
It has been roughly one year since Gartner released the 2018 Magic Quadrant for Integrated Risk Management, the first of its kind, and as of this week the second Integrated Risk Management MQ has finally been released. The purpose of integrated risk management (IRM) is to enable organizations to simplify, accelerate, and communicate risk and compliance seamlessly up and down the chain of command, and across business functions whether technical or otherwise. A strong IRM strategy supports organizations in making better business decisions that help lower existing, new, and unforeseen risks in our new, digital world.

It’s been a big year for the risk and compliance industry and, as we’ve seen, there are significant shifts in the way that enterprises approach cybersecurity risk management. As a result, the tools they use have shifted as well, and new players outside the quadrant are starting to replace or augment market leaders, amongst other trends.

A Shift In Use Cases

In analyst John Wheeler’s benchmarking post introducing integrated risk management as the future of risk and compliance, he illustrated the new approach using seven core functions: corporate compliance and oversight, audit management, digital risk management, operational risk management, vendor or supply-chain risk management, business continuity management and planning, and enterprise legal management. Six of those seven (with operational risk management at its core) served as the use cases that Gartner used to analyze members of the 2018 Magic Quadrant for Integrated Risk Management.

This year, we’ve seen a change. With Jie Zhang at the helm of this year’s report, the analysis is no longer broken down by function; she has brought a new lens to the table that directly links risk and compliance management to business outcomes. There are three use cases based on the lens through which the platforms help customers see their cybersecurity risk and compliance: business-outcome-centric, operation-centric, and compliance-centric. These centricities illustrate how respective users can view the overall risk and compliance data gathered within a central platform:

  • Business-outcome-centric bridges the gap between technical and business-side stakeholders
  • Operation-centric focuses on quantifying, managing, and mitigating risk
  • Compliance-centric ensures that requirements are met to continue business operations

Simplifying these six use cases down to three indicates how enterprises are viewing risk and, more importantly, the shift that is occurring within cybersecurity organizations. Businesses are recognizing the need for a more integrated approach across all of Wheeler’s six areas. What the 2019 MQ use cases indicate is that these three lenses are the ones through which the market needs to be able to view its cybersecurity posture.

Critical Capabilities

Where the IRM use cases saw a remarkable consolidation from six to three, the critical capabilities for integrated risk management solutions remained mostly unchanged. The primary focus on risk management over checkbox compliance remains a foundational theme in the Gartner literature, and for good reason: checkbox compliance should be only the starting place for organizations, and risk and compliance management should be treated as a core business function. Compliance alone can’t be the primary focus for staying secure as digitization intensifies.

Shifts in IRM MQ Vendors Listed

The integrated risk management market has itself seen many shifts since the release of the 2018 MQ. From the ACL acquisition of RSAM and the subsequent rebrand to Galvanize, to the Reuters spinout of Refinitiv, the changes to the IRM market have come fast. The most significant shifts came from the Challenger and Visionary sections of the quadrant, driven by mergers and acquisitions, specifically ACL/RSAM and the Nasdaq sale of BWise to SAI Global. As the report notes, both of these shifts specifically indicate changes ahead for existing products and for how the rest of the market will react.

Takeaways

This year we have the data points to see trends and shifts in the IRM market. From changes in use cases, to competitors, to shifts in assessment criteria, the data indicates a fundamental truth: cybersecurity compliance and risk management can no longer be a siloed function that exists in a vacuum; it must be seen as a business function and managed enterprise-wide. As we’ve spoken about before, it will be up to the IRM vendors to fundamentally change their modular, static approach to integrated risk management to meet market needs. We anticipate that these shifts are only the beginning, and we are excited to have built on the integrated risk management vision from the start at CyberSaint.
