The central theme here is GRC (governance, risk and compliance). GRC is arguably the biggest pain point of most large organizations and the most important task that rarely gets done right. GRC is a must for organizations subject to regulatory compliance. But more than that, it is how organizations protect themselves from lawsuits resulting from negligence, weak or non-existent policies and failure to comply with the policies they do have.

And it’s not just upstream liability. Breach reporting laws, more sophisticated attacks, the growing complexity of achieving and maintaining enterprise security, cloud and virtual computing and a slew of other issues make it essential that organizations not only check the appropriate boxes in the audit, but actually perform the tasks that keep them protected.

So, to be innovative in this space means bringing to market tools that get the job done, enforce compliance and don’t require a team of engineers just to keep the tool running and fed with up-to-date policies. That is what we found. As in previous years, we have some returning Innovators. We like that because it says we were right when we selected them the first time.

Innovation is not a flash in the pan. Rather, it is sustained creativity, a strong feel for the pulse of the market and fresh approaches to solving difficult problems first and, ideally, best, which is what makes an Innovator the benchmark in its market segment.

We believe that the companies in this section, as with our other sections, exemplify these principles. But more, and more appropriate to this particular group, they are taking a market whose tools are traditionally expensive, difficult to use and, for that reason, often left sitting on the shelf, and they are breaking the mold. These products are manageable, affordable in the context of what they provide, and they serve an extremely important purpose beyond the audit: they are instrumental in helping the organizations that use them stay genuinely secure.

Brinqa

This company with a unique name is unabashedly a GRC analytics organization. The Brinqa Risk Analytics Platform applies sophisticated Big Data concepts to analyze risk and produce actionable steps for mitigating what it finds. That sounds like every other GRC vendor, but every other GRC vendor Brinqa definitely is not.

AT A GLANCE

Vendor: Brinqa   

Flagship Product: Brinqa Risk Analytics Platform 

Cost: Starts at $22,400. 

Innovation: Strong application of Big Data analytics to GRC. 

Greatest Strength: Combination of technical excellence with wide-ranging vision.

For starters, this Innovator does not depend on a conventional fixed-schema database to collect information. The data that feeds the GRC analytics process is not structured consistently, so why impose an artificial format on it? Brinqa’s schema-less model allows the free-form flow of information that characterizes today’s business environment. All GRC systems need raw data to consume, and Brinqa has more than 100 individual connectors covering most types of sensors. Those connectors generate a lot of data, and very little of it shares a common format with the rest, which is exactly the free-form data the schema-less model is built to handle.

Once the data is collected, it needs to be analyzed. Using Big Data constructs, Brinqa turns the raw feeds into an understanding of the real impact of the risks it discovers. Applying machine learning and business-friendly reporting, critical compliance and risk-posture reports can be generated on the fly. Part of what enables that rapid reporting is Brinqa’s approach of establishing and maintaining a baseline: subsequent reports are built from the changes against that baseline rather than from the full data set, which is what makes extremely rapid analytics and reporting possible.
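To make the baseline-and-delta idea concrete, here is a small illustration added by the editor; it is not Brinqa’s code and says nothing about how the platform is implemented. It keeps a baseline of findings, classifies a fresh snapshot into new, resolved and changed items, and updates the maintained risk score from that delta alone, checking the result against a brute-force recompute. The finding records, the severity weights and the two scan snapshots are all constructed for the example.

```python
"""Baseline-and-delta risk reporting (editor's illustration, not vendor code).

A GRC platform that maintains a baseline of findings can report on what
changed since the last run instead of re-scoring every finding each time.
All identifiers, weights and snapshots below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed scoring weights; a real platform would apply its own risk model.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    asset: str      # hostname or application name (constructed)
    control: str    # check identifier, e.g. a patch or policy-control ID (constructed)
    severity: str   # one of SEVERITY_WEIGHT's keys
    open: bool      # True while the finding is unresolved


Change = Tuple[Optional[Finding], Optional[Finding]]   # (old, new); None = absent


def _weight(f: Optional[Finding]) -> int:
    """Contribution of one finding to the risk score: 0 if absent or closed."""
    if f is None or not f.open:
        return 0
    return SEVERITY_WEIGHT[f.severity]


def full_score(findings: List[Finding]) -> int:
    """Brute-force recompute over every finding: the cost the baseline avoids."""
    return sum(_weight(f) for f in findings)


def diff(baseline: List[Finding], current: List[Finding]) -> Dict[str, List[Change]]:
    """Classify what changed between two snapshots, keyed by (asset, control)."""
    before = {(f.asset, f.control): f for f in baseline}
    after = {(f.asset, f.control): f for f in current}
    changes: Dict[str, List[Change]] = {"new": [], "resolved": [], "changed": []}
    for key in before.keys() | after.keys():
        old, new = before.get(key), after.get(key)
        if old is None:
            changes["new"].append((None, new))           # first seen in this scan
        elif new is None or (old.open and not new.open):
            changes["resolved"].append((old, new))       # dropped from scan or closed
        elif old != new:
            changes["changed"].append((old, new))        # severity moved or reopened
    return changes


def incremental_score(baseline_score: int, changes: Dict[str, List[Change]]) -> int:
    """Update the maintained score from the delta alone; unchanged findings are never touched."""
    adjust = sum(_weight(new) - _weight(old)
                 for bucket in changes.values() for old, new in bucket)
    return baseline_score + adjust


def report(baseline: List[Finding], current: List[Finding]) -> Dict[str, int]:
    """Delta report plus a consistency check against the brute-force score."""
    changes = diff(baseline, current)
    base = full_score(baseline)
    score = incremental_score(base, changes)
    if score != full_score(current):            # the delta must agree with a full recompute
        raise RuntimeError("incremental score diverged from full recompute")
    return {"baseline_score": base, "current_score": score,
            "new": len(changes["new"]), "resolved": len(changes["resolved"]),
            "changed": len(changes["changed"])}


# Constructed snapshots: the stored baseline and the next scan's output.
BASELINE = [
    Finding("web-01", "PATCH-0001", "critical", True),
    Finding("web-01", "TLS-LEGACY-ENABLED", "medium", True),
    Finding("db-01", "PWD-POLICY-8.2", "high", True),
    Finding("db-01", "SSH-ROOT-LOGIN", "high", False),
]
CURRENT = [
    Finding("web-01", "PATCH-0001", "critical", False),   # patched: resolved
    Finding("web-01", "TLS-LEGACY-ENABLED", "high", True),  # severity raised: changed
    Finding("db-01", "PWD-POLICY-8.2", "high", True),     # unchanged, never rescored
    Finding("db-01", "SSH-ROOT-LOGIN", "high", True),     # reopened: changed
    Finding("app-02", "PATCH-0002", "critical", True),    # new asset, new finding
]

if __name__ == "__main__":
    print(report(BASELINE, CURRENT))
```

The `report` function deliberately re-derives the current score the slow way and refuses to return if the two disagree; in a real pipeline that check is what tells you the baseline has drifted (a connector silently dropped an asset, for instance) and needs to be rebuilt rather than patched.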

Because IT risk is not all there is in the modern enterprise, the Brinqa system also consumes business metrics. This allows IT risks to be understood in the context of the rest of the organization. All of this generates a lot of data, hence the reliance on Big Data paradigms. Big Data is characterized by the three Vs: velocity, variety and volume, and a credible analysis must account for all three. The Brinqa Risk Analytics Platform does that, creatively and effectively. In our view, that approach, from the conceptual ground up to execution, is what makes this company an Innovator.

Modulo Security

Modulo Risk Manager is, at bottom, a GRC (governance, risk, compliance) tool that is delivered mostly as SaaS, with a platform version available for large organizations that prefer on-premises hosting. However, saying that Modulo is a GRC platform is a little like saying Moby Dick was a whale. This Innovator goes well beyond typical GRC systems and integrates mobile devices tightly into the system’s capabilities. We see one of the major innovations here as a platform that covers a wide array of verticals and applies an even wider array of policies. To do that, Risk Manager draws on more than 100 different knowledge bases and authoritative references.

AT A GLANCE

Vendor: Modulo Security  

Flagship Product: Modulo Risk Manager 

Cost: $18,000. 

Innovation: Provides an aggregated view of risk in a command-and-control environment. 

Greatest Strength: Vision of what GRC in the IT-enabled enterprise really looks like and how to build a holistic model that is easily consumable.

One of the most interesting developments we found was the application of the concept of maturity. Capability maturity models have been around for a while, but they usually focus on some aspect of engineering, such as the Systems Security Engineering Capability Maturity Model (SSE-CMM). Applying a maturity model to GRC is a big step toward understanding how your GRC program stacks up against applicable standards. In many regards, it enables the CISO to fill the role of chief risk officer, because it clearly defines and positions the business against the standards that apply to its particular type of organization.

Modulo Risk Manager interfaces with a significant number of sensors as well. We define sensors here as the devices, applications and functions that collect and measure threat and vulnerability data: vulnerability scanners, SIEMs and the like. Traditionally, IT risk management tools have focused on IT risk. That seems obvious, but there are many other types of risk in an organization, and those risks interact with pure IT risk to complicate the GRC landscape. To address these interactions, Modulo has added modules for vendor and enterprise risk management, as well as business continuity and enhanced vulnerability and threat management.

There is a strong trend toward ubiquitous access to data, and that brings mobile devices into the game. A key outcome of Modulo’s innovation, then, has been to address this trend and make the important GRC data the system develops more easily consumable.