Field Notes and Research

5 Questions With a GRC Marketing Veteran

22 January 2009

Recently, we had the opportunity to discuss the current state of affairs in the ITGRC space with industry veteran Pete DiStefano. Pete has spent the past few years working for the Compliance business unit of Symantec and we are happy that he took the time to answer a few of our questions about where he thinks this space is headed.

Brandon Dunlap [BSD]-We’ve had a lot of “boogeymen” in the past that have fueled security spending. Hackers, Russian mobsters, clueless employees, the list goes on. For the past few years, it seems as though Auditors and Regulators have been the enemy du jour. Do you think they will still be the driving force as the economy continues to slow and organizations look for ways to trim costs while adding additional protection?

Peter DiStefano [PJD]-I do believe highly regulated public companies will still, to some extent, sustain security and compliance market spending. I do believe that the enterprise segment will try to leverage what they’ve already spent to secure the infrastructure, but to do this well security and compliance management are required and I believe will continue to grow. I don’t think the enterprise segment is going to spend dollars on security and compliance due to FUD in the market. There will be more regulations, but they are all offshoots of existing regulations, more detailed, less detailed, etc. I believe that there will be more companies that will spend the time to evaluate the costs of a breach or some type of data loss vs. the cost of preventing them and make a dollars-and-cents business decision on whether it is worth the investment. I believe that smaller companies that are emerging as tomorrow’s enterprises are not as sophisticated from a security perspective, and will be one of the key segments that will fuel growth in security spending, along with the most sophisticated, most knowledgeable, large enterprises. The difference is the largest, most sophisticated enterprises require different solutions, more in line with implementing a single global IT GRC program.

BSD-After BindView was purchased by Symantec, we watched their product line sales triple within the first 12-18 months. Obviously, Symantec’s legions of salespeople had an impact on this by providing reach that BindView couldn’t match as a standalone company. Do you think the IT GRC market will continue to support this kind of growth and if so, what do you think the smaller players can do to gain market awareness in the face of juggernauts like CA, Symantec, and others?

PJD-The IT GRC market is growing fast, but starting from a very small base. My experience has been that only the largest and most sophisticated enterprises know enough about their security environment, what their goals are, and where they have gaps. My belief is that the upfront assessment of your security and compliance posture, mapped against company goals, is the most important step in implementing IT GRC. Smaller players are at a disadvantage to the juggernauts, as you mentioned above; however, having key consulting services, experts who understand security, compliance, and IT GRC can be the difference maker. Software alone will not get it done. I think a smaller player that has these skills can grow, and is growing, in this space as fast as or faster than the larger companies. It is when those juggernauts get their consulting skills in order that the challenge will be a much more daunting task.

BSD-There has been a lot of talk about the convergence of physical and information security over the years and we are starting to see some interesting products come to market in attempts to bridge the gaps between the two sides of operations. Do you think that the incumbent IT GRC players are going to be able to catch this wave and push it forward, or do you think it will continue to be a niche play supported by smaller/start-up companies?

PJD-This is an interesting question. Today this convergence is, as you’ve mentioned, just a niche play, but the big companies are looking at this opportunity just as smaller companies are. I believe this convergence makes sense, just as a convergence between compliance and security management is taking place today. I think the rate of adoption will be gated on the cost/ROI, and the benefit derived from such convergence or integration. I think a couple of big partnerships between physical security and information security vendors might also accelerate the adoption of the convergence.

BSD-Knowing what the various products in this market have to offer, where do you think the channel can add the most value and differentiate them from the pack and add the most comprehensive solutions for their clients?

PJD-I believe, after my previous answers to these questions, it should have become obvious how I will answer this one: up-front consulting services. Companies need help figuring out what they have, where the gaps are, and how to create a cost-effective roadmap to build out a strong security and compliance program. The focus should be on the company’s objectives, inclusive of external mandates. There is significant money to be saved, and consulting can show companies, up front, the value of these implementations. If you are a key resource to a project on the front end or the assessment phase, you should be as valuable through the entire implementation, which will drag software and hardware.

In summary, don’t go in solving SOX or PCI compliance problems; help them to define their objectives, inventory their environment, and then recommend a course of action. My belief is that taking a PCI or regulatory approach to have a discussion is OK, but if you are really going to add value, you need to show a company how the work you do to support a specific regulatory mandate, if done as a consolidated, singular effort, can be applied to the entire enterprise, saving significant expenditures over time.

BSD-Based upon what you have learned over the past few years, if you could start from scratch, what angle would you take with the IT GRC space regarding a go-to-market strategy?

PJD-I would have put together a tiger team of 8-10 highly skilled consulting resources and driven a go-to-market strategy that communicated three critical messages.

  1. Reduce current costs for security and compliance. I know this seems boring, but this element has got to be there and you have to be specific in where and when those savings will be realized.
  2. I would aggressively communicate the expertise that we bring to the table at every phase, and develop a true consultative partnership with companies. I would leverage this tiger team and put them in front of these prospects, face to face, leveraging technology, thought leadership events, etc. I would avoid the focus on selling boxes of software.
  3. I would drive a message that all companies are not the same. IT GRC should be implemented in steps based on where a company is on a maturity scale. I would message our capability to bring them along over time based on meeting corporate objectives. One company’s full-blown IT GRC implementation might not look the same as another’s, but the one thing they will have in common is that they will have an IT GRC program built based on the corporation’s goals and objectives.

BSD-Thank you Peter for your time and insights. We are looking forward to what the market has to say about this space in the coming year.


© 2009 Brightfly, Inc.
