Organizations are often faced with requirements for compliance against multiple frameworks, standards, or regulations. Qmulos’ Enterprise Compliance (Q-Compliance) application, powered by Splunk, has a Frameworks Dashboard feature that enables organizations to score themselves against other frameworks using the NIST 800-53 controls catalog as the common Rosetta Stone across these other frameworks. In the Spring Release, Q-Compliance takes this flexibility to the next level with the introduction of the Dynamic Control Architecture.
The Dynamic Control Architecture will enable Q-Compliance to integrate controls from multiple standards beyond NIST 800-53 such as GDPR, HIPAA, PCI and even custom controls. Now organizations can automate compliance against multiple standards down to the individual control level independent of any mappings. Compliance against those multiple standards can be automatically assessed against a single source of truth, the events in the Splunk indexes, using a vast and growing library of reusable components for analytics and visualizations. In addition, these analytics and visualizations for technical control evidence can be added or changed dynamically through a simple plug-and-play interface allowing for easy customization.
I can’t believe it, but Qmulos is celebrating our Five-Year Anniversary! I couldn’t be more excited about our clients, our team, and our future. I don’t usually like to talk about ourselves, I prefer to let our customers to do the talking for us, but I’d like to make an exception, just this once.
We started with an idea and a passion to change how cyber compliance gets done and what it could mean to overall security if it was done right. We used to share the belief, one that many security practitioners still hold, that compliance is a complete waste of time and money and doesn’t actually improve security. People even started calling it “risk management” to get away from the negative connotations of “compliance” but this didn’t actually change anything. CISOs I have worked with in virtually every industry have essentially been forced, due to fear of audit findings, to spend untold millions on armies of people to generate paperwork, issue data calls, fill-in static spreadsheets, and upload “evidence” into extremely expensive legacy GRC tools, where they spend many more millions to show auditors how “secure” they are and how well they are managing risk. Sadly, this had been going on for 30 years and we felt it was finally time for a change.
What we realized when we started the company was that implementing a set of thoughtful security controls, the underpinnings of cybersecurity compliance, and monitoring them in near-real time, is extremely valuable to improving real security. The only bad thing was the way this was being done. Out of necessity, since it was the best technology available, compliance was implemented using relational databases. The Gartner Quadrant for IT-GRC is littered with legacy vendors promoting this type of approach. The problem is that this architecture does not provide the vital flexibility and adaptability necessary to do compliance in a valuable way. Compliance, or, real-time risk management, requires a method to keep up with a large volume of constantly changing disparate data from various tools, operating systems, and devices across your IT infrastructure to inform security personnel and system owners about the real-time status of their security controls and systems.
We solved this problem by building the first, as far as we know, GRC solution on top of the world’s leading big data platform, Splunk! As a result, we’ve come full circle to understand that compliance (e.g. monitoring a comprehensive set of security controls), when done on big data, is VITAL to real security. To understand the value, just look at the security controls within the NIST RMF Catalog (NIST SP 800-53). These controls have been defined over many years, are updated frequently, and cover virtually every threat. What does that mean? Well, if you can implement and monitor this holistic set of security controls in near real-time, you will likely have the best security program on the planet- the exact opposite of a complete waste of time and money!
Qmulos has realized the dream of Information Assurance professionals at all levels across the Globe. We have disrupted the legacy compliance market and are enabling CISOs around the country to realize that doing “compliance” on top of big data is the best way to dramatically improve operational security. We are enabling CISOs to finally bring together their operational security budgets and resources with their compliance budgets and resources and align them toward one common goal – better security. At Qmulos, we holistically define what you need to monitor (breadth of security controls), enable you to do so accurately (automation), in a timely manner (near-real time), and on a flexible platform (Splunk) that adapts to constantly changing environments in hours instead of months.
I am very proud of how far we’ve come, very appreciative of all of our forward-thinking customers and partners who immediately saw the value of our “new paradigm” of compliance on big-data, and very grateful for our dedicated team of super-humans, thanks Qmulites! The future is limitless as we continue to help others realize the value of doing compliance and risk management in a way that improves security!