Analyst Chat #109: From IT GRC to Integrated Risk Management Platforms

The three biggest threats to business resilience are IT Risk, Compliance Risk, and Vendor Risk. Integrated Risk Management Platforms address these risks. KuppingerCole's Lead Analyst Paul Fisher has analyzed this market segment recently and he joins Matthias to talk about recent developments and the market in general.

Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Paul Fisher. He is a Senior Analyst for KuppingerCole, and he's working out of London. Hi, Paul, good to see you.
Hi, Matthias, just one small point. I'm actually a Lead Analyst now. :)
OK. OK. Important detail, so I don't want to change any facts here. And talking about facts: you've just recently finalized a Market Compass on a market segment which we have not covered before, especially not with that focus. You did a Market Compass on integrated risk management platforms.
So what do I have to think of when I think of IRM platforms? What are they? What is the market segment?
OK, so there's a little backstory, perhaps. We have in the past covered IT GRC platforms, which were more... well, they were kind of the precursor to integrated risk management, so they covered IT risks which might impact your compliance. But the market has moved now into a more, I guess, more holistic, more joined-up platform, hence the integrated risk management term, and hence the first time that we've covered this with the Market Compass. But it does mean that we were able to have another look at the market, and there are three pillars really to integrated risk management and the platforms that cover it. And so that includes IT risk, which is one pillar; then it includes compliance risk. And finally, the third pillar, which is probably the most significant in today's organizations and businesses, which is third party risk management.
So, the IT risk management, one part is really, I guess, carrying on where IT GRC left off. So these platforms are able to look into vulnerabilities and potential weaknesses in IT, which may then cause either a breach or data loss, et cetera. I mean, that's a very simplistic way of looking at it, but obviously IT risk covers a huge area. But it can also... it's not just risks that are coming from the outside, as in, you know, criminal or hostile risk, but even things that happen quite often in most organizations. So human error, endpoint misconfiguration, poor code in production or even web server collapse, and even things like what you might call a natural disaster happening, such as a fire in a data center, those sorts of things. So part of that, part of IRM, means to compile all those risks and then look at the risk, sorry, the probability of those things happening and what can be done about it. So it should give you a breakdown of the risks to your organization of IT things going wrong. Then the compliance risk management part of that is obviously related really to IT risk and third party risk. And again, it's an extension or an enhancement of IT GRC. And so these platforms can then look and see how compliant your organization is with things such as GDPR or other standards, such as ISO 27001. Or, as I believe our colleague Mike told us the other day, I think 27001 is about to be updated to 27002. So that just shows you that businesses can't stand still when it comes to meeting compliance standards. Businesses operating in health, financial services or retail are probably most at risk from things like compliance failure simply because of the kind of business they're in. If you lose confidential data on patients, if you lose data on payments, et cetera, you're going to be in big trouble with the bodies that govern these industries.
And then to go to the third pillar, third party risk management, which is, as I said, possibly the most interesting part of these platforms. When we talk about third parties, that's the umbrella term for everyone or everything that doesn't work for the organization directly, but works perhaps outside of it, but in a supporting role. So that can be, say, employees on a contract, short-term employees, it can be suppliers throughout the supply chain and other vendors that the organization uses basically on a daily basis to get their work done. And in recent years, IRM platforms have integrated stronger capabilities to assess, monitor and analyze third party risks. And as we know, third parties are now becoming all part of the identity fabric that we talk about at KuppingerCole. And so when we talk about identities, we no longer just simply mean employees or applications or machines that are directly part of the organization's orbit, but increasingly those that come from outside it. And that can also include customers. So the third party is really anybody or anything, increasingly, it can be machine identities, that may have access to the networks or the infrastructure of the organization.
So those three, IT risk management, compliance risk management and third party, are really the cornerstones or the pillars of what integrated risk management platforms cover. And I think, well, one reason why IRM has now become an exciting area is because of what it took to do all that previously. Even if we go back just a few years, a lot of that might have involved some manual techniques, manual applications, to actually literally write down what your risks are, assess what would happen if those risks were to happen and so on. But automation has played a big part now in making assessment of risks and discovery of risks a lot easier. And given that the types of risks have, you know, tripled in terms of IT and compliance and third party, that's a good thing. So I hope that kind of explains, in a nutshell, what the Market Compass is all about.
Yeah, absolutely. And if I understand the market segment correctly, it's not about actionable results that prevent or detect cybersecurity issues or risks. It's more about monitoring, about understanding the overall landscape; it's really about getting insight and doing risk assessments in general.
So this is a specific functionality. Am I getting the use cases right? What would be typical use cases that I want to achieve with such a platform?
Yeah, that's a very good question. So the use cases are risk assessments, risk monitoring, as you suggested, risk analytics, risk mitigation and incident management. So there are... the first three are sort of tracking and assessing functions or capabilities, but then equally, these platforms can help with risk mitigation, so they should then come up with a powerful recommendation or a workflow that you can put in place to reduce that risk. And finally, incident management, which is not across the board, but again, if something happens, this is what you should do to get out of it. So within that, we identified the capabilities that these platforms need to help with all those, and that is continuous monitoring, which seems an obvious thing. But if these platforms are to work, they literally have to be always on, 24/7, and looking for what's happening, and also we need vendor risk capabilities. What we describe as a modern user experience, as I've said on this podcast before, now cuts across all or parts of identity and access management and risk management. If you don't have a clear and easy-to-use experience for the admins or even the end users, then you're going to make life harder. And it's all about speed of response, speed of access, et cetera.
