Monday, February 25, 2008

Top 3 conclusions about IT Risk Management we like hearing

I read a nice summary of a recent Symantec 40-page survey on IT Risk Management and felt compelled to share the links and highlights that jump out. Symantec was recently noted as a leader in IT-GRC per this Gartner report.

The summary I read was posted by John Edwards over at ITSecurity.com.

Here are the conclusions that grabbed our eye:
  • Businesses would be far better served if they viewed security as an IT risk management element that can be addressed alongside other critical elements, such as availability, performance and compliance.
  • Technology alone can't mitigate IT risk. While technology plays a critical role in IT risk mitigation, balanced controls and frameworks are also necessary in order to provide complete risk management capabilities.
  • Management should consider implementing a continuous risk assessment process.


Wednesday, February 20, 2008

PCI Compliance not going away - 42% not compliant

My inbox, like yours, is filled with numerous advertisements and spam on a daily basis, but this one actually grabbed my attention! It started out by saying:

"according to VISA, 42% of large and medium-sized US merchants did not reach their respective PCI compliance deadlines. The penalty of non-compliance is merchants incur monthly fines (up to $25,000) until they meet and sustain data security compliance requirements."

Now that is some attention-grabbing marketing and I plan to be on that virtual seminar.

Almost half (and that's not a stacked number including small US merchants) is a very surprising number. I looked around trying to find information behind the survey results but to no avail, so I'll be listening on the call for some details and facts to back it up. Being that our IT GRC solution helps ensure that an enterprise is completely compliant with any regulation, I would like to hear what the top 2 or 3 reasons are they aren't yet compliant to see if they map up to what we are hearing.


Wednesday, February 13, 2008

Gartner IT GRC Predictions

I just had a chance to take a look at some recent research put out by Gartner on the IT Governance, Risk & Compliance Management space (IT-GRC).

They do an artful job laying out the customer desired capabilities and scoping the size of the market opportunity.

A couple of key points to soak in:
  • IT GRCM products provide functions that address needs expressed by 75% of the Gartner client base.
  • Gartner estimates that software license revenue for vendors...was $73 million for 2007, and we project a growth rate of 70% for 2008.

This reinforces previous posts with hard numbers that 2008 is indeed the year of IT Risk Management. Here are links to those previous posts...


I highly recommend heading up to Gartner's website and reading each report;
Then come take a look at how Securityworks can help solve your IT-GRC needs by accomplishing those defined needs and capabilities.


Monday, February 4, 2008

What is GRC vs. IT GRC - How does it help IT Security mature to the next level?

AMR Research shows that total GRC spending approached $30B last year. The technology portion (e.g., software, hardware & integration services) of that spending is around a third of it (approximately $10B).

GRC is a very broadly defined space - very broad! To gain a better understanding and appreciation for that, here is a newly released map that identifies various areas and their relationships.

Another AMR Research note talks about the current maturity point of Enterprises implementing GRC.

So where does Securityworks play in this "GRC Ecosystem?" We are coming at it through the eyes of an IT Security Executive.

Our goal - How can we make the IT audit process more efficient and less frustrating for the IT security organization? When you look back at the model above we fit in the area called "IT GRC" which leverages/complements current IT security management investments (e.g., vulnerability scanning, configuration policy management, SIEM) to accomplish this. If your enterprise already leverages these products then it's ready for the next step in the maturity curve, which is IT GRC. Just to get an idea of some of the unique capabilities that extend your current IT Security investments please check out our newly posted product demos. Live product in action, no sign-up requirements, etc. Just pure knowledge.
