The march of the compliance management frameworks has begun, and some of the industry's largest vendors are looking to grab the lead.
IBM today launched a broad effort to help users with IT governance, compliance, and risk management. Big Blue's framework is headed by the Business of IT Dashboard, a suite of asset-based services designed to help enterprises assess their current strengths and weaknesses in critical areas of IT governance, including security.
The new initiative harnesses many of IBM's recent acquisitions, including products from Micromuse, Internet Security Systems, Consul, FileNet, and Rational.
"These are products and services that help fill the holes between management and security tools and help bring the business and IT together," says Kris Lovejoy, director of strategy for IBM's Governance and Risk Management (GRM) unit. "We want to be the glue that brings them together."
IBM's announcements come just a day after Symantec launched an updated version of its Symantec Control Compliance Suite, which is "designed to reduce the cost and complexity of IT policy management and compliance by automating the assessment of policies against industry regulations, standards, and best practices," the company said.
"Most organizations already have the controls and processes they need to achieve compliance," says Indy Chakrabarti, group product manager at Symantec. "What they don't have is the means to look across the different tools and silos that all play a role in compliance, and the means to enforce the policies. CCS can help them do those things."
IBM and Symantec join a raft of smaller vendors that have been rolling out new compliance management tools in recent months. Agiliance, CipherTrust, LodeStar, and Blue Coat Systems are just a few of the many companies that have entered the compliance race. (See 10 Hot Security Startups and Compliance Announcements Show Breadth of Concerns.)
Analysts generally agree that enterprises need some sort of tool to track their security compliance efforts, but not all of them are sold on the need for an enterprise-wide framework for "governing" and monitoring policies across the entire IT environment.
"I'm excited to see IBM trying to tie its efforts together with a consistent strategy, instead of going off in a lot of different directions," says Michael Rasmussen, an analyst at Forrester Research. "Standards like COBIT and ITIL only go so far, because they don't give a lot of specifics. IBM is taking IT governance more down into the weeds, putting some real products in with the concepts."
But Eric Ogren, founder of the Ogren Group, says enterprises should be wary of frameworks that promise to take all security and management data and put it into a single structure. "The idea that you're going to categorize everything and put it into some kind of IT governance 'dashboard' is just a crock," he says. "It's a fool's errand."
The most important promise that compliance management products can help fulfill is to lower the costs of compliance, Ogren says. "Companies are putting a ton of money into compliance, and they're looking for ways to generate better return," he notes. "To the extent that these products can cut costs and speed up the compliance effort, that's where their value is."
IBM's Lovejoy says the company doesn't expect most customers to deploy its entire compliance and risk management framework. "We wanted to help them with their key pain points, which are security and compliance, business resilience, and service management," she says. "We're giving them the tools to help solve those problems individually, but then they can re-use the resources we're giving them to address other issues of IT governance as well."
IBM will drill deeper into security compliance with its next round of announcements, Lovejoy says. The company is preparing a "risk readiness" service through its ISS unit to help assess vulnerabilities and do a proactive analysis of risk, she says.
Tim Wilson, Site Editor, Dark Reading