In the opening shot in a debate, that could develop into a row, US-based security analytics and Information Risk Intelligence specialist, Bay Dynamics, has taken public issue with leading US technology and market analyst firm, Gartner, over its portrayal of the security operations sector of Governance, Risk and Compliance (GRC) management .
Bay Dynamics believes its Risk Fabric technology is breaking new ground and helping define the emerging Information Risk Intelligence space. Up until as recently as June 2013, software and processes that security teams would utilise to identify and prioritise areas of risk and exposure, for the purpose of managing and improving the security posture of an organisation, were considered by many as a function of IT Governance, Risk, and Compliance Management.
Bay Dynamics however, believes that Information Risk Intelligence has been rapidly evolving into a broad category of its own that is now a standalone market, which is separate but adjacent to IT GRC.
The Gartner position was set out by Gartner VP Distinguished Analyst Paul E. Proctor in his June 7, 2013 Gartner MarketScope for IT Governance, Risk and Compliance Management research.
`Gartner is explicitly excluding security operations use cases, such as consolidating security data for prioritization, remediation and reporting, from our use of the term ‘IT GRC’. The management, measurement, and monitoring of IT and security operations are evolving into a standalone market of solutions to benefit operations staff. Gartner recommends that organisations seeking IT GRC solutions separate their above-the-line and below-the-line functions. Security operations requirements are likely to be met by a wide range of maturing traditional security solutions, and clients should extend their search beyond the IT GRC tools.’
The report also noted: `However, above-the-line, IT-centric GRC requirements are still best addressed by the vendors in this MarketScope. Vendors seeking to address both markets are expected to be challenged by the demands of addressing both, as the market for security-operations-centric GRC requirements heats up and more options surface…’
Bay Dynamics’ contention is that this approach no longer goes far enough to provide an overall view of the broad risk position of a business. It suggests that security operations teams and organisations now need very specific capabilities.
First, they need to conduct forensic analysis on top of their security data. Companies today are collecting this data in great volume, velocity, and variety from their own siloed information security and IT repositories, as well as relevant external data sources. Second, they need a continuous and pervasive risk monitoring capability that leverages collective intelligence.
Given the nature of cloud-delivered services, with often complex interactions in operation not only between different applications and services within one company but also across business partners, suppliers and customers, the ability to provide continuous monitoring across all aspects of such environments would now seem to be an increasingly essential requirement.
“CIOs and CISOs who have a strong grasp as to the importance of consolidated enterprise-wide visibility deeply understand the need for a new lens that can enable them to extract actionable risk intelligence from their data,” said Feris Rifai, CEO of Bay Dynamics. “This collective intelligence that leverages context for situational awareness and subsequently calls out meaningful deviations from the norm allows CIOs and CISOs to protect their organisation, as well as maximise the value of its information assets.”
The company defines this emerging below the line categoryas Information Risk Intelligence, and sees it providing the means to allow organisations to understand, pinpoint, and take action against areas where they are exposed.
It also sees the definition of ‘risk’ as one of the key distinctions in this evolving standalone market. It defines above-the-line risks as being focused on automation of GRC processes with the end goal of compliance, supporting oversight and governance functions that bridge IT information to support IT and non-IT leadership for reporting and decision making.
By contrast, in Information Risk Intelligence risk is defined as ‘a threat or an opportunity for exploitation’. It is certainly fair to suggest that, in a cloud environment the real-time, continuous monitoring for such threats, and the opportunities they make available, is a key element of overall security policy.