Posted by Marc Othersen on June 30, 2008
A message for IT-GRC vendors: I am constantly bombarded by vendors touting "I have an IT-GRC solution for you to look at!" Since I cover the IT-GRC space, I naturally am interested. In many cases, my interest quickly turns to disdain after the vendor product demo. Why?
Simply, most IT-GRC "vendors" are not IT-GRC vendors. An IT-GRC vendor, by our definition, automates the governance, risk, and compliance lifecycles to provide seamless integration and data sharing. Most of the IT-GRC "vendors" I get briefed on automate IT controls, not IT-GRC lifecycles. For example, Brabeion automates policy management (a governance process), the testing of IT controls (a compliance process), and the assessment of IT risks (a risk process). Brabeion, therefore, is an IT-GRC vendor. Sun Microststems' identity and access management product automates access controls and NetIQ's SIEM product automates event monitoring controls. Neither of these companies are IT-GRC vendors or have IT-GRC products.
So before marketing a product as an IT-GRC solution please make sure it actually is an IT-GRC solution and not a control automation solution. This will go a long way to reducing the "noise" around the IT-GRC market space.