MarketScope for IT Governance, Risk and Compliance Management, 2008

Transcription

1 MarketScope for IT Governance, Risk and Compliance Management, 2008 Gartner RAS Core Research Note G , Paul E. Proctor, Mark Nicolett, French Caldwell, 11 February 2008, RA The IT GRCM market was new for 2007, but it is predicted to epand in The functions IT GRCM products provide address needs epressed by 75% of the Gartner client base. WHAT YOU NEED TO KNOW The IT governance, risk and compliance management (GRCM) market is composed of vendors that provide software products that help organizations proactively measure and manage their IT technology and process controls. The IT GRCM market became viable in 2007, with several vendors offering products, but the products are early and lack maturity on many levels. IT GRCM solutions have a repository; basic document management capabilities; good workflow, survey and reporting functions; and dashboarding, with policy content that is specific to IT controls, and support for the automated measurement and reporting of IT controls. MARKETSCOPE This document is an updated version of the document published on 11 February IT GRCM is a new market. Its products support operations risk management through functions that measure, manage, and report on IT-centric technology and process controls. Organizations can use IT GRCM products to document and assess their IT-centric technology and process controls. For more information on the definition and use of core IT GRCM functions: Controls and policy mapping Policy distribution and training attestation IT control self-assessment and measurement IT GRCM asset repository Automated general computer control (GCC) collection Remediation and eception management Basic compliance reporting IT compliance dashboards IT risk evaluation The IT GRCM market became viable in 2007, with several vendors offering products that are strong in the following areas: Policy mapping Advanced in most products, thus making it easier for organizations to document their controls and map them to their control objectives and regulatory requirements.

2 2 IT-centric perspectives and functions Support the unique needs of IT operations, security and risk management managers beyond the generic and financial-centric functions of financial GRCM vendors. Advanced computer controls collection Automated gathering of technology evidence; relatively immature in some products, but strong in others. The products in this market are early and lack maturity on many levels. In general, the products in this market suffer from the following limitations: Lack of integration between many of the core functions in a single offering. Many of the vendors offer multiple disconnected products to cover different core functions. Technology and process controls are not appropriately integrated at the assessment and reporting levels. Treating them separately reduces the effectiveness of risk measurement. Solutions are too auditor-centric. Many of the products betray their roots in support of auditors or as security configuration management technology. IT GRCM should support an organization in its audits and in proactively managing controls. Market/Market Segment Description The IT GRCM market is composed of vendors that provide software products that help organizations proactively measure and manage their IT technology and process controls. They also help: Define IT policies, processes and controls that are based on best practices. Manage policy content. Map policies to process and technical controls, as appropriate. Automate the measurement of process and technical controls. Evaluate the risk of noncompliance. Automate the auditing and regulatory reporting of these elements. IT GRCM solutions have a repository; basic document management; good workflow, survey and reporting functions; and dashboarding, with policy content that is specific to IT controls, and support for the automated measurement and reporting of IT controls. IT GRCM solutions may take input from controls automation and monitoring tools, such as configuration auditing, identity and access management, and security information and event monitoring. Inclusion and Eclusion Criteria Inclusion in the 2008 IT GRCM MarketScope is based on a software product s function in the following areas. Coverage of core IT GRCM functions. Products must be in general availability as of 1 January Products must be deployed in at least three customer production environments, with references available, as of 1 January Participants must be determined by Gartner to be significant players in the market, via market presence and/or technology innovation. Products must specifically target and market to the IT GRCM market. IT Governance Offerings of Enterprise GRCM Platform Vendors The primary reason why some buyers look to enterprise GRC (EGRC) platform vendors, rather than IT GRCM vendors, for IT governance functionality is that they are taking an enterprise approach to compliance and risk management, and want to have all business units, including the IT organization, on the same GRCM solution. Many vendors with EGRC platforms offer modest IT governance functionality. At a minimum, most EGRC vendors offer the ability to document, survey and report IT risks and controls, but lack IT-specific content. Some also provide limited support for an IT asset repository and IT policy management. Although BWise is the only EGRC vendor considered to have enough IT GRCM functionality to be rated in this MarketScope, other vendors have partial IT governance functions. In addition, some IT GRCM vendors provide solutions that can be adapted to EGRC use cases and are beginning to successfully compete in the EGRC market segment. Rating for Overall Market/Market Segment Overall Market IT GRCM products provide functions that address needs epressed by 75% of the Gartner client base. Gartner estimates that software license revenue for vendors that meet our criteria for inclusion in the IT GRCM MarketScope was $73 million for 2007, and we project a growth rate of 70% for For vendors such as NetIQ and Symantec, which have substantial revenue streams from GCC measurement point solution products, we included a percentage of that revenue based on the current adoption rates of other IT GRCM modules. Evaluation Criteria Vendor Product/Service Analysis Agiliance Agiliance is a young company that has been shipping its product (IT-GRC) since December Agiliance IT-GRC provides tightly integrated capabilities that function out of the bo, with little customization required. The highlight of this offering is its intuitive interface and its top-down approach to managing IT-related controls. Although it s not the best in all categories, Agiliance should be considered by organizations that require balanced IT GRCM functionality across all categories Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions epressed herein are subject to change without notice.

