15 Top IT Risk Management Leaders: Gartner Magic Quadrant

Mark Haranas

Here are the IT risk management market leaders in Gartner’s new 2020 Magic Quadrant, including ServiceNow, MetricStream, IBM, LogicManager and RSA.


Gartner’s 2020 Magic Quadrant For IT Risk Management

The demand for IT risk management solutions is surging as businesses create new cybersecurity initiatives and face a growing need around digital compliance obligations, according to Gartner’s new 2020 Magic Quadrant for IT Risk Management.

The technology market research firm said by 2025, 50 percent of midmarket and large enterprises will depend on risk management solutions to aggregate digital risks for their business, up from 10 percent in 2018. IT risk management software and services are expected to evolve to better support risk management capabilities surrounding cloud, the Internet of Things (IoT) and the social media environments of 80 percent of digital businesses.

Market solutions today are deployed to establish a central hub that facilitates business-related decision making and risk management in the context of a business’s mission. Risks tracked can be the result of business continuity planning, digital and security operations, information management and IT security compliance, to name a few examples.

Here are the 15 market-leading companies that made Gartner’s Magic Quadrant for IT Risk Management, along with assessments of each company’s strengths and weaknesses in the space.

Gartner’s IT Risk Management Methodology

In order to be included in Gartner’s 2020 Magic Quadrant for IT Risk Management, vendors need to offer products that include functionality for all critical capabilities such as risk remediation, digital asset discovery, risk analysis workflow design, compliance content mapping, executive and board reporting, as well as basic and advanced integrations.

Additionally, vendors needed to have annual revenue primarily from risk management solutions of at least $4 million, more than 30 paying customers and no less than 25,000 seats or end users deployed.

Gartner's Magic Quadrant ranks vendors on their ability to execute and completeness of vision and places them in four categories: Niche Players (low on vision and execution), Visionaries (good vision but low execution), Challengers (good execution but low vision) and Leaders (excelling in both vision and execution). For this particular Magic Quadrant, no companies were included in the ‘Visionaries’ category.

Leader: ServiceNow

ServiceNow GRC specializes in risk and control assessments, risk analytics, security risk management and compliance, and is offered as Software-as-a-Service (SaaS). The Santa Clara, Calif.-based company is now focused on boosting its risk assessment capabilities, supporting more out-of-the-box risk assessment types and automation of control monitoring. Last year, ServiceNow acquired Fairchild Resiliency Systems to enhance its business continuity management abilities. ServiceNow ranks third for execution and fifth for vision on the Magic Quadrant.

Strength: Customers select ServiceNow for its product performance and functionality with client feedback saying advanced integrations, digital asset discovery and near real-time assessments exceed expectations.

Weakness: Although ServiceNow does support on-premises implementations, it is rare.

Leader: MetricStream

MetricStream took home the gold medal for vision in Gartner’s Magic Quadrant, while ranking among the middle of the pack for execution. The Palo Alto, Calif.-based company’s M7 GRC Platform provides risk and control assessments, risk analytics, compliance tracking and risk management, offered as SaaS, hybrid or on-premises. This year, MetricStream’s roadmap is focused on cybersecurity risk management capabilities, cyber-risk quantification and use of machine learning to prioritize and deliver insights.

Strength: MetricStream’s R&D budget around machine learning and automation continues to evolve its platform. The company exceeds customers’ expectations in risk analysis, advanced integrations, digital asset discovery and near-real-time assessments.

Weakness: Gartner said select MetricStream customers reported a subpar experience in deployment due to misalignment of success criteria.

Leader: IBM

IBM ranks No. 2 for vision on the Magic Quadrant and among the middle of the pack for execution. Armonk, N.Y.-based Big Blue provides OpenPages with Watson Version that focuses on risk and control assessments, compliance tracking, risk analytics and cybersecurity, which is offered as SaaS or on-premises. IBM continues to enhance Watson’s capabilities including investments to speed up deployment such as low-code workflow design and containerization via IBM Cloud Paks.

Strength: IBM has complementary offerings such as Cognos Analytics, Watson, i2 Enterprise Insight Analysis and QRadar SIEM, while some customers also leverage Promontory Financial Group, an IBM company offering regulatory compliance consulting as a service.

Weakness: Customers report higher-than-average spending because IBM OpenPages is procured for use cases beyond risk management, including enterprise risk use cases.

