There are the so-called "Enterprise GRC" vendors like Mega, OpenPages, or Bwise. But even between these there are significant differences. There are vendors working more at the level of CCM (Continuous Controls Monitoring), including companies like Approva. There are IAM-GRC vendors like Aveksa, BHOLD, Engiweb, Sailpoint, and several others. There are IAM solutions with added GRC capabilities - in the meantime, most of them. There is GRC support in BSM (Business Service Management) applications. And, and, and... I don't want to unveil too much from the upcoming reports which you will find at our website, but would like to focus on another aspect:
Which GRC approach to choose?
First of all, I believe that we have to use the potential of GRC for better interfacing Business and IT. There are business controls, and there are IT controls. These have to be mapped to each other, so that it is clear which IT control implements which business control. Thus, we should end up with solutions which support both the business and the IT requirements. That will never ever be a single solution, but a combination of several: high-level controls and dashboards, CCM approaches, and more specific solutions for different groups of IT controls. It should also be an approach which isn't only "detective" or, more correctly, "reactive", but finds the balance between proactive/preventive controls (stopping inappropriate access before it is granted) and reactive/detective controls (finding it afterwards).
The big picture is relatively easy to describe, as we have done in our reference architecture.
The way towards it is much more difficult. There are many influencing factors, like the industry and size of the organization, the current organizational structure (especially around the responsibility for GRC issues), the process maturity of the organization, the maturity of IT management approaches, and so on. Thus there can be different (and more than one) starting points. But in any case, there should be a well-agreed (but coarsely described) "big picture" as the guideline for building a GRC roadmap.
I personally believe that three factors are most important:
- Providing quick wins
- Providing a business view which, from the beginning, integrates with IT - manual controls alone aren't sufficient; it is always about the appropriate mix of manual and automated controls
- Closing the loop - don't focus only on the reactive part (as with pure "access certification") but start acting on the results, for example by integrating provisioning to fix the detected problems, and then verifying that they actually have been fixed
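The following is an added example, not code from the original post or from any of the vendors mentioned in it. It shows in one small model what the preventive/detective balance above and the "closing the loop" point mean in practice: a policy check that refuses inappropriate access at request time (preventive), a certification campaign over existing entitlements that combines the automated policy check with manual reviewer decisions (detective, mixing automated and manual controls), the revoke decisions being pushed back into provisioning, and a reconciliation step that confirms the loop is really closed. All users, roles, entitlements and policy rules are constructed for illustration.

```python
"""Closing the GRC loop: a preventive policy gate on access requests plus a
detective certification campaign whose 'revoke' decisions are pushed back into
provisioning and then reconciled.

Added example, not code from the original post; every user, role, entitlement
and policy rule below is constructed for illustration.
"""
import copy
from dataclasses import dataclass

# Constructed sample state: entitlements each user currently holds in the
# target system (what an IAM/provisioning system would read via a connector).
SAMPLE_ENTITLEMENTS = {
    "alice": {"erp.ap.invoice.create", "erp.ap.payment.approve"},
    "bob": {"erp.gl.read"},
    "carol": {"hr.payroll.admin", "erp.gl.read"},
}

# Constructed business roles and the constructed policy mapping each
# entitlement to the roles allowed to hold it: the IT control that implements
# a business control such as "only AP managers approve payments".
SAMPLE_ROLES = {"alice": "ap-clerk", "bob": "controller", "carol": "hr"}
SAMPLE_POLICY = {
    "erp.ap.invoice.create": {"ap-clerk"},
    "erp.ap.payment.approve": {"ap-manager"},
    "erp.gl.read": {"ap-clerk", "ap-manager", "controller", "hr"},
    "hr.payroll.admin": {"hr"},
}


def fresh_state():
    """Return an independent copy of the sample state so runs do not interfere."""
    return (copy.deepcopy(SAMPLE_ENTITLEMENTS), dict(SAMPLE_ROLES),
            copy.deepcopy(SAMPLE_POLICY))


def policy_allows(user, entitlement, roles, policy):
    """Automated control: may this user's role hold the entitlement at all?"""
    return roles.get(user) in policy.get(entitlement, set())


def request_access(user, entitlement, entitlements, roles, policy):
    """Preventive side: grant only what the policy allows, at request time."""
    if not policy_allows(user, entitlement, roles, policy):
        return False
    entitlements.setdefault(user, set()).add(entitlement)
    return True


@dataclass(frozen=True)
class Decision:
    user: str
    entitlement: str
    keep: bool      # final verdict for this user/entitlement pair
    source: str     # "auto" (policy check) or "reviewer" (manual override)


def certify(entitlements, roles, policy, reviewer_decisions):
    """Detective side: build a certification campaign over the current state.

    The automated policy check pre-fills each verdict; a human reviewer can
    override it via reviewer_decisions[(user, entitlement)] = True/False.
    Neither alone is sufficient: the policy cannot know that a role-compliant
    entitlement is no longer needed, and a reviewer cannot re-check every rule.
    """
    decisions = []
    for user, ents in entitlements.items():
        for ent in sorted(ents):
            if (user, ent) in reviewer_decisions:
                decisions.append(Decision(user, ent, reviewer_decisions[(user, ent)], "reviewer"))
            else:
                decisions.append(Decision(user, ent, policy_allows(user, ent, roles, policy), "auto"))
    return decisions


def remediate(decisions, entitlements):
    """Close the loop: every 'revoke' verdict becomes a deprovisioning action."""
    revoked = []
    for d in decisions:
        if not d.keep and d.entitlement in entitlements.get(d.user, set()):
            entitlements[d.user].discard(d.entitlement)   # a connector call in practice
            revoked.append((d.user, d.entitlement))
    return revoked


def open_findings(decisions, entitlements):
    """Reconciliation: revoked entitlements still present in the target system.
    A non-empty result means the loop is not closed (e.g. a failed connector)."""
    return [(d.user, d.entitlement) for d in decisions
            if not d.keep and d.entitlement in entitlements.get(d.user, set())]


if __name__ == "__main__":
    ents, roles, policy = fresh_state()
    # Preventive: the clerk asking for payment approval is refused up front.
    print("alice may approve payments:",
          request_access("alice", "erp.ap.payment.approve", ents, roles, policy))
    # Detective: alice already holds that entitlement (granted before the policy
    # existed); the reviewer additionally decides carol no longer needs GL read.
    decisions = certify(ents, roles, policy, {("carol", "erp.gl.read"): False})
    print("findings before remediation:", open_findings(decisions, ents))
    print("revoked:", remediate(decisions, ents))
    print("findings after remediation:", open_findings(decisions, ents))
```

The point of the last step is the one the list makes: a certification campaign that ends with a report of revoke decisions is only a detective control. Only once `remediate` has run against the target system and `open_findings` comes back empty has anything changed for the business, and a non-empty result after remediation is exactly the kind of gap a dashboard should surface rather than hide.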
These are some of the most important criteria for choosing solutions in the GRC space.
Have a look at our event website for upcoming events and webinars around GRC.
And, for sure, don't hesitate to ask for our advice on building your GRC "big picture".
Created: 01.10.09, modified: 01.10.09