by French Caldwell | January 3, 2013 | 1 Comment
I had a good discussion with Erik Heidt today about IT GRC management (IT GRCM) tools. We were talking about why there is an IT GRCM market that is distinct from the enterprise GRC (EGRC) platform market. It’s clear that there is a separate market — vendors like Agiliance, RSAM, Lockpath and Modulo are IT GRC specific. The buyer tends to be an IT security buyer. But are the buyers of IT GRCM applications getting anything for their money that they can’t get from other tools? And what are they getting? With EGRC platforms you get the same functionality for policy, compliance, and risk management that you get from an IT GRCM tool. As for monitoring of automated technical controls, the most visible differentiator between IT GRCM and EGRC platforms, aren’t SIEM applications better at that? Plus, it seems most buyers of IT GRCM don’t integrate with automated controls anyway. So, is the only real difference between IT GRCM and EGRC platforms that the former is a security-specific play and the latter is a multi-team, cross-enterprise play? If so, then as IT security buyers start using tools that also support other enterprise users, the IT GRCM best-of-breed market could slowly die.
Paul Proctor and Erik Heidt are both working on research around the IT GRCM market — it will be interesting to see what they discover about the future for IT GRCM.
Category: Applications compliance Cybersecurity GRC Risk Management Tags:
by French Caldwell | December 31, 2012 | 1 Comment
At the Gartner Symposium in Orlando, I found just about every 1-1 meeting with attendees and Gartner clients could be boiled down to “things just aren’t working right in my organization.” I found that instead of engaging in discussions about the GRC vendors I cover, I was providing leadership counseling. Fortunately, I had just read David Marquet’s book, Turn the Ship Around.
In the interest of full disclosure, I’ve known David since 1989 when he and I reported aboard the USS Will Rogers, a fleet ballistic missile submarine, or boomer. I was the XO and he was Chief Engineer of the blue crew — boomers have two crews so the missiles can remain hidden under the sea as much as possible. At that time, the Will Rogers blue crew was facing tremendous uncertainty — they had flunked a key nuclear weapons examination and had to be re-certified before they could go on another missile patrol, and the skipper was going to admiral’s mast over a collision with a trawler. I fully expected the skipper to lose his command, but he was retained. The next two years were life-changing for a lot of people in that crew, including David.
When David earned his own command, the USS Santa Fe, a nuclear attack submarine, he vowed to apply a new style of leadership — one in which every crew member is a leader. I am going to say without humility that the one lesson I passed on to David is to stand by first principles no matter what. And I was glad to see that in command he did just that. What’s interesting is that the doubters and the resistance to his principles of leadership were not his bosses. His squadron commodore and the commander of the submarine group were fully supportive. Rather, it was middle management, the chief petty officers, that resisted and at times caused David to doubt his own leadership principles.
Yet David survived his own self-doubt, his chiefs became fully vested leaders, and Santa Fe went from worst to first in the course of a year.
So how do you turn your organization around in a year? You can’t — but your people can. Study after study shows that when employees are engaged and they believe in the goals of the organization, then companies actually see their valuations increase. The real challenge is getting those very employees to believe that things will be better if they truly take responsibility — and that’s the magic in this book.
While there are many business books that describe strategies for gaining employee engagement, what’s really different about this book is that David ends each chapter with practical action items and workshops that you can use in your organization, whether that organization is a small IT shop or a global mega corporation — or even your son’s or daughter’s scout troop committee. This book is about creating employee, team, and volunteer leaders, no matter what the organization.
The only downside to the book is a dearth of parallel examples from the business world. Perhaps if readers take on the lessons learned from David’s experience, in his next book he’ll have many examples to share.
And as for my advice to clients on governance and leadership, research areas into which I’ve been pulled by Gartner colleagues and clients, you can bet that when we talk, I’ll suggest that you read David’s book – so why not read it now and then let’s talk.
Happy New Year!
Recommended Gartner Reading: Maverick* Research: Socially Centered Leadership
Category: Uncategorized Tags:
by French Caldwell | October 31, 2012 | 2 Comments
I expect to hear a lot of stories about social technology keeping people connected in the aftermath of Sandy — just as after Katrina. However, I am also expecting these stories to take a twist — we will hear about how neighbors organized self-relief efforts using social media.
