Archive for the ‘Gartner’ Tag
Agiliance recognized as top GRC vendor by Gartner two years running
This is that time of the year when all the IT GRC vendors hold their breath to see how they are ranked in the Gartner IT GRCM MarketScope. I’m happy to say that for the second year in a row, Agiliance RiskVision has received the highest possible rating of “Strong Positive”. Not only have we retained the highest ranking from last year, we scored at the top for all three core IT GRC capabilities. As a result, we have further separated from other vendors in terms of having the most capable IT GRC solutions. Here are the actual scores:
- Controls and Policy Mapping: 5.0 out of 5.0, highest of all vendors
- Automated General Computer Controls Collection: 5.0 out of 5.0, highest of all vendors
- IT Compliance Dashboard: 4.5 out of 5.0, highest of all vendors
This also gives us the highest score of 4.8 out of 5.0 for the Automated Technology Control Assessment use case. This is a very important accolade because the true value of an IT GRC solution lies in the automation. The GRC market is quickly maturing to focus on the Risk component. Risk is dynamic and inherently real-time, especially when it comes to IT and security risks. As business processes continue to be automated and data becomes electronic, every single risk in the enterprise will be correlated to IT and security risks. Thus, it is impossible to manage enterprise risk unless you can manage risk in real-time, and managing risk in real-time requires end-to-end automation. Of all the IT GRC technology components, automated technology control and risk assessment are by far the most difficult to build. This type of automation requires highly scalable engines to perform real-time data correlation and calculation across large data sets. I would like to give kudos to my Agiliance engineering team for achieving the highest score on the toughest portion of the evaluation criteria.
Two major changes are noteworthy in this year’s MarketScope. The first is the inclusion of some EGRC vendors and the addition of Financial and Operations GRC Support as the fourth Critical Capability. This change is somewhat controversial, because it is based on the hypothesis that the traditional EGRC and IT GRC markets as we know them today will converge into one. While there are signs of that buying pattern, we also see a very strong trend that indicates possible convergence of IT GRC with security and configuration management products. The two different trends are driven by the two different buying centers. The CFO and internal audit are the buying centers for EGRC solutions. They are now asking for more in-depth and timely data from IT, thus driving the EGRC solutions to include better IT GRC capabilities. However, the CFO and internal audit do not look for the very granular and real-time data that the CIO and CSO need, so for the CFO buying center, some limited extension of EGRC solutions may be all that is required. There may be more IT data, but the data is still static and high level. The CIO and CSO, on the other hand, are the buying centers for security and configuration management and now IT GRC solutions. The CIO and CSO look for real-time risk management and situational awareness with continuous connectivity to the IT infrastructure. The CIO and CSO need GRC solutions that can support IT operational requirements. A pure survey and workflow based solution may be useful to check the box for compliance needs, but it is of no practical use as an IT operations tool. So how important are EGRC requirements when you are looking for an IT GRC solution? It depends on what your function is and what you are looking to achieve with the solution.
The second change in this year’s MarketScope is that Gartner has done away with the Out-of-the-Box vs. Rapid Development Platform differentiation. The new differentiation is Top-Down vs. Bottom-Up. This new differentiation is a good way to capture the difference between the EGRC vendors and the IT GRC vendors. It is a shorthand to summarize the different buying centers’ needs we discussed above. The CFO and audit approach is top-down with little detail from IT and security. The top-down approach provides a nice enterprise-wide picture quickly, but lacks details and is not capable of reflecting the real-time nature of risk. Bottom-up provides the real-time visibility and ability to react, but can be more narrowly focused on just IT risks. Most organizations will need a combination of both Top-Down and Bottom-Up approaches to be effective. Today no one solution can meet the needs of both buying centers, and it is likely that no one solution ever will. The best approach for most organizations is still to buy the best-of-breed solution based on requirements and roadmap. The CIOs and CISOs we talk to are looking for a strong automation GRC platform that can integrate with their existing IT and security management tools to provide real-time visibility and operations support. They also want the tool to have very good Top-Down capabilities to support process-centric use cases. This was my goal when I founded Agiliance years ago, and it’s gratifying to have Gartner validate that our solution and approach are a great fit for our target market of CIO and CSO.
Gartner Blog: We Come to Kill GRC, Not to Praise IT
Here is another great Gartner blog entry. This one is by French Caldwell. There is a long discussion thread happening on the LinkedIn GRC group about what GRC is. Thanks to French for bringing some cool-headed thinking to this. Let’s not get so caught up on terminology and labels. They are simply shorthand to help people identify a category of solutions. See if the products in the GRC category can add value to your enterprise. If they do, embrace them and call them whatever you want.
Gartner Blog: Is your software provider choking at the maintenance trough?
Here is an interesting blog post by Michael Maoz of Gartner. I like his proposed strategy of keeping non-differentiating products from the big software companies at the core, then surrounding that core with products from smaller innovators to gain a competitive advantage for your business. You can clearly see how this scenario is playing out in the security solution space, and it is now happening in the GRC solution space.
Earl Perkins of Gartner Talks About Justifying Security Projects

Pravin Kothari
Earl Perkins of Gartner wrote a blog yesterday about the challenges of building business justification for identity management products (you can broaden the whole discussion to security technologies in general). In his point #3 he pointed out that if security folks want to be invited to the Big-Boy table, they need to link security to justifications that the business understands, such as business risk, compliance and business process improvement. Make sure you read the response from Ed King, one of our resident identity management geeks here at Agiliance. He built on Earl’s thoughts a bit further and offered some concrete examples of risks that can be measured and provided as business justifications for security technologies.
Earl Perkins of Gartner defines “policy”

Pravin Kothari
It seems Earl Perkins of Gartner also has an issue with confusing and overused terms. Here is his recent blog covering the many definitions of “policy” in security and GRC. It is very true that we technology professionals often just assume others speak our language. This is not the case even for people within the small community of security and GRC professionals.