IT-GRC is essentially enterprise GRC functions (workflow, data repository, regulatory mapping, etc) focused on IT specific needs. The only reason we have IT-GRC is because, traditionally, the original GRC vendors were focused on addressing SOX and other global financial integrity regulations and were terrible at IT requirements. That gap is closing however.
For the last two years, IT-GRC has started to bifurcate into IT-related GRC functions and security operations functions. These market changes have caused us to reset Gartner’s use of the term IT GRC to provide useful guidance to our clients in selecting appropriate technologies for their requirements.
GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. See my previous post Why I Hate the Term GRC.
In 2013, there is little evidence that security technology data is being used in any material or comprehensive manner to directly support senior IT and business leadership in decision making. However, there is an important evolution in the prioritization and remediation of vulnerability and security configuration management data using business context that is changing vulnerability management and other security operations use cases. This evolution will be covered separately from IT GRC technologies.
Gartner experience on client and reference calls has indicated that IT GRC needs fall roughly in two areas. The first supports oversight and governance functions that typically bridge IT information to support IT and business leadership for reporting and decision making. This is present in use cases such as vendor risk management, policy management, integrated risk reporting and risk assessment. The second supports information security operations requirements through the centralization of security technology data. This is present in use cases such as vulnerability management, continuous monitoring and the management of technology-centric compliance requirements such as Payment Card Industry Data Security Standard (PCI DSS).
Consider a metaphor where a horizontal line is used to separate IT from non-IT business needs (see figure below). The first area can be described as "above the line," and the second area can be described as "below the line"
Using patch management as an example, the operations functions that monitor patch states, prioritize and guide remediation are all within the first line of defense. They are considered below the line and not within the definition of IT GRC. The governance functions that use patch information to rate business units on patching effectiveness to guide risk-related decision making are part of the second line of defense. They are above the line and considered to be a part of core IT GRC activity.
IT GRC technologies and providers for above-the-line use cases will be published in the latest MarketScope for IT GRC. Below-the-line requirements will be addressed, in part, as an extension of vulnerability management. There is no hard definition for below-the-line use cases that have been excluded from IT GRC because this is an evolving set of solutions that include traditional IT GRC vendors and vulnerability management vendors.
Our new definition of IT-GRC
IT GRC technologies are used primarily to bridge IT-related data in support of senior IT and non-IT decision making. This is composed of functions for mapping controls into control objectives, survey capabilities, workflow to support non-IT decision making, and non-IT executive reporting.
The use cases for security operations will no longer be referenced as IT GRC at Gartner and will be considered an extension of vulnerability management research for the benefit of IT operations. This is composed of functions for the import of technical data from third-party products, workflow to support prioritization and IT remediation activities, and an IT asset database supporting IT decision making.
IT GRC is composed of functions to support non-IT decision making and non-IT executive reporting:
- Controls and policy mapping.
- Survey capabilities.
- GRC asset repository.
- IT risk evaluation and dashboards.
The functions supporting data import from third-party security tools, such as vulnerability assessment and security configuration management, remain a part of IT GRC. However, these functions are primarily used in support of the below-the-line security technology use cases.
These changes seem to have everyone in a tizzy. But here’s the bottom line: Security operations is security operations. Gartner is not going to call that IT GRC. So there.