Social media has been playing a part in disaster recovery for some time now. After Katrina, we were able to find out if our family and friends were okay by looking on websites where the names of contacted survivors were posted. During the 9/11 attacks, even as voice communications failed, SMS texting, which requires very little bandwidth, kept working. Companies have been using social media for some time to connect with employees before, during and after natural disasters.
But newer social technologies change the game from one-to-many and one-to-one communication to one-among-many-to-many, and many-to-many.
The self-organization enabled by social media can be very powerful in recovery. It’s this type of self-organization that enabled people to rescue each other after the flooding in Russia earlier this year, when the authorities were incompetent.
Not that our emergency management authorities are incompetent – they are excellent, frankly. But I wonder how Katrina might have shaped up differently if people had wide use of Twitter then.
If emergency managers wanted to take full advantage of social tech after a storm, then they’d prioritize the restoration of cellular communications, wouldn’t they? Perhaps they would even equip CERT (Community Emergency Response Team) volunteers with the social technology training to organize neighborhood relief.
Think about a flash mob of chainsaws to clear a street of trees. Or a neighborhood flotilla of canoes and jon boats organized to bring supplies to stranded families. This type of thing has been happening after recent disasters, and emergency managers should begin to take advantage of it.
Of course this can be dangerous – downed power lines, burning buildings, and flooding are dangerous for the untrained. Regardless, really good relief efforts are empowering systems – they are not managed from the top. Logistics are, but the relief itself is a true many-to-many people-engagement exercise.
In the Queensland 2011 flooding the emergency management authorities had just a month before established a pilot social media program — the results were phenomenal. Social technology has already proven its value in disasters – even in Katrina when it was in its infancy – and now it is coming of age.
Category: public policy Risk Management Social Technology Tags: crisis management, disaster, Public Policy, social
by French Caldwell | October 26, 2012 | Comments Off
One of the questions I get all the time is, “Where can I find what regulations apply to me?” I talked this morning to Fred Diers, who has created GRMpedia, which tracks regulations and their retention and reporting requirements. Areas tracked include marketing, finance, research and development, EHS, contracts, leases, IP, governance, HR and others. It covers 26 countries, all the provinces in Canada, the states in Australia and New Zealand, the special economic zones (SEZs) in China, major EU treaties, NAFTA, etc. In total it tracks over 11K regulations in the US and over 8K outside the US – compare that to about 400 in the UCF (Unified Compliance Framework), for instance. Of course, the UCF serves a different purpose, namely IT controls architecture and audit.
For people trying to solve records retention or regulatory change management GRMpedia looks really helpful.
Category: compliance GRC public policy Tags: compliance, Financial Regulations, Privacy, records retention
by French Caldwell | October 24, 2012 | Comments Off
I’m here at Orlando Symposium talking to a good colleague, Neil McDonald, and I ask Neil, “Why don’t IT service providers, who complain so much about the intrusiveness and costs of customer inquiries, inspections and audits of their security controls, just provide their customers an IT GRC dashboard? That way customers can see for themselves the controls effectiveness at any given time.”
So Neil says, “Think about it. Any heat map of controls is going to have lots of red and yellow on it. It may be better than the customer’s own heat map if they were managing the controls themselves, but customers want to think that it’s all green all the time at the IT service provider — that everything’s patched, that configurations are perfect, changes are made, there are no vulnerabilities and no security events. Their illusions would be smashed if they could see that it’s not really much greener on the other side.”
Category: Cloud GRC Risk Management Tags: cloud, Risk Management, vendor risk management
by French Caldwell | October 12, 2012 | Comments Off
In the last week I’ve had two calls with companies deciding how to respond to the cybersecurity letter that Sen. Rockefeller sent to the CEOs of Fortune 500 companies. The deadline to respond is 19 October.
CEOs are not required to respond, and with the demise of the Cybersecurity Act of 2012, it’s tempting not to answer. However — as I noted in my first take on the Cybersecurity Act, this issue is not going away, and if you want to protect your standing to comment on future legislation and regulations, then at least a considerate reply is in order.
The White House is working on a draft executive order on cybersecurity, which is likely to include a rewrite of HSPD-7. That rewrite was leaked in September. And now Secretary of Defense Leon Panetta is stepping up the beltway rhetoric on cybersecurity – using the August cyberattacks on Saudi Aramco as evidence of the threat.
