Risk & Compliance

Outlook
2 | Risk & Compliance Outlook 2011

Contents

EXeCUTIVe SUMMARY P| 03
CHALLeNGe:
Risk Management P| 05
CHALLeNGe:
Effective Patching P| 08
CHALLeNGe:
Compliance P| 10
CHALLeNGe:
Audit P| 14
RespONse:
The Risk and Compliance Market P| 16
CONCLUsION:
Emerging Trends P| 19
ReseARCH AppROACH P| 20

© 2011 Evalueserve, Inc. All Rights Reserved.

 1
McAfee retained Evalueserve to conduct an independent
Executive Summary

leverage information for corporate risk assessment and satisfy

assessment of the factors that consumers of Risk and
Compliance products face in 2011. This global study highlights
how IT decision-makers view the challenges of risk and
compliance management in a highly regulated and increasingly
complex global business environment. The research investigates
how organizations address both risk and compliance, which are
so inextricably interrelated.
The research is forward looking, revealing companies’ plans for
refining and automating their programs in 2011 and beyond.
They spent significant portions of their IT budgets on risk and
compliance management and are increasing spending in 2011.
This report also provides an overview of the state of the risk and
compliance market, and prospects for consolidation and growth.
Although the market is still fragmented, the scenario is likely to
change in the short term because of immediate customer needs
in the wake of changing regulatory requirements. In 2011, we
expect to see strong competition among numerous vendors.
Technologies that support comprehensive risk and compliance
programs as integral components of successful operational
processes and strategic business goals will mature soon. Vendors
will begin integrating risk assessment with business intelligence
and data governance technology, bringing compliance in sync
with the business. This will enable organizations to effectively
regulatory requirements. Solution subsets customized to specific
sectors such as financial services, health, government, and
manufacturing, will be introduced, and emerging mobile, social
and cloud technologies will find more applications in the market.
The focus on risk and compliance management comes at a
critical juncture as companies are under considerable pressure to
protect customer information and privacy, and sensitive business
information (business plans, intellectual property, etc.) against
threats from cyber criminals, competitors, and even hostile
governments. These pressures have intensified as national and
regional governments, industries, in some cases, business partners
require increasingly tight compliance in implementing and
enforcing IT policies, processes, and controls around key assets and
sensitive information. Most companies have to deal with multiple
regulations and no business sector is exempt
from this.
Forward-thinking companies have implemented or are in
the process of developing risk management and compliance
initiatives. They are avoiding check-box compliance and fire drill
responses to security incidents in favor of sustained, continuous,
and auditable risk management programs that address IT security
as a business risk.

© 2011 Evalueserve, Inc. All Rights Reserved.

4 | Risk & Compliance Outlook 2011
Key research findings
• Although companies are aware of
the factors, such as the correlation
of threats, vulnerabilities and asset
value to the business, that comprise IT
business risk assessment, they still find
it challenging to execute measures to
address them.
• Generally, IT decision-makers are
confident in their ability to patch
security flaws. However, they invest
heavy man-hours in the patching
process, and their operations are
significantly disrupted when they have
to deal with out-of-cycle patches.
© 2011 Evalueserve, Inc. All Rights Reserved.
• Keeping IT systems compliant is a
serious challenge for companies,
as is automating compliance, and
understanding and meeting the needs
of multiple regulations.
• Investment in compliance products
is strong – and will continue to grow
– particularly in the areas of change
assessment, file integrity monitoring
and database activity monitoring.
• When buying products in
2011, companies are expected
to accord highest priority to
organizational compliance
mandates on databases and
networks.
• Audit tracking is reasonably strong
around what changes occurred and
when. However, the companies fall
short in recording who made the
change, where and how.
• Companies want a more solution-
based approach when it comes
to selecting Risk and Compliance
products, rather than selecting vendors
that provide only one-off point
products.
 2
Visibility Means Security and Efficiency
Challenge:
Risk Management

With full visibility into their corporate networks, companies will,

for example, focus vulnerability and threat detection efforts on
Effective risk management hinges on accurate and high-value assets. Further, remediation action, such as patching,
comprehensive visibility into a company’s affairs, including: configuration correction and re-imaging will be prioritized, rather
• Detailed asset information: network devices, servers, than taking the costly “patch everything now” approach. As we
OS, services, applications will see later in this report, patching is a
• Asset value: Importance to the time-consuming and expensive process.
business based on the potential “Half the companies feel that From a security perspective, companies
impact of interruption of service, loss that lack visibility suffer serious and
of proprietary corporate data such they can save 6–10 hours per
persistent data compromises. The 2010
as intellectual property and business week if they have 100 percent Verizon Data Breach Investigation
plans, or exposure of personally visibility into the risk posture of Report, for example, cites “unknowns”
identifiable information (customer their businesses.” in nearly half the cases that were
information, credit card numbers, investigated. These include the
patient records, etc.) following:
• Vulnerabilities and • Assets that were unknown or unclaimed by the organization
configuration errors: OS or application exploitable flaws (or business group affected)
or mis-configurations that leave critical assets open to attack
• Data that the organization did not know existed on a
• Change control processes: Determining whether strong particular asset
change and remediation procedures are in place and are
• Assets that had unknown network connections or
being adhered to; also, confirming that all critical assets are
accessibility
included in these processes
• Assets that had unknown user accounts or privileges
• Network dependencies: Visibility includes not only the
potential target assets, but also the devices along the network
paths that might be compromised and open up the more
valuable corporate data and business functions to attack

© 2011 Evalueserve, Inc. All Rights Reserved.

