ITGRC: A Security Approach That's Not for Sale
By Alex Handy
May 13, 2008 — When Jonathan Penn, research director at Forrester, walked around April's RSA conference, he was appalled by what he saw. “The vendors are destroying what's a very useful approach by claiming for themselves. If you're not an ITGRC vendor, just shut up,” said Penn.
What angered him were the sheer number of products available at the security conference claiming to be tailor-made for Information Technology Governance, Risk and Compliance, or ITGRC. This approach to security, said Penn, cannot be bought in a box, though many vendors at RSA would have you believe otherwise.
“The message is just meaningless at this point,” said Penn of the marketing messages now seen around ITGRC. “They need to figure out how they fit into an ITGRC program, not just be an ITGRC product. The last thing security people need is to go worrying about products again. That's what got us into this mess in the first place. We end up with a lot of tools that are difficult to manage.”
Penn and his Forrester colleague Marc Othersen, senior analyst for security and risk management, have been working on a report about ITGRC in enterprises, and they've figured out a way to cut through all the marketing hype.
“The way we segment the market is, 'What, in essence, does the technology automate?' ” said Othersen, describing the pair's method for sorting the ITGRC wheat from the chaff.
“ITGRC is an incredibly valuable approach to security,” said Penn. “What I like about it is it's a good way to structure what IT does. But it's much more a practice than a product. The tools that manage things at a high level, those are the ITGRC products.”
An Immature Market
For Othersen, ITGRC products aren't even mature enough to be taking on the G in ITGRC. He said that ITGRC is still a young concept, and that the governance aspects of this approach to IT security are still far too new conceptually to have been effectively addressed in commercial products.
“The space itself has to define what it means to be an ITGRC product. We're going through that phase now. In fact, nobody is an ITGRC vendor (yet). There are some companies that have products in that space. Then you have these noise products,” said Othersen.
The solution for realizing ITGRC is all about metrics, said Othersen. Rather than running out and buying a product that claims to offer security governance, risk management and regulation compliance in one package, IT managers need to slow down and connect their issues to real business numbers, said Othersen.
“The way I found to be successful there is tying it back to business risk and into business value,” said Othersen. “IT, in general, is really there to support the business. You might have a business goal to increase revenues by 25 percent.”
Othersen used the example of a Web service as a system that needs to be measured and governed. If that Web service is a crucial part of the business infrastructure, a failure of the systems that monitor and control it can be tied to a direct business consequence.
“If these controls are failing,” said Othersen, “the higher the risk is that something's going to go wrong, and if I don't deliver this on time, they lose this much revenue. Being able to communicate it back to a business risk; that linkage is what gets you out of just being some security guy in the basement.”
Don't Buy Anything Yet
This, said Othersen, is what ITGRC is about. What it's not about, said Penn, is buying up dozens of smaller metrics programs and tying them together.
All this doom and gloom around ITGRC products, however, doesn't mean that there aren't software packages that can significantly help with risk management and regulation compliance. Governance, though, is still not ready for prime time, said Othersen.
Julian Waits, president and CEO of Brabeion Software, goes even further by contending that the R of ITGRC is still in its infancy as well.
“I would challenge the statement that risk management is mature. Governance and risk management have primarily been derived for the IT world from the financial world. Compare financial risk to IT risk, and it's night and day,” said Waits. “The discipline has only existed in the last three years. The market is a little scattered right now. We have finite solutions we try to provide. We focus very much on IT assets. Then we give the customer an IT framework.”
Waits' company offers one of the high-level ITGRC solutions referenced by Penn. Others are available from CA and Symantec, and both Penn and Othersen agree that, while these solutions aren't ITGRC in a box, they can offer a good platform from which to observe and control systems from on high.
“The problem with ITGRC is most people don't understand what it is, and what the value of it is, so they'll approach it piecemeal,” said Othersen. “They may do some risk management, but the chances are it'll be project-oriented risk management.”
At the end of the day, said Waits, ITGRC isn't about regulations, compliance and overarching governance structures. It's a means to an end. “What we would suggest as a first step before you look at anything, like tools or what have you, is to ask yourself, ‘What is it we really want to achieve by the end of the day?’ ” said Waits. “That has to be associated to a metric of your business.”