Vendors claim to be offering products and solutions in the governance, risk and compliance (GRC) space, but these rarely fit the analyst specification.
According to Paul Proctor, vice president, distinguished analyst and chief of research for security and risk management at Gartner, there are plenty of vendors in the space, each with a preference for certain technologies, but those technologies often do not fit what Gartner deems to be the GRC model.
Speaking at the Gartner Security and Risk Management summit in London, he said that in a new approach to its analysis, Gartner de-emphasised the presence and demonstrability of features and functions, and increased its weighting on implementation and production use of GRC products against specific use cases. This led to a number of vendor technologies being classified on what he called “the posers list”.
He said: “I told them to ‘stop saying you do everything when you do not, and stop saying you do GRC when you do not’. You can call your product GRC if you want, but I have given up on the notion of what is and is not GRC.
“I am getting closer to giving up on the term. It is a great management and process term, and I am a fan of risk-based stuff and decision and compliance about correct mandates. But everyone’s workflows are different; if you want to call it GRC, go for it, but there are specific guidelines for GRC and there may be something different for you to offer.”
He said that Gartner sent out close to 600 surveys and had received 359 back at the last count; of the 78 vendors it spoke to about GRC, only half had an element of GRC in their product. “Lots of vendors said ‘we are leaders’ but did not produce references. Lots of vendors don’t agree with this, as they do not support GRC but do segregation of duties and enterprise resource planning,” he said. “That is a very specific set of technologies and they call it GRC, and can do it, but it doesn’t fit, and we don’t call it GRC.”
He said that a number of technologies do not support the Gartner GRC use cases for IT risk management, operational risk management, vendor risk management, audit management, business continuity management, and corporate compliance and oversight. He specifically named HP, McAfee, Microsoft, NetIQ, Oracle GRC, Qualys, Symantec and Trustwave in this group.
He said: “Some do something and call it GRC, but it doesn’t mark Gartner definitions. Just because we say it is great, doesn’t mean it is right for you.
“Many call me and say they do not do good risk management, so what should we buy? Tools automate good process; they do not create good process – everyone who tries to buy a box to solve a problem wastes money!”
He concluded by saying that the simple steps for success with GRC are to: build GRC use cases, preparing no more than ten; prioritise the list and focus on the first three; build good processes and workflow; and match the use cases to tool functions.