Data from a recent survey suggests security solution providers could find new business opportunities by pursuing partnerships with GRC vendors to provide much-needed security expertise for GRC projects.
Lexington, Mass.-based market analysis firm Hypatia Research LLC recently surveyed more than 440 companies about their GRC requirements and investment plans. Hypatia’s research found the market for governance, risk and compliance is split between vendors that provide enterprise GRC services (eGRC) such as risk management and workflow tracking services, and vendors that provide technology-based GRC products (IT GRC) such as security tools to monitor access and communications for compliance.
© 2011 Hypatia Research, LLC
“The split between eGRC and IT-GRC is giving customers an incomplete view of their entire GRC picture," said Howard Baldwin, a senior analyst with Hypatia. For example, Baldwin cited survey respondents who had a security appliance and a compliance application, but could not share data between them.
Opportunities for security solution providers
Hypatia’s survey found customers plan to invest most heavily in eGRC functions, placing a lower priority on IT GRC software and services. “I was surprised how many people were looking at GRC and not including basic concepts of security,” Baldwin said.
many people were looking at GRC and not including basic concepts of security.
Hypatia Research LLC
Baldwin believes the research reveals an opportunity for solution providers who can bring security expertise to GRC projects. But he cautions solution providers to understand both eGRC and IT GRC before approaching the customer.
“They should not just go in with security,” Baldwin said. “Instead, they should approach the customer by saying, ‘Let me tell you my plan for the security portion of your GRC problem.’”
Baldwin encourages solution providers to partner with a GRC vendor, even if that vendor has its own professional services staff. “Security is the blind spot for many of the GRC vendors we researched,” Baldwin said. He noted that relationships between the GRC vendor and the customer tend to be fluid, allowing the possibility of an independent consultant joining the project team.
The respondents in Hypatia’s survey had direct accountability for the selection and use of eGRC and IT GRC software and services. Most respondents came from large or mid-size companies in North America, EMEA and Asia Pacific.
Hypatia’s surveyed respondents from a variety of industries including retail, insurance, manufacturing, telco, financial services, not-for-profit and healthcare. According to Baldwin, the survey revealed GRC priorities are consistent across all these industries, indicating security solution providers may find opportunities to support GRC projects no matter what industry their customers are in.
“GRC had its roots in highly regulated industries, such as medical and financial verticals,” Baldwin said. “But all companies need to be compliant in some manner today. GRC is turning out to be highly horizontal.”