Evaluating GRC Software? Four Key Questions to Ask
There are many GRC software companies in the market today. Many are startups but there’s also a few players who have been in business for decades. GRC software tools come with a wide range of different functionalities and cover a huge price range.
It can be difficult and time-consuming to understand the differences between the various solutions and figure out which ones are best suited to your objectives.
If you want to save time in the evaluation process and ensure you’re making the right choice, you’ll benefit from taking time to answer these four questions before talking to any GRC software vendors.
Why Look For GRC Software?
Many organizations start to consider GRC solutions when they realize that their current work-around to compliance has become unsustainable.
A recent survey of infosec leaders conducted by Coalfire found that for the majority of organizations, growing compliance obligations are now consuming 40% or more of IT security budgets and threaten to become an unsustainable cost.
Further, the resource load just to maintain status quo for larger organizations can exceed 10,000 hours for each compliance requirement they carry.
Here at Hyperproof, we’ve talked to many organizations that are up against this situation: The company has a compliance program in place. But they don’t have a dedicated compliance team. Rather, all security audits and compliance work has to be done by the security team or the IT operations team. The team has to participate in and pass multiple security audits every year because their customers need a lot of assurance on the organization’s security posture.
The team uses a homegrown solution to manage the work; usually consists of Excel spreadsheets, cloud based file storage like G-Drive and a project management tool. But tracking ever-changing compliance requirements isn’t very effective in Excel. And collecting evidence needed to verify controls’ effectiveness consumes so much of a team’s time that they’re left with little time to focus on other important security functions.
Further, because compliance and risk data live in different places, the team has a hard time truly understanding where gaps exist within their control environment, how prepared they are to pass an audit, and how well they’re protecting their organization from risks that matter.
With cyber risks changing significantly due to the coronavirus pandemic and the shift to remote work, CFOs freezing headcount, and customers sending out security questionnaires each day, it’s no wonder compliance professionals are struggling to keep up.
There’re a lot of GRC solutions on the market. How do you quickly hone in on which ones actually meet your needs?
Here are a few key questions and considerations to guide your GRC purchase process.
Question #1: What Problems Do You Need to Solve?
First, it’s important to be clear about the specific problems you’re looking to solve. What’s the real challenge for your organization? What problem, if it goes unsolved, threatens to introduce the greatest risk, costs and operational headaches for your team and the organization?
Some examples of problems organizations would like to solve include:
-Compliance is so time-consuming that it’s becoming an unsustainable cost.
-Keeping controls up-to-date; a faster way to collect evidence needed for audits.
-Not knowing where gaps exist in the control environment and want stronger monitoring capabilities
-Reporting is too hard, takes too long to answer simple questions about cybersecurity from the board.
-Responding to security questionnaires from customers takes too much time.
–Teams are adhering to specific cybersecurity frameworks on paper, but don’t know how secure they truly are.
Different GRC solutions solve different types of problems; some claim to solve for a host of issues but are actually only great at solving for one or two.
If you want to pick the right solution and get immediate value from it, it’s vital you get clear on the problems that matter most to you and your key stakeholders.
Question #2: What Do Your Stakeholders Need?
This is around understanding your stakeholders and their needs.
Who in your organization will be the power-user of the tool? Who will occasionally use the GRC tool? And who will consume reports and information generated by the tool to make business decisions?
We’ve all seen shelf-ware before. You don’t want your GRC solution to become one.
As such, you want to get clear on who needs what functionality and how often they will be using the tool. Map out what are your must-haves versus nice-to-haves for all user types.
For instance, the compliance program director’s core needs for a GRC tool might be around organization, efficiency and accountability.
Thus, in a GRC tool, he has to be able to manage various infosec frameworks, quickly migrate the existing compliance programs into the tool, collect evidence for audits and on-going control evaluations, and assign control ownership to other stakeholders, create tasks for team members and keep team members accountable.
On the other hand, the CISO will need reports that help him understand how well-protected the organization is from risks that matter.
Meanwhile, there may be others in your org who occasionally provide information for audits. These people don’t want to learn another tool. In this case, you may say that one must-have criteria in a GRC tool is integration with your existing productivity tools and file storage systems.
Question #3: What Level of Resources Do You Have For Implementation?
Do you have a full-time person who can implement your GRC solution and manage it on an ongoing basis? Do you have an outsourced team or a virtual compliance officer who can manage your compliance program and the tool for you? Or is compliance just 25% or 30% of one person’s job?
Some GRC tools are quite easy to implement, and others are heavy-duty and require much longer ramp up time.
Make sure to pick something that works for the team you have right now, not something that works for the 10,000 person company across town.
Question #4: What’s Your Budget?
GRC solutions’ price range runs the gamut from four-figures per year in annual recurring cost all the way to seven-figures per year in annual recurring cost. Further, you’ll want to factor in the people costs if you’re going to hire someone to implement and manage the tool on your behalf.
Remember, a GRC tool is only ROI positive if the value it has provided in time saving, operational improvements and risk reduction is greater than the fully loaded cost of the tool.
Related: The Business Case for Compliance, Even Now
Where Hyperproof Stands in the GRC Software Market
Hyperproof’s mission is to help organizations build trust through proof. We know that the typical compliance approach taken today is too time-consuming, too labor-intensive, not effective enough in risk reduction, and ultimately unsustainable.
In terms of where we stand in the GRC market, Hyperproof is easy to get started with and affordable to small organizations, yet powerful enough to support businesses with dozens of frameworks.
Hyperproof provides a single source of truth for compliance and audit-related tasks. It makes it easier to keep your data privacy and infosec programs up-to-date and make sure your controls are compliant with the requirements within frameworks like SOC 2, ISO 27001, PCI DSS, etc.
Cybersecurity experts have repeated again and again that continuous monitoring is necessary to keep risks mitigated to an acceptable level. Hyperproof gives people tools to see what needs their attention, set reminders to evaluate controls on an ongoing basis and keep their teams accountable.
Compliance teams also use Hyperproof to prepare for upcoming audits. Hyperproof is the place to create controls, verify that you’ve got the right controls to satisfy each requirement, collect evidence, and track tasks.
Last but not least, Hyperproof provides reports to compliance leaders to help them understand the status of their infosec program easily.
To see how Hyperproof can help your organization ease the burden of compliance and improve your security posture, sign up for a personal consultation.
Banner photo by Miguelangel Miquelena on Unsplash
Monthly Newsletter
Get the Latest on Compliance Operations.
Hyperproof Team
Hyperproof has built innovative compliance operations software that helps organizations gain the visibility, efficiency, and consistency IT compliance teams need to stay on top of all of their security assurance and compliance work. With Hyperproof, organizations have a single platform for managing daily compliance operations; they can plan their work, make key tasks visible, get work done efficiently and track progress in real-time.
Organizations using Hyperproof are able to cut the time spent on evidence management in half, using the platform’s intuitive features, automated workflows and native integrations. Hyperproof also provides a central risk register for organizations to track risks, document risk mitigation plans and map risks to existing controls. Hyperproof is used by fast-growing companies in technology and business and professional services, including Netflix, UIPath, Figma, Nutanix, Qorus, Glance Networks, Prime8 Consulting and others.
