Commercial enterprises are increasingly turning to an integrated risk management (IRM) approach to security, rather than simply trying to meet governance, risk management and compliance (GRC) standards. The shift is reflected in projected growth of nearly 50% in the size of the IRM market over the next three years.
These developments were predicted by Gartner Inc. analysts at their 2018 Security and Risk Management Summit in early June. Using data gathered during an in-depth survey of security professionals as well as from individual discussions with numerous end-users, Gartner discerned a clear evolution in corporate budgeting and procurement priorities toward IRM.
“Every day I’ll hear that… GRC is outdated and broken,” said Gartner Research Director John Wheeler, with end-users “typically painted into a corner.” He noted that GRC architectures are costly to maintain, purposely closed and proprietary, and very compliance-driven in content. Their design is technical and control-focused, and their features and functions are rigid and hard to change. Moreover, most GRC use cases are driven by internal IT department buyers, and the users are mostly technical.
Wheeler said, “Circumstances change, business is changing… and regulation and compliance are changing.” As a result, he added, GRC approaches need to be reconfigured, upgraded or replaced.
In an evolving digital environment where new forms of geopolitical and digital risk are emerging with increasing regularity, Wheeler noted that business leaders see the need for greater agility and investment, and “they recognize that integrated risk management is critically important to their success moving forward.”
In contrast to GRC, IRM fully encompasses operational aspects such as people, processes, technology and external events, and it also spans organizational, financial and reputational risk. Moreover, IRM’s focus is on holistic, enterprise-wide risk, which includes not only understanding the risk profiles of individuals within the enterprise but also outside factors such as supply chain and vendor risk.
IRM solutions are characterized by open and integrated architectures whose content is risk-focused. Designed to be business-oriented and process-based, these solutions have flexible (i.e., configurable) features and functions. And because they are ecosystem-driven and intended to be used across business units as well as with partners and suppliers, the IRM champions and buyers tend to be business leaders, Wheeler said.
Key resilience use cases Wheeler described as benefiting from an IRM approach include digital risk management, vendor risk management and business continuity management. From a compliance perspective, the primary IRM use cases are audit management, corporate compliance and oversight, and enterprise legal management. “All that needs to be well understood in broader context and properly assessed, so that the exposure is well known.”
Haystax Technology has long advocated for an integrated approach to security risk management. Such an approach requires buy-in from all corporate stakeholders — not just an IT department wrestling with cybersecurity incidents in isolation or a legal counsel focused purely on regulatory compliance or the theft of intellectual property — and of course from top leadership as well.
Integrated risk management is the single largest (and most profitable) sector within the security and risk management software market covered by Gartner. Gartner predicts that the IRM solutions market will grow from $5.3 billion in 2017 to $8 billion in 2021, a compound annual growth rate of 11.8%. The growth is being driven in large measure by an emerging corporate focus on making better decisions in response to burgeoning digital risks.
Within three years, Gartner projects, 50% of large enterprises will be using IRM solutions, up from 30% in 2017. However, much of the near-term growth will be attributable to small and medium-sized businesses buying IRM solutions in the form of software as a service, or SaaS. This is because SMBs have neither the budgets nor the infrastructure to deploy and maintain a dedicated on-premises solution, while at the same time they need a solution that can be deployed rapidly.