EMC’s RSA Security division has announced a new release (6.0) of its Archer Governance, Risk and Compliance (GRC) Platform at this week’s RSA Conference Abu Dhabi, intended to inspire ‘everyone to own risk within the enterprise’. This market is hot and, depending upon the source, is only going to get hotter, but it is not without some major challenges.
“Risk is no longer just the responsibility of executives,” said Grant Geyer, Senior Vice President of Products, RSA, in a prepared statement. “To keep up with the uncertainty and complexity triggered by rapid changes in business today, organizations are decentralizing risk management to put it as close as possible to the risk itself. As front line employees are being asked to contribute more towards risk management, we have focused heavily on usability in the new RSA Archer 6.0 platform.”
New Archer features, which will be available only for new, on-premises installations on November 10, include:
- an enhanced user experience with a simpler but more powerful user interface and advanced workflow capabilities; and,
- enhancements to Archer Operational Risk Management to help streamline how organizations identify, assess, respond, and monitor existing and emerging risks.
GRC is about the practice, not the technology, said Marshall Toburen, GRC Strategist, Enterprise Risk Management, RSA. “I couldn’t agree with that more,” he told IT Trends & Analysis when asked to comment on this quote: ‘Organizations do not buy GRC, they do GRC.’ (GRC 20/20 Research) “What this release does is acknowledge that fact.”
Whatever organizations are doing about GRC, they’re also buying GRC. The GRC market is expected to reach $2.592 billion this year, driven by the need for a federated architecture approach to handle the GRC ‘data tsunami’. “The idea of a single GRC platform to meet all of an institution’s needs is a myth,” said Shagun Bali, TABB technology analyst and author of The Data Tsunami: Combating the Overwhelming Supply of GRC Data. “But no single IT tool has all the answers, which is why firms need to create cohesive business processes to manage various functions and technologies in sync.”
Another report values this year’s GRC market more than four times higher, at $11.89 billion – and that’s excluding the professional services component. The enterprise segment represents about 10% of this figure.
A third report estimates the market is even bigger: the global enterprise governance, risk, and compliance market will grow from $15.98 billion in 2015 to $31.77 billion by 2020, at a CAGR of 14.7%. North America is expected to be the largest market in terms of market size, while Europe and Asia-Pacific (APAC) are expected to experience increased market traction during the forecast period.
Despite this spending surge – or perhaps to explain why – companies are woefully unprepared to deal with the increasingly challenging risk and compliance environment, as ‘corporate mistakes keep getting worse’. According to Forrester Research, “In 2015 we will see more of the same, and with even greater financial impact.”
The research company states that there will be ‘even greater corporate blunders, stricter regulatory enforcement, and executives who will continue to fail to address their most important customer-facing risks.’ It also believes that the GRC technology market is ‘ripe for disruption,’ which will have implications for how organizations select and implement GRC platforms and take advantage of services to monitor public risk and compliance data.
In addition to EMC/RSA, the leading GRC vendors include CMO, IBM, MetricStream, and NASDAQ. Other notable IT vendors include Oracle, SAP, and SAS Institute.
“A lot has been made about how important it is to have a good risk culture in your organization,” said Toburen. RSA’s commitment is to make it easier for people to interact with the system, and its GRC tools help to that effect. Enough so, he added, that RSA is the biggest GRC vendor.
Beyond GRC, there’s the question of what Dell’s proposed acquisition of EMC means for RSA. Jon Oltsik, Senior Principal Analyst, and the founder of the Enterprise Strategy Group’s cybersecurity service, noted recently that while RSA is a marquee $1b+ brand-name company, ‘it really is small potatoes as part of this mega-deal [$67 billion] in the IT space.’
He offered three possible scenarios: Dell/EMC create a big cybersecurity division including SecureWorks and RSA; Dell/EMC build a cybersecurity products division led by RSA; and Silver Lake Partners goes for a cybersecurity financial bazaar – ‘SecureWorks is poised for a lucrative IPO already so Silver Lake may want to follow this by selling off a number of RSA assets for quick dough.’ Oltsik believes there is real value in RSA’s products and services but cautions that ‘creating a unified Dell/EMC/RSA cybersecurity division represents a quantum leap in complexity that executives may not want to undertake.’