A growing need for security discipline and the availability of better threat data are changing the monolithic Governance, Risk and Compliance (GRC) concept into a near-term enterprise risk management project, experts say.
GRC, a methodology for building global IT policies, priorities, and practices around key risk and compliance factors, has long been viewed as a framework that was too complex and resource-intensive for all but the largest enterprises. But driven by a need to improve security and add some means of measuring risk, many businesses are pushing past these old perceptions and implementing elements of the technology, without necessarily tagging their efforts with the GRC name.
"The market for [GRC] management is growing, as more companies recognize the value in safeguarding their business practices -- not just because doing so is good for business, but because it's necessary for protection against specific economic and market conditions," says William Jan, vice president and practice leader at research firm Outsell, in the company's 2013 GRC market assessment.
Chris Caldwell, CEO and founder of GRC firm LockPath, agrees. "Security and risk are driving enterprises to contact us, even if they don't necessarily call what they are doing GRC," he says. "What they are really looking for is business visibility -- a clear way to show what assets are at risk, what needs to be patched, and how to get more budget [for security]. Every IT department is overwhelmed right now. They need a structure for prioritizing remediation."
GRC vendor Agiliance reported last month that its revenues grew 65% between Q1 2012 and Q1 2013, with more than 415% growth in the financial services sector. But like LockPath, Agiliance is increasingly stepping away from calling its technology GRC.
"GRC is not a good term for this market," says Torsten George, chief product strategist at GRC vendor Agiliance. "GRC is an internal process, and an internal process shouldn't drive a software category. We have been calling what we do 'integrated risk management' because we're tying together IT operations and security risk management."
Gartner analyst Paul Proctor concurred in a blog earlier this month, entitled "Why I Hate the Term GRC." "GRC is the most worthless term in the vendor lexicon," Proctor wrote. "Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I'm losing the battle."
Whether they call it GRC or not, however, enterprises are investing more in the concept of adding structure and metrics to the assessment of risk and the IT security choices they make.
"The early implementations of GRC were mainly built around compliance and checking off the boxes for the auditors," says Steve Schlarman, eGRC solution manager at RSA Archer, the oldest and largest of the GRC technology vendors. "Today, companies are getting beyond the crust of compliance and getting into deeper inspection of the infrastructure -- they want a broader sampling of data so that they can get a more accurate measure of risk."
One of the most significant recent shifts in GRC is the addition of threat intelligence as a variable in the calculation of risk and the subsequent decisions on what steps to take, experts say. In the past, most GRC initiatives calculated threats only internally to the enterprise, but the emergence of new threat intelligence data feeds and services means that businesses can now add factors such as growing Internet threats -- and the likelihood that they will strike a particular enterprise -- into the risk management equation.
LockPath, for example, recently added a new module called Threat Manager, which integrates internal security information with a variety of data feeds, recording key information about secured assets and creating an audit history. Agiliance is also feeding a variety of data into its Threat and Vulnerability Manager module.
"Tying threat data to vulnerability data and overlaying risk and business-criticality is the trend," says Vivek Shivananda, CEO of GRC technology vendor Rsam. "As we see it, risk-driven compliance management is the future model of GRC. Security Risk Intelligence is the answer -- creating an architecture and a process that ties threat data to vulnerability/incident data and overlays risk and business-criticality is the answer to intelligently allocating resources against appropriate threats/incidents."
Experts also generally agree that while compliance initiatives provide most of the funding behind GRC, it is IT security issues that create the most variables in the risk equation -- and keep both IT and business executives awake at night. "Companies are now looking at legal defensibility when a compromise or a compliance failure occurs," says Caldwell. "They want to be sure that they are doing all they can to prove that they are doing their due diligence -- they don't want to be asking, 'Could I have done more?'"
Schlarman agrees. "Security is playing a bigger role in the [GRC] picture," he says. "Enterprises are still looking at the criticality of their information assets -- putting them in business context -- but they also want to take that data and push it down to security operations and security analytics, so that they can filter out asset data and figure out whether a particular infection has touched a particular group of assets."
But for GRC to help with the management of current threats and new security risks, Caldwell says, its implementation and adaptation will need to become much faster. "Some of the early [GRC] products had a ramp-up time that was completely insane -- it could take six, 12, 18 months just to stand up the product and get a viable report. That's one of the reasons why GRC got a bad name. But now we're making that quicker. We're separating the products from the program, and making the products more immediately useful."
GRC technology is also moving down market and becoming available for smaller companies that don't have huge IT organizations, says Agiliance's George. "We are working with [managed security services providers] to provide a managed services offering that's accessible to businesses that are smaller, but still need some of these functions," he says. "Again, they might not necessarily call it GRC, but these are functions -- things like measuring compliance posture and security posture -- that are important no matter what the size of your organization."
But for GRC technology to grow faster, it will have to cast off its perception as a monolithic, expensive, and complex initiative, experts agree.
"IT pros are seeking to steer toward the same risk, compliance, and security goals, but they are avoiding the use of the GRC moniker and the perception that GRC is exclusively an 'enterprise-level' project," says Rsam's Shivananda. "This perception also can make it more difficult to select and acquire the necessary tools in highly political environments, or competing departmental agendas."
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.