Overview

Risk management, privacy and compliance challenges are increasing and diverse. They continue to be a great breeding ground for Cool Vendors. While there are certainly enterprise applications for managing some areas of risk management and compliance, the variety of new challenges requires specialized offerings as well.
Compliance with regulatory requirements and technical guidelines is no longer merely a matter of documentation, workflow and reporting.
Sophisticated tools are necessary to manage vendors, monitor virtualized environments, locate stores of sensitive information, understand large amounts of regulatory knowledge and control your online reputation.
Virtualization and cloud, privacy and regulatory changes, information governance, and vendor management continue to be challenges for most organizations in 2011.
Automation for risk and compliance management in these areas is not yet mature. Innovative vendors address these gaps quickly and gain mind and market share before incumbent vendors capitalize on this.
Establish the context of the problem to be solved first when considering solutions for risk management, privacy and compliance.
Make the vendor's domain expertise a key selection criterion, and do not focus on technological functionality alone when evaluating risk management, privacy and compliance solutions, including those from Gartner's 2011 Cool Vendors.
Ensure IT representatives are familiar with business objectives so that technical aspects are aligned with business needs. Involve domain experts (in the case of these Cool Vendors, from information governance, vendor management, privacy, virtualization and public relations) in the procurement process.

Analysis

This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

As diverse as the Cool Vendors in this research are, they all have one business objective in common: to improve transparency to control risk. In a virtualized environment, policy compliance provided by the underlying platform is often not sufficient, and access control is not granular enough. HyTrust offers consistent administrative access control and logging and auditing beyond the built-in capabilities. In information governance, Jordan Lawrence improves transparency, because its service enables the inventory of information and the development of a records retention schedule. Hiperos helps to manage third-party risks. Nymity improves visibility into privacy laws and regulations and makes them relevant to a specific enterprise context. Reputation.com helps executives to understand the level of reputation risk they are exposed to and offers some remediation for negative outliers. This selection is just a fraction of the vendors in the IT and enterprise risk and compliance space. Additional contenders can be found in "Hype Cycle for Governance, Risk and Compliance Technologies, 2010" and "Hype Cycle for Legal and Regulatory Information Governance, 2010."

Hiperos
Analysis by French Caldwell
Why Cool: Hiperos is cool because it provides a focused solution for the vexing problem of managing third-party risks: a solution that enables coordination among the many different business units in the enterprise and the vendors, and that can be rapidly implemented for a relatively low cost. Hiperos is delivered as a true multitenant software as a service (SaaS) solution; however, for better control, security and recoverability, data is segregated by customer and not virtualized.
Hiperos provides a rapidly deployable SaaS vendor risk management solution to track vendor compliance to pressing regulatory requirements and enterprise exposure to third-party risks. Vendor risk management (VRM) is emerging as a distinct initiative for a number of organizations, due to regulatory requirements and to have a complete picture of enterprise exposure to third-party risks as an element of the enterprise risk management program. Regulations that focus on privacy, anti-fraud, anti-bribery and anti-corruption are the most pressing concerns.
Getting started with VRM means, first, knowing who your vendors are and, then, understanding which ones carry the most compliance and/or business risks. To begin with, many companies have multiple and overlapping vendor records in multiple procurement, supply base management and ERP financial applications, but no system of record for vendor profiles. Hiperos enables a single set of vendor profiles, thus providing a starting point for vendor risk management. Starting from the vendor profiles, Hiperos enables procurement, IT, risk management, legal and compliance organizations to: (1) coordinate and collect risk information in one place; (2) survey vendors and vendor managers; (3) conduct the risk assessment and risk-tier the vendors; (4) monitor changes in vendor risk exposure; and (5) generate reports for auditors, regulators and internal parties responsible for risk and compliance oversight.
Challenges: Hiperos' biggest challenge is competition from supply base management and governance, risk and compliance (GRC) vendors who are not specialized in VRM but are promoting VRM capabilities. To overcome this challenge, Hiperos will need to offer more domain-specific content and services, and prove that its vendor risk analyses and reports are consumable in other supply base management and GRC solutions, or that it can address a broader set of GRC requirements. Another challenge is market reticence to adopt SaaS solutions for critical applications from a small vendor. To address this issue, Hiperos must prove its reliability and security, plus provide assurance that its customers will not suffer a loss of data or sudden unplanned loss of service should Hiperos go out of business. For assurance purposes, Hiperos is able to provide a SAS 70 for its data center provider and is planning to go through the SAS 70 process itself later this year.
Who Should Care: Procurement, contract management, vendor management, sourcing, IT, supply chain, legal, compliance, privacy and risk management professionals who have responsibility for vendor assessment, performance, compliance and risk management, as well as executives and managers who must understand the overall risk exposure to their businesses, should consider Hiperos.

HyTrust
Analysis by Neil MacDonald
Why Cool: HyTrust provides a software-appliance-based policy compliance management and access control solution for virtual infrastructures. While other administrator privilege management tools may work within VMware hosts, many do not support management of the VMware management tools. Only HyTrust supports all methods of access to all management functionality and tools: native console, browser, secure shell (both directly to ESX/ESXi and to vCenter) and application programming interface-based access. HyTrust's original offering, which became available in 2009, focused on a transparent proxy-based model for enforcing consistent administrative access control within a VMware environment across the native console and administrative tools, providing granular access controls, logging and auditing beyond the built-in capabilities of VMware (for example, including controls for the Cisco Nexus 1000V distributed virtual switch). In 2010, HyTrust expanded its portfolio of capabilities to include the ability to identify and tag virtual machines (VMs) in a persistent way with policy metadata and to enforce this policy as VMs are managed throughout their life cycle. This tag-based model helps customers enforce multitenant policies for compute, network and virtual infrastructure segmentation, as well as per-tenant audit logging. HyTrust has also added VMware security configuration management and measurement. Since Cisco is an investor in HyTrust, we expect HyTrust will expand its configuration and access management capabilities to Cisco's UCS converged server infrastructure as well as to solutions from the Virtual Computing Environment Company (VCE, a joint company formed by Cisco and EMC with investments from VMware and Intel), including storage controls.
Challenges: HyTrust faces several challenges. Many organizations are satisfied with VMware's built-in "good enough" administrative and configuration control capabilities or are content to wait on VMware to fill the gaps that HyTrust addresses. HyTrust has also focused on addressing the needs for compliance and access management in VMware-centric environments and hasn't yet provided similar capabilities on alternative virtualization platforms such as Xen or Hyper-V or brought these capabilities to physical infrastructure (other than UCS). Most organizations will have hybrid physical/virtual infrastructures for years to come and will require visibility and compliance solutions that span both. Finally, HyTrust faces competition from similar messaging from other startup virtualization security vendors, including Catbird and Reflex Systems, as well as system administrator privilege management tools that may expand to address these virtualization platform compliance needs.
Who Should Care: HyTrust's solutions appeal to compliance officers, security professionals and virtualization architects in industries that have placed high importance on compliance and auditing in virtualized environments such as financial services. As legal and regulatory frameworks evolve to address and acknowledge virtualization (such as the Payment Card Industry Data Security Standard), we expect that more organizations will look for compliance solutions capable of addressing the needs specific to virtualized environments.
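The HyTrust analysis above describes two mechanisms: a proxy in front of the virtualization management tools that decides every administrative request, and persistent policy tags on VMs that drive multitenant segmentation and per-tenant audit logging. The following Python is an added illustration of those two ideas written for this page; it is not HyTrust's code and does not use any VMware API. The tag keys (`tenant`, `pci`), the roles, the actions and all admin, VM and host names are constructed assumptions. Denied requests are logged alongside allowed ones, cross-tenant attempts are written to both tenants' logs, and untagged objects fail closed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample schema: the tag keys, roles, actions and names below are
# assumptions for this illustration, not a vendor's or VMware's data model.


@dataclass(frozen=True)
class Admin:
    name: str
    tenant: str            # tenant the administrator is scoped to
    roles: frozenset       # e.g. {"vm-operator", "pci-admin", "vm-owner"}


@dataclass
class VM:
    name: str
    tags: Dict[str, str]   # persistent policy metadata that travels with the VM


@dataclass
class Host:
    name: str
    tags: Dict[str, str]   # e.g. {"pci": "true"} marks a segmented host


# Minimum role each administrative action requires (assumed action set).
ACTION_ROLE = {
    "power_on": "vm-operator",
    "console": "vm-operator",
    "migrate": "vm-operator",
    "delete": "vm-owner",
}


class PolicyProxy:
    """Stands between administrators and the management API: every request is
    decided here and recorded in the audit log of the tenant(s) concerned."""

    def __init__(self, vms: List[VM], hosts: List[Host]):
        self.vms = {vm.name: vm for vm in vms}
        self.hosts = {h.name: h for h in hosts}
        self.audit: Dict[str, List[dict]] = {}   # tenant -> audit entries

    def request(self, admin: Admin, action: str, vm_name: str,
                target_host: Optional[str] = None) -> Tuple[bool, str]:
        """Decide one request and return (allowed, reason)."""
        vm = self.vms.get(vm_name)
        reason = self._decide(admin, action, vm, target_host)
        allowed = reason == "ok"
        # Log under the VM's owning tenant; cross-tenant and unknown-object
        # attempts are also logged under the requester's tenant so that
        # neither side is blind to the attempt.
        owner = vm.tags.get("tenant") if vm is not None else None
        for tenant in {owner or admin.tenant, admin.tenant}:
            self.audit.setdefault(tenant, []).append({
                "admin": admin.name, "action": action, "vm": vm_name,
                "host": target_host, "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, admin, action, vm, target_host) -> str:
        if vm is None:
            return "unknown vm"
        tenant = vm.tags.get("tenant")
        if tenant is None:
            return "vm has no tenant tag"        # fail closed on untagged objects
        if tenant != admin.tenant:
            return "tenant mismatch"
        needed = ACTION_ROLE.get(action)
        if needed is None:
            return "unknown action"
        if needed not in admin.roles:
            return f"missing role {needed}"
        if vm.tags.get("pci") == "true" and "pci-admin" not in admin.roles:
            return "pci-scoped vm requires pci-admin"
        if action == "migrate":
            host = self.hosts.get(target_host)
            if host is None:
                return "unknown host"
            if vm.tags.get("pci") == "true" and host.tags.get("pci") != "true":
                return "cannot move pci vm to non-pci host"
        return "ok"


def build_demo() -> Tuple[PolicyProxy, Dict[str, Admin]]:
    """Constructed tenants, VMs, hosts and administrators for the illustration."""
    vms = [
        VM("acme-web", {"tenant": "acme"}),
        VM("acme-pay", {"tenant": "acme", "pci": "true"}),
        VM("globex-db", {"tenant": "globex"}),
        VM("orphan", {}),                        # deliberately untagged
    ]
    hosts = [Host("host-shared", {}), Host("host-pci", {"pci": "true"})]
    admins = {
        "alice": Admin("alice", "acme", frozenset({"vm-operator"})),
        "carol": Admin("carol", "acme", frozenset({"vm-operator", "pci-admin", "vm-owner"})),
        "bob": Admin("bob", "globex", frozenset({"vm-operator"})),
    }
    return PolicyProxy(vms, hosts), admins


if __name__ == "__main__":
    proxy, admins = build_demo()
    proxy.request(admins["alice"], "power_on", "acme-web")
    proxy.request(admins["bob"], "console", "acme-web")                   # cross-tenant
    proxy.request(admins["alice"], "migrate", "acme-pay", "host-pci")     # lacks pci-admin
    proxy.request(admins["carol"], "migrate", "acme-pay", "host-shared")  # breaks segmentation
    proxy.request(admins["carol"], "migrate", "acme-pay", "host-pci")
    for tenant, entries in proxy.audit.items():
        print(f"audit log for tenant {tenant}:")
        for e in entries:
            print("  ", "ALLOW" if e["allowed"] else "DENY ", e)
```

The point of routing every request through one decision function is that the audit trail is complete by construction: a denied cross-tenant console request from `bob` appears in both the `acme` and `globex` logs, and a VM that lost its `tenant` tag cannot be administered at all until it is re-tagged, rather than silently falling outside policy.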

Jordan Lawrence
Why Cool: Jordan Lawrence provides a set of services and tools to capture, classify and develop an information map of enterprise content to help an organization address information governance and data privacy. Its core service is the Assessment for Records Risks, a combination of professional services and technology that allows organizations to inventory their information and develop a records retention schedule using an industry database and benchmarking tool, consisting of thousands of data points from business representatives and subject matter experts. This service can substantially speed up the typical process of inventorying all the information, while reducing the typical costs of such a project. The results are an inventory of the types of records, the information and its related processes, which can then be used to support information governance and privacy initiatives. It details privacy, retention, and reference and regulatory value of information, along with information movement and custodial and media details (e-mail, paper, unstructured content and applications). The data is centrally organized and displayed with dozens of maps, reports and dashboard views. The database is then used to support information retention management initiatives, enforce corporate policies, conduct privacy impact assessments and facilitate compliance reporting.
Challenges: Jordan Lawrence has enhanced the scalability of its services business model through the deployment of technology for automating the collection and analysis of the data inventory of information and records. Jordan Lawrence is a specialty firm that primarily services North America, and so its ability to grow its business is currently limited. It does work with some multinational companies but does not have an international presence. Jordan Lawrence also faces competition from larger professional service firms with a broader set of product and service offerings.
Who Should Care: General counsel, record managers, compliance officers, privacy officers and security officers who need to be faster and more efficient in inventorying enterprise information should consider Jordan Lawrence.

Nymity
Analysis by Carsten Casper
Why Cool: Nymity operates a comprehensive privacy compliance and accountability solution. It offers access to a large number of privacy laws worldwide, as well as case law, regulatory action, and any development in privacy that could cause concern or provide guidance to privacy managers. This includes a legal perspective (breach response, data retention, discovery and disclosures), but also describes the impact on sales and marketing, human resources, IT security, and data transfers. Every information item is summarized, and the relevance and authority of its source, the risk guidance, and the control guidance of the information are rated. This reduces the burden on the reader, who immediately sees which information is important, but with the ability to drill deeper when necessary. The relevance of the content is enhanced by various tools, such as privacy dashboards (showing regulatory trends and interdependencies), compliance alerts and video briefs (presented by Nymity's own research team with about a dozen privacy lawyers and former privacy officers). Nymity partners with the Unified Compliance Framework (UCF), the International Association of Privacy Professionals (IAPP) and Jordan Lawrence (see the previously mentioned Cool Vendor in this research). Jordan Lawrence assists user organizations in inventorying personal information storage locations, while Nymity assists them in understanding the legal requirements and privacy management best practices.
Challenges: Nymity offers privacy information from the U.S., Canada, Europe and the Asia/Pacific countries and, more recently, from Latin America. South Africa, Israel and Russia are on the road map. As Nymity expands into new markets, it has to deal with additional languages. Case law, guidance and often national privacy laws are not available in English (at least not in their latest versions), putting the burden of translation on Nymity and its partners. When possible, Nymity hires or contracts local-language researchers or translators. Moreover, offering information from a region and marketing to a region are not the same thing. Nymity now also puts a marketing focus on Europe. Nymity's offering is information-centric and does not replace a privacy officer or legal counsel.
Who Should Care: Privacy professionals and compliance and legal officers, especially those from North American, European and global corporations, will be able to utilize the knowledge base's content.

Reputation.com
Analysis by Carsten Casper
Why Cool: Reputation.com (formerly ReputationDefender) is a company that helps professionals (in addition to consumers) to correct and shape their online reputation and their privacy posture. First, the company does an ongoing search of the Web and social networks for any mention of an individual's (such as a CxO's) name and associated content. Second, it helps remove private information from people-search databases that sell personal information (Reputation.com has contracts with several of them) and will get individuals off mailing lists. It also assists in preventing advertising networks from tracking online activities. Third, it allows individuals to build, manage and influence their online reputation. It uses its own technology along with professional writers who craft biographical content, which is often promoted on third-party websites. It will not erase all negative information (for example, unfavorable blog posts), but it can help to create or promote positive information, put an offending entry into context, and polish the information on that all-important first page of search results on major search engines.
Challenges: Reputation.com resonates best with the U.S., because privacy laws in Europe are stronger, giving individuals there a higher baseline of privacy protection. The service requires writing in the native language of the customer, and it is most mature in English. Reputation.com also has German and French professional writers on staff, but expanding the service to more languages will require additional investments. Reputation.com's main target group is individuals, and it can be challenging for an enterprise to manage the reputation of dozens of executives and top-level management.
Who Should Care: Public relations managers, marketing departments and privacy officers of companies whose brand name depends to a large degree on key individuals' reputations should consider Reputation.com.
 © 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.