6 | Risk & Compliance Outlook 2011
Other data in the report reflected the
security impact of lack of visibility. Three
of five attacks were discovered by third
parties; 96 percent of the breaches were
avoidable through simple or intermediate
controls; a quarter of the breaches were
not discovered for weeks; and more than
a third went undiscovered for months.
It is no surprise, then, that companies
participating in this survey said that they
take risk management very seriously.
Overall, 74 percent of the participating
companies agreed that visibility into the
risk posture of their IT environment is
important. More than 80 percent of the
companies in the UK and North America
agreed that it is important to have
visibility into their IT environment’s risk
posture; however, companies in Germany
and France were less likely to consider
such visibility important.
A higher proportion of McAfee users (77
percent) agreed that this is important, as
compared to the non-users of McAfee
products (70 percent), reflecting their
commitment to investing in automated
technology to support their risk
management and compliance efforts.
This visibility translates directly into more
efficient operations. Half the companies
estimate that they save from six to ten
hours per week if they have 100 percent
visibility into the risk posture of their
businesses. Meanwhile, at least a quarter
of the companies in the UK and North
America estimated that they will save ten
to twenty hours per week if they have
100 percent visibility.
Consider that slightly less than half the
companies surveyed spend six to ten
man-hours per month on assessment of
threats to their business. The figure is a
bit higher among companies in North
© 2011 Evalueserve, Inc. All Rights Reserved.
America, France, and APAC, where just
over 50 percent report spending six to ten
man-hours per month assessing threats.
In contrast, one-third of the companies in
the UK and Germany spend just two to six
hours per month on threat assessments,
possibly because of the impact of
automation. As an aside, only 26 percent
of McAfee users spend ten to twenty
man-hours per month compared with 31
percent of non-users of McAfee products,
which again indicates the benefits of
automation.
“Four of ten respondents
admitted that either they are
unaware of all information
security risks or they are not fully
protected against information
security risks”
Companies also identified the key factors
that go into their IT risk assessment
process and the challenges they face in
carrying through an effective and efficient
risk management. To put those responses
in context, let us first examine the
essentials of such a practice.
The Risk Management
Lifecycle
Companies operate in a dangerous
world, fraught with threats from external
attackers and malicious insiders. Leading
organizations have well-defined risk
management lifecycle programs that
address IT vulnerability in a business risk
context, and therefore, address these
issues more efficiently. This lifecycle
commonly comprises the following:
• Asset discovery: Asset
management programs are only as
good as the information supplied
to them. Discovery tools provide a
complete picture of the devices on
corporate networks, and the operating
systems, services, and applications
running on them, as well as rogue
devices (Do you have wireless access
points on your network? – No? – How
do you know that?)
• Vulnerability detection: Using
scanning tools to discover not only
network-based flaws, but application
vulnerabilities, database issues and
configuration errors.
• Risk assessment: This is a critical
step that many organizations are not
yet prepared to take, but it pays off
in reduced investment in resources.
Business risk can be established
by weighing: the severity of the
vulnerability; the likelihood of it being
exploited (Are there known exploits?
Is the asset well-protected by network
firewall, IPS, web application firewall,
etc.?); the criticality of the asset and
the business impact if the vulnerability
is exploited; and the resources required
for mitigation and remediation.
• Remediation: This is not simply a
scan-and-patch process. Remediation
should be applied within the company’s
change control process, leveraging
ticketing systems or whatever change
mechanisms are in place.
• Verification: Rescan or other
technical validation that the
remediation was successful.
• Audit/Report: Documented evidence
that the vulnerability was discovered,
assessed and remediated, and who
is accountable.
 Risk & Compliance Outlook 2011 | 7

