What’s Changed: 2021 Gartner Magic Quadrant for IT Risk Management
The editors at Solutions Review highlight what’s changed since the last iteration of Gartner’s Magic Quadrant for IT Risk Management and provide an analysis of the new report.
Analyst house Gartner, Inc. has released its 2021 Magic Quadrant for IT Risk Management. The researcher defines IT risk management (ITRM) products as “software and services that operationalize the risk management life cycle of cyber and IT risks in the context of an organization’s mission.” These tools are implemented in order to establish a centralized hub that simplifies and facilitates business-related risk management. ITRM platforms help security and risk management (SRM) professionals manage cyber and IT risks for four common use cases, namely, IT risk and control assessment; regulatory, industry, and policy compliance; cyber risk management; and integration into enterprise risk management.
Though ITRM tools are primarily used for the aforementioned use cases, U.S. Federal organizations often use ITRM products to meet the current and future U.S. Federal compliance regulations for the assessment and authorization of systems. Additionally, the key capabilities of ITRM solutions include workflow management; data integrations and connectors; information and asset discovery and inventory; user access; risk analysis; risk treatment life cycle; board/senior executive reporting; near-real-time IT risk profiling; regulatory and policy content management; threat and vulnerability management integrations; and incident management integrations.
The market for ITRM products is expanding, with a high level of interest in stand-alone ITRM products or ITRM use cases within integrated risk management (IRM) platforms or governance, risk, and compliance (GRC) platforms, according to Gartner. The continually increasing focus on cybersecurity has led to a growing interest in ITRM features specific to cyber risk. Additionally, interest in ITRM initiatives is projected to continue because of cybersecurity and privacy mandates, as well as a digitally enabled, remote, or hybrid business operating environment.
Gartner predicts that by 2023, 80 percent of organizations with formal risk management programs will use an ITRM product to manage their cyber and IT risks, up from 45 percent today. Additionally, the recent introduction of new vendors has disrupted the market, causing a shift towards cloud-first deployments of ITRM. Because of this, many ITRM providers have slowly moved to a SaaS-first offering. In the future, Gartner expects that ITRM vendors will embed machine learning capabilities into their products on a larger scale, including natural language processing, embedded chatbots, and evidence suggestions based on previously given evidence.
In this Magic Quadrant, Gartner evaluated the strengths and weaknesses of the 14 providers that it considers most significant in the marketplace and provides readers with a graph (the Magic Quadrant) plotting the vendors based on their Ability to Execute and their Completeness of Vision. The graph is divided into four quadrants: niche players, challengers, visionaries, and leaders. At Solutions Review, we read the report and pulled out the key takeaways.
Gartner adjusts its evaluation and inclusion criteria for Magic Quadrants as software markets evolve. While no vendors were added or dropped, three vendors changed names from past iterations of this report. Archer was rebranded from RSA Archer to Archer, SAI360 was rebranded from SAI Global to SAI360, and Diligent acquired Galvanize. Gartner also occasionally lists honorable mentions that did not meet the inclusion criteria, but are of interest to their clients due to their open-source approach and market momentum. This year’s honorable mentions are Camms, CyberSaint, and eramba.
Representative vendors in this year’s Magic Quadrant include Allgress, Archer, Diligent, IBM, LogicManager, MetricStream, NAVEX Global, OneTrust, Reciprocity, Riskonnect, SAI360, ServiceNow, SureCloud, and TechDemocracy.
The leader quadrant is the most densely populated this year, containing ServiceNow, Diligent, Archer, MetricStream, IBM, NAVEX Global, and SAI360. ServiceNow is placed highest with regard to the ability to execute. This status could be attributed to the provider having one of the highest R&D budgets among the vendors assessed in this report. ServiceNow’s closest competitor in this quadrant is Diligent, which is one of only two providers included in this Magic Quadrant with an authority to operate (ATO) for its platform. This fulfills a primary qualifying criterion in cloud services procurement decisions for state and federal agencies.
Archer, MetricStream, and IBM are all grouped closely in the leader quadrant. Archer differentiates itself through its workflow process designer capability, which offers ease of use in zero- to low-code workflow design, a modern user interface, and flexible actions or workflow nodes. MetricStream’s strength is its ability to adapt and consistently improve its roadmap in response to customer feedback and demand, as shown by its investment in improving user experience. Meanwhile, IBM touts the widest geographical presence in this report and also has a strong product vision for machine learning and artificial intelligence-driven risk and compliance management augmentation.
Rounding out the leaders are SAI360 and NAVEX Global. SAI360 is located closest to the Y-axis. This placement could be due to the provider’s predefined solution tailored to smaller organizations’ needs in both IT risk and cybersecurity program management. NAVEX Global was placed closest to the X-axis. The vendor will focus on enhancing UX by making UI improvements, evolving automated workflow, and adding in-line record editing capabilities.
This year’s challengers are all located close to the Y-axis of the graph, with OneTrust being placed directly on the axis itself. The location of OneTrust could be attributed to its robust in-house knowledge capital, product design, and experience. LogicManager earned the highest ability to execute among the challengers. The vendor provides each customer with a team of advisory analysts, based on their industry, who work with the end-user to implement the solution aligning to business needs.
The remaining challengers in this year’s report are Reciprocity and SureCloud. In 2021 and 2022, it’s expected that Reciprocity will continue expanding its benchmarking capabilities and its platform in order to support third-party risk. SureCloud, which is offered exclusively via SaaS, is looking to rearchitect its platform to optimize performance and flexibility.
There are no visionaries listed this year, leaving only the niche players. Allgress is located closest to both the X- and Y-axes in this quadrant. Its solution is targeted mainly at SMBs in finance, healthcare, technology, state, or the federal government. Allgress also offers a range of deployment options. TechDemocracy, also a niche player, likely earned its status because it is one of the few products that focuses solely on cyber risk management as a stand-alone product. Finally, Riskonnect offers RK GoLive!, which introduces two implementation options to facilitate deployment by focusing on either best-practice configuration or customer configuration.