Teams don’t want to be buried in regulatory work; what they really want, above all else, is to be strategic rather than reactive and become an important part of the overall business’s success.
Governance, risk, and compliance (GRC) programs and teams are under tremendous pressure
as regulations increase across the board. Even the most well-resourced teams are stretched
thin, with multiple projects, tight deadlines, and loads of manual work.
GRC teams, of course, don’t want to be bogged down in what we call ‘muckwork’. At Tines, we
understand that teams don’t want to be buried in regulatory work; what they really want, above
all else, is to be strategic rather than reactive and become an important part of the overall
business’s success.
Automation and AI are the obvious answer to these challenges, and can eliminate the remedial
tasks associated with GRC and relieve the pressure on the teams responsible for compliance.
The challenge with this, however, is building trust with the platform providing these automation
and orchestration capabilities.
The key to meeting this challenge is to start with a small, high-impact change that shows value
and builds trust across the whole organization. And one of the first places to start is evidence
collection.
Evidence collection as a gateway to transforming GRC
Evidence collection is the systematic process of gathering, documenting, and preserving
information that may be relevant to an investigation, incident, or analysis. It’s one of the most
important elements of cybersecurity and serves as the foundation for tackling cybersecurity
threats.
However, it’s quite time consuming, and GRC teams can find themselves buried in an email
inbox all day; forced into a reactive position without any room to be proactive. It’s regularly cited
as a pain point among security leaders and practitioners—which means it’s an excellent use
case for those looking to embrace automation and AI by starting small.
First, it’s one of the most time-consuming and error-prone aspects of compliance. Auditors and
GRC teams juggle screenshots, logs, process docs, and certificates. This is often scattered
across emails, drives, and memory. Manual workflows stretch audit prep from weeks into
months. Automation can directly address this pain point by seamlessly pulling documentation
and mapping it to controls in real time.
Second, it quickly builds trust and visibility. Automated
evidence collection introduces consistent, reliable workflows that stakeholders can easily
understand and trust. It drastically reduces ad-hoc evidence hunts and late-night scrambles.
Therefore, it can serve as an inspiration to others looking for secure use cases to automate and
reduce muckwork.
Finally, evidence collection is ripe for scale. It’s a process that naturally scales as
documentation volumes grow, meaning that the ROI of automating the process only increases
over time.
In short, start with automation where it’s least disruptive and most visible, like evidence collection. Then,
let success light the path forward. This staged approach creates early champions, minimizes risk,
and avoids overwhelming teams.
Let’s take a look at a real-world example of this process in action.
How Tines and Regscale helped Dragos automate evidence collection
In our recent webinar, Three ways to mature your legacy GRC program in a highly regulated
environment, with Regscale and Dragos, we looked at the biggest roadblocks to maturing a
GRC program and how to evaluate what’s worth automating or standardizing in your GRC
workflows. One of the workflows discussed uses Tines and Regscale together to automate
evidence collection.
The workflow, which you can view here, uses Regscale’s native API and webhook functionality
to automatically send a notification email to an external Evidence Manager when a new evidence
record is created. The email explains the evidence collected and allows the Evidence Manager
to submit evidence by replying with an evidence file attached.
The reply is then automatically captured by Tines, and the submitted evidence is uploaded to
the correct evidence record in Regscale. The workflow takes the human out of the loop and
eliminates the need for them to work in email all day. This saves them hours of time and allows
them to focus on proactive and transformative work.
Start small but think big
In the webinar, Gavin Maxfield, VP of Customer Success and Services at Regscale, points out
that organizations that make the biggest leap forward in their GRC programs are those that
start small but think big. And by transforming an acute, high-impact pain point like evidence
collection, organizations can take an effective step toward changing the overall culture around
their legacy GRC programs.
The prebuilt workflow is available free to use in the Tines Library, and you can view the full
webinar, Three ways to mature your legacy GRC program in a highly regulated environment,
here.
If you’d like to test this workflow, or any other pre-built workflows, sign up for a free Tines
account.
Brought to you by Tines
