Vendors providing software that helps manage the overall IT risk and compliance process now have an official category: IT-GRC. Several leading analyst firms have now gravitated to this label. Becoming a part of a recognized market segment has obvious benefits for the leading vendors. But the IT-GRC label has some room for improvement….
I have an issue with calling this category IT-GRC. First, having looked at most of the leading products in this area, there is almost no “G” there, just risk and compliance capability and functionality. That’s probably to be expected, as most of the tools started out aiming more at compliance or risk management. Most of the vendors are struggling to understand just what governance functionality is required in their products. When I previously worked for one of these vendors, we had very few (as in *no*) customer requests for new features to help with IT governance. The leading analysts in this space are only now starting to define governance functionality requirements for IT-GRC products.
My advice here for analysts and vendors alike is: don’t get too carried away on the governance aspect. IT-GRC should not become an IT-focused version of enterprise GRC. Customers have too many painful new problems to be solved related to IT controls, risk and compliance: problems like mapping multiple compliance regulations, streamlining and automating information collection for risk management and compliance, and adopting more rigorous approaches to risk analysis.
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.
Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
said this on 05 Apr 2008 8:28:23 AM EDT
Funny, because I see almost no "R" there, as well!
said this on 05 Apr 2008 11:17:05 AM EDT
For true risk analysis, I would agree, and I have another blog post coming on the lack of risk management, threat modeling, etc. in these tools. Many of the IT-GRC tools do however provide some overarching risk management capabilities: managing workflow of remediation items to closure, for example. And despite most of the tools lacking a rigorous way to *analyze* risk, there is still a lot of value in helping organizations manage closure of the big gaps.