Factors Used to
Determine Risk
Vulnerabilities (79 percent) and threats
(78 percent) are the topmost factors
that companies take into account while
determining IT risk. These are closely
followed by the value of the asset (71
percent) and countermeasures that
companies take to thwart threats
(60 percent). Seen in line with a risk
management lifecycle, we see that IT
leaders take the correlation of critical
risk factors seriously. The responses are
similar across countries, and among both
users and non-users of McAfee products.
However, ideally, organizations prefer to
reduce their efforts while reducing risk,
indicating a stronger need for automation
of the IT risk management process.
Multiple factors are considered while
determining business impact: 70 percent
of the companies cite loss of revenue and
two-thirds consider loss of man-hours as
critical factors for determining business risk.
This is very closely followed by potential
loss of customer faith and the impact on
the company’s brand. Of those surveyed
in North America, 71 percent cited loss of
man-hours as the least important factor.
Loss of revenue is considered the least
important by companies in APAC, the UK
and Germany.
Risk Management
Challenges
Respondents said the biggest challenge
that their companies face is identifying
threats, followed by discovering
vulnerabilities in their systems (see Figure
1). Being able to know which systems are
adequately protected from threats is the
third biggest challenge. These challenges
are greater for those companies that have
low awareness of or partial protection
against information security risks. Note
that quantifying the impact of threats
on the business falls right in the middle
among their challenges, indicating
recognition that this is a key element
in focusing their efforts (vulnerability
detection and remediation) on their most
valuable assets. Since the respondents
rated focusing their effort on their most
valuable assets and applications as the
least critical of their challenges, it is clear
they are aware of the importance of
prioritizing their efforts and therefore, use
limited resources to best effect.
Notwithstanding the positive findings, a
large number of respondents said they still
had work to do: four of ten respondents
admitted that either they are unaware of
all information security risks or they are
not fully protected against information
security risks. While the observations are
similar across most countries, half the
companies in Germany say they are not
aware of all their security risks or are not
fully protected.

Figure 1: With 1 being the biggest challenge and so on, please rank your 5 biggest challenges in risk
management

Discovering threats Rank 1 2.77

Discovering vulnerabilities Rank 2 2.74

Knowing which systems are adequately protected

Rank 3 2.15
from threats
Quantifying the impact of threats on our
Rank 4 2.02
environment

Matching vulnerabilities to threats Rank 5 1.89

Remediation Rank 6 1.72

Focusing efforts on the most valuable

Rank 7 1.71
assets/applications

Source: Evalueserve Primary Research

© 2011 Evalueserve, Inc. All Rights Reserved.

 3
Companies are Confident, but
Challenge:
Effective Patching

by strictly adhering to a well-defined risk management and

compliance lifecycle. Asset discovery, vulnerability detection,
Heavily Burdened and risk assessment will help them determine which systems
Security patching remains the core remediation function in actually need to be remediated; prioritize patching, and avoid
the risk management lifecycle (others or at least delay non-critical patches. Risk
include activities such as correcting management and compliance products
configuration errors and fixing coding “An average of 12 man-hours help organizations streamline their patch
flaws in applications). Almost two-thirds management programs by automating
can be saved per week if the the discovery of vulnerable systems;
of the surveyed companies say that
they are fully confident of being able to frequency of patching is reduced remediation and verification of patch
precisely patch assets. Interestingly, about from weekly to monthly.” operations, and auditing/reporting.
three-quarters of the companies in the UK
and North America claim to be confident Reducing Patching
about precisely being able to patch assets, accurately translate IT Frequency
risks into business risks, or deploy products as countermeasures
against threats. Companies in Germany are the least confident An overwhelming majority of companies patch their systems
of being able to precisely perform any of these tasks, followed at regular cycles. Of the companies surveyed, 45 percent patch
by France. Only about 40 percent companies in Germany and 55 their systems weekly, and the same number patch their systems
percent of the companies in France are confident of performing monthly. Half the companies surveyed in the UK patch their
these tasks accurately. systems monthly. The patching frequency is higher in France,
where six in ten companies patch weekly. That’s the good news.
Whatever the confidence level, patching remains a major The bad news is that as the economy recovers from the global
challenge. As we will see in this section, patching is time- recession, companies are still struggling to find their feet and
consuming and labor-intensive process. Organizations will spending time patching takes IT pros from other, high
mitigate the negative impact of their patching programs priority projects.

© 2011 Evalueserve, Inc. All Rights Reserved.