So, what’s a CEO to do? It’s up to each CEO, of course. You should consult your general counsel and your CISO. If you don’t know who your CISO is …, well, it’s not too late to meet him or her.
Also, consult your Washington representatives — if you don’t have any, that’s fine. Call the head of your industry association, and find out what they’re recommending as a response.
If you do reply, review your letter against the following principles. Any future regulations should be:
1 — Risk and performance based
2 — Industry specific
3 — Voluntary to the extent possible
The bottom line here is that one size does not fit all.
For CEOs who want to know what a great cybersecurity program should look like, I urge you to talk to my IT security colleagues Earl Perkins, Tom Scholtz, John Pescatore, and others who can help you evaluate your cybersecurity maturity and where to focus on improvements.
Note — I’m just the stray policy wonk at Gartner who happens to live inside the Capital Beltway, and in the interest of full disclosure my cybersecurity interest is primarily at the national policy, not the enterprise program level. Many years ago Richard Hunter and I ran the first ever national cybersecurity wargame, Digital Pearl Harbor.
Category: Cybersecurity public policy Risk Management Tags: cybersecurity, Public Policy, Risk Management
by French Caldwell | October 11, 2012 | Comments Off
Wow – just as we’re starting to grapple with the future of risk from social media, along come researchers with the biological internet. The Harvard DNA storage story broke a few months ago, and now researchers at the Stanford School of Medicine have gotten cells to communicate through DNA packets – with a range of 7 centimeters. Obviously not a useful range for long-range comms, but plenty for the internals of your smartphone – or supersmartgeniusphone if this works out.
What new frontiers of biological risk management will IT professionals face? Could your BYOD strategy get the flu?
Category: Uncategorized Tags:
by French Caldwell | October 10, 2012 | 1 Comment
Analyst Having a Major Rant
Dear Michael –
Good to hear from you. Thanks for sending me your latest blog post. I have to say though that when you rant you really do go ballistic — you want to throw six months of my work on the compost pile — ooh, that hurts. But I get it, it’s not me; you just don’t like magic quadrants.
Despite the negativity, you’ve got some interesting points — some valid, some inflated. So let’s take a look at your points:
1 — “There is no transparency or clarity on how vendors are scored.”
There are 12 criteria in the Magic Quadrant for Enterprise GRC Platforms. They are described in the research note, and the weightings are given as well. A client could take these criteria and do their own magic quadrant if they wanted. I’ve even had audience members follow the methodology during my presentations and score vendors in real time. It’s amazing how close they come to the analysts’ scores.
For more on how magic quadrants are created, see: “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market”
2 — “The current Magic Quadrant is a mile wide and an inch deep.”
My colleague John Wheeler and I worked for over six months with input from 19 vendors and 211 customer references to create an evaluation that is concise and readable. When using the magic quadrant, analyst advice can help clients to extract the details for each enterprise’s particular requirements, and to develop a decision framework for choosing which vendors are most appropriate for a given enterprise to consider — including vendors who are not leaders or who may not be in the magic quadrant itself.
Based on your rant you must not know this, but for the last two years we’ve followed up the magic quadrant with critical capabilities notes providing more details on how vendors rank in core use cases like audit management, enterprise risk management, financial reporting integrity compliance, and policy management. However, the number of use cases is growing rapidly — case management, regulatory change management, vendor risk management, anti-bribery compliance, privacy compliance, sustainability reporting, IT risk management, etc., are all use cases that we commonly see, and there are more. So this time, instead of critical capabilities notes, we’re following up with additional notes on audit management, vendor risk management, transactional controls monitoring, ERM applications and many more.
To meet the demand for the breadth and depth of risk management and compliance analysis, Gartner has enlarged our risk management team and our industries and supply chain teams have expanded their risk management and compliance research.
To see some of the new focus on audit, take a look at Khushbu Pratap’s research, and for enterprise risk management take a look at what Paul Proctor is doing with risk value management. We’re also expanding into related legal IT areas — besides e-discovery, where we’ve had a strong research base for some time thanks to Debra Logan and Sheila Childs, John Wheeler is addressing Enterprise Legal Management. And we have analysts leading research communities for privacy, Carsten Casper, and BCM, Roberta Witty.