3 3 Table 1. Evaluation Criteria Evaluation Criteria Market Understanding Comment Ability of the vendor to understand buyers wants and needs, and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers wants and needs, and can shape or enhance those with their added vision. Weighting high Customer Eperience Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), the availability of user groups, service-level agreements and so on. standard Offering (Product) Strategy The vendor s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements. low Product/Service Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria. high Sales Eecution/Pricing Operations The vendor s capabilities in all pre-sales activities and the structures that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel. The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, eperiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis. low low Source: Gartner

4 4 Figure 1. MarketScope for IT Governance, Risk and Compliance Management, 2008 RATING Agiliance Archer Technologies Brabeion BWise Information Governance Modulo Security NetIQ Symantec Strong Negative Caution Promising Positive Strong Positive As of 6 February 2008 Agiliance IT-GRC has an intuitive, clean interface; and its top-down approach should ease implementation. It has good out-of-the-bo policy and assessment data; its risk assessment function is comprehensive; and it has good detail and fleibility for confidentiality, integrity and availability assessments. However, simplicity is provided at the epense of some fleibility. The Agiliance product s automated GCC data gathering is relatively weak compared with competitors such as Symantec and NetIQ, and Agiliance is a small company with limited production deployments. Archer Technologies Archer Technologies has provided IT GRCM functions since 2003, and has established a modestly sized installed base of large customers. Archer found initial success in the financial services industry segment, but it now has customers across many segments. Archer provides a suite that is composed of seven management modules (policy, incident, asset, threat, risk, vendor and Sarbanes- Oley Act [SOX] compliance) that can be integrated using the Archer Framework. Archer s offering is oriented to large companies that value the ability to customize over pre-defined functions; therefore, each module requires customization prior to deployment. Although Archer s customer base is small when compared with vendors such as Symantec and NetIQ, its customers are top down users of the technology, and the technology is optimized for risk- and compliance-oriented buyers that are not focused on automating the measurement of GCCs. Because of its design, which supports customization, Archer s offering can also be fleibly deployed. However, automated GCC measurements are not formally supported by the product and require a service engagement. The stability of the automated GCC measurement is also highly variable, depending on the source. Brabeion Brabeion is a young company that started shipping its product in March It has two products: IT Risk and Compliance Center (ITRCC) for policy management/controls mapping, and IT Risk and Compliance Manager (ITRCM) for automated GCC collection. ITRCC is a rewrite of the PricewaterhouseCoopers (PwC) ESAS product, and ITRCM is powered by integrations with the GCC collection components of NetIQ and Symantec. Licensed content from PWC is augmented with Brabeion-developed content. The two products are loosely coupled through a common Web interface. Brabeion s major differentiator is its eclusive licensing of PWC controls framework content, which makes it an obvious shortlist choice for organizations that are looking to address eternal-attest auditor requirements. This strength is also Brabeion s greatest weakness, because the company s offerings are better-suited for supporting auditors than internal teams proactively managing an enterprise risk control program. Brabeion s products offer internal and eternal auditor support, especially for organizations that use or are considering PWC for eternal services. The ITRCC product s version management for the creation of policies is a differentiator. Brabeion s risk assessment capabilities and GCC functions are not as mature as its competitors, which are best-in-class in this area. ITRCC and ITRCM are not well-integrated, even though they have a common interface. Rating: Promising Rating: Strong Positive

