GRC Destroyer #9: The Perfect GRC Tool
I discuss the perfect GRC tool based on the community echo chamber. Hopefully this sparks some ideas for practitioners and product designers alike.
Why discuss the “Perfect GRC Tool”
There’s a bunch of tools, from legacy behemoths like Archer IRM or ServiceNow to SOC-in-a-box solutions like Drata and Vanta. I generated a “landscape report” from Forrester in like Q2 2023 and it listed 33 vendors, and that listing absolutely sucked.
So what do we have to rely on? The vigilant salesforce of newcomer GRC vendors selling snake oil, or past job experience… maybe you’ve used AuditBoard back in the day. We can all agree that GRC marketing, much like cybersecurity marketing, is out of control, deceptive, and surely not a way to compare apples to apples. See this post about classifying cybersecurity tooling; it has really next-gen stuff about how to address the marketing problem.
The purpose of talking about a “perfect GRC tool” is that it doesn’t exist yet. It’s useful to brainstorm which core features and add-on features make sense bundled together once context is applied. These tools obviously cater to different segments of customers: enterprises are far more complex and need real assurance, while for SMBs compliance serves as a sales-enablement function more than anything. Despite those differences, there are a few universal truths about what makes these tools good.
Let’s dive in:
GRC leaders talking about this
A recent post from the CEO/Co-Founder of risk3sixty talks about what the ideal tool looks like in GRC. I think his list of core features is $$$:
COULD BE SICK
Managing Compliance, Making Audits Easier
Vendor Management/Customer Questionnaires, Real Assurance
Workflow/Reporting/Reminders
Risk Register/Risk Management
Project Management
Policies
However, let’s compare it against another valid point of view: that of Ayoub Fandi, Security Assurance at GitLab, in this post describing these very same features as being “stuck in the 2010’s”.
STILL ABSOLUTE SHIT
A place to store evidence (GDrive with better search)
A way to track compliance tasks (like Jira, but worse)
Some tables to map controls (Excel with less flexibility)
A dashboard builder (Tableau without the features)
"Automated" evidence collection ("do you have 2FA" pdf extract)
Common GRC tool use cases
A lotta vendors bundle major use cases together in an arms race to provide value. Here’s a few:
Common Core Use Cases
Framework Mapping and Control Organization
Automated Evidence Collection
Manual Evidence Collection
Progress tracking for audits
“Auditor-Ready UI” / export evidence and controls
Sending compliance requests to stakeholders outside of GRC
Common Add-On Use Cases
Risk management / Risk Register
Automated access reviews
Third-party vendor management
Trust Centers
Security Questionnaire Automation
Policy Management
Security Awareness Training / Onboarding Management
The actual GOATed tool
People will hate me for this lol…. by far the best tool to simplify the ENTIRE scope of GRC is the Secure Controls Framework (SCF). The SCF is free under a Creative Commons license, it’s still updated quarterly to add new requirements, and it literally includes everything. From a pure coverage perspective it’s the GOAT. Yes, yes, I WILL discuss why, despite being the GOAT, it still sucks. But let’s level set for a moment:
Jacky’s SCF Pitch Deck (No they don’t pay me)
The reason nobody actually uses this is that it’s only free as a giant Excel sheet. Also, the SCF is much more than just unified controls: it includes risk, evidence request lists, and a bunch more. Check out the website for more info.
What does the perfect tool do?
1. Provides Complete Coverage
The perfect tool is framework-agnostic so you can build your program outside of the bullshit language of these 250+ laws, regulations, and industry frameworks. Controls need to be unified in a common catalog to cater to the vast differences in organization complexity, industries, locations, etc. Control owners don’t care about these regulations; they want concrete “rules” to be accountable for. We call these rules unified controls, and if they’re unified it saves a TON of time and confusion. Don’t tell me “THe fRameWorks HaVe DiFfeRent ScoPes” - that’s coward mentality. Yeah, there are nuances, but basically all these controls are rules and you can pick, or be told, which ones to follow.
Build it unified then automatically map it back
Basing the tool on the SCF ensures that you can scope and report against any framework in the world. Yeah, it’s not 1-to-1 language, but when you’re an early-stage startup and a customer wants to know if you’re “PCI DSS compliant” (even though you don’t process PCI data) it’s helpful to see how you stack rank against the controls in that framework. The perfect solution uses the SCF mappings to automatically track progress against any framework you want to monitor. No paying extra per framework; it includes everything. We need consistency, and it’s only a matter of time before everyone realizes it.
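To make the "build it unified, then map it back" idea concrete, here is an added example written for this article (not the SCF's own data and not any vendor's code). It keeps one catalog of unified controls with a status per control, maps framework requirements onto those controls, and derives readiness per framework purely from the unified statuses. The control IDs, the framework names "FW-A" and "FW-B", and every mapping below are constructed for illustration; a real deployment would load the SCF's published mappings instead. Note the two edge cases the mapping has to get right: a requirement backed by several unified controls passes only when all of them pass, and a requirement with no mapped control is reported as a gap rather than quietly counted as satisfied.

```python
"""Added example: a framework-agnostic control catalog mapped back to framework
requirements, with per-framework readiness computed from unified control status.
Illustrative code written for this article, not the SCF's data or any product's
implementation. All IDs, framework names and mappings are constructed."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_TESTED = "not_tested"


@dataclass
class UnifiedControl:
    id: str
    name: str
    owner: str
    status: Status = Status.NOT_TESTED


# The unified catalog: the only "rules" control owners are asked to satisfy.
CATALOG = {
    c.id: c
    for c in [
        UnifiedControl("UC-IAM-01", "MFA enforced for all workforce accounts", "it-ops", Status.PASS),
        UnifiedControl("UC-IAM-02", "Quarterly user access reviews completed", "it-ops", Status.FAIL),
        UnifiedControl("UC-LOG-01", "Security logs centralised and retained", "secops", Status.PASS),
        UnifiedControl("UC-VULN-01", "Critical vulnerabilities patched within SLA", "platform"),
        UnifiedControl("UC-POL-01", "Policies reviewed and approved annually", "grc", Status.PASS),
    ]
}

# Framework requirement -> unified controls that together satisfy it (constructed).
# An empty list (B.3) is a mapping gap: the catalog has nothing for that requirement yet.
MAPPINGS = {
    "FW-A": {"A.1": ["UC-IAM-01"], "A.2": ["UC-IAM-02", "UC-LOG-01"], "A.3": ["UC-VULN-01"]},
    "FW-B": {"B.1": ["UC-IAM-01", "UC-IAM-02"], "B.2": ["UC-POL-01"], "B.3": [], "B.4": ["UC-LOG-01"]},
}


def requirement_status(control_ids, catalog=CATALOG):
    """A requirement passes only when every mapped control passes. One failing
    control fails it; an unmapped requirement is NOT_TESTED, never silently satisfied."""
    if not control_ids:
        return Status.NOT_TESTED
    statuses = [catalog[cid].status for cid in control_ids]
    if any(s is Status.FAIL for s in statuses):
        return Status.FAIL
    if all(s is Status.PASS for s in statuses):
        return Status.PASS
    return Status.NOT_TESTED


def framework_readiness(framework, mappings=MAPPINGS, catalog=CATALOG):
    """Readiness against one framework, derived entirely from unified control status."""
    reqs = mappings[framework]
    per_req = {r: requirement_status(cids, catalog) for r, cids in reqs.items()}
    passed = sum(1 for s in per_req.values() if s is Status.PASS)
    return {
        "framework": framework,
        "total": len(reqs),
        "passed": passed,
        "readiness_pct": round(100 * passed / len(reqs), 1),
        "unmapped": sorted(r for r, cids in reqs.items() if not cids),
        "per_requirement": per_req,
    }


def requirements_depending_on(control_id, mappings=MAPPINGS):
    """Blast radius of one unified control: every framework requirement that
    would fail if this control failed. Fix the control with the widest radius first."""
    hits = {}
    for fw, reqs in mappings.items():
        affected = sorted(r for r, cids in reqs.items() if control_id in cids)
        if affected:
            hits[fw] = affected
    return hits


if __name__ == "__main__":
    for fw in MAPPINGS:
        r = framework_readiness(fw)
        print(f"{fw}: {r['passed']}/{r['total']} ({r['readiness_pct']}%), unmapped={r['unmapped']}")
    print("UC-IAM-02 affects:", requirements_depending_on("UC-IAM-02"))
```

The point of `requirements_depending_on` is the "report against any framework" promise in reverse: because control status lives in one place, a single failing unified control immediately shows which requirements in every monitored framework it drags down, without anyone re-assessing per framework.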
2. Unlimited Integrations and Automations
The perfect tool does not put you into a box. It can connect to any system in your stack, provided that system has a usable API. The tool may offer packaged control automations for the low-hanging fruit (“is MFA configured” or “did all new hires complete a background check”), but it doesn’t stop you from gluing systems together in a flexible way to build custom control testing. If you build a control automation, that automation itself becomes part of the control, so there is robust information about the design and effectiveness of the automated control test in addition to the source systems used by that automation.
Not only should the tool integrate with systems for automated control testing, it should also integrate with the project management and communication tools. Necessary integrations:
JIRA and Confluence - policy management, findings management, risk management power use cases
Slack or Email - control ownership acknowledgement, evidence requests, findings and issues alerts
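What "the automation becomes part of the control" looks like in practice, as an added example written for this article (not the post author's code and not any vendor's product): one automated MFA control test whose design statement, population rule and source system are recorded in the result record alongside the exceptions it found. The identity-provider export is a constructed sample and "hypothetical-idp" is a made-up system name; in a real deployment `fetch_users()` would be an API call to your IdP. The population rule is the detail an auditor asks about first, so it is stored with the evidence rather than living only in someone's head.

```python
"""Added example: an automated control test that records its own design and data
provenance with its result, so the automation is auditable as part of the control.
Written for this article; the IdP export is a constructed sample and
'hypothetical-idp' is a made-up system name."""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, List

# Constructed sample: what a user export from a hypothetical IdP might look like.
SAMPLE_IDP_EXPORT = json.dumps([
    {"id": "u1", "email": "alice@example.com", "active": True, "type": "human", "mfa_enrolled": True},
    {"id": "u2", "email": "bob@example.com", "active": True, "type": "human", "mfa_enrolled": False},
    {"id": "u3", "email": "svc-backup@example.com", "active": True, "type": "service", "mfa_enrolled": False},
    {"id": "u4", "email": "carol@example.com", "active": False, "type": "human", "mfa_enrolled": False},
])


def fetch_users() -> List[dict]:
    """Stands in for the IdP API call; parses the constructed export instead."""
    return json.loads(SAMPLE_IDP_EXPORT)


@dataclass
class ControlTest:
    control_id: str
    design: str            # what the test asserts, in words an auditor can read
    population_rule: str   # how in-scope records are chosen
    source_system: str     # where the evidence came from
    fetch: Callable[[], List[dict]]
    in_scope: Callable[[dict], bool]
    passes: Callable[[dict], bool]


@dataclass
class TestResult:
    control_id: str
    ran_at: str
    source_system: str
    design: str
    population_rule: str
    population: int
    exceptions: List[str]
    effective: bool

    def as_evidence(self) -> str:
        """Serialised record stored with the control, design and provenance included."""
        return json.dumps(asdict(self), indent=2)


def run_control_test(test: ControlTest) -> TestResult:
    records = [r for r in test.fetch() if test.in_scope(r)]
    exceptions = sorted(r["email"] for r in records if not test.passes(r))
    return TestResult(
        control_id=test.control_id,
        ran_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        source_system=test.source_system,
        design=test.design,
        population_rule=test.population_rule,
        population=len(records),
        exceptions=exceptions,
        # Effective only when the whole population passes: one exception fails the test.
        effective=not exceptions,
    )


MFA_TEST = ControlTest(
    control_id="UC-IAM-01",
    design="Every active human account in the IdP has MFA enrolled.",
    population_rule="active == true and type == 'human' (service accounts are tested by a separate control)",
    source_system="hypothetical-idp",
    fetch=fetch_users,
    in_scope=lambda u: u["active"] and u["type"] == "human",
    passes=lambda u: u["mfa_enrolled"],
)

if __name__ == "__main__":
    print(run_control_test(MFA_TEST).as_evidence())
```

Swapping in a different `fetch`, `in_scope` or `passes` is how the same harness covers "did all new hires complete a background check" against an HR export; the design and population fields make each variant self-describing when the auditor samples it.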
3. Bring your own risk management or do it natively
The perfect tool allows you to integrate risk management tools like CyberSaint, or even SaaS Security Posture Management (SSPM) like Valence, because there are several layers of “risk management”. Tools like these absolutely have a hand in satisfying risk management controls. However, the perfect GRC solution also lets you natively link risks (however you model them) to controls. It’s important to understand that most risks are managed at the control level, so if you have a framework-agnostic source of truth which includes the control narrative, the last time it was audited, who the owner is, and the corresponding evidence proving it’s working, that’s the most powerful form of risk management there is. No need for the tool to add flashy risk-rating logic; all you have to do is link controls to risks and figure out the rest the easiest way possible.
4. Robust RBAC and unlimited seats
The perfect tool welcomes users outside of GRC to view and update data through very granular, least-privilege access roles. Most of GRC is quarterbacking requests from other teams and turning those requests into a story for a third party. The perfect tool gives control owners and evidence owners the freedom to really own their requests, while GRC manages the governance of the program and ties it all together.
Roles for management
Additionally, management also gets access to areas of the tool with executive dashboards and on-demand reporting of KPIs (audit readiness, scope of frameworks, domain coverage, controls failing, etc.).
5. GenAI against all the data
If the tool is used right, there is no need for a separate security questionnaire automation tool. An AI agent can query the underlying data and metadata to answer customer due-diligence questionnaires, and each answer should point back to the control and evidence it was drawn from so a reviewer can check it. After all, this would be the organization’s source of truth, not 5,000 Q&A pairs answered arbitrarily in another system. No need to reproduce work.
6. Understands the audit process
The perfect tool has a logic layer on top of all unified controls that allows evidence to be reset or “expired” in a flexible and easy way. Even though you have one source of truth for the controls, the evidence should still flow with traditional audit practices. For example: a continuously monitored control can go back and produce evidence for any point within the last year; a policy control switches to expired after a pre-defined cadence; or you bulk reset all your controls when a new audit period starts. The idea is that the tool shouldn’t add complexity to gathering audit evidence within a specified audit period.
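The three behaviours above (continuous evidence valid anywhere inside the audit period, periodic evidence expiring after its cadence, and a bulk reset when a new period starts) are small enough to write down, so here is an added example written for this article rather than code from any GRC product. Control IDs, dates and cadences are constructed. The subtle case it handles is the annual policy approval signed shortly before the audit period opened: it is still within cadence, so the reset keeps it, while an automated run from the previous period is archived because the automation can simply re-run for the new window.

```python
"""Added example: the evidence logic layer described in the article. Continuous
controls are satisfied by any evidence inside the audit period; periodic controls
expire when their newest artefact is older than the cadence; a bulk reset archives
(never deletes) evidence that cannot be valid in the new period. Illustrative code
written for this article; all IDs, dates and cadences are constructed."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class TestType(Enum):
    CONTINUOUS = "continuous"   # automated, can regenerate evidence for any window
    PERIODIC = "periodic"       # manual artefact collected on a cadence


@dataclass(frozen=True)
class Control:
    id: str
    test_type: TestType
    cadence_days: Optional[int] = None   # PERIODIC only


@dataclass(frozen=True)
class Evidence:
    control_id: str
    collected_on: date
    source: str


@dataclass(frozen=True)
class AuditPeriod:
    start: date
    end: date

    def contains(self, d: date) -> bool:
        return self.start <= d <= self.end


def evidence_state(control: Control, evidence: List[Evidence],
                   period: AuditPeriod, today: date) -> str:
    """'valid', 'expired' or 'missing' for one control within an audit period."""
    candidates = [e for e in evidence
                  if e.control_id == control.id and e.collected_on <= period.end]
    if control.test_type is TestType.CONTINUOUS:
        # Any in-period run counts; the automation can backfill the window on request.
        return "valid" if any(period.contains(e.collected_on) for e in candidates) else "missing"
    if not candidates:
        return "missing"
    # Periodic: an artefact from before the period still counts while within cadence.
    newest = max(e.collected_on for e in candidates)
    return "valid" if (today - newest).days <= control.cadence_days else "expired"


def readiness(controls, evidence, period, today):
    return {c.id: evidence_state(c, evidence, period, today) for c in controls}


def bulk_reset(controls: List[Control], evidence: List[Evidence],
               new_period: AuditPeriod) -> Tuple[List[Evidence], List[Evidence]]:
    """Start a new audit period. Continuous evidence outside the new window is archived
    (the automation re-runs); a periodic artefact stays active only while it is still
    within cadence at the start of the new period."""
    by_id = {c.id: c for c in controls}
    active, archived = [], []
    for e in evidence:
        c = by_id[e.control_id]
        if c.test_type is TestType.CONTINUOUS:
            keep = new_period.contains(e.collected_on)
        else:
            keep = (e.collected_on <= new_period.end
                    and (new_period.start - e.collected_on).days <= c.cadence_days)
        (active if keep else archived).append(e)
    return active, archived


# Constructed sample data.
TODAY = date(2024, 6, 30)
PERIOD = AuditPeriod(date(2023, 7, 1), date(2024, 6, 30))
CONTROLS = [
    Control("C-MFA", TestType.CONTINUOUS),
    Control("C-POL", TestType.PERIODIC, cadence_days=365),
    Control("C-ACCESS", TestType.PERIODIC, cadence_days=90),
    Control("C-VULN", TestType.CONTINUOUS),
]
EVIDENCE = [
    Evidence("C-MFA", date(2024, 6, 1), "idp-mfa-check"),
    Evidence("C-POL", date(2023, 8, 1), "policy-approval-record"),
    Evidence("C-ACCESS", date(2024, 2, 15), "q1-access-review"),
]

if __name__ == "__main__":
    for cid, state in readiness(CONTROLS, EVIDENCE, PERIOD, TODAY).items():
        print(cid, state)
    active, archived = bulk_reset(CONTROLS, EVIDENCE, AuditPeriod(date(2024, 7, 1), date(2025, 6, 30)))
    print(f"after reset: {len(active)} active, {len(archived)} archived")
```

With the sample data, the MFA automation is valid, the annual policy approval is valid, the quarterly access review is expired (136 days old against a 90-day cadence) and the patching control is missing. After the reset into the 2024-07-01 period only the policy approval stays active; the two others are archived, not deleted, which is what an auditor sampling the prior period expects.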
7. No scope creep
I’m just one voice so do what you want… but… who gives a shit if this tool does TPRM or Trust Centers? TPRM could be handled by another tool integrated to show compliance with controls, and it doesn’t make sense to have it as a core feature.
Sure, it could have a Trust Center feature but I surely don’t care.
THE END (argue with me and check out the people I like)
I would love to hear your feedback on my perfect tool. Shoot me a DM or leave a comment.
People I like and mentioned:
Ayoub Fandi - True GRC engineering pioneer
Christian Hyatt - Knows what’s going on
Ross Haleliuk - Has the best cyber industry blog
David Forman - Progressing ISO audits
Ethan Altmann - Taking control automation into the future with Anecdotes product
Rachel Curran - Unifying the GRC community
Yair Kuznitsov - Built the smartest GRC tool on the market (Anecdotes)
Mike Kim - Building smart AI-powered GRC tools
Chris Honda - GRC thought leader at Whistic
Tom Cornelius - Founder of the Secure Controls Framework (GOAT)