Defining GRC tools and the GRC market is tricky as the line between eGRC and IT GRC blurs.

Most analysts break the market down into two broad categories: IT GRC and Enterprise GRC (eGRC). The vendors generally don’t make it any easier for potential enterprise customers, as the IT GRC players often claim they do eGRC, and all the eGRC vendors say they encompass IT as well.

To a degree, they’re both right. RSA Archer, for example, generally regarded as something of a hybrid leaning more to the IT side, has had some success in the eGRC market.

“They’re not mutually exclusive, and that’s why it gets fuzzy,” said Paul Proctor, Gartner vice president of security and risk management. “Each says they do the other, and, to some degree, they are all correct. They are separated because some are clearly better at the eGRC top-down look at everything, and some that are clearly from an IT background and better at IT.”

Michael Rasmussen, president of Corporate Integrity, doesn’t even think IT GRC is an accurate term, preferring “IT Risk and Compliance.” Labels aside, he says the two can be differentiated in two areas:

The first is content. In enterprise GRC implementations, the customer supplies all the content, or control libraries. IT GRC, on the other hand, comes pre-populated with a lot of content, such as sample IT policies and controls libraries. This makes sense, because IT is a very specific domain, with IT-specific content. eGRC content can be almost anything.

“Enterprise GRC content is much more all over the map: financial controls, labor standards and compliance issues, import and export laws, health and safety, and so on,” said Rasmussen.
“The compliance domains for enterprise GRC are so broad.”

The second, which speaks to the focused nature of IT content, is the ability to connect with other IT and IT security systems and applications, such as vulnerability and configuration management and change management.