
Integrated Risk Management Magic Quadrant 2019 - In Review


It has been roughly one year since Gartner released the 2018 Magic Quadrant for Integrated Risk Management, the first of its kind, and as of this week the second Integrated Risk Management MQ has finally been released. The purpose of integrated risk management (IRM) is to enable organizations to simplify, accelerate, and communicate risk and compliance seamlessly up and down the chain of command, and across business functions whether technical or otherwise. A strong IRM strategy supports organizations in making better business decisions that help lower existing, new, and unforeseen risks in our new, digital world.

It’s been a big year for the risk and compliance industry and, as we’ve seen, there are significant shifts in the way that enterprises approach cybersecurity risk management. As a result, the tools they use have shifted as well, and new players outside the quadrant are starting to replace or augment market leaders, amongst other trends.

A Shift In Use Cases

In analyst John Wheeler’s benchmarking post introducing integrated risk management as the future of risk and compliance, he illustrated the new approach using seven core functions: corporate compliance and oversight, audit management, digital risk management, operational risk management, vendor or supply-chain risk management, business continuity management and planning, enterprise legal management. Six of those seven (with operational risk management at its core) served as the use cases that Gartner used to analyze members of the 2018 Magic Quadrant for Integrated Risk Management.

This year, we’ve seen a change. With Jie Zhang at the helm of this year’s report, the analysis is no longer broken down by function; she has brought a new lens to the table that directly links risk and compliance management to business outcomes. There are three use cases based on the lens through which the platforms help customers see their cybersecurity risk and compliance: business-outcome-centric, operation-centric, and compliance-centric. Each lens describes how its respective users view the overall risk and compliance data gathered within a central platform:

  1. Business-outcome-centric bridges the gap between technical and business-side stakeholders
  2. Operation-centric focuses on quantifying, managing, and mitigating risk
  3. Compliance-centric ensures that requirements are met to continue business operations

Simplifying these six use cases down to three indicates how enterprises are viewing risk and, more importantly, the shift that is occurring within cybersecurity organizations. Businesses are recognizing the need for a more integrated approach across all of Wheeler’s six areas. What the 2019 MQ use cases indicate is that these three lenses are the ones through which the market needs to be able to view its cybersecurity posture.

Critical Capabilities

Where the IRM use cases saw a remarkable consolidation from six to three, the critical capabilities for integrated risk management solutions remained mostly unchanged. The primary focus on risk management over checkbox compliance remains a foundational theme in the Gartner literature, and for good reason: checkbox compliance should be the starting place for organizations, and risk and compliance management should be treated as a core business function. Compliance alone can’t be the primary focus for staying secure as digitization intensifies.

Shifts in IRM MQ Vendors Listed

The integrated risk management market has seen many shifts of its own since the release of the 2018 MQ. From the ACL acquisition of RSAM and the subsequent rebrand to Galvanize, to the Reuters spinout of Refinitiv, the changes to the IRM market have come fast. The most significant shifts came from the Challenger and Visionary sections of the quadrant, driven by mergers and acquisitions, specifically ACL/RSAM and the Nasdaq sale of BWise to SAI Global. As the report notes, both of these shifts specifically indicate changes ahead for existing products and for how the rest of the market will react.

Takeaways

This year we have the data points to see trends and shifts in the IRM market. From changes in use cases, to competitors, to shifts in assessment criteria, everything indicates a fundamental truth: cybersecurity compliance and risk management can no longer be a siloed function that exists in a vacuum; it must be seen as a business function and managed enterprise-wide. As we’ve spoken about before, it will be up to the IRM vendors to fundamentally change their modular, static approach to integrated risk management to meet market needs. We anticipate that these shifts are only the beginning, and we are excited to have built CyberSaint on the integrated risk management vision from the beginning.
