Industry Innovators: Risk and policy management
On the surface this is a pretty boring category. But don't yawn just yet. There are some really neat transformations taking place here, and one of the most interesting is the one that is not obvious. We have observed two basic kinds of risk and policy management (GRC: governance, risk and compliance) tools. The first is what we term next-generation tools. These are cloud-based in many instances, but they always share a highly technical view of GRC. They may manage firewalls or configure routers, but whatever they do, they wrap it in technology and the cloud.
The second kind is what we term traditional or old school. These products take a very strait-laced approach to gathering data, applying policy and regulatory requirements, and generating reports, and they usually include a way of managing workflows and remediation. When you find a next-generation tool dressed up as a traditional tool, you really have something. That was what we were on the prowl for as we searched out Innovators for this category.
Traditional GRC requires that users generate and manage policies and manage regulatory mandates, apply industry-standard best practices such as those developed by NIST, create workflows for the audit and analysis process, and create and manage remediation workflows. Gathering data from the enterprise to accomplish all of this is a challenge, especially for large enterprises, those that arguably need these tools the most.
Data collection needs to be diverse, allowing collection directly from network devices as well as from questionnaires and other "soft" sources. Remediation of discrepancies requires the ability to work the process in the other direction, pushing corrections back out, especially to the network devices. All along the way, regulatory compliance must be addressed and documented.
All of this implies a traditional system, but the complexity of today's enterprises and the myriad of regulatory and policy requirements argues for a next-generation tool. When we started digging for the "perfect" tool to go in this section, what we really wanted, of course, was the Innovator(s) that managed to hit this middle ground, the best of both worlds. We found one.