If you have been following my research over the course of the past 15 years, you will know that I have often been frustrated when IT GRC has been understood to be confined to IT security management. In fact, you can find several of my Forrester reports (2001 to 2007) that challenge the captivity of IT GRC by security.
IT Governance, IT Risk Management, and IT Compliance are broader than security. Yes, security is one of the most critical risks in IT departments and to the business. I am not minimizing IT security; it needs to be addressed. However, this gives IT security management solutions that do IT security governance, IT security risk management, and IT security compliance no right to hold IT GRC hostage.
Consider . . .
- IT Governance. IT governance is the reliable achievement of the objectives of IT, and those objectives should be aligned with the business. IT has many objectives that go well beyond the security of IT systems and information. If IT governance were only about security, then we might as well give the CIO and CTO jobs to the CISO. Governance of security is important, but IT meeting business needs and objectives today and into the future is even more critical. IT governance is centered on the performance of IT and the alignment of IT to meet business needs. Security comes within and after this context.
- IT Risk Management. Some of the greatest risks in IT are security risks. But there is a range of other risks that are critical as well: IT service delivery risk, risk in IT operations, IT project risk, IT planning and staffing risks, disaster recovery and business continuity, and more.
- IT Compliance. I will not argue the point: some of the greatest IT compliance challenges are about security (anyone dealing with PCI DSS and other compliance obligations knows this). The point still stands that IT compliance goes beyond IT security. Consider web accessibility requirements under ADA compliance (Americans with Disabilities Act).
What is frustrating to me is that 95% of the RFPs I assist with, and of the inquiries I answer from organizations looking for solutions (between 5 and 10 a week), treat IT GRC as synonymous with IT security management.
To put it in a formula:
IT GRC ≠ Security Management
IT GRC > Security Management
What is encouraging in the past 12 months is that I have seen several RFPs I have assisted in writing that are taking a broader understanding of IT GRC, and this is supported by growing inquiries from organizations asking me questions about solutions with broader IT GRC capabilities.
IT departments need a 360° contextual awareness of security in IT, but they also need a 360° contextual awareness of a broader understanding of IT governance, IT risk management, and IT compliance management.
As for the market, my definition of IT GRC remains broader than IT security management. There are solutions that deliver on a broader vision of IT GRC, some more than others. A sub-segment of IT GRC consists of solutions whose capabilities focus primarily on vulnerability discovery and remediation for IT assets and on measuring risk and compliance in a security context.
On October 19th, I will be presenting the next GRC 20/20 Research Briefing, 2015: How to Purchase IT GRC Platforms. This Research Briefing is aimed at defining a framework for purchasing IT GRC solutions, whether focused on IT security management or more broadly on IT GRC management.
The goal is to give buyers of IT GRC solutions an understanding of the different types of IT GRC solutions, with a broad or a narrow focus; give them a decision tree to help them define what they need; present the critical capabilities needed in an IT GRC platform; and offer advice on IT GRC and security management RFPs and evaluations.
If you are frustrated with your current IT GRC implementation or looking to purchase an IT GRC solution, then I encourage you to register and attend this Research Briefing (or watch the recording).
NOTE: For clarity, I am an advocate of IT security, and if your focus is on IT security management in the context of IT GRC, there are many great solutions that deliver this. I am simply stating that this is a sub-segment of IT GRC.