Great, a food fight erupts on one of my favorite topics, and I’m the last guy to reach for the mashed potatoes. Rich Mogull decides that GRC is dead, and Alan Shimel points out some IT security realities (compliance is a big driver) here. Chris Hoff makes a few points as well here.

By way of introduction, I worked for one of the early IT-GRC product vendors (before the analysts decided that IT-GRC was different from enterprise GRC). I have also done consulting work for another vendor in this area, and I have authored a course on IT Risk Management. I have had enough exposure to large end users that I would like to think that I understand where these products provide value and utility, and where there are holes.

First, I think it’s important to draw a distinction between the enterprise GRC crowd (Paisley, OpenPages, Axentis, and others) and the IT-GRC crowd (I would put Agiliance, Brabeion, ControlPath, Avior, Compliance Spectrum, Relational Security, Modulo, and Archer in this category). The enterprise GRC products tend to be all about workflow, with little depth in the area of IT risk assessment, analysis, and management, and little depth in the IT security-centric compliance regulations and standards (HIPAA, GLBA/FFIEC, NERC/FERC, PCI, ISO 27000, BITS, FISMA). By contrast, the IT-GRC products tend to have a lot of depth in terms of very specific controls and requirements that relate directly to these regulations and standards. These two categories are different products, solving different problems, being sold to different audiences.

My 2 cents on the IT-GRC products: they provide a lot of functionality that highly regulated (read: financial services) organizations need. They structure security management, providing the means to assess compliance with an external regulation or with an internal best-practices framework. They also structure the workflow of security and compliance. In one analyst briefing I did a few years ago, the analyst remarked that the IT-GRC product in question was for security and compliance managers roughly what PeopleSoft was to HR managers. In a large organization, managing security and compliance can be overwhelming, and these tools give the manager a better way to manage the overall effort. And there is value for the business units and their management in these tools.

They are not without fault. As I have blogged previously here, few of them do much in the way of true analysis of risk. Most of them stop at helping to gather data about risk, or they use some proprietary method to try to calculate risk, as I have also blogged about previously. But to characterize these products as dead is wrong.

There’s also the familiar dynamic at work here: the analysts have decided that this category will be called IT-GRC, and therefore the vendors will all have to rush to provide more, and hopefully better, “R”, and even some “G”, irrespective of what their users are asking for, lest the vendors get left off the MQ, Wave, or whatever.

To Chris Hoff’s contention that GRC products are “audit driven compliance all tarted up”, I think you have to tell us whether you’re talking about enterprise GRC or IT-GRC. Many of the IT-GRC products are *highly* asset focused. There is a direction in some of these tools to create direct linkages to data from other security tools: vulnerability management systems, configuration management, etc.

I will agree with Rich on this point: security vendors putting a little GRC lipstick on their favorite pig probably isn’t a great strategy.