Field Notes and Research

5 Questions With a GRC Marketing Veteran

No Comments 22 January 2009

Recently, we had the opportunity to discuss the current state of affairs in the ITGRC space with industry veteran Pete DiStefano. Pete has spent the past few years working for the Compliance business unit of Symantec and we are happy that he took the time to answer a few of our questions about where he thinks this space is headed.


Analysis and Commentary, Funding

A River Runs Through Mazu

No Comments 21 January 2009

Riverbed Technology (NASDAQ: RVBD) announced their acquisition of privately held Mazu Networks today. It seems like yesterday that Mazu was struggling with market acceptance around their behavior-based technology, trying to use it to fight off "zero day" threats before repositioning themselves to jump into the SIM fray. Well, at least they fared a little better than HighTower. According to the official release, Massachusetts-based Mazu will become another business unit of Riverbed. The best part about seeing deals involving public companies is the amount of disclosure. In this case, Riverbed will pay $25 million in cash at closing, with an additional $22 million possible if the new business unit hits $35 million in bookings for the 12 month period after closing. A tall order, but this is still a bargain considering the $47 million plowed into Mazu so far: Greylock, Matrix Partners and Benchmark Capital in 2000, Symantec dropping $12 million on them back in 2004 (possibly hoping for another Brightmail), and on up through StarVest Partners and PilotHouse Ventures in 2006.


Analysis and Commentary, Funding

eIQnetworks Takes Down $10 Million A Round

No Comments 21 January 2009

Proving that there is plenty of life left in the GRC space, eIQnetworks secured their first round of institutional financing this week, led by Venrock. Venrock brings a significant amount of security space experience to the table, having funded Vontu, IMLogic, Pedestal, and Whole Security, all of which eventually found their way into Symantec's hungry belly. Authentica, picked up by EMC, and Haystack Labs, acquired by McAfee, round out the security trifecta, with CipherMax, Imperva, Red Seal, and CoreTrace still out in open water. Venrock partner Mike Tyrrell joins eIQ's board as part of the transaction.

Rest assured, with a track record of liquidity events around security products, and Tyrrell's past experience on deals ending at SYMC (IMLogic and Pedestal), Venrock is one to watch. In the meantime, we're keeping tabs on eIQ.


Technology

More GRC Silliness

No Comments 12 January 2009

CFO magazine has an online article titled "A Defining Moment" that caught my attention because it talks about how vendors of governance, risk, and compliance (GRC) solutions are smarting from charges that they allowed their customers to be blindsided by the risks that have resulted in their businesses failing.  In the article they quote someone from Forrester Research as saying, "Some blame vendors for skimping on risk and governance software in favor of more easily salable compliance tools.  The risk function is something software vendors didn't build out very well…"  Later on we see another statement: "But the biggest question of all remains whether and to what degree software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance."  What really gets me is how both of these seem to show a basic misunderstanding of risk.  Risk management (like governance) is a human-driven activity that no software solution can provide; software can only facilitate risk management activities.  After all, who is ultimately responsible for risk management?  The vendor?  Of course not!  It's management.  Every organization, using the tools at its disposal, is obligated to identify risks to the company and then decide whether to accept, avoid, control, or transfer those risks based on the company's risk tolerance.  In other words, management owns the risk management process.  It cannot be outsourced, nor can it be performed by a vendor.

I also want to address the statement about how vendors are focusing on selling compliance solutions simply because they are an easier sell.  Note to Forrester: they're easier precisely because that's where automation is the most appropriate!  Any auditor will tell you that it's preferable to automate as many controls as possible (where it makes sense), which falls under the Compliance "leg" of GRC.  However, it's a different thing entirely to say the same for Governance or Risk.  These cannot be automated in the same way that Compliance can.  I would like to know how the folks at Forrester would suggest that vendors do this, though.  It's really easy for someone at Forrester or Gartner to slam somebody for not doing this or that, yet when it comes to discussing alternatives they either offer vague ideas or simply remain silent, expecting the rest of us "unwashed masses" to take their word for it and wait for their next pontification.

Regarding the second statement, it answers its own supposed question about whether software can automate and augment the many business processes that lie at the heart of governance, risk, and compliance.  Note to John Edwards, the author of the article: this is exactly what software is supposed to do!  Software tools automate and augment the business processes.  The process owners and other stakeholders then use the tools to manage enterprise risk and compliance, which in turn supports the overall state of governance.

Finally, the fact that no one has really defined what exactly "GRC" means doesn't help matters much either, so how about we start with that?  It should be fun to watch.


© 2009 Brightfly, Inc.