Leader: Galvanize

Galvanize’s HighBond governance, risk and compliance software and Rsam Version 10 focus on risk analytics, risk and control assessments, control monitoring as well as senior executive and board reporting. Galvanize ranks fourth for both vision and execution in Gartner’s Magic Quadrant. The Vancouver, Canada-based company is obtaining a DISA SRG IL 5 certification, making it possible for U.S. government customers to hold classified information in the procured instance via HighBond.

Strength: Galvanize owns an “authority to operate” in government cloud environments within the U.S., fulfilling a criterion in cloud services procurement decisions for state and federal agencies.

Weakness: Some customers with complex implementations report six- to 12-month deployments or longer, while the average market deployment time is three to six months.

Leader: RSA

RSA, which was sold by Dell this year to a group of investors led by STG Partners, ranks third for vision and fifth for execution in Gartner’s Magic Quadrant. The Bedford, Mass.-based company’s Archer Version 6.7 provides compliance tracking, risk assessments and cybersecurity risk management. The solution can be deployed on-premises, as SaaS or in hosted environments, while RSA Archer SaaS can be fully deployed on AWS. The company continues to invest in boosting integration through RSA Archer Exchange.

Strength: RSA Archer is the preferred solution for on-premises-only implementations, especially within the public sector and with financial organizations.

Weakness: Some deployment times exceed 12 months due to specific customer needs, enterprise size, cost, consulting and project-management related challenges.

Leader: Navex Global 

Last year, Navex Global acquired Lockpath, which it currently sells as its risk management solution. The Lockpath platform offers risk and control assessments, risk analytics, compliance tracking and cybersecurity risk management, and can be deployed via SaaS and on-premises models. Navex Global ranks amongst the top of the pack for both vision and execution on the Magic Quadrant. More than 50 percent of the Portland, Ore.-based company’s install base are customers in healthcare, technology and financial services.

Strength: Customers enjoy Navex Global’s implementation time of three months or less. The company plans to integrate its Lockpath, EthicsPoint and RiskRate offerings.

Weakness: Although Navex Global plans to expand support coverage, technical support is limited to Monday through Friday 7 a.m. to 7 p.m. U.S. Central Standard Time.

Challenger: LogicManager

LogicManager won the gold medal for execution on the Magic Quadrant, while ranking among the middle of the pack for vision. The Boston-based company’s legacy software is focused on enterprise risk management for midsize enterprises. LogicManager’s solution set is offered exclusively as a SaaS platform, with continuous delivery of release updates. Banking, credit unions and other financial services make up about 50 percent of its client base.

Strength: Customers can consult LogicManager’s advisory analysts without time restrictions or professional fees. Clients also tout the company’s simple pricing strategy and total cost of ownership.

Weakness: Although LogicManager is in multiple geographies, its focus is primarily on North America.

Challenger: Reciprocity 

A newcomer to Gartner’s Magic Quadrant, Reciprocity ranks No. 2 for vision and among the middle of the pack for vision. The San Francisco-based company’s ZenGRC risk, compliance and workflow management platform with the ZenConnect integration ecosystem serves midmarket and enterprise companies. Reciprocity recently brought its Hybrid Cloud offering to market, which enables data isolation, region locking, file management, managed support, access logging and migration services leveraging partnerships with cloud hosting and storage providers.

Strength: Reciprocity’s big market differentiation is addressing needs for an intuitive workflow design and offering a straightforward solution for risk and compliance obligations.

Weakness: Although it offers a range of off-the-shelf content, Reciprocity is not as expansive as many of its competitors.

Challenger: SAI Global 

SAI Global’s SAI360 product suite provides risk and control assessments, compliance tracking and continuous controls monitoring, with SaaS, on-premises and hosted delivery options. SAI Global ranks among the middle of the pack for both execution and vision on the Magic Quadrant. The Chicago-based company supports secure transitioning to Office 365 and Dropbox. It recently added a new pricing option aimed at customers starting with fewer users and scaling over time.

Strength: SAI Global differentiates itself by offering presence and support in Southern Europe, the Middle East and Africa, Southeast Asia, and Australia/New Zealand – regions which are not directly supported by most vendors.

Weakness: Customers in healthcare, financial services, insurance, manufacturing and retail will find it tough to predict total cost of ownership because pricing is scaled and tiered according to industry.

