While governance, risk and compliance tools over-promise, organizations need to streamline and break away from their siloed approaches.

One of the most hyped terms today is GRC or governance, risk and compliance. It is being used as a catch-all phrase for most information security strategies and tagged onto various products, adding even more confusion in the market as to what it truly means or promises to corporations.

First and foremost, GRC, or GRC "tools," is not a new market or technology category a la IPS or SIM or IAM. Unfortunately today there are technology solutions that claim to be turnkey GRC solutions with others taking existing technology and positioning them as a GRC fix. Not surprisingly the products' capabilities don't truly deliver on helping an organization create and track its GRC strategy.

Rather, GRC is a process that includes three distinct (IT governance, risk management and compliance) but related activities intended to solve different problems for different stakeholders within an organization. Today vendors will sell the tool that may automate manual tests or provide good reporting, but will fail to link IT risk to business risk. And they don't really address governance.

Governance is the big-picture strategy and needs to be led from