Oh, gosh, I shouldn’t forget that Jacqueline Heng and John Wheeler are tracking the consultancies that support GRC services and have a MarketScope for Global ERM Consulting Services. Man — so much stuff ….
I could go on — but you get the point, right Michael — there’s an ocean of depth under that inch of magic quadrant.
3 — “Gartner has a script and gives a vendor a short time period to demo their GRC product to Gartner. They do not allow you to go off script – I have heard this from multiple vendors frustrated with the process.”
For two hours of one of 365 days in the year, we hold the vendors to a demonstration script. The vendors have the other 364 days of the year to communicate to us all the breadth and depth of the capabilities that they have and those are considered in the magic quadrant.
A vendor does not have to be a Gartner client to do a vendor briefing. They talk, they show us what they do, and we listen to them the rest of the year — but for two hours of one day, they follow our script. Michael, is that really unreasonable?
When establishing a baseline of capabilities for evaluation, we compare apples to apples. But the demo script is fairly open — any vendor who can’t find a place in it to demonstrate their best differentiators is slipping up.
By the way, we’ll share that script with Gartner clients who want to build their own customized script. We tell them to have the vendors follow their customized script first, but then to give the vendors plenty of time afterwards to demonstrate additional capabilities that were not in the script — just as we encourage the vendors to demonstrate their capabilities throughout the year — most take advantage of that open door, some don’t.
Everything we learn about the vendors over the course of the year is considered in the magic quadrant evaluation — not just the two hour demo, or the vendor questionnaire.
4 — “I also take issue with how Gartner defines and presents the GRC market. While they give lip service to a lot of areas of GRC throughout the document they assume that an EGRC platform is comprised of only the four categories of risk management, audit management, compliance and policy management, and regulatory change management.”
On one hand, Michael, you’re mixing markets with the core functions on the platform, and on the other hand with broad categories of related markets — what we call a marketplace. The Enterprise GRC Platform is just one of many GRC-related markets.
The Gartner “Hype Cycle for GRC Technologies” lists over three dozen technology markets. And then there’s the “Hype Cycle for Legal and Regulatory Information Governance” that lists over two dozen technology markets. For more background on how we view the broad GRC marketplace, take a look at “A GRC Marketplace Comparison Model, 2011 – 2013.”
You’ll find, Michael, that you and I are not so different in our points of view on the elements of the GRC marketplace — but with dozens of contributing analysts, Gartner just has loads of depth.
5 — “Gartner states that there are many businesses implementing a single EGRC platform.”
Michael — where’s the integrity, the transparency? That’s selective quoting. Here’s the full sentence from the magic quadrant (italics added): “Instead of acquiring separate solutions for finance, IT and other business units, many enterprises are choosing to use a single EGRC platform and, when necessary, integrating the many point and functional solutions to satisfy specific GRC needs.”
So yes, there are often many solutions for specific compliance and risk management needs, but lots of enterprises are using the platform to get that holistic top level enterprise view for the board and senior executives. Otherwise, it’s not really enterprise, is it?
Okay, Michael — I hope this helps. I haven’t seen you in a few months, and I look forward to seeing you soon. I’d like to talk to you about my new GRC 4G concepts.
Cordially — French
PS — Remember the time in Rio when our hotel was taken over by an armed drug gang. Who’d have put that in their risk assessments? Fortunately we had skipped town! See ya on the circuit, buddy.
Category: Applications compliance GRC Risk Management Tags: compliance, GRC, Risk Management
by French Caldwell | October 9, 2012 | 5 Comments
Some vendors and their auditors appear to be misusing SSAE 16 the same as they did SAS 70. For example, today I saw an announcement from security vendor Prolexic with the headline, “Prolexic Completes SSAE 16 Examination for Distributed Denial of Service (DDoS) Attack Mitigation Services.”
SSAE 16, the attestation standard behind the SOC 1 report, is, like SAS 70 before it, focused on internal controls over financial reporting — a fact that Prolexic clarifies in a note at the bottom of its press release. To the extent that Prolexic’s customers must ensure that Prolexic has adequate controls to support Sarbanes-Oxley or similar rules, then SSAE 16 is appropriate — but you have to read the press release carefully to glean that context.