Cost continues to remain one of the
biggest challenges. Valuable man-hours
that could be redirected to activities that
are closer to core business needs are spent
on routine vulnerability patching.
CIOs and their senior management
representatives say that they will save
valuable man-hours by reducing patching
frequency. They estimate an average of
12 man-hours will be saved per week if
the frequency of patching is reduced from
weekly to monthly. North America stands
out with the highest estimated savings of
18 man-hours per week.
Accurate detection is critical. However,
not all companies are able to pinpoint
threats or vulnerabilities, with just a little
above half of respondents saying they
are able to do so. As a result, 44 percent
said that they over-protect and patch
everything they can. “When in doubt,
patch” is clearly not the way to reduce
patching man-hours. On the positive side,
61 percent of the surveyed companies in
APAC try to focus on the most important
assets during threat/vulnerability
detection. On the other hand, only one-
third of the companies in France take this
approach, while more than half try to
patch everything they can.
Organizations clearly need to make
effective use of automated risk
management tools for accurate and
comprehensive vulnerability detection
coupled with detailed asset profiling and
risk assessment based on business impact.
Impact of Out-of-Cycle
Patches and Patch Tuesday
Out-of-cycle patches throw corporate
IT processes and resources off track,
disrupting operations, escalating
unanticipated (and unbudgeted cost).
The survey shows that 82 percent of
respondents feel that there is an impact
due to out-of-cycle patches. In France,
a quarter of the companies surveyed
reporting that out-of-cycle patches have a
major impact on operations.
Disruptive out-of-cycle patches result in:
• Data loss
• System crashes
• Service interruptions
“82 percent respondents feel
that out-of-cycle patches
have an impact on their IT
processes.”
• Productivity loss
• Remote endpoints affected
• Disruption of planned activities
• Increase in IT management and
security costs
Respondents report that they spend
an average of 15 hours in a week
Risk & Compliance Outlook 2011 | 9
patching when an out-of-cycle patch
is released, with McAfee product users
spending fewer hours than non-users,
demonstrating a positive impact of
automation technology.
“Companies spent an average
of 15 hours in a week when
an out-of-cycle patch was
released.”
The reaction to “Patch Tuesdays” is similar
to dealing with out-of-cycle patches.
Nearly two-thirds of the companies
surveyed said that they are somewhat
concerned about vulnerabilities and
remediation during Patch Tuesdays.
Companies in APAC (73 percent) and
North America (69 percent) in particular
expressed concerns around this
monthly burden.
Even with fully automating risk and
compliance management, 73 percent
companies said that they would review
vulnerabilities whenever possible,
whereas, just 15 percent would forget
about dealing with Patch Tuesday as a
special case. France stood out among
all the countries, with 28 percent of the
companies saying that they plan around
Patch Tuesday on the same day.
© 2011 Evalueserve, Inc. All Rights Reserved.
 4
The Complex Compliance Environment
Today, corporations need to work with large volumes of
sensitive information, which is typically a target of malicious
attacks. These companies also need to comply with a number
of regulatory mandates. Apart from
stipulating the minimum levels of security
to protect databases from theft or illegal
“25 percent of the time,
manipulation, these regulations also
govern the disclosure of the company’s compliance is the main driver for to health care providers that convert their
financial and operational data to improve initiating an information security
organizational transparency. project.”
Compliance remains a critical driver
of information security projects in
companies. Respondents estimate that 25 percent of the time,
compliance is the main reason behind initiating an information
security project—in North America, the figure is 31 percent.
The recent growth in the risk and compliance market was
spurred primarily by stricter compliance requirements put in
place by industry and governments. After the recent economic
downturn, which resulted from financial mismanagement,
companies now face an aggressive regulatory environment and
skyrocketing penalties in case of violation of mandates.
© 2011 Evalueserve, Inc. All Rights Reserved.
Challenge:
Compliance
IT Compliance obligations are expected to continue to grow. In
addition to well-established regulations, such as Sarbanes-Oxley
and PCI DSS, we’ve seen, for example:
• After years of non-enforcement, the Health Insurance
Portability Account Act (HIPAA) got some teeth when the
HITECH Act was passed as part of the
Obama administration’s economic
recovery legislation. It provides incentives
health records to the electronic form and
secure them; forces disclosure of patient
information breaches; extends HIPAA
security requirements to health care
providers’ partner organizations; and gives
individual states the right to cite violations and
impose penalties.
• NERC-CIP mandates tight, standards-based information
security controls for the utilities industry (Stuxnet will only
serve to spur that along).
• Basel II (and now Basel III) implementations mean financial
institutions have to demonstrate to the auditors’ satisfaction
that they have strong controls in place to monitor areas of
operational risk, such as access to and exposure of
financial information.

