Competitive Landscape: Integrated Risk Management


Published: 18 December 2019
ID: G00450383
Analyst(s): Elizabeth Kim

The integrated risk management landscape has been rapidly evolving. This has created greater urgency for technology and service providers to reevaluate how they are strategically positioned in the market and how to uniquely position themselves for the future.

Key Findings

■ Technology provider consolidation has accelerated over the past year. Risk management technology providers will continue to expand their capabilities through acquisitions to support the integrated risk management (IRM) mindset.
■ Risk management technology providers are adopting a more modular approach to IRM implementation by offering scalable product packaging and pricing that allows customers to gradually expand functionality. The modular approach supports different customers in their respective risk management journeys.
■ For cybersecurity, delivering support for risk quantification models that are traditionally used for communicating operational risk is a short-term opportunity. Growing scrutiny of cyberexposures will drive demand for security-related business risk quantification beyond the banking, financial services and insurance (BFSI) vertical as a means for chief information security officers (CISOs) to improve risk communication in the mid to long term.
■ Risk management technology providers focused on providing visibility and assessment of risks in information security, privacy, resilience and new technology are emerging.

Recommendations

Technology and service providers in the risk management marketplace should:

■ Identify potential partnerships and integrations with technology providers that offer little or no overlap in capabilities, risk domain or the primary buyers of your solution.
■ Align product messaging around the customer’s risk management maturity and the compliance-centric, operation-centric and business-outcome-centric use cases. Additionally, take a modular approach to product pricing and packaging to accommodate the different use cases.
■ Assess your offering against the critical capabilities (including risk quantification and analytics capabilities) and the IRM vision of providing a set of capabilities supporting the integration of strategic, operational and tactical risk, and align your product roadmap accordingly.
■ Evaluate how well your current IRM solution helps customers integrate and utilize data, such as tactical security vulnerability/threat assessment data, more effectively.

Table of Contents

Strategic Planning Assumption
Analysis
  Competitive Situation and Trends
    The IRM Market Will Continue to Consolidate as Technology Providers Seek to Provide Support for Multiple Objectives and Risk Domains
    More IRM Technology Providers Are Adopting a Modular Approach to Support Varying Levels of Customers’ Risk Maturity
    Risk Quantification Analysis Is a Growing Interest, but the Opportunity Outside the Financial Services Vertical Is More Mid to Long Term
    IRM Vendor Landscape Will Be Impacted by Organizations’ Need for Improved Visibility and Assessment of Emerging Risks
  Competitive Profiles
    CyberSaint
    Galvanize
    NAVEX Global
    RiskLens
    SAI Global
    ServiceNow
    SureCloud
References and Methodology
Gartner Recommended Reading

List of Figures

Figure 1. IRM Objectives and Risk Domains
Figure 2. Magic Quadrant and Critical Capabilities for IRM Solutions, 2019
Figure 3. IRM Software and Consulting Implementation Service Forecast
Figure 4. IRM Global Forecast by Region
Figure 5. IRM Technology Provider Consolidation, 2019

Strategic Planning Assumption

By 2021, 50% of large organizations will have two or more IRM use cases that leverage automated workflows through IRM vendors, up from 30% in 2017.

Analysis

To understand and manage the full scope of risk, organizations require a comprehensive view across business units and risk and compliance functions as well as key business partners, suppliers and outsourced entities. As a result, new technology solutions are emerging to increase the collaborative nature of risk management, inside and outside an organization.

Gartner defines IRM as practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks. A key distinction in Gartner’s definition of IRM is the integration with enterprise risk management (ERM) relating to strategic risks impacting operational and IT risk management objectives. IRM excludes the broader management of risks beyond operational and IT. Figure 1 shows the current primary IRM objectives and risk domains.

As IRM technology providers look to enhance their coverage of these objectives and risk domains, opportunities for consolidation and strategic partnerships continue to emerge (see “Top Use Cases and Capabilities for Integrated Risk Management”).

[Figure 1. IRM Objectives and Risk Domains]

Figure 2 shows the IRM scope, critical capabilities and the use cases evaluated by Gartner in 2019 (see “Magic Quadrant for Integrated Risk Management Solutions” and “Critical Capabilities for Integrated Risk Management Solutions”).

[Figure 2. Magic Quadrant and Critical Capabilities for IRM Solutions, 2019]

Gartner forecasts the IRM software market to grow at an 8% compound annual growth rate (CAGR) through 2023 to reach $6.3 billion (see “Forecast: Information Security and Risk Management, Worldwide, 2017-2023, 2Q19 Update”). Additionally, total IRM solution spending, including consulting services and implementation services, is expected to reach $9.3 billion by 2023, representing a 9% CAGR. Figure 3 shows the IRM spending forecast.

While a significant portion of current IRM spending comes from North America, the IRM market is ripe for growth in other regions. Figure 4 depicts current IRM spending and the projected growth by region.

[Figure 3. IRM Software and Consulting Implementation Service Forecast]

[Figure 4. IRM Global Forecast by Region]

The impact of the growing adoption of IRM on the competitive landscape is threefold:

1. Net new technology providers entering the IRM market
2. Consolidation and expansion of IRM providers
3. Technology providers traditionally from outside IRM (and in niche areas such as security rating or privacy management) adopting an IRM use case and approach

Risk management technology providers need to closely analyze their existing competitors’ strategic movements and better identify new competitors.

Competitive Situation and Trends

The IRM Market Will Continue to Consolidate as Technology Providers Seek to Provide Support for Multiple Objectives and Risk Domains

Risk management technology providers will continue to expand their capabilities to support IRM, and they will achieve this either organically or through acquisitions. Gartner has already observed technology vendors aggressively acquiring or partnering. This trend has accelerated especially in the past year,