Vendors providing software that helps manage the overall IT risk and compliance process now have an official category: IT-GRC. Several leading analyst firms have now gravitated to this label. Becoming a part of a recognized market segment has obvious benefits for the leading vendors. But the IT-GRC label has some room for improvement….
I have an issue with calling this category IT-GRC. First, having looked at most of the leading products in this area, there is almost no “G” there, just risk and compliance capability and functionality. That’s probably to be expected as most of the tools started out ai
My advice here for analysts and vendors alike is: don't get too carried away on the governance aspect. IT-GRC should not become an IT-focused version of enterprise GRC. Customers have too many painful, unsolved problems related to IT controls, risk and compliance: mapping controls across multiple compliance regulations, streamlining and automating information collection for risk management and compliance, and adopting more rigorous approaches to risk analysis.
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University. Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
said this on 05 Apr 2008 8:28:23 AM EST
Funny, because I see almost no "R" there, as well!
said this on 05 Apr 2008 11:17:05 AM EST
For true risk analysis, I would agree, and I have another blog post coming on the lack of risk management, threat modeling, etc. in these tools. Many of the IT-GRC tools do, however, provide some overarching risk management capabilities (managing workflow of remediation items to closure, for example). And despite most of the tools lacking a rigorous way to *analyze* risk, there is still a lot of value in helping organizations manage closure of the big gaps.