• The US Congress continues to wrangle
over federal cyber security legislations,
which will have a profound impact
on both the federal government and
business IT security.
In addition, auditors are honing their
interpretations of requirements as they
gain experience and are more likely to
hold corporate feet to the fire.
Apart from regulatory reasons, companies
are also turning to risk and compliance
products because of the following factors:
• Multiple compliance
regulations: The global reach
of modern companies is making it
difficult for them to address multiple
compliance regulations, which vary
from country to country, as well as
multiple regulations within each
national jurisdiction. A company needs
to cater to each regulation, which
may set very different compliance
requirements, without disrupting the
normal flow of information across
the organization.
• Risk and compliance products
help organizations apply
controls using recognized
standards (ISO, COBIT, NIST, etc.)
and map them to applicable
regulations: This enables
organizations to apply a uniform set of
sound security controls and issue audit
reports on an as-needed basis. While
half the companies participating in
the survey usually have to comply with
fewer than 10 regulations worldwide
(no small number!), around 20 percent
have to comply with up to
20 regulations.
• Integrating various parts of the
organization: Risk and compliance
platforms need to establish a seamless
and transparent flow of data across
the organization. This is a difficult
task, especially when the various
factions of a large company may
have their own vulnerabilities and
regulatory requirements. This requires
management support for a uniform
risk and compliance policy and process
across the organization, and tools that
scale risk management and compliance
on a large company level.
• Increasing complexity of
malicious attacks: Corporations
around the world are facing threats
that are growing increasingly
sophisticated and targeted. In addition
to theft by cyber criminals, attacks are
increasingly motivated by corporate
competition and nations seeking
cutting-edge intellectual property and/
or state secrets. In order to keep up
with these ever-changing attacks,
security systems need to be constantly
upgraded. Apart from external threats,
corporations today also face the
prospect of insider sabotage, identity
fraud, and unauthorized access to
systems and networks.
Challenges in Achieving
Compliance
Companies face many challenges to
achieve compliance (see Figure 2). The
Risk & Compliance Outlook 2011 | 11
greatest of these challenges, for CIOs
and their teams, is to keep their systems
compliant. The second biggest challenge
is to completely automate IT controls, and
understanding complex regulations is the
third biggest hurdle. The answer to these
challenges is automation and integration.
While it does not eliminate the need for
human participation, it allows skilled
professionals to focus on informed
decision making rather than on slow and
error-prone manual information gathering
for tasks such as risk assessment and
audit response. Automated change
control monitoring, enforcement, and
reporting are key elements in achieving
compliance and security. Moreover, in
large organizations, it is almost impossible
to keep systems compliant, which was
the respondents’ number one challenge,
without automation.
“The greatest challenge for
CIOs and their teams is to keep
their systems compliant.”
Risk and compliance tools enable
understanding regulations and managing
each regulation off a common set of
processes and data (assuming they do an
inadequate job of mapping controls to
each regulation and producing regulation-
specific audit reports that can be tailored
to the companies’ specific policies
and requirements).
© 2011 Evalueserve, Inc. All Rights Reserved.
12 | Risk & Compliance Outlook 2011
“Companies find it most
challenging to comply with
regulatory mandates around
databases, which ranked number
one in the survey.”
The survey revealed that companies
find it most challenging to comply with
regulatory mandates around databases
(see Figure 3). This observation explains
the high current deployment and
expected deployment of database
activity monitoring tools that will bring
the technology into 93 percent of the
organizations surveyed. Database security
has come under increased regulatory
scrutiny, focused largely on privileged
insider usage, with heavy emphasis
on privileged user account and access
control, activity monitoring against
established “normal” usage baselines,
Figure 3: Which of the following is the most challenging in terms of
complying with regulatory mandates?
Rank 2
Rank 3 Applications
Rank 4 Storage Systems
Rank 5 Operating System (OS)
Source: Evalueserve Primary Research
© 2011 Evalueserve, Inc. All Rights Reserved.
Figure 2: Please prioritize your biggest challenges in demonstrating
compliance and remaining compliant.
Rank 1 Keeping systems complaint
Rank 2 Automating IT controls
Rank 3 Understanding regulations
Rank 4 Managing regulations one by one
Rank 5 Compliance drift
Rank 6 Reporting
Rank 7 Audit fire drills
Source: Evalueserve Primary Research
and separation of duties. Database
scanning capabilities are now included in
a number of vulnerability
management tools.
Network mandates are ranked number
two followed by applications. After
long neglect – despite the proliferation
of application-layer vulnerabilities
Rank 1 Databases
and attacks – application vulnerability
detection and remediation is merging as
Network
a security priority. This is especially true
as web-based applications represent
the tip of the spear for attacks. It is also
becoming an implicit and in some cases,
such as PCI DSS, explicit compliance
requirement for both existing production
applications and software development.
Storage systems are ranked fourth and
operating systems comes last, most
likely because this is a well understood
and addressed area of risk, taking into
account the higher inherent security in
Unix and Linux installations; the long and
deep experience with Windows flaws and
patches; and Microsoft’s security initiatives
in recent years (“secure by design, secure
by default…”).
 Risk & Compliance Outlook 2011 | 13

Current and Planned
Deployment to Achieve
Compliance
As we’ve indicated previously, primarily in
regard to vulnerability and configuration
remediation, strong change control
policies, processes and the use of
automated tools are essential to
effectively implement and maintain a risk
management and compliance program on
an enterprise scale.
There’s good cause, not only from a
security and compliance perspective,
but in terms of the business impact on
operations. Consider that companies
surveyed estimate that 14 percent of
downtime in a year is to the result of
unauthorized changes.
“Companies that were surveyed
estimated that 14 percent of the
downtime in a year is the result
of unauthorized changes.”
Small wonder that 75 percent companies
currently deploy configuration assessment
tools (see Figure 4). This is followed
closely by file integrity monitoring (68
percent) and database activity monitoring
(68 percent) products.
The UK has a significantly higher
(63 percent vs. overall 54 percent)
adoption of audit reporting technology,
and Germany is lowest, with just a third
using it currently.
Deployment will continue to grow sharply,
so it is expected that the overwhelming
majority of companies will implement all
of these compliance technologies by the
end of 2011.

Figure 4: Which of the following IT controls do you currently use/deploy to achieve compliance, and which
ones do you plan to implement in 2011?

Configuration Assessment 75% 19% 6%

File Integrity Monitoring 68% 27% 5%

Database Activity Monitoring 68% 25% 7%

Monitoring Configuration Changes 62% 31% 7%

Preventing Configuration Changes 56% 32% 12%

Audit Reporting 54% 35% 12%

Integrate with IT Change Management Processes 53% 32% 14%

Currently deployed Not currently deployed but planned for future

Neither planned nor currently deployed

Source: Evalueserve Primary Research

© 2011 Evalueserve, Inc. All Rights Reserved.

