Gartner Blog Network

Will IT GRC Begin to Die This Year?

by French Caldwell  |  January 3, 2013  |  1 Comment

I had a good discussion with Erik Heidt today about IT GRC management tools.  We were talking about why there is an IT GRCM market that is distinct from the EGRC platform market.   It’s clear that there is a separate market — vendors like Agiliance, RSAM, Lockpath and Modulo are IT GRC specific.  The buyer tends to be an IT security buyer.  But are the buyers of IT GRCM applications getting anything for their money that they can’t get from other tools?  And what are they getting.  With EGRC platforms you get the same functionality for policy, compliance, and risk management that you get from an IT GRCM tool.  As far as monitoring of automated technical controls, the most visible differentiator between IT GRCM and EGRC platforms, aren’t SIEM applications better at that?  Plus, it seems most buyers of IT GRCM don’t integrate with automated controls anyway.  So, is the only real difference between IT GRCM and EGRC platforms that the former is a security specific play and the latter is a multi-team, cross enterprise play?  If that is so, then as IT security buyers start using tools that also support other enterprise users, the IT GRCM best of breed market could slowly die.

Paul Proctor and Erik Heidt are both working on research around the IT GRCM market — it will be interesting to see what they discover about the future for IT GRCM.





Category: applications  compliance  cybersecurity  grc  risk-management  

French Caldwell
VP and Gartner Fellow
15 years at Gartner
19 years IT industry

French Caldwell is a vice president and Gartner Fellow in Gartner Research, where he leads governance, risk and compliance research. Mr. Caldwell also writes and presents on knowledge management. His research includes analysis of the impact… Read Full Bio

Thoughts on Will IT GRC Begin to Die This Year?

  1. To answer the question in your title, quite the opposite, French.

    Let’s look at the following; laws, buyers, tool capabilities.


    If you look at the number of laws and international standards passed over the last 18 months, the number pertaining to ITGRC (information protection, privacy protection, configuration management, monitoring of events including threats) outweighs the number of laws and international standards passed by general EGRC about 6 to 1.

    Health IT specific laws (records management, configuration management, privacy) account for nearly 10% of all GRC-related laws passed last year.

    SmartGrid computing, Cyber Defense, and international Cloud based laws and regulations make up about another 10%.

    So the laws say that ITGRC (if you want to call it that) is a really big concern (seeing as how these laws passed don’t go into effect until this year and next).


    I don’t know who you are talking to, but IT security is only *one* of the many buyers of the GRC products you mentioned above. IT infrastructure, general audit, and many others are in the mix. And the end using *audience* is definitely cross functional and outside of the IT space within the organization. I know, I have to talk to people and support our customers on a daily basis. Most of the organizations that utilize the UCF within a GRC tool are including people within the insurance team, the CFO’s office, supply chain people, DR people, audit people, and specific BU leaders who have to stay on top of compliance.

    –Tool capabilities–

    I’ll go with you in your argument that many of the IT GRC tools are way behind the mark of where they need to be in interoperability between their tools and communicating with SIEM and SCM (secure configuration management) vendors. Way behind.

    I believe the root cause is that the original model of GRC vendors was to stand up an application framework and then act like the Thomas Pink of the GRC world–building bespoke applications for each client.

    The RSAM, Modulo, Agiliance days are numbered. The LockPath, Trace Security, and other days where the vendor builds an application a client can *use* without millions of dollars of “consultative design” are on the rise.


    My prediction isn’t that ITGRC will be on the wane. GRC as a consultative tool build will be. GRC as an application you can use will grow.

    And these new tools will be built to connect to SIEM products, CAP feeds, SCM products.

    Because the Cloud world demands it. The US and many foreign governments are demanding it.

    The smart vendors are already working in that direction. They just might not have shown that to you yet.

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.