As you will see, the products we looked at this month tend to be large and complicated. However, the job they do is large and complicated. Risk and policy management is not for the faint of heart. It requires dedication and, more than anything, cooperation and support for the effort that cuts across all of the silos in the organization. That, really, is where the rubber meets the road. Such a level of buy-in – especially in larger organizations – can be pretty hard to come by.
Back in the day, when GRC (governance, risk and compliance) applications were in their infancy, it was not particularly difficult to sell the product, especially to a large customer. But when it came to deployment, the monkey fell on one person’s or one department’s back and they were expected to make the whole thing happen. As with any large project that does not appear to affect the day-to-day operation of the business, this often failed and the product became shelfware.
Today, the ballgame is a bit different. Back then, executive management did not usually acknowledge the critical importance of the IT security function, and GRC just sort of felt like an IT thing: IT was deploying, after all, so it must be their problem, and we have bigger fish to fry. No more. The threatscape has become so pervasive and so difficult to manage that organizations are beginning to feel their backs against the wall. One successful cyberattack can devastate the organization. Some enterprises have been put out of business, and many more – those behemoths that could withstand a serious breach – lost value and consumer confidence.
So that brings us to the present, and to this month’s collection of 14 different GRC products. Many of these are as different as night and day. They consume data differently. They consume different types of data. They focus on different areas of GRC. But they all, at the end of the day, have one thing in common: Their developers intended them to help the organization shift risk and compliance management from a view of the enterprise as a blank canvas – or, at best, an incomprehensible jumble of data – to a well-understood, ongoing analysis of the organization’s risk picture. So risk no longer need be hidden.
There are downsides to this, of course. These still are huge applications. They still cut across the organizational silos. They still are hard to find a home for. There are solutions, though. One of our vendors this month referred to the successful deployment and use of GRC as a journey rather than a destination. That characterizes all of our security – physical or cyber – in today’s business environment. We simply never reach the end of the road.
Oddly, the answer is simple but not simplistic. Organizations need to put away artificial boundaries and look at what the C-suite really needs to answer the most important question in today’s business world: “What is our risk?” Not, “What is our cyber risk?” Risk, today, is risk. Certainly it has many components, and a major one – if not the major one – is cyber. But the organization must view risk holistically. And that is what the 14 products we looked at this month all have in common. Some may place emphasis differently from the others. But when it’s all done, there is one – and only one – goal: Protect the organization. And you cannot do that without solid information, solid analytics and a clear way to view the results in as close to real time as possible.