 5
Audits are where the rubber meets the How Organizations Handle
Challenge:
Audit

road. Auditors’ requests for additional “Four out of ten companies

evidence result in an enormous
expenditure of time and effort producing
logs and reports in a repeating cycle of
redundant effort for each audit. Worse,
companies often can’t prove their
case because they cannot produce the
evidence. They may even find that they
are non-compliant after all, because they
can’t effectively monitor their controls
and processes.
Risk and compliance tools help companies
execute successful audits because they
support IT security controls through
automated analysis, monitoring,
enforcement and verification, centralized
management and on-demand reporting.
The ability to quickly produce forensic
evidence from common data sets to
meet various regulatory requirements
and internal policies greatly reduces the
resources committed to
compliance efforts.
Regulatory Audits
When there is a regulatory audit coming
up, four of ten companies reported
they jump into a firefighting mode with
all ‘hands on deck.’ Such an approach
prevents CIOs and their teams from
taking up strategic tasks that otherwise
would help them meet their companies’
business goals.
In fact, only a quarter of the companies
surveyed claimed that they do not worry
about the audit, indicating they feel they
are not only compliant, but well-prepared
when it comes time to prove it. The trend
was consistent across countries, except in
Germany, where 41 percent of IT teams
feel they have things under control during
an audit.
Significantly, while around six of ten
companies track the type of change that
took place and the time of change in their
reported they jump into a
firefighting mode with an ‘all
hands on deck’ approach when
approaching an audit.”
audit trails, less than half of them also
track the individual who made the change
as well as the location of the change (see
Figure 5). The failure to track individuals
leaves a significant gap in accountability,
either for failure to perform their duties
properly or, in the worst case, making it
more difficult to track down a malicious
insider. Automated tools provide complete
audit trail information that is nearly
impossible to obtain with
manual processes.

© 2011 Evalueserve, Inc. All Rights Reserved.


Figure 5: If you maintain audit trails of changes to your servers, which of the following control informa-
tion is included in your current audit trails?
What change occurred
When the change occurred
Who (user) made the change
Where (what file system, directory, database)
the change occurred
How the change occurred
(set of events or commands)
I don’t track changes on my servers
(no audit trails)
Source: Evalueserve Primary Research
Impact of Regulatory Audits
Sixty-four percent companies are
confident of having their internal audit
reports accepted as proof of compliance
by external auditors.
External audits don’t always go so well the
first time, but 43 percent of companies
said that they cleared a follow-up audit
after they failed the initial audit. However,
31%
5%
“43 percent of the companies
said that they cleared a follow-up
audit after they failed the initial
audit.”
another nine percent ended up paying
a fine because they did not meet a
government or industry regulation.
Risk & Compliance Outlook 2011 | 15
69%
63%
48%
47%
Even without fines, external audits are
expensive. Around one-third of the
companies spend between $50,000 and
$250,000 on external audits, reflecting,
perhaps, the burden of complying with
multiple regulations. A higher proportion
of companies in North America and the
UK spend in this range, while, on the
other hand, just over half the companies
in APAC and France spend less than
$50,000 on external audits.
© 2011 Evalueserve, Inc. All Rights Reserved.
 6
Response:
The Risk and
Compliance Market
Diversity and Fragmentation
Managing different processes within the organization while
simultaneously maintaining strict levels of compliance and
security is a time-consuming and error-prone task for most
companies. Using integrated risk and compliance products,
organizations can coordinate and automate the entire security
and compliance process, freeing them to focus on their
core business.
The risk and compliance market (encompassing all policy,
compliance, risk and vulnerability assessment products), is highly
fragmented and saturated with a large number of small players.
Many of them offer products clearly defined across niche lines
such as compliance offerings, risk management, and vulnerability
assessment. Several large players, with backgrounds as diverse
as ERP, business intelligence, and security software, put further
pressure on an already crowded market. The market has seen a
few mergers and acquisitions in recent times, but the frequent
entry of new players makes market consolidation difficult.
According to the survey, McAfee has the highest deployment
among risk and compliance vendors—60 percent of the
respondent companies using its products and services. The UK
(70 percent) and North America (67 percent) have the highest
deployment of McAfee’s risk and compliance portfolio.
McAfee is followed by Symantec (54 percent) and IBM (48
percent). Symantec has the highest deployment (61 percent)
in APAC. Germany (44 percent) and France (38 percent) report
© 2011 Evalueserve, Inc. All Rights Reserved.
the lowest Symantec usage. These figures also indicate that
companies are using multiple vendors for single or
multiple locations.
Market Size and Growth
According to IDC, in 2009, the worldwide risk and compliance
market grew by a modest 6 percent y-o-y, from $2.6 billion to
$2.8 billion, primarily because of a sluggish world economy and
a decline in overall IT spending. However, stricter compliance
mandates and a growing body of data disclosure laws toward
the end of 2009 increased the market growth expectations. IDC
now estimates the market to grow at a CAGR of 12.1 percent
over 2009–2013, to reach around $4.4 billion in 2013
(see Figure 6).
Of the companies surveyed, nine of ten plan to deploying risk
and compliance products through software; appliances were the
second most popular deployment model, with two-thirds of the
respondents. While these are conventional methods, new modes
of deployment are expected to gain preference. One-third of the
companies surveyed plan to deploy risk and compliance through
hosted SaaS or virtual machines. The UK emerges as an early
adopter, with 50 percent currently deploying risk and compliance
solutions through SaaS and 61 percent deploying the technology
as virtual machines.
The IDC findings show that risk and compliance technology
delivered on the SaaS platform is expected to witness strong
growth of 30.5 percent CAGR from 2009 to 2013.
 Risk & Compliance Outlook 2011 | 17

