Thanks to improvements in automation products, some solutions providers can now make governance, risk and compliance software a key part of their business.
Governance, risk and compliance (GRC) software provides a comprehensive approach to managing an organization's vulnerabilities and regulatory obligations. Automation helps reduce the time-consuming manual chores businesses face in the struggle to stay on top of risk management and compliance demands -- especially in highly regulated vertical markets such as health care.
"We switched to GRC as the method for entering the market," said Bill Currier, GRC specialist with SYNERGY Technology Partners, a solutions provider in Oregon. "The IT providers out there need to recognize that this market is going to explode because of the regulations."
SYNERGY first considered entering the local IT market strictly as a managed services provider, but GRC software soon became its focus. The company opted to specialize in health care, where its GRC software business fills a niche by helping customers comply with the Health Insurance Portability and Accountability Act (HIPAA).
The selling of GRC software and services is emerging as a go-to-market approach for solutions providers, resellers and systems integrators. Channel companies typically lead with services but often set up clients with a GRC software tool.
GRC software has been available for several years, but the growth of GRC as a channel play is fairly recent. The higher availability of channel-friendly software is one factor behind the interest in GRC. Companies working with the latest generation of tools say the current technology provides improved ease of use, better integration with other security components, and greater flexibility to deal with customer-specific concerns.
Flavors of GRC software
GRC comes in more than one form, so an early task for solutions providers is to define their offering.
The term GRC has been redefined a couple of times in recent years, said Keith White, managing principal and GRC practice area lead at Accuvant Inc., an information security partner based in Denver. IT GRC was the first to emerge, followed more recently by enterprise GRC, he said.
More on GRC software
Top 10 GRC strategy tips for midmarket companies
Think: Don't depend too much on IT audits
Quiz: Test your GRC management strategies IQ
Improving business performance with GRC software
IT GRC focuses on such issues as information security, disaster recovery and technology-related compliance programs. The scope of enterprise GRC, on the other hand, goes beyond IT and delves into risk and compliance concerns in areas such as finance.
White also pointed to a third GRC variation, which he termed an "enterprise integrated GRC implementation." That GRC iteration facilitates a close integration between enterprise GRC and information security programs and practices, he said.
Many customers are coming to Accuvant with no previous experience in GRC deployments of any kind, he added.
"So, you have to pull back when a client comes to you and have a conversation with them about what GRC is, what it could be and the cost/benefit of optimizing it," White said.
As GRC providers define their services, they should also define their target markets. SYNERGY, for example, focuses on solo practices and small clinics. Within that scope, the company primarily sells to specialty health care providers such as chiropractors and optometrists.
Customers in different health care disciplines differ in their mentality and budget, among other factors, said Michael Paulsen, sales and account manager at SYNERGY.
"We started going after one field at a time," Paulsen said.
How GRC software deals work
A GRC engagement usually kicks off a consulting gig, with the provider learning about the risk management and compliance concerns and priorities. The security specialist then determines which element of GRC the customer needs to pursue.
In the case of a vendor risk assurance program, for example, Secure Digital Solutions, an information security management company based in Saint Louis Park, Minn., proposes a new policy, assists the customer with the proper categorization of vendors, and helps the customer identify appropriate risk assessments based on vendor categories.
At this point, Secure Digital Solutions introduces a GRC tool, LockPath's Keylight Platform, said Chad Boeckmann, the company's president. The software removes much of the manual labor associated with running a vendor risk assurance program, he said.
Typically, an organization would seek audit information from vendors and enter the responses in a spreadsheet. The Keylight Platform automates the process of distributing vendor assessment questionnaires, collecting the feedback and reporting the data.
The transition from manual to automated vendor risk assessment can result in significant time savings. Keylight can trim a four-week vendor risk assessment process down to two weeks and, in some cases, one week, Boeckmann said.
"There's still the human element involved," he said. "We say to everyone that software only automates things; it doesn't fix problems."
At SYNERGY, SecureGRC helps customers collect the material they need for HIPAA compliance. The compliance process is a self-assessment and SYNERGY assists clients in moving through that process, Currier said. They work with customers over the phone and via screen sharing to get them oriented on the SecureGRC software and to produce the final documents.
"We find we spend a lot of time ... motivating them, providing moral support," Currier said. "They don't have to succumb to the sense that this is overwhelming."
Improvements to GRC software drive adoption
Software helps customers shrink time-to-compliance, but the channel benefits as well. Improvements in GRC software have helped propel solutions providers into the market.
Secure Digital Solutions had looked into IT GRC software prior to working with LockPath, but found the earlier tools lacking in critical areas.
"We found that the earlier tools were too complicated to use," Boeckmann said. "We had explored their use at various clients, but they took a lot of customization and didn't have a lot of API integration with other tools like vulnerability reporting tools or event management tools."
The complexity of some GRC software has kept resellers on the sidelines, but newer products appear to be reversing that pattern. Chris Caldwell, chief executive officer at LockPath, said that more than 60% of the company's sales comes through the channel and expects to close the year at about 75%. The goal, he said, is to conduct all of its sales through the channel.
About the author
John Moore is a Syracuse, N.Y.-based freelance writer. Reach him at firstname.lastname@example.org.