If you are involved with, or interested in, the data security world, then no doubt you have heard many definitions of integrated risk management (IRM) and governance, risk and compliance (GRC). Should we simply be looking at “GRC 3.0”, as professed by Michael Rasmussen, formerly of Forrester and the self-proclaimed “Father of GRC”? Or is IRM an entirely new evolution of risk management tooling, as Gartner has attempted to rebrand it, declaring dramatically that “GRC is dead”? Whichever definition you choose, the IRM landscape is evolving, and building a risk and compliance program should be your focus in order to protect and prepare your organization for the future.
When planning a security program, most companies first look at the tool or platform they will use. Security and risk management platforms have come a long way since the initial GRC/IRM definitions were established, but so has the problem they are meant to address. Data no longer resides in a single environment, access is required from both the boardroom and the home office, and threat actors can be literally anywhere in the world. One of our biggest challenges is protecting information in an environment that has become exponentially more complicated, while society becomes ever more data-reliant. So how can any single tool or platform solve this problem?
Reviewing the latest IRM Gartner report
In Gartner’s recent publication, Competitive Landscape: Integrated Risk Management, Elizabeth Kim, Gartner’s leading analyst in this space, attempts to cut the Gordian knot of which platform would be the best solution for her customers. She positions the various “IRM” players in the market, but starts by rearticulating Gartner’s flawed IRM Use Case Domains model, which inexplicably has no risk use case for data security. This is a significant misstep, given that a data breach is among the largest risk exposures for most businesses. Kim then applies a more logical segmentation of technology providers into three primary categories:
Multivendor point solutions, which she refers to as “Siloed”
Single-vendor solutions, which she calls “Integrated”
Multivendor, multi-suite solutions, which she labels “Connected”
This segmentation is unnecessary, particularly as it is hard to see how a point solution fits Gartner’s own expanded definition of integrated risk management. But in a market valued at $5.6 billion and forecast to grow at a CAGR of 11.4% (2020-2025), it clearly pays to be inclusive. I believe the segmentation here is overkill. Of course, no solution can support everything; attempting to was the folly of many past GRC providers and is the principal reason GRC has such a poor reputation. So I think this additional segmentation provides more confusion than clarity.
Overall, this remains a valuable report. It gives the reader a clear understanding that the landscape is changing quickly and that new competitors are entering the market at an unprecedented rate. The good news for customers is that this activity is driving innovation and forcing providers and customers to reassess their IRM/GRC strategy. Indeed, it is causing the industry to rethink the very definition of IRM/GRC (beyond the fractious Wheeler/Rasmussen debate).
IRM/GRC past vs. future
Traditionally, IRM/GRC solutions have been standalone platforms that rely on data from multiple sources, fed either through custom integrations or manual data entry. Evidence gathering was therefore time-consuming, often incomplete, and rarely real-time. Traditional platforms also supported only a limited number of users, typically the dedicated security or compliance team responsible for interpreting and presenting the data. This burden made the tools difficult to implement and expensive to maintain, so adoption was limited to large or highly regulated organizations.
But in a cloud-based world, where multiple integrations come as standard and solutions are accessible from anywhere, we are seeing a new generation of IRM/GRC platforms. These solutions are delivered as SaaS (software as a service) and are more comprehensive and inclusive. The demarcation between providers is becoming functional: some solutions are expanding to cover areas like environmental, social and corporate governance (ESG) risk, while others specialize in cybersecurity and risk management. The key shift is to stop treating compliance as the primary driver and instead focus on the functional and operational benefit achieved by executing the core security function well. It is more important today to be secure than to demonstrate security.
Time to refocus on efficient data security
This shifts the emphasis of today's IRM/GRC tools from simply reporting to actually operating. The refocus not only adds efficiency to operations but also removes the duplicative effort of tracking secondary data, because evidence is now captured at source. As a result, a new type of IRM/GRC platform is emerging. It ranges from organizations that focus on efficient collection and analysis of data, like Vanta, to a truly integrated platform that generates compliance data as a natural by-product of its core operation, like Ostendio MyVCM, to businesses focused on interpreting data through machine learning and artificial intelligence, such as Diligent and Reciprocity.
In the Gartner report, Kim lays out these options, while highlighting the need for continued innovation, integration, and partnership. One example of innovation she calls out is the Ostendio MyVCM solution, stating “Ostendio’s innovative approach across its MyVCM platform and MyVCM Trust Network helps organizations save time and effort by creating a network of vendors and auditors to reduce the amount of assessment that needs to be completed.”
The Gartner report states:
The MyVCM Trust Network is a live ecosystem of organizations that connect with each other via their respective MyVCM instances. One of the MyVCM Trust Network features is called Vendor Connect, where Ostendio customers can invite their vendors (at no cost to the vendors) to create and maintain online records of their security and compliance readiness via assessments using MyVCM Lite. Responses are linked to supporting documentation that is easily accessed and kept up to date within the vendor’s MyVCM instance. Ostendio customers can designate assessments to vendors based on specific regulations or tailor them to their specific requirements. The vendor will become a part of the MyVCM Trust Network, which allows them to map their responses from other Ostendio customers, without having to start from scratch for similar questions. Ostendio has a similar feature targeting audit partners called Auditor Connect. The customers, vendors, and auditors together create a network effect that improves transparency and efficiency for all participants.
The biggest benefit of the evolving IRM market is that customers today have a range of options to choose from when looking to optimize their ESG, security, or compliance programs. In the end, this matters more than whether we call it IRM 2.0 or GRC 4.0. The evolving market means there are options for all organizations, regardless of size or industry, to take control of their data security and protect their business. The important first step is to recognize that building a risk and compliance program is becoming a business necessity and, for many organizations, a competitive advantage. Ostendio experts help customers with their data security and risk management programs, whether they are establishing one for the first time or building on an existing program.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy as an example. Just contact us.