Figure 6: Global Risk and Compliance Market

5,000

4,500 540

4,000 411
176
3,500 309
116 659
238 69 547
3,000 186
155 52 443
26 36 360
2,500 314
287
2,000

1,500 2,805 3,018

2,399 2,612
1,000 2,166 2,244

500

0
2008 2009 2010 2011 2012 2013
Software Hardware Virtualized SaaS

Source: IDC Worldwide Security and Vulnerability Management Forecast (2009–2013)

Current and Planned database activity monitoring was the

Deployment
The survey shows that database activity
monitoring, network vulnerability, and
risk management products were the
most widely implemented in 2010.
While database activity monitoring will
continue to be a priority in 2011, security
information and event management
(SIEM) is expected to be highest gainer for
2011 by moving to second spot from the
eighth position. In 2011, the UK seems to
be more focused on higher-level product
deployment such as SIEM (expected 49
percent) and GRC (expected 46 percent).
In 2010 and 2011, risk management
stands out as the number one priority
for McAfee users; for non-users,
most implemented risk and compliance “Ability to provide a best-fit
technology in 2010 and is expected to be solution is the number one
the most commonly deployed in 2011.
selection factor, indicating a
Selection Criteria strong need to offer a more
Companies have observed a change
solutions-based approach and
in the purchasing criteria for risk and reduced price point.”
compliance products. Respondents ranked
the ability to provide a best-fit solution
Customization moved up from the fifth
as the number one selection factor (see
position to fourth this year. Interestingly,
Figure 7), indicating a strong need to
lower capital costs fell five places from the
offer a more solutions-based approach
second position to seventh.
and reduced price point. This factor has
moved from the fourth position last year
to the first position this year, pushing total
cost of ownership to the second position.
Lower operational cost ranked third.

© 2011 Evalueserve, Inc. All Rights Reserved.

18 | Risk & Compliance Outlook 2011

Figure 7: Factors to be considered when purchasing risk and compliance products

Non-
Overall North McAfee
APAC UK Germany France McAfee
Rank America Users
Users

Ability to best address your

business problem/Best-fit solution 1 2 1 1 3 2 1 2

Total cost of ownership 2 1 2 1 1 2 1

Low operational costs 3 3 3

Customization to organizations
needs/specifications 3 2 3

Proof of concept 2

Impact on application performance 3

Low capital costs 3

Source: Evalueserve Primary Research

Market Outlook
On an average, companies are spending
15 percent of their IT budgets on risk
and compliance management and 22
percent of their IT budgets on information
security. Companies in Germany are
the lowest spenders, with more than
half spending less than 10 percent of
their IT budgets on risk and compliance
management. German companies
surveyed are also the lowest information
security spenders at 18 percent of their
IT budgets.
In 2011, the outlook risk and compliance
spend is robust, with nine out of ten
companies estimating similar or higher
IT spending levels. On an average,
companies are expecting to spend 21
percent more on risk and compliance
management in 2011. The UK is expected
to be the highest spender, with an
estimated increase of 24 percent on risk
and compliance management, and APAC
is expected to be the lowest, with an
average increase of 15 percent.
More than half the users of McAfee
products are expected to spend more
on risk and compliance management in
2011. McAfee users are also spending
heavily on information security and risk
and compliance management when
compared with non-users.
“In 2011, the outlook on risk
and compliance spend is robust,
with nine out of ten companies
estimating similar or higher IT
spending levels.”

© 2011 Evalueserve, Inc. All Rights Reserved.

