Free cheese in a mousetrap, or a tale of lost time

How I chose the SGRC system for the SME segment

Author: Daniil Kambulov, development director of Smart-Trade

Since 2022, our country's government and commercial sectors have been under a barrage of cyber attacks. Protecting critical IT processes has gone from yesterday's luxury to today's necessity. Information security is the number one trend in the country's IT development, and this applies not only to large companies but also to small and medium-sized businesses (SMEs). SMEs do not have large budgets, yet we too are forced to look for effective means of cyber protection with an optimal price-to-quality balance.

I am the head of a rapidly growing company engaged in electronics trading through marketplaces and B2B systems. In 2022 our transaction volumes quadrupled, and the same happened in 2023. This multiple growth is driven by the introduction of new IT solutions that automate work with suppliers and customers. For us, the functionality of our systems for interacting with vendor APIs and publishing feeds is a vital need. In the event of a DDoS attack or a targeted attack on the nodes of our platform, we immediately begin to suffer serious losses, and the longer it takes to eliminate the external aggression, the more painful the losses become. A rational decision was made to invest in the protection of our IT service.

I would like to share my practical experience of choosing a solution and the set of criteria worth paying attention to; perhaps this will be useful to colleagues in the trade. We at Smart-Trade understand how important it is to ensure information security now, and we are working closely on this problem. In particular, we recently considered purchasing an SGRC (Security Governance, Risk, Compliance) system. SGRC interests us primarily for automating routine operations (there are no spare employees), managing cybersecurity risks, ensuring compliance with legislation, standards and best practices, and ensuring the continuity of core business processes.

We started from the premise that there are serious, proven products on the market from vendors such as R‑Vision, Security Vision and UCSB, and that they cost a lot. So we either had to "tighten our belts" and consider them, or look for a more budget-friendly option that would still solve our problems. We took the second path, and after a short search we came across the SGRC from SECURITM. The stated cost of this software is several times lower than the products of the vendors mentioned above. The vendor's price list is public, so I am not revealing anything new:

  1. On-premises installation: RUB 1,455,000.

  2. Cloud version: from RUB 375,000 to RUB 575,000 per year.

Driven by strong economic interest and research curiosity, we began to study this solution, hoping that miracles were possible and that in front of us was a simple, effective and extremely cheap SGRC about to disrupt the market. Below I describe the results of our research.

What confused me at the start, of course, was that:

– The company does not hold FSTEC or FSB licenses for work related to information security. It has no licenses at all.

– At the same time, data about customer companies' activities is transferred to the cloud (the most cost-effective deployment option, and the one the vendor declares as its priority). But since we only considered an installation inside our own perimeter, we did not think much about the SaaS approach.

– The company's average headcount for 2020, 2021 and 2022 is 1 person, and it has not grown over the years of the company's existence. Still, the price was very attractive.

– De jure, the product is not an information security product (neither under the Ministry of Digital Development classification nor under FSTEC or FSB); it is registered under No. 11924 in the Register of Domestic Software as:

  • 12.20 Information systems for solving specific industry problems

  • 05.11 Intelligent means of managing expert activities

  • 63.11 Data processing, hosting and related services

There is a lot of information on the vendor's website about information, economic and physical security, but the solution itself is de jure not a means of protecting information: it has no FSTEC certification for a trust level and contains no security functions. This was confusing, but, as far as the marketing colleagues understand it, perhaps someday it will become an information security product. For example, the Skolkovo website (https://navigator.sk.ru/orn/1125052) mentions IRP in the product, but there are no such functions in the product. Then again, we are not a government agency and for us this is not a strict requirement; the main thing is the functions. And then the price clouded my eyes).

To the point

I will say right away that I have worked with SGRC-class products before, mostly international ones, so I have an understanding of which criteria matter and the technical depth to assess them. When testing the solution, we prepared criteria for the modules we were seriously considering.

Asset Management Module (ITAM)

| Criterion | SECURITM Assets |
|---|---|
| Asset types | A large number of asset types are declared, but they are all the same objects with basic properties. In fact, there is one type of asset. |
| Card settings | No card settings are provided. There is no way to add new properties or change their position on the card, and style changes (font, sizes, colors) are not possible. |
| Connection graph | There is a basic connection graph with the ability to go to the object card directly from the graph. It is available only in a separate window. Actions cannot be added to it, and the direction of connections and other visual effects cannot be shown. |
| Role model | Absent. |
| Integration | Limited integration with no ability to create new ones: the "box" has Active Directory integration and import from MS Excel. There is no inventory process. |
| Process automation | There is no automation. Filling and other actions are manual. |
| Asset life cycle | No asset life cycle: there is no way to manage the state of equipment (breakdown, repair, decommissioning) or software (installation, update, removal). |

The module lets you maintain a register of assets with relationships between them built manually, which makes it useless. No built-in expertise is included. There is no data model for each specific asset type. There is no automation, only manual input. Active Directory integration is available, as is asset import via Excel; no other integrations are provided.

Risk management module

| Criterion | SECURITM Risks |
|---|---|
| Threat model | Absent. |
| Questionnaires | There is no full-fledged mechanism for sending questionnaires to experts for assessment. A questionnaire cannot be sent to a specific employee to fill in information. The Polls functionality does not work. |
| Calculation method for risk assessment | Several simplified formulas for calculating the risk assessment are built in. There is no possibility of using your own methodology. |
| Automatic start of assessment | There is no possibility of regular (scheduled) assessment. |
| Key risk indicators | None. |
| Protection measures | There is no modeling to assess how the risk assessment changes when protective measures are implemented. |
| Tasks for implementing protective measures | Only the general task functionality with a fixed set of statuses. There is no way to set an SLA, accept a task or return it for revision, or send a notification when deadlines are missed. There is no "timeline" view. |

The product has no built-in threat model. It is possible to maintain a threat register and assess risks, but without linking a risk to a specific asset. Risk assessment uses formulas with no validation, which can produce results inconsistent with logic. There is neither automation nor any possibility of customization to introduce your own calculation methods.
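Two of the gaps above, formulas with no input validation and no way to model how a protective measure changes the assessment, are easy to illustrate. The following is an added example written for this review, not SECURITM's code or formulas: a qualitative risk tied to a specific asset, with the inputs checked before anything is computed, and a residual-risk calculation for a planned measure. The 1..5 scales, the score bands and the reduction values a measure carries are assumptions.

```python
"""Validated qualitative risk scoring with a what-if for protective measures.

Added illustration, not SECURITM code. The 1..5 scales, the score
thresholds and the reduction values a measure carries are assumptions
made for this example.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # assumed scale for likelihood and impact


def check_inputs(likelihood, impact):
    """Return a list of validation problems; an empty list means the inputs are usable."""
    problems = []
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        # bool is a subclass of int, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name} must be an integer, got {value!r}")
        elif not SCALE_MIN <= value <= SCALE_MAX:
            problems.append(f"{name} must be in [{SCALE_MIN}, {SCALE_MAX}], got {value}")
    return problems


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str          # the risk is always tied to a specific asset
    likelihood: int
    impact: int

    def __post_init__(self):
        problems = check_inputs(self.likelihood, self.impact)
        if problems:
            raise ValueError("; ".join(problems))

    @property
    def score(self) -> int:
        return self.likelihood * self.impact      # 1..25 on the assumed scales


@dataclass(frozen=True)
class Measure:
    name: str
    likelihood_reduction: int = 0   # levels subtracted once the measure is implemented
    impact_reduction: int = 0


def residual_risk(risk, measure):
    """Model the risk after a measure is implemented, clamped to the scale floor."""
    return Risk(
        risk.name,
        risk.asset,
        max(SCALE_MIN, risk.likelihood - measure.likelihood_reduction),
        max(SCALE_MIN, risk.impact - measure.impact_reduction),
    )


def risk_level(score):
    """Map a numeric score to a band; the thresholds are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed example: availability risk on the storefront gateway.
    r = Risk("DDoS on storefront", "web-gateway", likelihood=4, impact=5)
    m = Measure("Anti-DDoS service in front of the gateway", likelihood_reduction=2)
    print(r.score, risk_level(r.score))
    rr = residual_risk(r, m)
    print(rr.score, risk_level(rr.score))
    print(check_inputs(0, 5))
```

The point of `check_inputs` is that an out-of-range or non-numeric value is rejected before it reaches the formula, instead of silently producing a score that contradicts the methodology; `residual_risk` is the what-if the Protection measures row asks for.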

Compliance module

| Criterion | SECURITM Compliance |
|---|---|
| Availability of boxed standards | The product includes a set of standards. New external standards are added through a technical support request. In addition to the license, the commercial proposal (CP) includes development hours, so we understand this is refinement and development, not configuration through the interface of an already installed solution. The approach is clear; the question is one of speed and whether the standards and requirements I need will be on the company's roadmap. |
| Creation of internal standards | Internal standards can be created, but not on the basis of existing requirements; they must be rewritten manually from scratch. |
| Evaluation process | The assessment is carried out against selected standards without reference to specific objects. It works like a manual questionnaire. |
| Role model | Absent. |
| Questionnaires | Questionnaires exist but are difficult to use: there is no way to send a questionnaire to a specific employee to fill in information, or to customize the form and life cycle of the questionnaire. The Polls functionality does not work. |
| General view of the working document | Requirements are displayed in a single list; there is no way to group a standard by domain or by another directory. To process each requirement you have to expand it or "fall through" into the requirement card, which multiplies the number of clicks. The "bored" UX design makes the information hard to take in visually and forces constant scrolling. There is no way to adjust the visual appearance of the document or add new attributes and additional information about the object of assessment; the form is rigidly defined. |
| Manual closing of requirements | Requirements can be closed manually through a fixed set of answer options, without the ability to add or remove answers. |
| Response weights | Absent. Weighting is not applied to responses. |
| Closing requirements through measures | Available. One measure can cover several requirements, and when the corresponding document is completed, all such requirements are completed automatically. Measures are available from the supplied measures database, and custom measures can be created. |
| Measure life cycle | A life cycle of measures is available; all transitions between statuses are carried out manually. Measure statuses are hard-coded and cannot be customized. |
| Validation of responses | There is no response validation. |
| Correction tasks | There is functionality for correction tasks with a fixed life cycle. There is no possibility of setting an SLA, escalation, monitoring implementation, etc. The system is for one employee: he sets the task himself and completes it himself. |
| SD integration | One-way integration with JIRA: requests are sent without status feedback. |
| Notification system | There is no notification system, which is impossible to live with in today's reality of remote work, where nobody can be in front of a monitor constantly. |
| Automatic audit | There is no way to automate the process by launching a regular audit on a schedule. |
| Auto-compliance | No. What you fill in is what the system has. |
| Visualization | Several pre-configured widgets are included. You cannot customize or create widgets. There are no full-fledged clickable dashboards and no way to create your own. |
| Reports | Two reports are available for download. There are no regulatory reports or reports in the required forms, and no way to create custom reports. |

The module is strictly fixed functionality that lets you fill in information against the standards and evaluate the percentage of compliance from the point of view of the person filling it in. You can evaluate only one organization and, in effect, only one person can do it. The one-way Jira integration does not update statuses automatically, so you have to work fully in two interfaces. The functionality cannot be extended or modified. There is no way to apply your own methodology; the functionality imposes its own approach without any possibility of adapting it to the Customer's requirements.
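The one mechanism the Compliance module does offer, closing requirements through measures, is worth seeing next to two things it lacks: weighted answers and validation of responses. The block below is an added example written for this review, not SECURITM's data model: a small compliance register where a measure covers several requirements and completing it closes all of them, answers carry weights (with "n/a" excluded from the denominator), and unknown answer options or unknown requirement ids are rejected. The standard, requirement ids, measures and weights are constructed for the example.

```python
"""Closing requirements through measures, with weighted and validated answers.

Added illustration, not SECURITM code. Requirements, measures and the
answer weights are constructed for the example; the logic is the one
the review describes: one measure may cover several requirements, and
completing the measure closes every requirement it covers.
"""
from collections import defaultdict

# Answer options and their weights (assumption: weighted rather than yes/no).
# "n/a" has no weight and is left out of the compliance percentage.
ANSWER_WEIGHTS = {"yes": 1.0, "partially": 0.5, "no": 0.0, "n/a": None}


class ComplianceRegister:
    def __init__(self):
        self.requirements = {}                  # req_id -> description
        self.answers = {}                       # req_id -> answer option
        self.measure_to_reqs = defaultdict(set)  # measure -> requirements it covers
        self.measure_status = {}                # measure -> "planned" | "implemented"

    def add_requirement(self, req_id, text):
        self.requirements[req_id] = text
        self.answers.setdefault(req_id, "no")   # unanswered counts as non-compliant

    def answer(self, req_id, option):
        # Validate both the option and the target before recording anything.
        if option not in ANSWER_WEIGHTS:
            raise ValueError(f"unknown answer option {option!r}")
        if req_id not in self.requirements:
            raise KeyError(f"unknown requirement {req_id!r}")
        self.answers[req_id] = option

    def add_measure(self, measure, req_ids):
        missing = set(req_ids) - self.requirements.keys()
        if missing:
            raise KeyError(f"measure {measure!r} references unknown requirements {sorted(missing)}")
        self.measure_to_reqs[measure] |= set(req_ids)
        self.measure_status.setdefault(measure, "planned")

    def complete_measure(self, measure):
        """Mark the measure implemented and auto-close every requirement it covers."""
        if measure not in self.measure_to_reqs:
            raise KeyError(f"unknown measure {measure!r}")
        self.measure_status[measure] = "implemented"
        for req_id in self.measure_to_reqs[measure]:
            self.answers[req_id] = "yes"
        return sorted(self.measure_to_reqs[measure])

    def compliance_percent(self):
        """Weighted share of applicable requirements, 0..100."""
        scored = [ANSWER_WEIGHTS[a] for a in self.answers.values() if ANSWER_WEIGHTS[a] is not None]
        if not scored:
            return 0.0
        return round(100 * sum(scored) / len(scored), 1)


def build_demo_register():
    """Constructed register in the style of a generic access-control/logging standard."""
    reg = ComplianceRegister()
    reg.add_requirement("AC-1", "Access control policy is documented and approved")
    reg.add_requirement("AC-2", "Accounts are reviewed quarterly")
    reg.add_requirement("AC-3", "Privileged access requires MFA")
    reg.add_requirement("LG-1", "Logs are retained for 12 months")
    reg.answer("LG-1", "partially")
    reg.add_measure("Deploy MFA on admin accounts", ["AC-3"])
    reg.add_measure("Adopt access control policy", ["AC-1", "AC-2"])
    return reg


if __name__ == "__main__":
    reg = build_demo_register()
    print(reg.compliance_percent())
    print(reg.complete_measure("Adopt access control policy"))
    print(reg.compliance_percent())
```

Completing "Adopt access control policy" closes both AC-1 and AC-2 in one step, which is the behaviour the review credits the product with; the weighted percentage and the rejection of unknown options are the parts it reports as missing.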

Technical vulnerability management module

| Criterion | SECURITM VM |
|---|---|
| Vulnerability management | The main task of the Technical Vulnerability Management module is to process reports from vulnerability scanners in order to link assets with the identified vulnerabilities and create tasks to eliminate them. Additionally, it can calculate an integral vulnerability assessment based on information about the vulnerability and about the host (such as access from the Internet, the number of vulnerable hosts, and the host group). |
| Vulnerability card | Limited set of fields without customization options. |
| Vulnerability enrichment | There is no mechanism for automatic enrichment of either the vulnerability or the host, and no integration with external vulnerability databases. Thus the vulnerability in the system is exactly what the scanner report contains, and if the analyst needs additional information, he has to look for it himself in third-party systems. |
| Vulnerability check | There are no mechanisms to verify the presence of a vulnerability: no tool that could contact a vulnerable host and confirm the presence of vulnerable software of a specific version. |
| Automatic regular scans | Not possible. |
| Software update | There is no way to run software updates from the system itself. |
| Integration with vulnerability newsletters | Absent. |
| Vulnerability management policy | Absent. |
| Own vulnerability scanner | Absent. |
| Vulnerability elimination tasks | Only the general task functionality with a fixed set of statuses. There is no ability to set SLAs or delegate responsibility to a group, etc. |

The product lets you maintain a register of vulnerabilities obtained from external vulnerability scanners. Vulnerability enrichment is not provided. There is no way to run internal or external scanners on a regular basis and process the results automatically. The product has no scanner of its own.
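The Vulnerability management row describes the core of such a module in two steps: link scanner findings to assets, then derive an integral assessment from the finding plus host context (Internet exposure, host group, number of affected hosts). The following is an added example written for this review, not SECURITM's algorithm: it parses a constructed scanner export, drops rows for hosts missing from the asset register or with an out-of-range score, and ranks vulnerabilities by a context-weighted score. The CSV layout, the asset register and the weighting factors are assumptions.

```python
"""Linking scanner findings to assets and computing an integral priority.

Added illustration, not SECURITM code. The scanner export format, the
asset register and the weighting factors are assumptions; the idea is
the one the review describes: take the scanner's finding, add host
context, and derive an integral assessment used to order remediation.
"""
import csv
import io
from collections import defaultdict

# Constructed asset register: host -> context the scanner does not know.
ASSETS = {
    "10.0.1.10": {"group": "storefront", "internet_facing": True},
    "10.0.1.11": {"group": "storefront", "internet_facing": True},
    "10.0.2.20": {"group": "office", "internet_facing": False},
}

# Assumed business-criticality weight per host group.
GROUP_WEIGHT = {"storefront": 1.5, "b2b-api": 1.5, "office": 1.0}

# Constructed scanner export, one row per host/finding pair.
SCANNER_CSV = """host,vuln_id,cvss,title
10.0.1.10,VULN-0001,9.8,Remote code execution in web framework
10.0.1.11,VULN-0001,9.8,Remote code execution in web framework
10.0.2.20,VULN-0002,7.5,Outdated office client
10.0.1.10,VULN-0003,5.3,Information disclosure in TLS configuration
10.0.9.99,VULN-0004,4.0,Host that is not in the asset register
"""


def parse_findings(text):
    """Return (findings, unmatched): rows linked to registered assets, and rows that could not be."""
    findings, unmatched = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            cvss = float(row["cvss"])
        except (TypeError, ValueError):
            unmatched.append(row)
            continue
        if not 0.0 <= cvss <= 10.0:        # refuse out-of-range scores rather than propagate them
            unmatched.append(row)
            continue
        if row["host"] not in ASSETS:      # an unknown host is an inventory gap, not a finding
            unmatched.append(row)
            continue
        findings.append({"host": row["host"], "vuln_id": row["vuln_id"],
                         "cvss": cvss, "title": row["title"]})
    return findings, unmatched


def integral_scores(findings):
    """One score per vulnerability: CVSS scaled by exposure, host group and spread."""
    per_vuln = defaultdict(list)
    for f in findings:
        per_vuln[f["vuln_id"]].append(f)
    scores = {}
    for vuln_id, rows in per_vuln.items():
        hosts = {r["host"] for r in rows}
        cvss = max(r["cvss"] for r in rows)
        exposure = 1.5 if any(ASSETS[h]["internet_facing"] for h in hosts) else 1.0
        group = max(GROUP_WEIGHT.get(ASSETS[h]["group"], 1.0) for h in hosts)
        spread = 1.0 + 0.2 * (len(hosts) - 1)   # each additional affected host adds 20%
        scores[vuln_id] = cvss * exposure * group * spread
    return scores


def remediation_order(scores):
    """Vulnerability ids from highest to lowest integral score; ties broken by id."""
    return [v for v, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    found, skipped = parse_findings(SCANNER_CSV)
    order = remediation_order(integral_scores(found))
    print(order)
    print("unmatched hosts:", [r["host"] for r in skipped])
```

Note that VULN-0003 (CVSS 5.3, on an Internet-facing storefront host) ends up ahead of VULN-0002 (CVSS 7.5, on an internal office host): that reordering is exactly what host context adds over the raw scanner report, and it is why the review treats enrichment and asset linkage as essential.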

Common modules (task management, surveys, RPA automation)

| Criterion | SECURITM |
|---|---|
| Setting up menu sections | You cannot customize the solution's menu to suit your needs, change the nesting of tabs, or rename individual sections. |
| Role model | The role model consists of 4 fixed roles that cannot be customized; new roles cannot be added. |
| Displaying objects | Objects are displayed in views that cannot be customized. You cannot save filters, there is no hierarchical display, and there are no quick transitions between related sets of objects. |
| Changes to objects | Changes are made manually; there are no mass actions. |
| Working with data | There is no validation of values, no auto-filling of fields and no removal of duplicate cards. |
| General view of objects | Object cards hold a limited set of basic properties. No card settings are provided: there is no way to add new properties, change their position on the card, or make style changes. |
| Connection graph | There is a basic connection graph (in the Assets module), but actions cannot be added to it, and the direction of connections and other visual effects cannot be shown. You can go to the object card directly from the graph. It is available only in a separate window. The graph is built manually, which makes it useless. |
| Workflows | No workflow functionality: pre-configured transitions between built-in states without the ability to make changes. |
| Questionnaires | Questionnaires exist but are difficult to use. A questionnaire cannot be sent to a specific employee to fill in information. The Polls functionality does not work. |
| Integrations | Several out-of-the-box integrations (Active Directory, Kaspersky, Excel, vulnerability scanners, JIRA). Existing integrations cannot be customized and new ones cannot be added. |
| Notifications and reminders | There are no built-in notifications or mail server integrations. |
| Widgets and dashboards | A number of widgets are built in (in each module), but there is no widget library for building custom dashboards. There is no ability to create your own widgets or group them into dashboards (for general filtering and analysis). |
| Reports | There is a small number of built-in reports. There is no report library and no ability to create your own reports. No automatic report generation. There are no regulatory reports and no reports in the required forms. |
| Appearance | There is no "dark" or other theme. |
| Multilingual | An English interface or other languages are not supported. |

The product is positioned as a service for automating information security management processes. It is delivered as a boxed solution with modules for managing assets, vulnerabilities and risks, monitoring compliance with requirements and standards, and others. It allows objects to be created manually. No ability to customize or extend the functionality is provided. No built-in expertise is provided (except for some protective measures in the Compliance module). None of the modules is fully developed and finished. Automation without workflow functionality calls the feasibility of implementing the solution into question.
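The same complaint recurs in every module: tasks have a fixed set of statuses, transitions cannot be changed, there is no SLA and nothing fires when a deadline is missed. The block below is an added example written for this review, not SECURITM's task engine: a task workflow whose transitions are data rather than hard-coded branches (so a "returned for revision" path can be added or removed per deployment), a per-task SLA, and a check that lists the tasks that have passed their deadline, which is the hook a notification would hang on. The states, the SLAs and the sample tasks are assumptions.

```python
"""Configurable task workflow with SLA tracking.

Added illustration, not SECURITM code. The states, transitions, SLAs and
the sample tasks are assumptions chosen to show what the review finds
missing: editable transitions, a 'returned for revision' path, and a
check that flags tasks whose deadline has passed.
"""
from datetime import datetime, timedelta

# Transitions are data, not code, so a deployment can change them without a release.
TRANSITIONS = {
    "new":         {"in_progress"},
    "in_progress": {"review", "new"},
    "review":      {"done", "in_progress"},   # the reviewer may return the task for revision
    "done":        set(),
}


class Task:
    def __init__(self, title, assignee, created, sla=timedelta(days=7)):
        self.title, self.assignee = title, assignee
        self.state = "new"
        self.deadline = created + sla            # SLA is set per task, not fixed system-wide
        self.history = [("new", created)]        # the "timeline" the review asks for

    def move(self, new_state, when):
        if not can_move(self, new_state):
            raise ValueError(f"{self.state!r} -> {new_state!r} is not an allowed transition")
        self.state = new_state
        self.history.append((new_state, when))


def can_move(task, new_state):
    """True if the configured workflow allows the transition from the task's current state."""
    return new_state in TRANSITIONS.get(task.state, set())


def overdue_tasks(tasks, now):
    """Titles of tasks past their SLA deadline and not yet done; feed this to a notifier."""
    return [t.title for t in tasks if t.state != "done" and now > t.deadline]


def build_demo_tasks():
    """Constructed tasks and timestamps for the example."""
    t0 = datetime(2024, 3, 1, 9, 0)
    patch = Task("Patch web framework on storefront hosts", "ops", t0, sla=timedelta(days=3))
    policy = Task("Approve access control policy", "ciso", t0)
    patch.move("in_progress", t0 + timedelta(hours=2))
    patch.move("review", t0 + timedelta(days=1))
    patch.move("in_progress", t0 + timedelta(days=1, hours=1))   # returned for revision
    policy.move("in_progress", t0 + timedelta(days=1))
    return [patch, policy], t0


if __name__ == "__main__":
    tasks, t0 = build_demo_tasks()
    print(overdue_tasks(tasks, t0 + timedelta(days=4)))
    for state, when in tasks[0].history:
        print(when.isoformat(), state)
```

Because `TRANSITIONS` is plain data, adding an "escalated" state or removing the revision path is a configuration change; `overdue_tasks` is the place a scheduled job would run before sending mail or creating a Jira comment.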

Conclusions

The conclusion is simple: a miracle did not happen, no matter how much we wanted one. Time was spent on research and testing, and as a result we returned to the starting point of the choice.

It turned out to be more of a tool similar to a CRM or Service Desk, but without workflows and with everything managed manually. We missed information security expertise in the product, in the form of out-of-the-box content, and flexibility for automating information security. Perhaps it will be enough for someone; it is difficult to judge.

Now, for us, dumping prices are rather a reason to be wary. This concludes our epic search for budget options; the next stage is finding the budget for a mature, high-quality solution that will raise our company's information security to an acceptable level. Perhaps reputable vendors also have a good-quality budget offering. I consider it valuable and important to share our experience of researching the current information security market in the Russian Federation; it should be useful to colleagues selecting SGRC solutions.
