Date: 2017-11-01

Verdict: This always has been one of our top picks over the years. This year it did not disappoint us, even though it has moved to a new home. We make this our Recommended traditional product this month.

Summary

This is one of the heavyweights of GRC. It is composed of five core modules: Risk Management, Cybersecurity and Vulnerability Risk Management, Compliance Management, Policy Management and Workflow Management, including incident management. Formerly Modulo Risk Manager, DM360 comes with a significant pedigree and we hope SAI Global will continue to build on that legacy.

The core of the product is one of the largest and most comprehensive libraries of knowledge bases, controls, regulations and standards, surveys and frameworks in the industry. The tool is organized around use cases such as vendor risk management. It takes about eight weeks to deploy a use case fully, including training, site preparation and analysis. Of course, after the first use case is deployed, that time decreases significantly, making the product one of the fastest to achieve a useful return.

While the tool does not do its own auto-discovery, it does integrate out of the box with over 40 third-party tools and it can take an asset inventory from a tool such as Qualys. Assets also can be imported manually from an XML or Excel file. Objects that appear in an LDAP file can be imported as well.

It can be deployed as a SaaS tool or on-premises. The product focuses on business relationships rather than technology intersects. Some of the third-party integrations provide unique insights. An example is SecurityScorecard. This is especially useful for managing vendor risk. Using SecurityScorecard's API, its findings are integrated into DM360. It also connects to third-party ticketing systems such as Remedy or ServiceNow. Communication is two-way so the action needed or taken can be fed back to DM360. The tool also has a comprehensive workflow.

Because this tool is business-focused, it reports on such things as strategic - and tactical - business components with the highest risk. It then provides a detailed drill-down to get the details. So, if you are looking at a business unit, and the graph shows some number of red (very high) risks, drilling down can help you triage your way to improving overall business risk.

Content is off the map. With over 44,000 controls and over 68,000 mappings to over 41,000 requirements, the tool pretty much leads the industry. The controls and requirements are cross-mapped, so establishing a control under NIST Cybersecurity Framework 1.1 also maps that control to all other requirements in other standards.

This product uses surveys, and it has many out of the box, but they also are easy to create. There also is a mobile capability that lets a user respond to questionnaires, including using pictures for evidence, which is especially good for answering physical security questionnaires. Tracking of the progress of questionnaires is automatic and is built into the workflow. The workflow is, largely, automated and that really is what SAI Global means when it says that DM360 is automated. To help with the automation there are many workflow automation rules available out of the box, but, of course, you can build your own if you wish.

Pricing is reasonable and standard support is included with the SaaS offering. Otherwise it is included for the first year and is 20% after that. There are premium plans as well. The web site is largely a marketing site but there is a customer portal. Documentation is complete and comprehensive as we would expect from a company with the experience of SAI Global.