The whole area of Governance, Risk and Compliance (GRC) is a perfect example of automation failing to live up to its full potential. There are many products automating aspects of the GRC process, but none that look at the whole process from end to end.
The result is what BMC calls the SecOps gap.
This is named by analogy with the more famous DevOps gap. In that case, the gap between Development and Operations results in botched application rollouts and production outages. In the same way, the SecOps gap between Security (GRC) and IT Operations Management (ITOM) spans two very different ways of looking at the world. GRC teams focus on working out how things should be in an ideal world, and want to get there as quickly as possible. On the other side, ITOM teams have to deal with the messy real world, and live by the maxim “if it ain’t broke, DON’T TOUCH IT!”.
The conflict between these two worldviews arises over the issue of change. GRC teams want changes made as quickly as possible to shrink vulnerability windows and non-compliance exposure. ITOM teams know that change is dangerous, especially in modern environments with many moving parts and many interactions between different teams. Gartner tells us:
Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues, and more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues.
(Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures).
In both the SecOps and DevOps cases, each team has its own dedicated tools, and the various sub-teams within each area have their own increasingly specialised tools on top of that. While these tools may help with one specific task, none of them addresses the overall issue of the entire process.
What BMC does is close that gap, providing a single unified view of how things should be and how they actually are, and giving options to manage the inevitable differences between the two. BMC plans to provide a SecOps Portal application which uses a vulnerability scanning tool to identify vulnerabilities and then uses BladeLogic Automation to automate the triage and remediation of those vulnerabilities, improving the organization's overall security posture and closing the SecOps gap.
If you are interested in learning more about the SecOps application, would like a demo, or would like to explore the SecOps Portal application, feel free to contact firstname.lastname@example.org.
In the request, please provide your name, the organization you work for, and the name of the vulnerability scanning tool used by your organization.
There is also a whitepaper on this topic, which you can download here.