5 BWise BWise is the only EGRC platform vendor in this MarketScope. The BWise GRCM product suite is driven by a robust business process management (BPM) engine, which provides good workflow and even some process controls automation. BWise has some of the highest growth rates of any of the vendors in the EGRC platform market, and a large number of customers are using it for IT GRCM purposes. In evaluating BWise s offering from an IT GRCM standpoint, the company was able to demonstrate key IT GRCM elements, including an asset repository, IT-specific policy and controls content, and good policy mapping. Its inherent BPM functionality also proves useful in integrating the collection of GCC information from other vendors technical controls products, but BWise does not have a fully automated collection of GCC information. BWise is particularly strong for buyers who are looking for a crosscompany approach to GRC, rather than an IT-specific solution, but it offers less appeal to those focused specifically on IT security and configuration management controls. BWise has good reportfiltering capabilities, which provide targeted views of risks and controls. Another strength is the company s integration of IT GRC and finance GRC functionality. Information Governance Information Governance is a small company based in Europe with a primary consulting business. Using its consulting eperience and international standards, Information Governance has developed the Proteus product suite to address IT GRCM functions. Although primarily designed to support the internal audit process for international standards such as BS/ISO 27001, it provides good support for small to midsize implementations to proactively address risk management. The primary differentiators are the product s ability to track accountability, schedule, its development plan and its cost justifications for each identified control gap. This structured approach to risk management has more depth than most IT GRCM offerings, but it is less scalable than other parts of the product. Proteus is best for enterprises focused on management and compliance against the information security management system, as defined in BS/ISO Information Governance has good coverage of European standards and localization in several European languages. It has strong support capabilities for controls and audit management in enterprises adhering to international standards. Being a small company that is self-funded can be challenging. Information Governance supports an open application programming interface (API) for integration with third-party GCC collection products; however, there is only one production user for this function. The company is also challenged with integration and content development that is required in larger enterprises with broader control requirements than published BS/ISO standards. Rating: Caution Modulo Security Modulo is an established Brazilian company that provides security software and consulting services. Modulo opened an office in the U.S. to sell to the North American market. The company is large and the products are mature based on their past eperience in Brazil, which positions Modulo to do well in North America if it can develop its sales and marketing effectively. Modulo Risk Manager is primarily a self-assessment and controls management product, and was one of the most fleible products we evaluated, especially in controls mapping and policy management. However, it was not as intuitive as competitors such as Agiliance. Native GCC collection is provided and widely deployed, but it lacks some centralized management capabilities. There is also no integration with eternal ticketing systems. Modulo, however, is a strong company with mature products, and it has good auditor workflow support. Rating: Promising NetIQ The NetIQ division of Attachmate offers a loosely integrated IT GRCM product suite. The suite is comprised of three components: Secure Configuration Manager (SCM), which provides automated GCC definition and measurement, as well as an asset repository; VigilEnt Policy Center (VPC), which provides policy mapping, distribution and response, along with controls self-assessments; and Risk and Compliance Center (RCC), which provides compliance reporting and risk management functions. NetIQ is an established provider of security and operations management software, and has a large installed base for SCM. NetIQ SCM s primary competitor is Symantec. NetIQ tends to sell each component of its suite as a point solution to a specific buying center, in contrast to others that are attempting a topdown sale of broad GRCM functions to risk- and complianceoriented buying centers. NetIQ s strengths include automated GCC definition and measurement, and a loosely coupled suite that enables function acquisitions as needed. NetIQ is an established company with a large customer base and multiple revenue streams; however, its policy mapping and risk assessment functions are focused primarily on technical controls. Automated computer-controls-measurement is not an initial focus of RCM-oriented buying centers. Symantec Symantec s IT GRCM offering Control Compliance Suite (CCS) is based primarily on technology from its 2006 acquisition of BindView, but Symantec is aggressively epanding its product capabilities. IT control self-assessment capabilities are provided through technology from its more-recent acquisition of 4Front Technologies. Automated general-control-collection is provided by the CCS standards module security configuration policy compliance component. Symantec has the largest installed base of 5

6 6 security configuration policy compliance customers and GCC and measurement users spread across its Enterprise Security Manager (ESM; Symantec), CCS (Bindview) and Security Epressions (Altiris) products. It is also the largest provider of IT GRCM technology, with the potential to capitalize on a large services organization. Symantec plans to combine the automated GCC collection capabilities of its ESM and CCS products into a single solution in It is also attempting to sell its CCS suite to risk- and compliance-oriented buying centers, but automated computercontrols-measurement is not an initial focus of these buying centers. Symantec needs to continue developing its risk assessment capabilities. Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mi of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the net does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Gartner MarketScope Defined Gartner s MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor s products in comparison with the evaluation criteria. Consider Gartner s criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs. In the below table, the various ratings are defined: MarketScope Rating Framework Strong Positive Is viewed as a provider of strategic products, services or solutions: Customers: Continue with planned investments. Potential customers: Consider this vendor a strong choice for strategic investments. Positive Demonstrates strength in specific areas, but eecution in one or more areas may still be developing or inconsistent with other areas of performance: Customers: Continue planned investments. Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations. Promising Shows potential in specific areas; however, eecution is inconsistent: Customers: Consider the short- and long-term impact of possible changes in status. Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor. Caution Faces challenges in one or more areas. Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact. Potential customers: Account for the vendor s challenges as part of due diligence. Strong Negative Has difficulty responding to problems in multiple areas. Customers: Eecute risk mitigation plans and contingency options. Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.