File Integrity Monitoring gives analysts a problem. While they all wholeheartedly endorse this critical security control, none can agree where it should reside in terms of the already-defined technology sectors.
So where has the Magic Quadrant for FIM gone?
There are market sectors for SIEM, Vulnerability Scanning, and Configuration Management, and a case can be made for bundling FIM within any or all of these technology groups. Indeed, there are plenty of manufacturers with products within these markets that include integrity monitoring features (although typically in these instances, FIM is only really an afterthought, an add-on to beef up the marketing-brochure features checklist).
In the era of 'influencer marketing', where reviews, followers and likes count, analyst opinion still carries weight in the Enterprise IT industry. However, in terms of giving a clear assessment of file integrity monitoring vendors, there is no dedicated analyzed market, and that means there is no magic quadrant. In fact, there are no quadrants at all.
On the face of it, this seems to be a paradox: if you drew a Venn diagram showing organizations subscribing to analyst services, and organizations subject to regular audits of their security controls, they would align exactly.
Equally, all the facets of FIM as a security control feature heavily in all the governance/regulatory standards. NIST 800, PCI DSS, SOX, NERC CIP and HIPAA all call for configuration hardening and change control, with most explicitly mandating the need for integrity monitoring and change detection.
In other words, the very organizations forming the market for the analysts are the ones with the greatest need for awareness and understanding of the FIM market. And yet...
NNT have made the case to the analyst community that the market wants an Integrity Management sector, but while there remains insufficient demand from analyst subscribers to warrant a change, we are left with the current mismatch where FIM is always a bit-player in multiple sectors without ever getting a starring role in its own.
So if you have ended up here while looking for the FIM Magic Quadrant, help yourself to our reference materials below and afterward, please tell your analyst contacts that an Integrity Monitoring market sector and quadrant is long overdue.
Putting the I into FIM (animation)
FIM and Security Best Practices