I had a good discussion with Erik Heidt today about IT GRC management tools. We were talking about why there is an IT GRCM market that is distinct from the EGRC platform market. It’s clear that there is a separate market — vendors like Agiliance, RSAM, Lockpath and Modulo are IT GRC-specific. The buyer tends to be an IT security buyer. But are the buyers of IT GRCM applications getting anything for their money that they can’t get from other tools? And what are they getting? With EGRC platforms you get the same functionality for policy, compliance, and risk management that you get from an IT GRCM tool. As for monitoring of automated technical controls, the most visible differentiator between IT GRCM and EGRC platforms, aren’t SIEM applications better at that? Plus, it seems most buyers of IT GRCM don’t integrate with automated controls anyway. So, is the only real difference between IT GRCM and EGRC platforms that the former is a security-specific play and the latter is a multi-team, cross-enterprise play? If that is so, then as IT security buyers start using tools that also support other enterprise users, the IT GRCM best-of-breed market could slowly die.
Paul Proctor and Erik Heidt are both working on research around the IT GRCM market — it will be interesting to see what they discover about the future for IT GRCM.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.