CyberCompare

Effective Tool-Supported Information Security Management

Background

The number of potentially dangerous scenarios (risk) is growing, the extent of regulation and the threat of fines (external requirements/compliance) are increasing, and management rules at many companies (internal requirements/governance) are tightening. In this situation, many companies can no longer manage their processes, strategies, and employees in a coordinated and sensible way.

To reduce risk, they need to build an information security management system (ISMS). An ISMS is a systematic approach with guidelines, procedures, and controls designed to achieve information security’s three objectives: confidentiality, availability, and integrity. The steps to build the ISMS depend on the different security standards that apply and the different implementation approaches they require – but they will always involve technical, organizational, and personnel-related security measures.

The team under the Chief Information Security Officer (CISO), who has overall responsibility for information security at the organization, handles ISMS implementation. The team’s tasks include monitoring the infrastructure, continuously checking guidelines and controls, and laying out a plan for responding to security incidents.

Challenges

In addition to facing challenges when implementing their ISMS, two-thirds of companies struggle to find suitable cybersecurity staff. Just half of SMEs even have a CISO. What’s more, OT security is quite underrepresented – only 1 percent of certified cybersecurity experts are specialized in this area.

These many challenges leave the security team with more duties and responsibilities – and less capacity for activities such as systematically managing IT risks and information security. But implementing an ISMS as defined in ISO 27001 or meeting IEC 62443 standards for production (OT) can make it possible for them to sustainably manage and improve information security.

To help companies meet these challenges, our latest market study looks at solutions for managing processes, employees, and guidelines that can make a substantial contribution in areas like cybersecurity. We examined products from both established players and newcomers and reached an encouraging conclusion: a good, modern GRC/ITRM solution doesn’t have to cost a lot.

Our process

We structured our study in three steps: we identified providers, filtered the initial list, and then identified our recommended solutions.

The market for tool-supported GRC/ITRM solutions is extensive and constantly growing. Our first step was therefore to get an overview of the current provider landscape by looking at a range of research reports, asking acknowledged experts, and of course talking with the CyberCompare network. In a rigorous expert-based filtering process, we narrowed down the resulting list of providers to eight companies for a closer look – a mix of specialized solution suppliers, innovative startups, and established global market leaders.

Using a CyberCompare analysis with seven assessment criteria, we asked the providers questions, looked at their demos, and talked with experts to analyze and evaluate their offerings. The first question for each company was the same: which regulations and standards do their platforms support out of the box? In most cases, it’s possible for customers or their IT consultants to customize the supported standards, but the additional costs involved are usually considerable. Once such “knockout” criteria were clarified, we could turn our attention to the tools’ functionalities.

The main differences here involve workflow functionalities, preconfigured management dashboards, and user-friendliness (UI and UX), as well as how easy it is to integrate and set up the system. Our comparison revealed relevant differences precisely for these “usability” factors.

Customers frequently named the references provided as a reason for buying a particular GRC/ITRM solution, saying that references helped them gauge whether the software was likely to work well at their own companies. While positive references can certainly be one criterion for choosing a solution, we primarily use them at CyberCompare to distinguish newer, less established solutions from more mature ones. (A company’s maturity does not necessarily correlate with the maturity of its solutions.) The last criterion we considered was good value for the money spent. Unfortunately, no definitive answer is possible on this topic because providers take such different approaches to pricing models (e.g., user-based vs. flat rate, annual subscription vs. one-time purchase). As a result, an individual assessment is required in each case.

Summary

GRC/ITRM solutions can help to greatly increase cybersecurity maturity, not only at large companies but at SMEs with limited cybersecurity resources, too. They can enable companies to take an efficient, structured approach to information security activities such as implementing road maps, delegating requirements to the IT and business sides, preparing for certification, and reporting top risks to the management team. The provider market is extensive, and every company should check that an offer meets its specific needs. If you need support, feel free to e-mail us or call us (+49 711 811-91494). We will be happy to provide you with an analysis of our findings.