However, Prolexic’s president Stuart Scholly went further and stated in the press release: “Completing these examinations assures enterprises that Prolexic has adopted relevant controls that are well designed and operating properly.”
That’s just not true.
SSAE 16, aka SOC 1, does not contain a list of control objectives. The control objectives and the controls to be examined are specified by the service organization’s own management and agreed upon by the auditor, so one vendor’s SOC 1 is not easily comparable with another’s. And a SOC 1 is a restricted-use report, intended for the customer and its financial auditors; it is not supposed to be shared with prospects.
So, to be clear, SSAE 16 (or SOC 1) is relevant for compliance with Sarbanes-Oxley and similar laws. It does not provide comprehensive assurance for security, availability, processing integrity, confidentiality or privacy controls. That’s the purpose of SOC 2, a companion report to SOC 1.
SOC 2 and SOC 3, a short-form version of SOC 2 that can be used in marketing, are based on a defined set of criteria (the AICPA Trust Services Principles for security, availability, processing integrity, confidentiality and privacy) that can be objectively audited, with results that can be compared between companies. INetU is an example of a vendor that has used SOC 2 and SOC 3 to communicate its controls assurance. A SOC 2 report is still restricted-use and is typically shared with customers under NDA; a SOC 3 is a general-use report and can be shared with prospects. Even then, a SOC 2 covers only the principles and systems the service organization put in scope, so read the scope section before taking comfort from the auditor’s opinion.
Now, Prolexic goes on to state that they have PCI DSS certification. Good on ’em — PCI DSS validation is one of several alternatives for vendors who want to demonstrate effective controls. Other standards and certifications include ISO 27001 certification, the Shared Assessments program, the Cloud Security Alliance’s controls matrix, and many more.
For more on SSAE 16 (SOC 1), SOC 2, SOC 3, and alternatives see:
Cloud Security and Risk Standards, by Jay Heiser and Rob McMillan
IT Audit Standards, Frameworks, and Guidelines for Auditees and Auditors, by Khushbu Pratap
SAS 70 Is Gone, So What Are the Alternatives?, by French Caldwell
Category: Cloud compliance GRC Standards Vendor Contracts Tags: cloud, compliance, vendor risk management
by French Caldwell | August 13, 2012 | Comments Off
Living inside the capital beltway, you meet all kinds of people that have jobs that just don’t have any equivalent anywhere else, like the lady I talked to last week who provides advice on safety issues associated with the modernization program for the nation’s nuclear weapons stockpile. I mentioned to her a recent GAO report about how the Navy is using risk management to support its strategic basing decisions for aircraft carriers, and I said it was welcome news to see the federal government starting to use risk management strategically. So we started talking about risk management for her program, and I asked her what the primary KPI, or key performance indicator, was for nuclear weapons modernization. She said it was the number of incidents. Right then I knew we were going to have a disagreement on risk management.
You see, she was approaching risk management from a safety and security standpoint. That’s not helpful strategically, since if number of incidents is the KPI, then the most effective way to achieve that KPI is to stop modernization. I suggested to her that the real KPI would be something that represented the time it took to achieve some milestone in modernization — it could be the time until the first new warhead was produced, or the time until the old stockpile was retired, or something in between that reflected the time to value of modernization. She was aghast that I of all people, a retired nuclear submariner, would not put safety or security first!
But — here’s the problem — if safety and security are first, then your business goals are secondary and potentially will never be reached. So I explained that her suggested KPI was really a KRI, a key risk indicator. As illustrated in the Gartner Business Risk Model, to determine an acceptable risk threshold, the risk indicator needs to be compared to the key performance indicator. What, over the thirty-year period of modernization, are the number and severity of incidents that can be effectively managed — what’s the acceptable risk index? As a nuclear weapons professional in my past life, I can tell you it is not zero.
It’s really tough for safety and security professionals to think this way — zero tolerance is a much cleaner concept. Anything short of zero tolerance implies that the safety and security people are not on the ball. But by not addressing the real risks, and the effect of those risks on performance, it’s impossible to determine which are the most significant risks to monitor. And thus a zero tolerance mentality increases uncertainty in the achievement of business objectives, rather than decreasing it — in other words, zero tolerance sets you up for a major incident.
Category: GRC public policy Risk Management Strategic Planning Tags: