Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/5/2011
11:49 AM
Commentary
Commentary
Commentary
50%
50%

IT GRC, ESIM Vendors Dig In For War

With no sign of the two technologies combining into one, where does that leave the buyer?

Although IT GRC and the easily identifiable vendors that compete in the sector might sound fairly cut-and-dry, there is an adjacent technology sector muddying the water and causing confusion among buyers: enterprise security information management (ESIM).

The ESIM sector is composed primarily of security information and event management (SIEM) and log management vendors. One could easily draw static lines dividing disparate security technologies, but the lines (if they ever truly existed) between ESIM and IT GRC products are starting to blur.

Since EMC's January 2010 acquisition of Archer Technologies, ESIM vendors are including more risk-centric capabilities within their core products. In fact, many ESIM vendors began searching for an IT GRC product acquisition to achieve the competitive parity presented by a joint RSA (enVision) and EMC (Archer) product pairing. From a 10,000-foot view, one could easily draw parallels between both product sectors.

Generally speaking, both can consume log and vulnerability data in addition to providing users with alerting, dashboard, and ticket workflow capabilities. The biggest difference, however, is the audience for which each product is designed. ESIM products have always had a heavily weighted operations and security side, whereas IT GRC products are traditionally presented to CISO-, CSO- and CFO-level executives, in addition to the somewhat newly minted chief risk officer (CRO) and chief compliance officer (CCO) designates.

To appeal to all levels of the organization, nearly all of these vendors present their products with an alluring and whimsical term to hook buyers: a single pane of glass. Promising the coveted single pane of glass for all levels of the organization to leverage, vendors are hoping to bring their products to bear in support of the entire business stack -- from the entrenched security practitioner at the bottom to the executive branch of the organization.

Unfortunately, it is extremely difficult to present data in a way that is everything to everyone, since ESIM and IT GRC products were designed with different business use cases in mind. So ESIM is a more security-centric and operationally positioned technology, while IT GRC is a more business-centric and process-positioned technology.

So which one should you pick? One issue that plagues the adoption of IT GRC systems is the cost of purchasing both an IT GRC and ESIM product. Organizations faced with having to choose between an IT GRC or ESIM product typically do not have the budget to purchase both. Since the purchase of an ESIM is predominantly driven by a compliance mandate, the water becomes even more muddied when the buyer learns that the ESIM could cover everything but the "G" portion of IT GRC -- a somewhat lofty claim when the capabilities of both product sectors are examined under the end-user microscope.

So who's the buyer for IT GRC? The side of the organization that purchases IT GRC products remains those responsible for the measurement and reporting of risk and compliance within the organization. These people are also the holders of the budget for projects of this nature and might see the security aspect of an ESIM as simply "nice to have," as opposed to a primary purchasing driver. Should the security team have little sway over those further up the management stack, increasingly more organizations could find themselves adopting IT GRC products over ESIM products.

While I don't see the ESIM and IT GRC sectors converging to create a new combined sector, it is likely safe to postulate that there will at least be some overlap in the immediate future as the adjacent sectors figure each other out.

A more likely result will be closer integration and data sharing between the products in each sector. Why send IDS logs to both an ESIM and an IT GRC product when one could simply forward the data to the other? Instead of poking holes in a perimeter firewall to allow data sources to feed a cloud-based IT GRC product, why not allow the on-premises ESIM product to aggregate and forward, or vice versa? Of course, in order to facilitate this transparent cooperation, a promiscuous integration stance will need to be embraced by the vendors in their respective sectors to further the cross-pollination between products.

Andrew Hay is a senior security analyst with The 451 Group's Enterprise Security Practice

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...