In this interview with Help Net Security, Nichole Windholz, CISO at Onspring, talks about the limits of automated GRC systems and continuous control monitoring. She explains why color-coded dashboards can hide nuance, how teams can check the data feeding their tools, and which risks resist measurement, such as insider behavior and vendor concentration.
Continuous control monitoring tools tend to produce a green-yellow-red mosaic that flattens nuance. When a CISO walks into a board meeting with that mosaic, what gets lost between the telemetry and the conversation?
A green-yellow-red view is a great, and in many cases, a highly necessary starting point, but it’s not comprehensive. The problem is that, without context, color-coded dashboards can make very nuanced issues look equivalent.
A red indicator might mean a control is completely missing, but could also mean evidence is stale, a business owner missed an attestation, a system changed without a corresponding update, or a threshold was crossed for a low-impact asset. Those are not the same risk. They don’t require the same response.
When nuance is flattened, the CISO is forced into a defensive posture. Instead…
