What GRC buyers are looking for in 2016
More than a decade since the industry was identified, the demand for governance, risk, and compliance (GRC) management technology is growing about 10 percent a year and 600 solutions are competing for a market that is expected to reach $32 billion by the year 2020.
In the last several years, the need for technology to manage GRC tasks has become apparent to organizations of all sizes in nearly every industry.
Several trends have driven industry growth and will continue to stimulate not only overall demand for GRC technology, but also for specific GRC solutions, including:
The need to more effectively and efficiently manage IT assets and IT risk
The overwhelming number of data breaches and other IT security incidents last year are well documented and it’s likely the volume and sophistication of attacks will only grow in 2016. At the same time, organizations expose themselves to more IT risk by expanding their infrastructures: More assets mean more potential vulnerabilities.
According to Gartner’s 2015 CIO Survey, 89 percent of surveyed CIOs believe digitalization is creating new types of risk, while 69 percent said investments in risk management are not keeping pace.
IT data company BDNA identified top 10 trends in enterprise IT this year, many of which are directed related to the need for GRC technology, particularly:
Bring Your Own Device Management. BDNA says the challenge of managing BYOD policies enterprise-wide will get worse before it gets better. “With Gartner predicting that half of employers globally will require employees to bring their own device for work purposes by 2017, the enterprise will need to prepare for formatting inconsistencies, security holes and the potential for software audits,” the report said.
BYOD management can incorporate a GRC solution to:
- Maintain a list of assets that have network access
- Provide a mechanism to report incidents related to personal devices and automatically launch workflows to remedy the incident
- Implement security awareness training to help staff members understand policies related to using their own devices.
Software security and asset management. Software security and asset management were listed as separate trends in the BDNA report, but they both require GRC platforms to track vulnerabilities, correlate threats to specific IT assets and prioritize remediation.
According to the BDNA report, “As the annual number of data breaches continues to grow, companies will look for new solutions to take proactive measures to protect themselves. Many corporations are using software that is past its end-of-life support date, putting them at increased risk of a hack.”
At the same time companies are taking these proactive measures, they are migrating more of their operations to the cloud. But as BDNA indicated, “Enterprises cannot do everything in the cloud, and must maintain their on-premise practices even while migrating more and more processes to the cloud. In 2016, asset management will marry the two worlds to give enterprises better ways to manage their hybrid systems.”
The right GRC solution can not only provide an accessible list of IT assets, it allows users to easily import vulnerability and other security technology data, as well as configuration and SIEM data. Instead of sorting through raw data from scanners, GRC platforms with connectors to the leading third-party data providers can correlate this data to help identify its priority to the business and which policies it might be affecting, and combine scan data from across the technology enterprise to create a true asset management database. The right GRC tool also makes it easy to create workflows to remediate any vulnerabilities detected.
The need for speed and agility
Companies in the market for GRC technology needed it implemented the day before they bought it. Yet the industry continues to be plagued by slow and costly deployment. Blue Hill Research, in a report titled “How to Avoid the Worst Case GRC Implementation,” analyzed 21 GRC deployments and found that the median timeframe of implementation was 10.5 months. The top deployments took three to four months while the worst ones required 11 to 16 months.
Furthermore, the median implementation cost for these projects ranged from $75,000 to $700,000, with a median of $485,000. Blue Hill observed that reported costs tended to cluster at the high and low end of these ranges, with few organizations near the median.
The intended benefits of implementing a GRC solution include saving time, money and effort on the arduous tasks of risk management and compliance. Because of the negative experiences of some GRC buyers, organizations in the market for GRC technology are conducting more research, working with consultants and analysts and testing more platforms before making a purchase decision. Specifically, they are looking for solutions that:
- Can be implemented within weeks instead of months
- Can be rapidly configured to align with your current processes without writing a single line of code
- Allow users to create customer reports and non-linear workflows in minutes, not hours
- Can import and edit large data sets
- Can effortlessly scale as the organization grows and expands
- Carries minimal cost of ownership – such as ongoing professional services
The need for correlated data and real-time reporting
The level and severity of data breaches, the onslaught of new regulations and the impact both have on a company’s reputation and financial bottom line have forced management to take a more active role in governance, risk management and compliance.
This means GRC technology must have advanced capabilities to provide analytics, dashboards and visual reporting tools to provide management with visibility into the organization’s risk and compliance posture.
Companies seeking GRC solutions will prioritize the ability to optimize risk reporting for better dialogue with executive management. This requires software that CIOs and CISOs can configure without costly professional services and expending resources on writing code. Today’s GRC buyers want technology that allows them to:
- Match corporate standards for reporting.
- Focus on business objectives, not a comprehensive review of performance.
- Provide clear, simple overviews, but be prepared to provide drill-down on request.
- Connect risk to business operations and financial impact.
The need for flexible solutions with specific functionality
According to GRC Pundit Michael Rasmussen, founder of GRC 20/20 Research, IT departments are slowly realizing they not only need a 360-degree contextual awareness of security in IT, but they also need contextual awareness of IT governance, IT risk management, and IT compliance management.
A recent survey by TechTarget echoes this trend; 34 percent of respondents said IT risk management took up most of their time, while 25 percent said regulatory compliance did.
This is spurring IT professionals to invest in IT GRC technology instead of settling for just IT security solutions.This is also reflected in another trend cited by Rasmussen: The fastest growing segment of the GRC market is third-party management.
Third parties are extensions of an organization and their actions can have a direct impact on compliance efforts and brand reputation. Regulators are increasing their focus on potential third-party risks. To comply, organizations must identify third-party risks, verify that business partners and their employees are compliant, monitor for changes that might create new risks, and manage the investigation and remediation of incidents. This requires companies to survey, assess, and follow-up with dozens, hundreds or even thousands of third parties, and take action against those not in compliance, tasks that are problematic if not impossible with GRC technology.
As the GRC software industry has evolved, so too have the needs of its clients. Whereas early adopters of GRC technology had little choice but to work with platforms that were difficult to implement and required large teams to manage, today’s buyers insist on easy-to-use software that is flexible and scalable to serve ever-changing and expanding organizations.
With Constitution Day tomorrow, September 17, let’s learn what the Constitution can teach your organization about corporate governance.
Learn how Lance completed his 50 mile race and how it relates to building a risk management program.
This month’s Risk Roundup is about data privacy, the biggest California earthquake in 20 years, and the business impact of the US-China trade war.