Challenger: SureCloud

SureCloud’s products focus on risk workflow automation and risk intelligence provided via a SaaS-only implementation. New to Gartner’s Magic Quadrant, SureCloud ranks among the middle of the pack for both execution and vision. The Dallas, Texas-based company is investing in native connectors to Jira, ServiceNow, MS Teams and RiskRecon, as well as machine learning capabilities to offer predictive reporting and event-driven suggestions.

Strength: SureCloud differentiates via its fixed-fee implementation services with Accelerate to get the solution running to meet the majority of buyer requirements, while Operate provides ongoing platform configuration and administration.

Weakness: Risk management buyers should look elsewhere if they need on-premises installations.

Challenger: Allgress 

Allgress offers Insight Risk Management Suite v.7 which focuses on providing risk and control assessments, and continuous controls monitoring that is available via all delivery options. The Livermore, Calif.-based company offers Oracle Cloud Services and will facilitate automated compliance checks using Tanium and native Oracle services. Allgress ranks among the middle of the pack for execution on the Magic Quadrant and near the bottom of the pack for vision.

Strength: Allgress offers a multitenant private cloud where customers can opt for a designated virtual private cloud as well. It supports workloads in AWS and Oracle Cloud Services, and services regulatory mapping and continuous risk assessment for cloud services providers.

Weakness: Prospects prefer competitors when seeking interconnected and layered risk management workflows and federated organization structures.

Niche Player: OneTrust

OneTrust entered the risk management market in 2019 with its GRC and DataGuidance products, which focus on cybersecurity, risk management and risk intelligence. The solutions are provided via multitenant, dedicated SaaS, private cloud and on-premises implementations. OneTrust ranks among the middle of the pack for both execution and vision in Gartner’s Magic Quadrant. This year, the Atlanta-based company launched Athena, an automation and machine learning engine aimed at maintaining robust privacy compliance programs.

Strength: The company differentiates through its expertise in product design and experience around information-mapping capabilities. Athena interprets regulatory datasets against an organization’s risk profile.

Weakness: Gartner said it did not observe non-privacy-compliance-linked risk management implementations in the market.

Niche Player: Riskonnect

Riskonnect’s solutions focus on risk analysis and risk intelligence delivered via SaaS. The Kennesaw, Ga.-based company acquired Xactium this year to broaden its risk management capabilities, offering new use cases through its predictive modeling capabilities. New to Gartner’s Magic Quadrant, Riskonnect ranks among the middle of the pack for vision and near the bottom for execution.

Strength: Riskonnect is differentiated by offering an explicit risk relationship visualization of exposures to all related elements. This design of the product evidences understanding of market needs and fulfillment of challenges related to cross-referencing and simplifying what-if scenario analysis.

Weakness: Riskonnect is new to the market without many detailed proofs of concept or customer references available to Gartner.

Niche Player: Resolver

Resolver’s offering is focused on risk and control assessments, risk analytics, compliance tracking, and cybersecurity risk management deployed as SaaS-only. The vulnerability management application within the offering is focused on multi-attribute threat and risk scoring and has on-premises and hosted deployments exclusively. Resolver ranks near the bottom of the pack for both execution and vision on Gartner’s Magic Quadrant. The Toronto-based company this year launched near real-time and historical access to risk data.

Strength: Resolver R&D focuses on vertical-specific incident and risk category prioritization and tracking anonymized loss analysis.

Weakness: Customers find it difficult to estimate cost if there is a lack of consensus on the number of users, assets, vendors and data sources.

Niche Player: TechDemocracy

New to Gartner’s Magic Quadrant, TechDemocracy ranks last for both vision and execution. The Piscataway, N.J.-based company focuses on risk and compliance management delivered via on-premises, SaaS and hybrid implementations. Private clouds are supported by TechDemocracy as well. The company is currently investing in breach prediction capabilities in partnership with MicroFocus’ Vertica analytics platform.

Strength: TechDemocracy’s dashboard enables browser-like searches to identify risk posture of business units or change in compliance and trend of vulnerabilities for a specific business-critical application and its associated assets.

Weakness: English is the only language supported by TechDemocracy, with no plans to extend multilingual capabilities or offer plug-ins into a translation application.


Mark Haranas

Mark Haranas is an assistant news editor and longtime journalist now covering cloud, multicloud, software, SaaS and channel partners at CRN. He speaks with world-renowned CEOs and IT experts as well as covering breaking news and live events while also managing several CRN reporters. He can be reached at