Dashboard Insight recently spoke with Joe Krause about GRC solutions and his company's acquisition of Mirage Networks, plus a quick snapshot of some new developments they have planned.
Dashboard Insight: Tell us about the history of Trustwave?
Joe Krause: Trustwave is the leading provider of on-demand and subscription-based information security and payment-card industry compliance management solutions for business and government. For organizations faced with today’s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions. Trustwave has helped more than 30,000 organizations—ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers—manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia.
DI: What areas of the B.I. stack do your GRC solutions cover?
JK: Trustwave GRC covers reporting, analytics, data mining, business performance management and benchmarks.
DI: Your Compliance Suite offers a compliance regulation and security controls knowledgebase, coupled with workflow and enterprise risk reporting capabilities. Can you elaborate how your Compliance Suite automates the enterprise GRC lifecycle?
JK: The enterprise GRC lifecycle consists of several areas, all covered by Trustwave GRC:
In the governance area:
- Program management: Pre-configured or custom controls and policy libraries to establish internal policies, procedures and controls to address legislative, industry or internal policy mandates.
- Remediation management: Custom remediation management workflow to track non-compliance of established policies, procedures and controls.
- Exception management: Custom exception management workflow to approve and track exceptions to established policies, procedures and controls.
- Reporting: Enterprise reporting through Cognos.
With risk management, we offer:
- Asset management: Custom organization modeling to identify business and IT assets, including their relationships and interdependencies.
- Risk analysis: Custom risk analysis methodology and workflow to identify, prioritize and mitigate risk throughout the organization.
And in the compliance area:
- Controls analysis: Custom self-assessment workflow to analyze established controls.
- Controls testing: Custom testing workflow to periodically measure and test established controls.
- Controls automation: Custom APIs to automate collection of established controls from other products.
DI: How has the recent acquisition of Mirage Networks improved your product offerings in the GRC market?
JK: Mirage Networks’ Network Access Control (NAC) solution will provide real-time vulnerability and compliance information integrated directly with Trustwave GRC assessments and dashboard. It will be utilized along with TrustKeeper®, Trustwave’s industry-leading, web-based portal used by organizations to monitor their security, as well as with TrustKeeper Agent, an on-site monitoring software that performs policy checks and inspects for prohibited data storage on any system on which it is installed. Additional third-party GRC systems are also part of the mix.
DI: What’s the process if someone wanted to evaluate your solutions?
JK: Contact the Trustwave sales department to set up a generic and/or customized demo. A customized demo will illustrate the core functions of Trustwave GRC in relation to an organization’s high-level business needs. If interested, Trustwave offers a proof of concept to further align your business requirements with the Trustwave GRC solution and allow you dedicated access to the system for a finite evaluation period.
DI: Tell us about your customers. What key clients are using your solutions?
JK: While we cannot name specific clients, we can say that we use our solution ourselves and have the following types of clients: a global travel provider, national banks and a large medical facility, just to name a few. Clients deploy in both hosted and customer premise equipment (CPE) environments. They use the system for distributed vendor risk management, PCI DSS compliance, regional standards and regulations, internal policy, and combinations of these.
DI: Have the recent economic troubles affected the GRC solutions industry and the demand for your products?
JK: Demand for the product is driven by industry and legislative regulations imposed upon business. The economic situation has not affected that in a negative way, and in fact, may have increased the drive for risk management and compliance. While the demand is the same, the funds available for enterprise-level purchases have become more competitive within any given potential customer. It puts the onus on us to provide clear understanding of customer needs, a specific value-add and definite ROI.
DI: What new products or developments are in the works that you would be able to share with us?
JK: Three items come to mind:
TrustPAKs: Preconfigured out-of-the-box workflow supporting the end-to-end GRC lifecycle for specific control areas with little to no client or Trustwave consulting required for configuration. We intend to start with TrustPAKs for PCI DSS, PCI Self-Assessment Questionnaire and Vendor Management, followed by others such as ISO 27001, BITS/FISAP, HIPAA and combinations of cross-mapped control programs.
There's also internal customized configuration: This configuration supports our global professional services group in Compliance Validation Services (CVS-1) and Payment Application Data Security Standard (PA DSS), allowing full transparency into the Trustwave processes, as well as direct client feedback and dashboarding. The tool ensures consistency across our CVS-1 and PA DSS services, as well as providing the metrics to reengineer the processes to benefit clients.
And finally, continued research: We are identifying areas of new functionality to support ease of configuration for both internal staff and clients to ensure fast and efficient deployments.
Joe Krause is the Director of Product Management, responsible for the Trustwave GRC product line. Joe has more than 13 years of experience in information security, including implementation of security solutions as well as building corporate information security governance and compliance programs. Prior to his current position, Joe served as a Managing Consultant for Trustwave, responsible for managing a team of consultants and organizing and executing information security and compliance validation assessments for merchants and service providers worldwide.