I had a good discussion with Erik Heidt today about IT GRC management tools. We were talking about why there is an IT GRCM market that is distinct from the EGRC platform market. It’s clear that there is a separate market — vendors like Agiliance, RSAM, Lockpath and Modulo are IT GRC-specific. The buyer tends to be an IT security buyer. But are the buyers of IT GRCM applications getting anything for their money that they can’t get from other tools? And what are they getting? With EGRC platforms you get the same functionality for policy, compliance, and risk management that you get from an IT GRCM tool. As for monitoring of automated technical controls, the most visible differentiator between IT GRCM and EGRC platforms, aren’t SIEM applications better at that? Plus, it seems most buyers of IT GRCM don’t integrate with automated controls anyway. So, is the only real difference between IT GRCM and EGRC platforms that the former is a security-specific play and the latter is a multi-team, cross-enterprise play? If that is so, then as IT security buyers start using tools that also support other enterprise users, the IT GRCM best-of-breed market could slowly die.
Paul Proctor and Erik Heidt are both working on research around the IT GRCM market — it will be interesting to see what they discover about the future for IT GRCM.