Automation, then, is another capability we look for: reporting, dashboarding, API support, integration, possibly with security incident and event management platforms, and also vulnerability management platforms. Again, those dovetail quite nicely with IRM, and also being cloud native. Again, that's something that will be applicable to many other sorts of applications or platforms, but it's one that we see as increasingly important for integrated risk management. So that's basically the main use cases and then the capabilities that matter to it. Which again, you can see the values that we've attached to each one of those capabilities to the use case, how important, for example, is reporting to incident management, etc. So when you have a look at the report on our website, you can see in more detail what that means.
You've mentioned cloud native. So are these services that are typically delivered from the cloud, or are they hosted on-prem? So this also defines a bit, I think, the vendors behind that. Are they cloud native, are they more relying on traditional infrastructure? What does the market look like?
Well, at the moment, it's a bit of a mix. So perhaps some of the more... the vendors that perhaps have been in this space longer, so perhaps Archer is a good one to mention, will provide on-premises and cloud-based platforms. But some of the new ones are purely cloud, and they may be also delivered as a service. So the whole thing runs in the cloud on your behalf and you get IRM reports, et cetera, delivered to you. So I think the market is going, like in other areas, towards a cloud native preference, but there are still people that want to run things on-premise. So again, if you look at the report, you can see which vendors offer which type of deployment.
Right. And you've just mentioned that it's actually the continuation of the research where we covered IT GRC platforms. And while you were looking at this Market Compass, can you see the market still evolving? Is it moving in a specific direction, with maybe IRM platforms being one step in an evolution? Where is the market moving?
I think it's moving more to cloud-based, so that's one thing. I think we will see, just as in other areas, for example, privileged access management and cloud infrastructure entitlement management are emerging because of the growth of hybrid cloud and multi-cloud environments. And I think that these platforms, integrated risk management platforms, will also have to become more agile so that they can measure the risk of the accelerated, dynamic access that other platforms are giving in the whole IT infrastructure. So if you have cloud infrastructure entitlement management giving users or machines just-in-time access to high value assets or secrets, then integrated risk management is going to have to have the same speed and level of efficacy to keep up with that, so that as soon as an access point is opened up by one of the access platforms or entitlement management platforms, that's got to be somehow highlighted on a dashboard of integrated risk management. So I think again, some of these ones that we reviewed are probably closer to that than others. Some, for example, like ServiceNow, also have an element of integrating sort of onboarding and offboarding and ticketing and the IT service management space. So the addition, say, of an extra person or a contract employee in one department would then also be added into the IRM mix. So I think, like everything, the increasing prevalence of cloud and cloud infrastructures and the need to have access to those, and for identity to become like... I think identity is now at the center of IT, and not the architecture or even the applications, but it's basically identities are doing stuff and they need access to stuff to do it. So that will also have an impact, I think, on identity. Sorry, integrated risk management.
OK, fully understood. So it's really a converging set of architecture components that reflect our changing infrastructure and deployment models of what we are using. So for those of our audience who are interested in this risk management aspect, it's much more interesting than it sounds at first, because of course, if you think of risk management, that sounds a bit boring and about preventing things. But dealing with risks, managing them, understanding them and finding the right mitigating measures, and always being capable of saying "This is my risk posture as of now", I think this is really much more interesting than it sounds, right?
Yeah, I mean, actually integrated risk management is a discipline, it goes back, you know, decades. But it was all... derives from, you know, financial products and from banks and financial industries working out how much risk they're exposed to. But that really is a bit misleading, because that is a very complicated and scientific discipline, which involves lots of equations that some of our colleagues would understand better than I do. So the key to IRM in this sense is dashboards, it's about clear information, it's about buttons and things that tell you where you are, what your risk position is at any given time. So it's funny you should say it's more interesting, because that's exactly how I felt when I was doing the report. It is actually, I think, one of the most interesting areas in IT. And we also have a number of, in our Market Compass, we always have vendors to watch. And a number of these, for example, one vendor called Enablon, which has a platform called Vision, does a lot of the things that we've been talking about, but it also is compatible with Android, iOS and even devices such as the Apple Watch, which is also quite exciting and interesting, so that they can actually monitor access from a device as edgy, if you want to use that term, as an Apple Watch. And some of the others: Fusion is heavily automating the tasks within its platform, which is something that others are going to have to do to keep up, and so on. So yeah, it's nine vendors in the main part and then nine vendors in the vendors to watch. So I would recommend that people also don't just ignore the vendors to watch; it's not just there as a kind of also-rans. The vendors to watch are to watch because they show great promise for the future. And they just at the moment perhaps don't have all the capabilities that we're looking for in the main section.
So the report has been published already, so it's available. So for those who are watching or listening to this podcast episode, you can go to the website of and register for a 30 day trial or use your existing license and download the Market Compass on integrated risk management platforms. And I would highly recommend that. And as you've mentioned, this is much more interesting, and if you are acting, if you are working in that market segment as a risk manager, as somebody who is required to get insight into an organization's risks, I think it's a good starting point to learn what has happened recently in that market.
Yeah, yeah. Let me just... there's just one more, Riskonnect. They drill down to risks to show which are insurable and which are not. So that's, you know, another very useful feature to have, particularly, you know, when one of the major risks, as you know, is ransomware. So yeah, it's online. It's available and it's a great read.
Yeah, absolutely. It's difficult for you to recommend it, so it's for me to recommend it, and it's highly recommended: Paul Fisher's new Market Compass on integrated risk management platforms. So thank you very much, Paul, for sharing your insights here and for telling us about this updated market segment. Thank you very much.
Thank you, Matthias.
And bye bye. See you next time.