Why we need to democratize governance, risk, and compliance

Sravish Sridhar

16 Sep 2023

Today’s uncertain economy has presented an array of problems to organizations of every size and across all industries. In the world of tech titans alone, 70,000 jobs have been lost over the past year. It’s safe to say that businesses have laid off and lost talented and experienced professionals from their rosters.

We feel the loss of talent more acutely in cybersecurity and privacy, as the risk of cyberattacks and breaches may cost the global economy $10.5 trillion annually by 2025. As cybersecurity woes continue, governance, risk and compliance regulations keep changing, and adapting to keep up with them becomes impossible for shrinking IT teams.

In addition to grappling with these economic factors and increasing risks, the very standards and systems that are supposed to help companies become more secure very often create confusion and distraction.

The state of governance, risk and compliance regulations

Modern compliance requirements are challenging because they are:

  • Cumbersome: Achieving certifications and attestations like SOC 2, CMMC, HIPAA, and ISO 27001 requires extensive evidence collection, employee follow-up, and system checks. It’s resource-intensive to get a compliance program in place, and proving that it meets requirements, whether to auditors or potential customers, has become even more time-consuming.
  • Opaque: When evaluating a potential partner or vendor, companies want to be thorough, especially in the current climate where appetite for risk has reached an all-time low. But the typical workflow to evaluate partners, including security questionnaires, doesn’t actually provide an accurate view into an organization’s compliance posture, and it places a huge burden on all parties. This creates the feeling that compliance work is just a check-the-box exercise, which severely underestimates the importance of a strong GRC program.
  • Expensive: Because of the inefficiencies described above, many companies struggle to build and maintain a secure organization in a cost-effective way. It’s also hard to clearly show the connection to business outcomes. Additionally, compliance automation software companies can take advantage of the mandatory nature of their products and charge sky-high prices.

The number of data breaches continues to rise as more companies store more data, and more employees and systems have access to it. Combined with the changing nature of compliance standards (e.g. the potential updates to NIST CSF), this means that companies can’t take a passive role when it comes to adhering to security standards; however, it’s not always clear where to go for guidance.

Despite the challenges and investment of resources typically involved, achieving industry standards for compliance is a requirement. When companies can show their partners, prospects, and customers that they are taking action to go above and beyond to protect the organization and its data, they earn trust, which helps to earn more business. An organization struggling to meet the latest compliance requirements gives a gift to its competitors.

Organizations of every size should get the support and help they need to succeed when navigating risk and compliance, but they often don’t get that help. Current standards and tools create a barrier for many businesses in the form of financial requirements and technical expertise, making it difficult for smaller businesses and startups to invest in the tools and talent needed to achieve compliance.


Changing the industry standard for compliance

It’s time to make GRC standards affordable, easy to understand, and achievable for every size of business. We can do this by democratizing access to governance, risk and compliance tools and information. This includes the following:

  • Offer free information about compliance: From SOC 2 to NIST CSF, make it easy for anyone to learn about standards and frameworks. Free, online, comprehensive documentation that explains the details of each standard, such as what the standard is for, what steps are involved in starting and achieving compliance, how much time it takes, and how much it costs, can change the game in the GRC industry.
  • Make basic GRC standard achievement accessible: The tools that deliver visibility into the compliance process, real-time compliance status, and overall risk and compliance posture need to be more accessible from a budget and expertise standpoint. Not everyone can afford to spend a large budget on tools, or to employ an expert who knows all the technical details.
  • Automate to increase efficiency and reduce the cost of audits: Audits are too expensive in the GRC industry today. Automation lets companies get audit-ready quickly and lets auditors complete audits more efficiently, thereby reducing the cost of audits.

Companies often view compliance as an expensive, resource-intensive process. Why not turn compliance into a profit center? If we can help organizations of all sizes and types understand and achieve compliance with the right tools, resources, and transparency, then they can prove that they’re making their business a success while earning and keeping stakeholder trust.