<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Day two of RSA and booth number 1641 is bustling. In fact, the entire Expo Hall is awash with new product announcements, compelling demos, and striking amounts of swag. The CyberSaint team has been exploring the neighborhoods of Moscone Hall since things got kicked off on Monday and we’ve seen many trends emerge throughout the host of exhibitors -

Risk and compliance becomes embedded

CyberSaint Chief Product Officer, Padraic O’Reilly, noted the amount of compliance and risk features and functionality emerging in products regardless of where they sit in the network. This points to a larger trend within the enterprise context that non-technical stakeholders are increasingly relying on CISO’s to articulate the cyber risks facing the organization. As we’ve written about before, though, the challenge is defining and articulating these new forms of risk in the same context as existing risk forms (financial, operational, etc.). This groundswell of business leaders relying on digital risk managers and information security leaders has driven vendors to begin integrating more and more risk quantification into their products.

Almost, but not quite...

Seeing more and more solutions working to integrate risk features into their solutions has some vendors working to play catch up. We saw many presentations using phrases like “understand risk and roll up it up,” again pointing to the need for this information to transcend beyond technical stakeholders. However, the challenge here is not simply collecting the data and possibly visualizing it but translating it into a context that is of value to non-technical stakeholders.

Padraic noted “I saw a lot of tools that used terms like ‘management dashboards’ but these tools did not [in fact] roll up to something that delivered context to non-technical stakeholders.”

The greater issue that the cybersecurity industry as a whole is facing is the need to shift the perspective from simply working as a misunderstood technical unit to a business function that is more and more depended on for business strategy, execution, and growth.

What’s tempting for organizations launching risk quantification features is the idea of cooking up a secret sauce and protect it as intellectual property. However, as we’ve seen with open source cybersecurity frameworks link the NIST CSF, the power of open source platforms increases the rate of standardization, innovation and security. Furthermore, empowering a CISO to articulate how they came to their conclusions on their organization’s risks is a critical step for communicating that to the board. Black-box risk methodologies stifle the rate that CISO’s can standardize and learn from others in the process, as well as their ability to discuss cyber risk, which in turn stifles an organization’s ability to grow.

The precursors to consolidation

Talk to anyone in cyber and you’ll hear about how congested the space is. What is apparent at RSAC 2019 is the beginnings of a consolidation - we saw it in the compliance space with Rsam and ACL and will continue to see more and more similar players start to merge and acquire in order to survive.

Aside from larger steps, we’re also seeing an increasing number of integrations across platforms. As CyberSaint CEO, George Wrenn, put it - “everything is salt and pepper.” This further points to value for the customer - rather than having to stitch together a patchwork of solutions (and even worse having to source them all with little guidance) we’re seeing vendors start to anchor around each other to create a network solution for end customers. As this network becomes tighter, the rate of M&A will accelerate and culminate with holistic solutions rather than specific function based products.

Integrated risk management is more than better GRC

For many vendors and practitioners, the view of integrated risk management is that it is the next step for risk and compliance and rightly so, it is how Gartner coined the term. However, what we’re seeing at RSA is that IRM is more than simply looking beyond checkbox compliance and shifting to a risk focus over compliance. What we see happening is IRM is the means to unite these disparate solutions. True IRM solutions are the single pane of glass that gives management insight into the digital health of their organization and unites the many facets of a cyber program while transparently helping CISO’s articulate the cyber risk facing their organization.

As more and more legacy GRC products attempt to rebrand themselves as IRM, but the fundamental principles of IRM continue to take shape, the disparity between the marketing of legacy GRC and its actual abilities will become more and more apparent. All other trends, from salt and pepper to the embedding of risk, indicate that the industry needs (if it isn’t already demanding) a unified approach to compliance and risk that empowers managers to make decisions and collaborate rather than swinging spreadsheets or spending hours bouncing through a heavyweight solution with little to show for it. As we've said before, in the immediate future there is room for both IRM and GRC - the long term impact, we predict is a change in function for legacy GRC platforms with IRM sitting atop.

Stay up to date with all CyberSaint’s activity at RSA and follow us on LinkedIn and Twitter.

You may also like

October Product Update
on October 3, 2022

Hey, Jimmy - is it really always 5 o’clock somewhere? If not, it should be! With this release, we’re focusing on empowering our customers to work smarter, not harder. Whether ...

How Does FAIR Fit into ...
on September 26, 2022

The Factor Analysis of Information Risk (FAIR) methodology breaks down risk into elements that organizations can compute, understand, analyze and quantify cyber threats and their ...

All-in-One Cybersecurity Board ...
on September 19, 2022

CISOs and Board Members can no longer ignore the importance of cybersecurity. New cyber attacks and threats surface every week and threaten the security of business operations. ...

Rules for Effective Cyber Risk ...
on September 12, 2022

Cybersecurity threats are becoming more challenging for businesses. According to PurpleSec’s Cyber Security Trend Report in 2021, cybercrime surged by 600% during the pandemic, ...

A Pocket Guide to Factor Analysis ...
on September 14, 2022

FAIR, short for Factor Analysis of Information Risk, is a risk quantification methodology founded to help businesses evaluate information risks. FAIR is the only international ...

Your Guide to Cyber Risk ...
on August 30, 2022

During the pandemic, online businesses flourished as people turned to e-commerce stores to shop from the comfort and safety of their homes. This unprecedented expansion of ...