supporting evidence for all my control and follow-up testing. These documents could be easily accessed by other Compliance folks, internal/external auditors, and relevant stakeholders I worked with. I had templates for document request listings with examples to ensure the people I asked for supporting evidence provided me with the correct information rather than just rolling forward last year's evidence.
This all worked to a point, but as I handled the following year's audit period, the task of maintaining communication, updating matrices, creating audit reports, and generating audit packages became untenable. Fortunately, my company’s leadership recognized the need for cohesiveness between Compliance and the various stakeholders and licensed a GRC tool. This tool is still in use today, and eventually, I transitioned from my practitioner position to becoming a GRC consultant to help others implement GRC technology. Even at that time, the idea of automation was just emerging. The tool utilized an open-source agent to directly collect evidence from servers through SCAP (Security Content Automation Protocol) and used Open Vulnerability Assessment Language (OVAL) to scan for misconfigurations.
The downside of this burgeoning GRC technology was that the agent required elevated permissions during scanning, and there was also the possibility of running OVAL content written for a different asset than the one being checked (imagine checking AWS configurations against GCP; it simply wouldn't work). However, in capable hands, it became clear that GRC automation had the potential to be a game-changer for any organization.
I eventually found my way to a GRC platform that was a leader in the once glorious Gartner Magic Quadrant: RSAM. RSAM took a two-fold approach to justify control effectiveness. First, it utilized questionnaires to gather responses from control owners, which were then maintained within the tool. Second, it integrated with other tools that brought in supporting evidence, storing them as records in RSAM. This development in the history of GRC systems was truly magnificent, as it was the first time I had witnessed all the information related to my relevant controls, risks, and policies consolidated in a single place. This tool was aptly described as an Enterprise GRC that could be fully configured to meet every need.
As I learned and imparted to others, building your own application that fits your organization's unique users and domain can be done, but it comes with the cost of a full-time employee and constant vigilance over upgrades that may potentially break the functionalities you created. I have spent some time in organizations that aimed to fulfill this enterprise need, with varying levels of success in terms of the configuration required to get use cases up and running. eGRC tools were lacking a level of sophistication that had already begun to emerge in other mid-market tools. The focus was too broad, making it difficult to narrow down to specific problems. At this point, evidence automation came into the picture.
Building on my earlier awareness of SCAP and OVAL, I became familiar with the Center for Internet Security (CIS) Benchmarks, which provide configuration recommendations for vendor products and map those recommendations to the CIS Critical Security Controls. This was precisely the direction the GRC journey needed to take for widespread adoption. The focus shifted toward the problem of collecting evidence directly from the source application. CIS Benchmarks helped me comprehend the importance of transparently outlining the steps or commands required to gather this evidence, linking those recommendations to controls, and providing solutions for fixing the identified issues.
At this stage in my GRC journey, several companies were pursuing similar approaches, but one that particularly stood out to me was anecdotes. While others in the field simply collected information (similar to SCAP and OVAL), they didn't invest enough effort into reusing that information for different use cases. Additionally, many tools in the industry lacked the necessary credibility to ensure that the evidence collected remained relevant and applicable to the controls being tested.
On the other hand, anecdotes offered a forward-thinking comprehensive package, considering how various departments (such as policy creators, risk managers, and application owners) would utilize the collected GRC data. It was scalable to accommodate the unique needs of different organizations and configurable in a way that didn't require a full-time employee to maintain the system. Upgrades no longer disrupted the functionality of different use cases.
The focus of anecdotes was truly centered around the Compliance data underlying the evidence. The platform allowed users to analyze and establish their own monitoring criteria while also offering cross-referencing against other frameworks to facilitate a quick understanding of control alignment. This aspect was particularly important to me.
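To make the evidence-automation model described above concrete, here is an added example (not code from anecdotes, RSAM, CIS or any tool named in this post) of a benchmark-style check that carries its own audit command and remediation, refuses to run against an asset whose platform its content was not written for (the wrong-OVAL-content problem mentioned earlier), and records the result against control IDs in more than one framework so the same evidence can be reused. The check ID, control IDs and framework names are constructed placeholders; the asset records are constructed sample input.

```python
"""Benchmark-style evidence collection with an applicability guard and control cross-reference."""
from dataclasses import dataclass
from typing import Callable


class NotApplicable(Exception):
    """Raised when check content does not match the asset's platform."""


@dataclass(frozen=True)
class Check:
    check_id: str                        # constructed id, not a real CIS or OVAL identifier
    title: str
    platforms: frozenset                 # platforms this check content is written for
    audit: Callable[[dict], bool]        # True when the observed configuration passes
    audit_cmd: str                       # command an auditor would run to reproduce the result
    remediation: str                     # how to fix a failing result
    controls: dict                       # framework name -> list of control ids (placeholders)


def collect_evidence(check: Check, asset: dict) -> dict:
    """Run one check against one asset and return a reusable evidence record."""
    if asset["platform"] not in check.platforms:           # guard against mismatched content
        raise NotApplicable(f"{check.check_id} targets {sorted(check.platforms)}, "
                            f"asset {asset['name']} is {asset['platform']}")
    passed = check.audit(asset["config"])
    return {"asset": asset["name"], "check": check.check_id,
            "result": "pass" if passed else "fail", "audit_cmd": check.audit_cmd,
            "remediation": None if passed else check.remediation, "controls": check.controls}


def evidence_by_control(records: list) -> dict:
    """Pivot evidence records so each (framework, control) lists the assets supporting it."""
    pivot = {}
    for rec in records:
        for framework, ids in rec["controls"].items():
            for control_id in ids:
                pivot.setdefault((framework, control_id), []).append(f"{rec['asset']}:{rec['result']}")
    return pivot


# Constructed sample check: SSH root login must be explicitly disabled on Linux hosts.
# A missing PermitRootLogin value is treated as a fail because the default is not "no".
SSH_ROOT_LOGIN = Check(
    check_id="EX-SSH-01", title="Ensure SSH root login is disabled",
    platforms=frozenset({"linux"}),
    audit=lambda cfg: cfg.get("PermitRootLogin", "").lower() == "no",
    audit_cmd="sshd -T | grep -i permitrootlogin",
    remediation="Set 'PermitRootLogin no' in /etc/ssh/sshd_config and reload sshd",
    controls={"framework_a": ["CTRL-A-1"], "framework_b": ["CTRL-B-7"]},
)
```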
anecdotes has consistently shown itself to be a true pioneer in this space and has earned its place in the history of GRC. I appreciated that the company dealt with the GRC problems of old using a fresh new approach rather than copying what others had already done. I have been given the opportunity to dive into new relationships in the GRC realm and was even recognized by Gartner for my efforts in evangelizing Continuous Compliance Automation in DevOps. It has been a great ride with anecdotes this past year, and I am super excited to continue sharing the fantastic things anecdotes has in store for you over the next year!