Cyverity

Tools for Simplifying Regulatory Requirements for Risk Assessment

Secretary by computer

Speaker: James Tarala
Event: SANS Webcast
Date: September 23, 2024
Watch on YouTube: https://www.youtube.com/watch?v=Z4wmagDyTF8 

Introduction 

Regulatory compliance requirements can be overwhelming, especially when organizations need to balance security risks with business operations. In this SANS webcast, James Tarala provides practical guidance on simplifying regulatory risk assessments by leveraging efficient tools, frameworks, and automation. 

James Tarala highlights that many organizations struggle with navigating complex regulatory landscapes, but the right methodologies and tools can streamline compliance efforts while improving overall cybersecurity posture. 

 

Key Takeaways 

  • Regulatory compliance does not have to be overly complex. Many organizations overcomplicate risk assessments due to inefficient processes and lack of automation. 
  • Risk assessments should focus on business mission alignment. The goal is to identify missing safeguards that leave the organization exposed to security threats. 
  • Threat modeling and safeguard validation are essential. Risk assessments must go beyond checkbox compliance and ensure security controls are effective. 
  • GRC tools, Excel-based solutions, and automation platforms can simplify compliance tracking. The right tools help organizations visualize security gaps and prioritize remediation efforts. 
  • Organizations should prioritize a safeguard-centric approach. Cybersecurity risk assessments should focus on validating existing security measures rather than just identifying threats. 

 

Summary of the Discussion 

Why Regulatory Risk Assessments Matter 

Many organizations conduct risk assessments because they are required to, not necessarily because they see the value in them. However, Tarala explains that effective risk management enables businesses to achieve their mission while minimizing security threats. 

The main objectives of risk assessments include:

  1. Identifying missing safeguards that could leave an organization vulnerable. 
  2. Aligning cybersecurity measures with business objectives. 
  3. Validating the effectiveness of security controls rather than just listing risks. 
  4. Ensuring regulatory compliance without overburdening security teams.

By simplifying risk assessments, organizations can turn compliance efforts into strategic security improvements. 

 

The Governance and Risk Model 

To better illustrate the connection between governance and risk management, Tarala introduces a governance and risk model that aligns business goals with cybersecurity priorities. 

  • Governance establishes the security program foundation. It includes asset inventory, policy development, and security education. 
  • Risk assessments serve two main purposes:  
     1. Safeguard Selection – Identifying which security measures are most effective for a given environment. 
     2. Safeguard Validation – Ensuring security controls are correctly implemented and effective.

Unfortunately, most organizations focus only on risk identification without validating whether mitigations are truly reducing risk. 

 

Tools for Simplifying Risk Assessments 

James Tarala emphasizes that automation and structured processes are key to making risk assessments more efficient and actionable. He categorizes risk assessment tools into three main groups: 

  1. Governance, Risk, and Compliance (GRC) Platforms
     • GRC tools help organizations track compliance obligations, manage security controls, and automate assessments. 
     • Popular GRC solutions include:  
       • ServiceNow GRC – Enterprise-level compliance tracking and automation. 
       • OneTrust – Privacy and compliance management. 
       • Eramba – Open-source GRC platform with compliance tracking capabilities. 
     • Challenges:  
       • GRC platforms require significant setup and maintenance. 
       • Without proper integration, GRC data often becomes outdated or unused.

 

  2. Excel-Based Risk Assessment Tools
     • While many security teams dismiss Excel as outdated, Tarala argues that Excel remains one of the most practical tools for small and mid-sized organizations. 
     • Benefits:  
       • Quick implementation without complex integrations. 
       • Customizable risk assessment templates tailored to organizational needs. 
       • Structured dashboards for tracking security controls and gaps.
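The safeguard-centric register described above (a safeguard is either missing, implemented but never validated, or implemented and validated, with gaps prioritized by how directly the control supports the mission) can be held in a spreadsheet and processed with a few lines of code. The following is an added example, not code from the webcast or from any product it mentions. The column names, the 1 to 3 criticality scale, the safeguard IDs and the sample rows are all constructed for illustration; in practice the CSV is whatever the Excel register exports.

```python
"""Minimal safeguard-centric risk register (constructed example).

A gap is any safeguard that is either not implemented, or implemented but
never validated. Gaps are ranked by criticality (3 = directly supports the
business mission, an assumed scale), with missing controls ranked above
unvalidated ones at equal criticality.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Safeguard:
    id: str
    name: str
    criticality: int      # assumed 1-3 scale, 3 = mission-critical
    implemented: bool
    validated: bool       # has the control been tested to actually work?
    evidence: str = ""    # pointer to the artifact that proves validation


# Constructed sample register; IDs, names and values are illustrative only.
SAMPLE_CSV = """id,name,criticality,implemented,validated,evidence
SG-01,Enterprise asset inventory,3,yes,yes,CAASM export reviewed 2024-09
SG-02,MFA on remote access,3,yes,no,
SG-03,Security awareness training,1,yes,yes,LMS completion report
SG-04,Backup restore test,3,no,no,
SG-05,Authenticated vulnerability scanning,2,yes,no,
SG-06,Privileged access review,2,yes,yes,
"""

TRUE_WORDS = {"yes", "y", "true", "1"}


def load_register(text: str) -> List[Safeguard]:
    """Parse a CSV register, i.e. what an Excel sheet would export."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        out.append(Safeguard(
            id=r["id"].strip(),
            name=r["name"].strip(),
            criticality=int(r["criticality"]),
            implemented=r["implemented"].strip().lower() in TRUE_WORDS,
            validated=r["validated"].strip().lower() in TRUE_WORDS,
            evidence=r["evidence"].strip(),
        ))
    return out


def check_register(safeguards: List[Safeguard]) -> List[str]:
    """Data-quality checks: a 'validated' claim needs an implemented control and evidence."""
    issues = []
    for s in safeguards:
        if s.validated and not s.implemented:
            issues.append(f"{s.id}: validated but not implemented")
        if s.validated and not s.evidence:
            issues.append(f"{s.id}: validated but no evidence recorded")
    return issues


def find_gaps(safeguards: List[Safeguard]) -> List[Tuple[Safeguard, str]]:
    """Return (safeguard, gap_type) pairs, highest priority first."""
    gaps = []
    for s in safeguards:
        if not s.implemented:
            gaps.append((s, "missing"))
        elif not s.validated:
            gaps.append((s, "unvalidated"))
    rank = {"missing": 0, "unvalidated": 1}
    gaps.sort(key=lambda g: (-g[0].criticality, rank[g[1]], g[0].id))
    return gaps


def summarize(safeguards: List[Safeguard]) -> Dict[str, float]:
    """Counts for a dashboard: only implemented AND validated controls count as effective."""
    total = len(safeguards)
    effective = sum(1 for s in safeguards if s.implemented and s.validated)
    gaps = find_gaps(safeguards)
    return {
        "total": total,
        "effective": effective,
        "missing": sum(1 for _, t in gaps if t == "missing"),
        "unvalidated": sum(1 for _, t in gaps if t == "unvalidated"),
        "coverage_pct": round(100.0 * effective / total, 1) if total else 0.0,
    }


def gaps_to_csv(gaps: List[Tuple[Safeguard, str]]) -> str:
    """Remediation worklist, ready to paste back into the sheet or a BI dashboard."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["priority", "id", "name", "criticality", "gap_type"])
    for i, (s, t) in enumerate(gaps, start=1):
        w.writerow([i, s.id, s.name, s.criticality, t])
    return buf.getvalue()


if __name__ == "__main__":
    reg = load_register(SAMPLE_CSV)
    for issue in check_register(reg):
        print("DATA ISSUE:", issue)
    print(summarize(reg))
    print(gaps_to_csv(find_gaps(reg)))
```

The point of the data-quality check is the one Tarala makes about validation: a row marked "validated" with no evidence behind it is just a checkbox, so the register refuses to count it as clean. In the sample, SG-06 is flagged for exactly that, and the worklist puts the missing backup restore test ahead of the unvalidated MFA control because both are mission-critical but one does not exist at all.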

 

  3. Automation & Continuous Monitoring Tools
     • Advanced organizations move beyond manual assessments to real-time risk tracking and automation. 
     • Recommended tools:  
       • Cyber Asset Attack Surface Management (CAASM) platforms (e.g., Axonius, runZero) for asset visibility. 
       • Security Information and Event Management (SIEM) systems for real-time threat detection. 
       • Power BI & Tableau – Business intelligence tools that visualize compliance data in interactive dashboards.
     • Challenges:  
       • Implementing automation requires structured security data and integrations. 
       • Some tools are better suited for mature security programs rather than beginners.

 

Prioritizing Risk Assessments Based on Business Needs 

Not all organizations need the same level of risk assessment rigor. Tarala suggests that organizations should assess:

  1. Maturity Level – Are you just starting, or do you have a structured security program? 
  2. Compliance Mandates – Are you required to follow HIPAA, PCI DSS, a NIST framework, or SEC regulations? 
  3. Operational Risk Appetite – Do executives prioritize security investments, or is compliance the primary goal?

By answering these questions, organizations can determine which tools and approaches are most suitable. 

 

Actionable Insights 

  • Use Excel-based tools to start. Many organizations overcomplicate risk assessments—simple spreadsheets can provide immediate value. 
  • If investing in a GRC tool, ensure adoption. Many organizations purchase GRC platforms but fail to maintain accurate data, making them ineffective. 
  • Move toward automation gradually. Once risk assessments are structured, explore CAASM, SIEM, and business intelligence tools for real-time tracking. 
  • Prioritize safeguard validation over just risk identification. Risk assessments should not just list vulnerabilities—they should confirm that security controls are working. 
  • Regulatory compliance should support security, not replace it. Use compliance requirements to strengthen cybersecurity, rather than just treating them as a legal obligation. 

 

Conclusion 

Regulatory risk assessments do not have to be complex—by leveraging structured processes, GRC tools, and automation, organizations can simplify compliance while improving security. 

Tarala emphasizes that risk assessments should be actionable, safeguard-driven, and aligned with business goals. By choosing the right tools and methodologies, organizations can enhance security governance, improve compliance efficiency, and ensure long-term resilience. 

 

For more insights on this topic, watch the full webcast at https://www.youtube.com/watch?v=Z4wmagDyTF8.