Like any analyst, I spend a lot of time on vendor briefings and meeting with very early-stage startups. Sometimes it’s an established vendor pushing a new product or widget, and other times it’s a stealth idea I’m evaluating for one of our investor clients. Usually I can tell within a few minutes if the idea has a chance, assuming the person on the other side is capable of articulating what they actually do (an all too common problem).
In 2007 I posted on the primary technique I use to predict security markets, and as we approach RSA I’m going to build on that framework with one of my favorite examples: IT-GRC.
IT-GRC (governance, risk, and compliance) products promise a wonderland of compliance bliss. Just buy this very expensive product – which typically requires major professional services to implement, and all your business units to buy in and participate – and all your risk and compliance problems will go away. Your CEO and CIO get a kick-ass dashboard that lets them assess all your risk and compliance issues across IT, and you can have all the reports your auditor could ever ask for with the press of a button.
Uh-huh. Right. Because that always works so well, just like ERP.
Going back to my framework for predicting security markets, there are three classes of markets:
- Threat/Response – Things that keep your customer website from being taken down, ensure people can surf during lunch, and keep the CEO from asking what’s wrong with his or her email. All those other threats? They don’t matter.
- Compliance – Something mandated by your auditor or assessor, with financial penalties if you don’t comply. And those penalties have to cost more than the solution.
- Internal Motivation/Efficiency – Things that help you do your job better and improve efficiency with corresponding cost savings.
The vast majority of security spending is in response to noisy, in-your-face threats that disrupt your business (someone stealing your data doesn’t count, unless they burn the barn behind them). The rest deals with compliance mandates and deficiencies. I think we only spend single-digit percentages of our security budget on anything else, maybe.
So let’s look at IT-GRC. It doesn’t directly stop any threats and it’s never mandated for compliance. It’s a reporting and organization tool – and a particularly expensive one. Thus we only see it succeeding in the largest of large companies, where it shows a financial return by reducing the massive manual costs of reporting. Mid-sized and small companies simply aren’t complex enough to see the same level of benefits, and the cost of implementation alone (never mind the typically 6-figure product costs) isn’t justified by the benefit.
IT-GRC in most organizations is like chasing Paris Hilton the Unicorn. It’s expensive and high-maintenance, with mythical benefits – and unless you have some serious bank, it isn’t worth the chase.
That’s not my assessment – it’s a statement of the realities of the market. I don’t even have to declare GRC dead (not that I’m against that). If you have any contacts in one of these companies – someone who will tell you the honest truth – you know that these products don’t make sense for mid-sized and small companies.
This post isn’t an assessment of value – it’s a statement of execution. In other words, this isn’t my opinion – the numbers speak for themselves. All you end users reading this already know what I’m saying, since none of you are buying the products anyway.
5 Replies to “FireStarter: IT-GRC: The Paris Hilton of Unicorns”
To @andrew’s point, compliance is really more of a documentation and workflow issue, not technology and that means consensus. We all know how easy it is to gain consensus on things in large companies, right?
It seems to me that the bigger “firestarter” part of the post is the contention that nothing gets bought unless it’s disruptive, which IT-GRC is not. Compliance reflects things that were disruptive a couple of years prior (and thus become part of the regulation). Guess I should do a FS counterpoint to surface that issue.
Another problem with IT-GRC, perhaps even more so in larger companies, is “who pays the bill”?
Is it the IT dept, the governance dept, the risk dept or the compliance dept? The difficulties in getting the different groups to agree can kill a sale, even if the advantages are clear-cut.
Personally I think there is a fourth category: The placebo pill. When your senior executives and board members are in fear of the first three categories, it drives an investment into something that solves all three markets/problems. Of course it doesn’t really, but you feel better about it. Then we get to talk about how proactive we are over cocktails.
—
Seriously, I don’t have a problem with GRC as a concept. But GRC as it has become known is little more than brochure-ware to lead people through a generic checklist that gets them up to speed on the compliance flavor of the day. If you are working in a capability maturity model it’s OK, because you are taking the first step away from chaos. The problem is these ‘platforms’ are expensive and don’t provide anywhere near enough value to justify their cost.
-Adrian
pffffft. Where’s the fire in this firestarter? The only appropriate response to this is “yyyyyup”.
“Look at all the shiny bits!” The allure of the exotic and unusual is a surefire way to claim leading-edge innovation especially in and among our security-focused brethren, right? Why if two devices merged together are good, adding a third and fourth will just make it that much better? By way of example, let me introduce UTM, SWG, DLP and networks that still need to be managed.
Now, please don’t think for a moment I’m not for innovation. My own career has been a blazed, or set ablaze, mostly on the fringe of established markets. Embracing the proprietary and patented, I’ve forged ahead with promises of savings and better performance. Sometimes it worked, other times not. Value is often manifest despite bells, lights, whistles and patent claims. Execution is key. It’s basic blocking and tackling that sets the tone. Just ask Big Ben, though he likely wouldn’t answer, what he could have done if his line gave him better protection (tied for 1st place in the NFL with 50 sacks!) Ouch.
In my opinion, ignorance and myopia drive many security decisions. It’s one thing to buy a product to meet a “compliance Check-box.” It’s an entirely different matter to embrace transparent IT management process where everyone knows what’s going on. There are still way too many management silos in place. Thus, as long as silos persist and shiny innovations are all the rage, Paris Hilton-unicorns will continue to make the front page. Scary stuff….but fun.