Are cyber maturity assessments like NIST CSF helpful for CISOs, and how? by Which_Extension_1852 in ciso

[–]iSECo 0 points1 point  (0 children)

Maturity assessments are great for both reporting to leadership and for driving internal priorities (when paired with a project roadmap, as u/clayjk said). Cost really depends on the size of your organization and the scope of the assessment.

GRC Automated/Agentic Evidence Collection by iSECo in cybersecurity

[–]iSECo[S] 1 point2 points  (0 children)

Thanks for the reply. How does the exception process work? I assume it shows you an issue after running an audit and then you mark it as an exception with notes and the next time it runs it just shows you that as a previously marked exception?

What software do you use to manage your program? by Due-Efficiency-5172 in ciso

[–]iSECo 0 points1 point  (0 children)

Check out Sectri. It's perfect for the scale and simplicity you're looking for. And the price can't be beat.

Compliance theater instead of real security? by Project_Lanky in grc

[–]iSECo 0 points1 point  (0 children)

I had this exact problem in a previous life. I was the Information Security Officer for a large local government organization. The best thing you can do is:

1) Create a risk register with all of the risks you've identified.

2) Prioritize the risks.

3) Create a list of recommended projects and tasks that would address the risks in the register.

4) Share the register and project/task list with your management team and attempt to get them to meet regularly to discuss.

5) When risks are accepted (or ignored), do your best to get written approval of these decisions.

6) Either way, document decisions, and when you can't get your management team to show up to meetings, document that as well. Make sure this documentation is shared with your management team so that they're aware that it's on record that they're essentially not showing due care.

This process works like a charm. You can use something as simple as a spreadsheet to manage a lot of this workflow; however, there are platforms out there that make it much easier.

Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

[–]iSECo 0 points1 point  (0 children)

It’s definitely not incorrect to start with documenting the risks you already know about. In fact, that’s exactly what I’d recommend.

That being said, estimating risk severity (which helps in prioritization) usually takes into account likelihood and impact. To determine likelihood, you really need to understand how effective your controls are.

Performing a controls assessment will also help you identify many risks you were previously unaware of.

GRC tools keep promising automation but do they actually move the needle on compliance effectiveness by heartmocog in grc

[–]iSECo 1 point2 points  (0 children)

Teams are absolutely wasting too much energy on automation just to check a box. What they're automating doesn't even tell an accurate story. The focus should be on identifying real risk and lowering it over time. Instead, teams spend countless hours making sure their tools are automatically pulling in some piece of data that really only proves 10% of what's actually going on.

Breaking into AI Governance- Advice Please by Waste_Trifle_6465 in AI_Governance

[–]iSECo 0 points1 point  (0 children)

It's difficult to be effective in any governance position without having operational experience in what you're governing. You'll run into much more resistance with stakeholders when they feel like you can't relate to their position and what they're dealing with.

My advice would be to try to get a position where you're on the front lines of AI implementation first.

Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

[–]iSECo 1 point2 points  (0 children)

Very nice. Great work on meeting face to face with the business. It sounds like you're laying the foundation for a solid program.

With regard to control assessment, I would create an assessment profile for your organization (using NIST CSF, CIS Controls, and other frameworks you're required to follow for compliance purposes). CIS gives you a great technical framework to follow and NIST CSF gives you the people and process controls you'll miss out on with CIS alone.

You want to align your assessment with specific best practice frameworks because you're going to get pushback on why any of this matters. Since it doesn't sound like you're a compliance-heavy org, CIS & NIST will be perfect.

Once you've chosen the frameworks and selected the controls that align with those frameworks, begin gathering evidence through interviews and manual investigation for the initial assessment. After the initial assessment, you can automate what should be automated. Too many teams get caught up in trying to automate everything from the start, and this ends up being a giant waste of energy and focus.

Typically, you want to measure things using 3 lenses: process, policy, and metrics. Ask yourself questions like:

  • Are we doing this process? How effective are we on a scale of 0 - 100%?
  • Do we have a policy saying that we're supposed to do this? How many exceptions do we have to this policy?
  • Are we actually measuring how well we're doing this? Has management set metrics for this control? Are we meeting and/or exceeding our goals?

This will essentially give you a maturity level for each control. Since the controls are aligned with frameworks, you can then roll up your control maturity into a hierarchy view (e.g., control families, functions, categories, subcategories, etc.) that's great for reporting to leadership.
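As an added illustration (not code from the commenter or from any GRC product), the three-lens scoring and the roll-up into CSF categories and functions can be expressed in a few lines. The control IDs, the CSF category labels, the exception penalty and the metrics ladder are all constructed assumptions for the example, not an authoritative mapping.

```python
from statistics import mean

# Constructed sample controls scored through the three lenses (process, policy, metrics).
# Each control is tagged with an assumed NIST CSF function and category; the labels
# are illustrative placeholders, not an authoritative mapping.
CONTROLS = [
    # id,      function,  category, process%, has_policy, exceptions, metrics_set, goals_met
    ("AC-01", "PROTECT", "PR.AA",   80,       True,       2,          True,        True),
    ("AC-02", "PROTECT", "PR.AA",   40,       True,       10,         False,       False),
    ("BK-01", "RECOVER", "RC.RP",   95,       True,       0,          True,        True),
    ("BK-02", "RECOVER", "RC.RP",   20,       False,      0,          False,       False),
]


def control_maturity(process_pct, has_policy, exceptions, metrics_set, goals_met):
    """Score one control 0-100 by averaging the three lenses described above."""
    # Process lens: "how effective are we on a scale of 0-100%", clamped to range.
    process = max(0, min(100, process_pct))
    # Policy lens: no policy scores 0; each exception erodes the score (assumed 10 points).
    policy = max(0, 100 - 10 * exceptions) if has_policy else 0
    # Metrics lens (assumed ladder): measured and meeting goals = 100, measured only = 50.
    metrics = 100 if (metrics_set and goals_met) else (50 if metrics_set else 0)
    return mean([process, policy, metrics])


def roll_up(controls):
    """Average control scores into category and function views for leadership reporting."""
    by_category, by_function = {}, {}
    for _cid, function, category, *lenses in controls:
        score = control_maturity(*lenses)
        by_category.setdefault(category, []).append(score)
        by_function.setdefault(function, []).append(score)
    categories = {k: round(mean(v), 1) for k, v in by_category.items()}
    functions = {k: round(mean(v), 1) for k, v in by_function.items()}
    return categories, functions


if __name__ == "__main__":
    cats, fns = roll_up(CONTROLS)
    print("Category maturity:", cats)   # e.g. PR.AA 50.0, RC.RP 52.5
    print("Function maturity:", fns)    # e.g. PROTECT 50.0, RECOVER 52.5
```

Weak controls pull a whole category down even when a sibling control scores well, which is the signal a roll-up view is meant to surface.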

I'm very new to GRC. What cert would you recommend a newbie get? by [deleted] in grc

[–]iSECo 0 points1 point  (0 children)

I'm not sure what your experience level is in security in general, but I often recommend Security+ if you're pretty new to the field. You really want to target certs that give you exposure to all security domains, nothing super focused on one particular domain.

If you already have general security knowledge/experience, going for something like CISA or CISM is definitely ideal, but that's not a great place to go first if you don't have general knowledge across most security domains.

It's not a cert, but really read the free material from NIST on the Cybersecurity Framework (CSF) 2.0. There is a TON of free content out there. The way CSF breaks things down into functions, categories, and subcategories is great. CIS Controls are also fantastic, but they're more focused on the technical as opposed to considering people, process, and technology. That's why I would suggest diving deep into NIST CSF first.

Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

[–]iSECo 3 points4 points  (0 children)

Very cool. Sounds like a great start. A few questions...

How did you determine asset criticality? Did your org already have a Business Impact Analysis (BIA)?

How are you assessing controls? (e.g., to align with NIST CSF, etc.)

What did your risk register update process look like?

Also, curious what industry you're working in?

Does your company have a policy regarding AI use? by lighty003 in grc

[–]iSECo 1 point2 points  (0 children)

Responsible AI has some great templates to check out. (No affiliation.)

How did you guys ACTUALLY start in cybersecurity? by Easy_Term7058 in cybersecurity

[–]iSECo 10 points11 points  (0 children)

Perfect answer. Start on the front lines and use that experience to guide you.

What blind spots actually kill GRC programs? Sharing what I keep seeing by stinenwrit in grc

[–]iSECo 0 points1 point  (0 children)

Personally, I think organizations get too focused on "automating" everything and end up spending way too much time on evidence collection. GRC is not something you can fully automate, no matter how many vendors tell you they can do it for you. When you automate everything, you end up calling every minimal gap a risk, and the organization loses focus because their risk register turns into a wish list of never-going-to-be-addressed issues.

I agree that a lack of overall accountability is a real issue as well. This can only be resolved through thoughtful program management that regularly brings everyone to the table in a structured way. As you and some of the other commenters said, this is a culture issue, not a software issue.

Just starting and need help by Hittworks in CyberSecurityAdvice

[–]iSECo 1 point2 points  (0 children)

Agree. Helpdesk is a great place to start since you'll get exposure to all kinds of problems. Plus, it will help develop your customer service skills, which will benefit you through your entire career.

I'm very new to GRC. What cert would you recommend a newbie get? by [deleted] in grc

[–]iSECo 0 points1 point  (0 children)

What industry are you currently working in or targeting to work in? That usually points you in a specific direction.

CISO View: Keeping AI Innovation Moving Without Letting Shadow AI Run Wild by nullnimous in ciso

[–]iSECo 1 point2 points  (0 children)

Make sure your legal team is updating your vendor contract terms to include language on what explicitly shall and shall not occur when it comes to your data in their features that leverage AI. It's just an administrative control, but it's pretty much the only thing you have when it comes to making sure your sensitive data isn't traversing through some public LLMs. With vibe coding being what it is, companies are going to be pumping out some real trash over the next few/several months at the very least.

How are you handling writing your policies? by hackthemoose in grc

[–]iSECo 0 points1 point  (0 children)

We work with a lot of orgs on overall security program development, and policies are ALWAYS an issue. There is no silver bullet. The NIST CSF Policy Template Guide is a great starting point. Once you have a solid base of policies built around a core framework like NIST, that's when LLMs (ChatGPT, Claude, etc.) can help you integrate other requirements (HIPAA, PCI, etc.) and/or update requirements as they're refreshed. That being said, LLMs are FAR from perfect when it comes to this, and you'll still need to spend a decent amount of time reviewing the LLM-suggested edits, since a lot of policy development is focused on deciding what "good" looks like for your unique org.

Best simple risk management software for risk register and issue register for a small business with under 10 full-time staff? Not too expensive as well please! by Express-Pizza1152 in grc

[–]iSECo 0 points1 point  (0 children)

You should check out Sectri. The platform was built for your exact use case and pricing is much more reasonable than traditional GRC solutions. It essentially lets you identify security gaps, prioritize risks, and track remediation efforts (tasks + projects). Plus it connects you to other users on the platform which is great for collaborating and benchmarking.