Yawn. We probably have started this category that way before but the fact is that risk and policy management doesn’t sound all that exciting. No next generation stuff. A lot of interpreting spreadsheets. Looking at endless tables of data.

Well, fasten your seatbelts. This year the ride gets a lot faster, smoother and exciting with today’s generation of risk and policy management tools. Yes, we do have next generation and no we are not limited to boring spreadsheets. If you yawn during this group, you’ll miss something important.

Typically, we divide these tools into traditional and next generation. The next gen tools meet the same types of criteria as next gen tools in other categories, plus we expect next generation risk and policy management tools to be able to self-populate their asset lists. This may be the last year that we can make that distinction because most of the tools that we are seeing either are full-on next gen or are getting very close.

The reason is, oddly enough, obvious: enterprises are more complicated, larger and more distributed globally than ever before. Add the increasingly rigorous regulatory requirements and it is becoming infeasible to manage risk and policy manually. Spreadsheets – even spreadsheet lookalikes – are out and machine learning is in. One of our two innovators this year might be – and in years past was – thought of as mainstream traditional. However, this year, in keeping with the mandate to continue to innovate, it has become as close to next gen as it can be without completely crossing the line. We predict that next year will see this fine product take the final leap to full automation, auto-population and all of the other features that we look for in next gen risk and policy management tools.

Our other innovator has carved out a unique niche and is definitely next generation. There is no need to populate with the entire asset list of the enterprise because this one is concerned with third party risk. That means monitoring the globe. The only way to do that is with the most intelligent tools, algorithms and information gathering techniques. The bottom line is that this category has become as interesting and fast-moving as any we looked at over the past year. 

MetricStream M7 platform and apps


Company Name

MetricStream

Flagship Product in this Category:

M7 platform and apps

Flagship Product cost

Contact the innovator for details – MetricStream pricing is based on the number of application modules and number of users. Perpetual licensing as well as term/monthly subscription pricing options are available.

Web

https://www.metricstream.com

Innovation

A modular GRC system that can move readily into the next generation

Greatest Strength

One of the most forward-looking and flexible innovators that we’ve seen. A move to the modern cloud is generally unexpected in this marketspace, but with this innovator we were pleased though not surprised. These folks certainly are future Hall of Fame material.

This innovator is quite unusual because, although it is a rather large organization and a current market leader, it still behaves like a small startup: it keeps innovating, can turn on a dime to address emerging issues and has made a mantra out of staying very close to its base of customers and prospective customers. We find this a bit unusual in the security marketplace and it is refreshing to see. We expect to see this innovator in the Hall of Fame eventually if it keeps up this fine performance.

This is the poster child for what happens when a traditional GRC product starts to go next gen. The product really is less a product and more a platform. And, in fact, last year we got a hint of where this tool set is headed. Then it was rather vaguely referred to as “GRC Platform and GRC Apps & Solutions.” This year it has earned a formal name: M7 Platform. To support the various specialty areas of GRC there are around 20 applications that snap into the platform.

But the big news – and the solid step into a new category we are referring to as next generation traditional GRC (admittedly, this is just our way of thinking at the moment) – is the move to the cloud. But not just any cloud, it turns out. This is the “Modern Cloud.” It is a multi-instance (rather than multi-tenant) architecture. This architecture allows elastic provisioning, gives a global presence, and is faster and less expensive, plus it offers improved security. It also allows hyperconvergence for fast start as well as rapid change management. That makes it one of the first to use next gen analytics in a pure GRC tool, which allows easy capture from third party sources (e.g., threat data).

There are several important applications released for M7. This snap-in architecture allows them to add functionality that moves rapidly and can be rolled out quickly. Everything is tagged and stored in the MetricStream data model, which gives you all the tools you need for operations, tactics and strategy… all in the GRC library. This approach allows all sorts of evolution, such as new types of analytics. It also leverages the strong data model and makes the platform very nice for users at any level because it is extremely customizable.


BitSight Security Ratings


Company Name

BitSight

Flagship Product in this Category:

BitSight Security Ratings

Flagship Product cost

$20,000 annual subscription

Web

https://www.bitsighttech.com/security-ratings-vendor-risk-management

Innovation

A cyber security ratings service that is accurate, complete and unbiased.

Greatest Strength

These guys amazed us with their well-thought-out and constructed service. In our experience this is the only one of its kind and clearly, based upon impressive customer acceptance, they are succeeding.

This innovator is new in the Class of ’17 and it is so innovative that we couldn’t resist. What if there were a Moody’s-style service for determining the cyber risk associated with any organization, including governments? There is, and it’s this innovator. The best description of BitSight’s service comes right from its web site landing page: The BitSight Security Rating Platform generates objective, quantitative measurements on a company’s security performance to produce daily security ratings ranging from 250 to 900. BitSight analyzes existing security incidents and practices and applies sophisticated algorithms to produce these ratings, which are based on externally observable, non-intrusive data and methods. This is a subscription service very much like the familiar credit score model.

BitSight integrates with typical GRC programs to provide an ongoing data input for third party risk modeling based upon reliable, repeatable data. The company was formed in 2011, starting with an NSF grant. Its aim was to be a rating agency (e.g., Moody’s) for cyber security. This had been tried before by another company, but the concept of a central hub did not work well in that trial. BitSight wanted to be like a consumer credit score, so the company developed an unbiased format. BitSight just measures and you buy the service; you don’t pay them to do the analysis on your behalf, so, like Consumer Reports, it is not biased by payments from the organizations being rated.

The methodology is to measure behavior without being on site and without requiring any disclosure from the rated organization. The results are not about the existence of controls. Rather, they are about the effectiveness of controls. One of BitSight’s innovations is developing a distinction between a system compromise and a breach. By watching communications into and out of an organization, the service sees what code is inside and where that code calls out to. The more the platform sees, and the longer this goes on, the higher the probability of breach grows. To help correlate observations with breaches, BitSight has all publicly-disclosed breach data.

Core use cases include third party risk, mergers and acquisitions, cyber insurance and first party risk. This can be especially useful to incident responders since all of the data in and out of the victim is known and rated by this innovator. Even at this early stage in the development of the service BitSight quotes an impressive customer list including seven of the top ten cyber insurers, 80 Fortune 500 companies, and three of the top five investment banks.