Site Menu

IT-GRC

By Jim Hietala
Published 03/12/2008

Michael Rasmussen has a great post on the difference between enterprise GRC and IT-GRC up on his blog. As someone who has previously worked for an early IT-GRC vendor, I have a lot of thoughts on the topic of GRC and IT-GRC.

Michael's fundamental assertion that enterprise GRC is a lot broader than IT-GRC is I think true. I also believe that the IT-GRC products tend to go a whole lot deeper than the enterprise GRC products, meaning that IT-GRC implementations necessarily get into the details of IT assets, and the multitude of controls that affect compliance and risk status.

Both IT-GRC and enterprise GRC are concerned with helping organizations to manage governance, risk and compliance, and there are many similarities between the products that address these markets. Both generally have assessment engines, status dashboards, and policy management functions. The IT-GRC products tend to have much less mature governance capabilities.

Both categories seem to be moving quickly towards automated (vs. assessment-based) gathering of control state.

More blog postings to come on the topic of IT-GRC. It is nice to see the large analyst firms come around to recognizing that the IT-GRC products are fundamentally different than the Paisley's, OpenPages, et al of the world.

Jim Hietala
www.compliancefocus.com

Jim Hietala

Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.

Blog: www.compliancefocus.com

Twitter: http://twitter.com/jim_hietala

LinkedIn: http://www.linkedin.com/in/jimhietala

Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy

Jim can be reached at: jim@compliancefocus.com