Not Your Mama's GRC


Ok, to be fair, GRC has only been around for about a decade, so it's a bit disingenuous to suggest your mother would know anything about it, but nonetheless, you might have missed the exciting 10/10/10 release of LockPath Keylight. LockPath was founded by two former Archer officers with the sole intention of reinventing the GRC product space. Thus far, I think they're off to a great start.

To be clear up front, I'm a bit biased in favor of these guys as we've been chatting about their product for the better part of the past 2 years. It's been very interesting getting to watch the product evolve and grow. It incorporates a lot of key characteristics that have been missing from other products, or were simply not done well. What differentiates LockPath Keylight from the competition is that they started fresh with nearly a decade of experience in the product space.

What Should GRC Be?

Perhaps the first question worth considering is what GRC should be or mean. In its infancy, GRC platforms tended to be really awful policy repositories that eventually added dozens of bolt-ons, such as training/CBT, policy awareness, policy sign-offs, auditing, etc. The organic development of the product space meant that there wasn't any one good definition of what it should be. Instead, vendors got into feature-based races, apparently to see who could create the most ridiculous product ever. And, unfortunately, they were largely successful. I've yet to meet someone, for example, who actually likes their Archer deployment.

There are a few key features that I think should be core to a GRC platform. It should be the center of your security management universe. It should bring together policy, audit, compliance, asset management, training & awareness program management, risk management, and assessment management, all through one single dashboard. It should allow you to track your assets, including current vulnerabilities and patching status, as well as provide central reporting and dashboards that allow you to actively manage information risk within the organization. Audits should flow in and out naturally, and the platform should generally make auditing a much cheaper endeavor by helping quickly answer policy questions, providing ready examples of compliance for use as audit artifacts, and providing full traceability between policies, systems, and applicable compliance topics.

This perhaps sounds like a laundry list of ideals, but it really is what is important and needed. We don't need SIEM here, just SIEM reporting. We don't need vulnerability scanning, just vulnerability scan reports. It should pull together all of the information important to an active security management program and easily and readily cross-link all of this information in order to provide a complete picture. LockPath Keylight seems to be on the right path here, and they've done it in a completely new from-the-ground-up build.

Integrated IT UCF v2

One of the very cool features of LockPath Keylight is that it is built around version 2 of the IT UCF. From their website:

The Unified Compliance Framework (UCF) is the first and largest independent initiative to map IT controls across international regulations, standards, and best practices. The UCF accomplishes its goal by harmonizing terms and controls against the backdrop of a master hierarchical list. In simple terms this means that we can present the complex rules, standards, and policies you must follow in a simple spreadsheet format with in-depth links for you to drill down for as much information as you need.

In a nutshell, UCF takes all of the regulations, standards, and requirements that your organization may be managing and cross-maps them. Integrated into LockPath Keylight, this means that you can then take all of these cross-mapped requirements and link them to policies, systems, vulnerability management, assets, audits, and - ultimately - your risk management strategy.

Another great advantage to using the latest version of IT UCF is their approach to audit and audit questions. They've developed an approach that is far better and more effective than standard yes/no checklists. Instead, they go for informative questions that provide more complete and useful answers. For an overview, check out their highly amusing (and informative!) presentation that makes use of clips from My Cousin Vinny to demonstrate their audit question approach.


Back on the topic of LockPath Keylight, one of the biggest pros of their solution is scalability. Scaling has historically been an Achilles heel in the GRC space. Typically you get stuck with a single dedicated box, and the darn thing just doesn't scale. At the same time, the platform has grown over time into a monstrosity that simply becomes untenable to manage. Want to run parallel instances with inheritance, such as for subsidiaries within a company? Forget it, it's just not there... until now.

Comprehensive Risk Management

Perhaps the coolest part of LockPath Keylight is that it finally provides a full-fledged risk management platform. It still has a little way to go in terms of getting quantitative risk analysis capabilities integrated, but they have fully embraced the notion of evidence-based risk management. As such, this platform will not only help you manage your audit and compliance load, but it will provide you with the tools necessary for truly analyzing and managing information risk. It's exciting to finally see a product come to market that combines this capability with all the other key management attributes (asset management, vulnerability management, training management, audit management, and compliance management).


With the release of Keylight, LockPath is well on their way to redefining the GRC product space. There are several big competitors in this space already, but none of them provide overly compelling business cases. At a vastly lower price point, LockPath is providing a better product and delivering a higher value to the enterprise. The time is ripe to rip out those old non-functional shelf-ware GRC platforms and put something useful in place. Or, if you've never had a GRC platform before and have been wondering how to most effectively manage risk and your security and compliance programs, then now is a great time to take a serious look.



Great to hear your comments. I understand your bias towards LockPath (will explain my bias in a minute) and I did have a look, and they seem to be getting it right. It's even more interesting that, being ex-Archer, somehow they seem to have moved from custom-built GRC (e.g. Archer) to COTS-based GRC and are now singing the merits of the latter. In fact you mentioned it yourself that "I've yet to meet someone, for example, who actually likes their Archer deployment." Today for the first time (apologies if I have been hiding under the rock) I have seen somebody actually questioning Archer and the whole custom-built GRC.

Interestingly, Agiliance and RSAM, which have been recognised by Gartner as Strong Positive along with Archer, have been around for some time, but nobody seems to notice them. Blame it on their marketing. ;) Unfortunately, maybe they have been doing everything that LockPath is doing and more, but I guess somehow this point seems to have been missed completely by the analysts. Maybe it's the price point, but what I have observed is that GRC processes, while having a common thread, can be very unique to every company (maybe more commonality in their respective industries). Due to this, there is a requirement for some flexibility even in the COTS-based products (which indirectly drives the costs up). Of course we don't need so much flexibility that we need a fully fledged custom-built GRC platform.

Well, at least now that we have LockPath - promoted by ex-Archer - we might really have some light shed on Archer and whether it is really working. For all you know there might be renewed effort, especially with the consolidation occurring in the SIEM-GRC space.


About this Entry

This page contains a single entry by Ben Tomhave published on October 26, 2010 11:23 AM.