16.09.2010 by Martin Kuppinger
It is always nice when trends an analyst has predicted become reality. I’ve been talking and blogging for a pretty long time about the need for an integrated GRC approach, especially beyond the isolated “Enterprise GRC” with little automation. Yesterday, IBM announced that they agreed to acquire OpenPages, one of the most prominent vendors in the Enterprise GRC space. That isn’t really a surprise, given that IBM has been investing in the GRC market for quite a while. The really interesting parts of the presentation given by IBM on this acquisition yesterday are the parts where the Enterprise GRC layer of OpenPages becomes integrated with the IT GRC tools of IBM, as well as with Business Analytics and many Tivoli tools. In other words: It is about integrating different layers of GRC to provide a more complete and current (through automation) view of the controls.
That fits well with our expectations as well as with the KuppingerCole GRC Reference Architecture. Successful GRC is based on a mix of manual and automated controls. I remember a conversation with the OpenPages executives where they in fact denied the need for such an integration. Right now, becoming a part of IBM, that seems to change fundamentally, because the IBM strategy is about this integration, with a strong layer on top for the executive view.
While some vendors like MetricStream are pushing this approach and others like RSA/EMC with their Archer acquisition in January 2010 have the same potential, it will be very interesting to observe how other “Enterprise GRC” vendors (I still believe that this is an arrogant term as long as these solutions ignore most parts of the enterprise and are mainly a high-level solution focused on manual controls with little integration into the other GRC layers) will react. With the IBM acquisition of OpenPages, the days when a vendor could ignore the integration of GRC at all levels are past. Thus, this acquisition will heavily influence the overall GRC market, and some of the more prominent “Enterprise GRC” players might end up on the losing side.
02.07.2010 by Martin Kuppinger
Do you remember the term BAM? BAM is an acronym for Business Activity Monitoring. It was a hype topic in the early 2000s. And then we didn’t hear that much about this topic anymore. Yes, there are several vendors out there, providing different types of solutions. And as always, there are several vendors who claim to be the leaders in the category of BAM.
When BAM became a hot topic some 10 years ago, the implementations were nothing more than slightly advanced analytics. That was, at that point in time, far away from my expectations, which were around intelligent, automated, real-time and ex-post analysis of relevant activities in business systems and the identification of critical changes which require intervention. For sure, automated reactions as well as alerting should be part of this.
The term BAM came to my attention again when talking with MetricStream recently. MetricStream is one of the leading-edge vendors in the GRC market. They are one of the “Enterprise GRC” vendors (Business GRC would be the better term). But in contrast to many others, they allow for a tight integration with IT systems and IT controls. Based on that, they are able to use automated controls of virtually any type and map them into their system. That in fact allows them to integrate what I had expected from BAM years before with a holistic GRC approach. By the way: MetricStream has a pretty high rank on my list of GRC vendors…
When looking at the BAM market, I have to admit that there has been evolution since the early years of BAM. There is much more automation than pure analytics, and there are several interesting solutions out there. However, MetricStream is somewhat unique in enabling this (without talking about BAM) in the context of Business GRC and thus allowing it to be added as a generic approach to what every organization has to do today: building a GRC infrastructure, with manual and automated controls – where automated controls should provide what BAM has been promising.
I assume that several of you have another opinion – so I’m looking forward to your comments.
28.01.2010 by Martin Kuppinger
There is a constant pressure not only on IT but all areas of organizations to reduce costs. However, that frequently ends up with higher risks and potentially higher costs due to these risks. The problem is: Most organizations, especially in controlling and management, think much more about cost than risk. But cost savings (which are not necessarily negative) without a risk view are a risk – somewhat of a tautology, I know…
That is why Risk Management should be a standard and central element in management, for business as well as for IT.
05.02.2009 by Martin Kuppinger
There is no doubt: We are in economic turmoil. And no one really knows when things will become better again. It is definitely interesting to observe what is happening from a risk management perspective (Why didn’t governments have pre-defined actions prepared? Why didn’t financial institutions understand the risks or, if they understood them, why were they willing to take them? What happened with all the positive cash flow of many organizations which are now in trouble – too many dividends?). But that isn’t my topic here. The topic is why organizations should invest in IAM and GRC – especially in these days. From my perspective, there are good reasons. And, from what I hear from vendors, especially the GRC market is still very strong, as are at least many segments of the IAM market.
From an enterprise perspective, investments in these days should be even more focused on business value than in good days – maybe a little bit more on short-term value than before. Regarding IAM and GRC, there are – for sure – the negative inhibitors. Auditors might mandate some investments, especially for SoD management, PAM (Privileged Account Management), and defined, auditable Identity/Access/Role Lifecycle Management.
But there are positive aspects as well. To name just a few:
- Using clearly defined role concepts reduces the amount of single entitlements which have to be managed, thus reducing the overall administrative workload.
- Management by risk is sort of “management by exceptions”, focusing on the aspects which are really at risk. That’s more efficient, for sure.
- Any initiative in the area of IT risks supports Operational Risk Management. Any IT risk is, in fact, tied to an operational risk. On the other hand, virtually any operational risk is related to IT risks because IT systems are used to run the business. Very easy: Why do we talk about SoDs? Because of IT? No – because of business.
- IAM and GRC are key to the flexibility of IT and to supporting changing business requirements, especially in industries which have to react fast to changing customer demands (and who doesn’t?). Changing business processes require flexible security and identity infrastructures as well as flexible controls – that’s what IAM and GRC are providing. Some BPM and non-IAM-aware SOA approaches aren’t sufficient.
I’ve also blogged several times about the CIO agenda. It is obvious that many of the things which are at the top of the CIO agenda are tightly related to IAM and GRC. Any initiative towards cloud computing requires a strong IAM and GRC backing, because IAM and GRC will become much more complex when using internal services as well as cloud services.
These are just a few reasons. IAM and GRC are an important foundation for any enterprise IT. And you shouldn’t build your IT on sand.
We will have some webinars around these topics. The first one will be in German, naming 10 good reasons to invest in IAM and GRC. You can register now. We will do the same webinar in English some weeks later and additional webinars on how to do lean, focused IAM and GRC projects as well. Another interesting place to learn about these topics is, for sure, the 3rd European Identity Conference held in Munich May 5th to 8th. The place to be!
07.01.2009 by Martin Kuppinger
The topic of IT-Business Alignment isn’t really new. It has been discussed for years now. And several software vendors, mainly in the area of “Business Service Management”, claim to solve the threats in that area. But, honestly: I believe that we are, in most cases, far from a real IT-Business Alignment. I have blogged several times around this topic (here, here, here, and here).
But let’s start with my definition of what IT-Business Alignment is: IT does what the business requires – not more, not less. That includes aspects like the ability to efficiently respond to new business requests, the ability to report on and enforce business controls (including all the GRC requirements), and the efficiency of IT itself in the sense of a streamlined, lean IT organization.
There are, from my view, two main steps to take:
- Reorganize IT
- Implement a consistent control layer between Business and IT
From my perspective, the lessons we’ve learned from outsourcing and outtasking are a good basis for IT reorganization. Strategy has to be in-house – that is the core part of the IT department. Other parts might be done in-house as well, but organized in their own “centers” with clearly defined SLAs. An IT organization which consists of a strategy/architecture department for guidelines, a GRC department which focuses on all relevant controls, and some decentralized IT knowledge in business organizations (defining the requirements for applications and other IT services) might be the lean approach. That requires the competency for guidelines and strategies, including a strong influence on sourcing decisions. But IT itself would be pretty small. The “doing”, e.g. running systems, can be done in-house – there is no need to outsource this. But in that case, these are separate departments which act, as described above, like external entities (or like the internal facility management or corporate security or any of these internal service providers).
The layer between IT and Business is, from my perspective, a GRC layer which goes well beyond Identity and Access Management related GRC approaches and well beyond BSM/ITSM, providing a consistent framework for business controls for IT.
For sure, we can’t change an organization immediately. There are several prerequisites:
- The CIO role has to change, clearly focusing on that IT-Business Alignment, with the responsibility for GRC as main task.
- You will need architects and strategists for the central department.
- You will need persons with a good IT understanding in the business departments.
- You will need managers who can really manage the IT “centers” as business managers.
- GRC tools have to go beyond just IAM or BSM support, moving towards real platforms.
Thus it is a long way to go. But I strongly believe that we have to go down that path, for more efficient organizations and to reach the target of IT-Business alignment.
15.12.2008 by Martin Kuppinger
GRC (Governance, Risk Management, Compliance) is frequently reduced to IAM (Identity and Access Management) or, in best case, to a more business-centric layer on top of IAM infrastructures. In our research and publications around GRC we’ve pointed out that GRC platforms will have to go well beyond IAM – SIEM, BSM (with aspects like business continuity), and other areas will have to be covered.
If you ask the question the other way round, that becomes more obvious: What are the controls that business requires from IT?
That question is, from my perspective, the core question for the selection as well as the conception of any GRC platform. There are GRC aspects outside of IT but even these have to be managed in a consistent way, thus such a platform has to support them. Within these controls, risk controls are amongst the most important ones. I’ve recently blogged about the need for an integrated Risk Management. Risk controls cover many aspects, including the fulfillment of compliance regulations and business continuity.
The breadth of a GRC platform becomes visible if you take, for example, the (still IT-driven) ISO 27001. ISO 27001 includes a huge number of controls, many of which are neither IAM-related nor such that any IT system can automatically provide their status information. Even more, to provide the current status for these controls, many different IT systems have to deliver – IAM, SIEM, and many more. GRC platforms will have to support any type of control. They will have to support manual as well as automated reporting. And they will have to support interfaces to many lower-level systems.
The controls, on the other hand, will have to be multi-layered, supporting at least a business view (“Are the core security requirements met?”) as well as an IT view (“Are we in compliance with all the controls described in ISO 27001?”). The business layer is sort of an abstraction of the IT view.
There are several lessons we should learn about GRC platforms:
- We should understand them as the overall interface for business control (thus being bi-directional) of IT
- We should position them in that way, looking at them from the business perspective and the questions business likes to get answered
- We should understand that this includes many different technologies, well beyond IAM (but with IAM and the “access control” part of it being highly important)
- We should work on standards which support the interaction with existing and new IT systems
It is still a long way from today’s different approaches in the field of GRC to such GRC platforms. But the outline for the future of these platforms is set – and it will be filled in more and more. By the way: When we add the accounting capabilities to this picture, we end up with the “ERP for IT”…
10.12.2008 by Martin Kuppinger
During the last months’ research I frequently ended up thinking about IT organizations – both the organization of IT itself and IT as part of the overall organizational structure, including the role of the CIO. There is, from my perspective, no doubt that fundamental changes are required.
Let’s start with the IT organization. Early in 2008, we did a survey and report on the topic of “SOA Governance” together with Ernst & Young (the German subsidiary), which we presented for the first time at EIC 2008 (by the way: EIC 2009 will again be in Munich, May 5th to 8th, 2009, hope to meet you there). The most important result was that the main problem of SOA Governance and, as part of it, SOA Security is the missing application security infrastructures, e.g. standardized approaches for securing applications. The reason for that is also very obvious: Siloed IT organizations.
11.11.2008 by Martin Kuppinger
This morning, I had two conversations on the question of who should be in charge of IAM in an organization. Afterwards, I ran through my records and did some analysis. The main question: Which role do those responsible for IAM and GRC have in their organizations? For sure, I only took a sample and asked myself how I’d rate what they were doing.
First of all: There are many good IAM implementations driven by IT administration or IT infrastructure. But, interestingly, the most advanced implementations, with a scope beyond administrative IAM, are usually driven by others – Compliance officers and GRC departments, CIO offices, CISOs, and others. Anyhow, an administrative project might have as well a strong strategic background if done correctly.
What is much more important is that there are approaches which are likely to lead to solutions with too limited a scope, especially in these days of increasing GRC requirements. Amongst these are:
- Projects with a strong IT service focus: IAM and GRC go well beyond IT operations and the automation of service desk requests. Business control, the implementation of business roles and rules, and new business models which integrate external users and make use of, for example, the technologies of user-centric Identity Management might not be considered in a sufficient way. Not to mention application security concepts.
- Projects with a strong security focus: Yes, IAM and GRC can improve security. But they are not only about security, but also about business control and, in general, Business/IT alignment.
My expectation is that GRC platforms will become the business control layer for IAM, as mentioned in our new reports “IAM and GRC roadmap 2009” and “Trend report IAM & GRC 2009”, both available at http://www.kuppingercole.com/reports.
In that context, the responsibility for at least the IAM strategy has to be at a level with a holistic view, e.g. those responsible for GRC, like a Chief Risk/Compliance Officer, or the CIO. The execution of different parts, in alignment with that overall strategy, will then be, for example, at the IT operations department. But, if the question is “who should be in charge of IAM?”, the answer clearly is that it has to be someone who has a broader view of IT. IAM is tightly connected to BSM. It is tightly coupled to GRC. And there are no secure applications and business processes if the relation between application architectures and IAM isn’t fully understood.
15.09.2008 by Martin Kuppinger
The “cloud” – a pretty cloudy term, by the way – is becoming more and more important. Software as a Service and other forms of managed services, distributed computing, outsourcing, application virtualization and many other current developments are leading in a direction where IT becomes more and more distributed. IT will also become more complex, because managing distributed services together with existing internal services for users who are both internal and external, who are increasingly mobile and who work with a growing number of different devices is much more heterogeneous than the “ancient” internal networks for internal users with their PCs.
It is no surprise that Microsoft will address these changes as well. There are at least two good reasons for this:
- If there is money to be earned, Microsoft isn’t far away (even though they are usually not amongst the first in emerging markets)
- In a distributed world, an operating system originally built for PCs won’t fit the requirements any more – and Microsoft will do everything to dominate the future OS market as well
Some weeks ago, the first details about the “Midori” project became public. Midori is the code name for a Microsoft project which deals with the current and upcoming changes for IT infrastructures. It looks like Midori will be a low-level platform for running virtual machines. Some of them will be Windows machines or act like Windows. Others might be optimized for other scenarios. That is no surprise if you have a look at Hyper-V – a layer below the classical operating system.
The interesting point is the consequences that might have. The dominant role of any of today’s operating systems might shrink. It is obvious that it is more efficient to run games in a specific game OS. Technical applications might require other operating systems. That might end up with virtual machines which are in fact applications with integrated, minimized operating systems, using services provided by a lower level – like “Midori” could be.
There are good reasons for a fundamental change in the world of today’s operating systems. But that is not the only area where change should occur. The other open question is how to efficiently work with multiple devices in a mobile and distributed environment. That is not only about having one eMail system regardless of the device, but also about having one configuration and management and so on – online and offline. This issue isn’t solved today. And approaches like Google Apps are far from really providing the solution.
I expect “Midori” not to be the predecessor of Windows but a part of the many “incubator initiatives” Microsoft is working on. The reason is simple: It is not only about virtualization and the way operating systems will work in the future but also about managing these infrastructures – from a user and an enterprise perspective.
Today, the first step has to be to accept that we will observe fundamental changes and that IT will change. The next step for every CIO is to cluster the “cloud” initiatives and trends and to build his roadmap to deal with these changes – integrating the best of the existing technologies and of cloud services today and over the next years.
31.07.2008 by Martin Kuppinger
Today I’ve seen a blog entry which claimed that GRC is dead. That reminded me of the closing keynote of our European Identity Conference 2009, where I had a discussion with Paul Heiden of BHOLD Company about GRC. Paul claimed that GRC is just dealing with FUD (fear, uncertainty, doubt) and that there is no real business value in this.
So – is the market for GRC solutions (Governance, Risk Management, Compliance) dead before it really blossomed?
Yes, if GRC is limited to auditing, with focus on some dashboards and some information extraction for auditors.
No, if GRC is understood as something which goes well beyond this and isn’t limited to a narrow one-way-road. And that is how we understand the GRC market and how we have defined this market segment in our GRC Market Report 2008.
There are some real value propositions for GRC solutions, beyond “avoiding penalties” as the classical negative inhibitor:
- On the lowest level, one standardized approach to GRC issues tends to be more efficient than many point solutions.
- Much more important is the ability to not only audit but control – Enterprise Authorization Management (or Entitlement Management) is one of the key elements of GRC solutions, providing business control for the access to IT resources.
- This is, by the way, much more efficient than the granular, isolated management of access controls on lower levels. A relatively small number of business roles and rules usually covers a significant part of all access controls on lower levels in the infrastructure, down to the system level. These lower level controls can be derived, with some added exceptions.
- Probably the most important aspect is that GRC done right enables a more efficient management, focused on exceptions. Defining and measuring risks provides this ability.
From our view, GRC has to be understood as an initiative which is at the core of Business-IT alignment. GRC has the potential to fulfill the (today in most cases unfulfilled) promises of building a link between business and IT.
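The derivation of lower-level access controls from business roles and the management by exceptions described in the list above, as an added example (not code from the post or from any vendor mentioned): role and entitlement names, the SoD rule and the users are constructed sample data.

```python
"""Added example: derive system-level entitlements from business roles, then
report only the exceptions (unexplained grants, missing grants, SoD conflicts)
that an entitlement review would have to look at."""
from dataclasses import dataclass

# Constructed sample data: business roles mapped to system-level entitlements.
ROLE_ENTITLEMENTS = {
    "accounts_payable_clerk": {"erp:invoice.create", "erp:invoice.view"},
    "ap_manager": {"erp:invoice.view", "erp:payment.approve"},
    "it_operator": {"ad:server_admins", "erp:system.backup"},
}

# Constructed SoD rule: nobody may both create an invoice and approve its payment.
SOD_RULES = [("erp:invoice.create", "erp:payment.approve")]


@dataclass
class Finding:
    user: str
    kind: str      # "unexplained_grant", "missing_grant" or "sod_conflict"
    detail: str


def derive_expected(roles_of_user):
    """Entitlements a user should hold, derived purely from business roles."""
    expected = set()
    for role in roles_of_user:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def review(user_roles, actual_grants):
    """Compare role-derived entitlements with what systems actually grant.
    user_roles: {user: set(roles)}; actual_grants: {user: set(entitlements)}."""
    findings = []
    for user in sorted(set(user_roles) | set(actual_grants)):
        expected = derive_expected(user_roles.get(user, set()))
        actual = actual_grants.get(user, set())
        for ent in sorted(actual - expected):          # direct grant, no role explains it
            findings.append(Finding(user, "unexplained_grant", ent))
        for ent in sorted(expected - actual):          # role promises it, system lacks it
            findings.append(Finding(user, "missing_grant", ent))
        for left, right in SOD_RULES:                  # toxic combination actually held
            if left in actual and right in actual:
                findings.append(Finding(user, "sod_conflict", f"{left} + {right}"))
    return findings


def coverage_ratio(user_roles, actual_grants):
    """Share of actual grants explained by roles (the 'significant part' in the post)."""
    total = sum(len(g) for g in actual_grants.values())
    explained = sum(len(g & derive_expected(user_roles.get(u, set())))
                    for u, g in actual_grants.items())
    return explained / total if total else 1.0


# Constructed sample: alice is clean; bob holds one direct grant outside his role,
# which also creates the SoD conflict.
SAMPLE_ROLES = {"alice": {"accounts_payable_clerk"}, "bob": {"ap_manager"}}
SAMPLE_GRANTS = {
    "alice": {"erp:invoice.create", "erp:invoice.view"},
    "bob": {"erp:invoice.view", "erp:payment.approve", "erp:invoice.create"},
}

if __name__ == "__main__":
    for f in review(SAMPLE_ROLES, SAMPLE_GRANTS):
        print(f"{f.user:6} {f.kind:17} {f.detail}")
    print(f"role coverage: {coverage_ratio(SAMPLE_ROLES, SAMPLE_GRANTS):.0%}")
```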