 7 Conclusion:
Emerging Trends
Moving forward, the dynamic nature of the risk and compliance
market necessitates that products adapt rapidly to changing
requirements and regulations placed on companies worldwide.
The likely trends to emerge in the market are:
• Risk and compliance practices are not expected
to mature in the short term: Continuous changes in
the industry and new regulations will impede the maturation
of risk and compliance practices. For some time, innovation
in risk and compliance products is expected to be driven
primarily by the corporations’ need to react to short-term
changes in compliance requirements.
• Increasing vendor competition: Strong market growth,
coupled with a constant requirement for newer technologies
and products, is expected to bring several new vendors
into the risk and compliance playing field. This fragmented
industry, however, is expected to undergo some consolidation
in the following years.
• Vertical specialization among risk and compliance
vendors: Vendors are expected to start differentiating
themselves by developing products that serve only particular
verticals. In the long term, larger vendors will be able to
capture larger and more profitable verticals, charging higher
prices in the process. This is expected to improve their
profitability and cause a shift in revenues toward
these vendors.
• Integrating risk assessment with business
intelligence and data governance technology: The
trend toward integrating compliance and regulations within
the core business structure is expected to pick up in the near
future. Data aggregation and analytics will play increasingly
crucial roles in helping businesses understand the information
from the perspective of both compliance requirements as
well as self-regulatory risk assessment. Technologies such as
vulnerability management, presently used to assess network
vulnerabilities, are expected to be gradually absorbed into risk
management and remediation.
• Emerging technologies are expected to add value
to risk and compliance industry: Risk and compliance
professionals are expected to start using emerging mobile,
social, and cloud technologies. This will not only have an
impact on the products at the functional level, but will also
affect the way they are marketed and sold.
The risk and compliance market, therefore, is expected to follow
on its dynamic path of rapidly changing requirements and
their solutions in the short term. However, risk and compliance
solutions of the future will be based on a variety of platforms,
and come integrated with other technologies such as business
intelligence. These products will allow companies to not only
achieve basic regulatory requirements, but will also allow
them to use the vast store of risk and compliance information
to streamline their organizations and strengthen any internal
weaknesses. This will drive the overall maturation of this market
in the long term.
© 2011 Evalueserve, Inc. All Rights Reserved.
 8
In December 2010, a survey was conducted
Research Approach

by Evalueserve. The survey includes

responses from 353 IT decision makers,
consultants, and security analysts involved Figure 8: Distribution of Companies by Number of Employees
in the evaluation, selection, day-to-day
management, and maintenance of security
products. These respondents were from
companies that have more than 500
employees worldwide. 16%
24%
Around 41 percent of the respondents are
final decision makers for security software
for their organizations. The remaining
either influence decision making or
manage the security products.
17% 43%
The responses were gathered from a
wide spectrum of industries such as
professional services, manufacturing,
business and financial services, software
development, logistics, healthcare, retail,
and telecom.
The survey was conducted across five 500 – 900 1,000 – 4,999 5,000 – 9,999 10,000 or more
regions—North America (the USA and
Canada), the UK, Germany, France, and APAC
(Australia, Singapore, and New Zealand).

© 2011 Evalueserve, Inc. All Rights Reserved.

 Risk & Compliance Outlook 2011 | 21

Figure 9: Regional break-up of interviews

North Germany
UK N = 70 (20%)
America
N = 70 (20%)
N = 72 (20%)

France
N = 71 (20%)

APAC
N = 70 (20%)

The margin of error on a sample size of 353 is ± 5.2 percent,
with a confidence level of 95 percent—i.e., overall the findings
have a 95 percent chance of lying between ± 5.2 percent. The
percentages on questions where respondents could select only
one answer may not sum to 100 due to rounding.
The sample size for some questions is lower than 353. This is
because not all respondents qualified to answer these questions
based on their response to previous question(s).

© 2011 Evalueserve, Inc. All Rights Reserved.

About Evalueserve
Evalueserve provides knowledge services to a global client base of Fortune 5000 companies, including Investment, Commercial and
Retail Banks; Insurance Companies; Private Equity Firms; Corporates; Consulting and Research Firms; Law Firms; and Intellectual
Property Firms. Evalueserve’s expertise covers areas such as Financial and Investment Research, Business Research, Market Research,
Intellectual Property, Data Analytics, and Knowledge Technology Services. Besides, we provide access to over 25,000 experts through
our Circle of Experts.
We currently have more than 2,000 professionals in our research centers in India (Delhi-Gurgaon), China (Shanghai), Chile
(Santiago-Valparaiso), and Romania (Cluj-Napoca). In addition, we have 60 client engagement managers located in all major business
centers and regions around the world. We have sales offices in the Americas, Europe, Asia-Pacific, and the Middle East.
For more details, please visit: www.evalueserve.com or write to ITResearch@evalueserve.com

Copyright notice and disclaimers

Although the information contained in this article has been obtained from sources believed to be reliable, the author and Evalueserve disclaim all warranties as to the accuracy,
completeness or adequacy of such information. Evalueserve shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations
thereof. The contents and organization of the expression of ideas that form the documents found on this page are subject to national and international copyright protection.
You may download the documents found here for your internal use only and may not reproduce, create a derivative work from or use any portion of the white papers for any
commercial purpose without the prior written consent of Evalueserve. If you wish to request copyright permission, you must clearly indicate the contents you intend to use or
provide a complete explanation of your intended use and include your name and organizational details. Evalueserve will endeavor to provide its response within 48 hours of
receiving your request. Credit for any part of the material protected by copyright must state clearly in a prominent position sufficiently away from the text of the document that the
sole owner of copyright is Evalueserve and use of the protected material is by permission only.