Unlocking the Potential of GRC Tools: A Path to Strategic Risk Management

By James Rees, MD, Razorthorn Security

In today’s complex cybersecurity landscape, Governance, Risk and Compliance (GRC) tools have become essential for organisations managing intricate security ecosystems. These tools are designed to centralise information, streamline processes and offer crucial insights into an organisation’s risk posture. However, as cybersecurity expert Jack Jones revealed when he joined me on a recent podcast, the reality often falls short of these ambitious claims.

GRC tools have proliferated, offering modular solutions for everything from asset management to compliance tracking. They are marketed as indispensable for any organisation serious about information security. Yet, despite widespread adoption and substantial cost, many of these tools are fundamentally flawed in their approach to risk management, which makes it hard to get value for the money spent on them.

This blog takes a look at the critical issues affecting GRC tools, drawing on insights from Jack Jones, a former CISO and creator of the FAIR (Factor Analysis of Information Risk) model. We’ll explore why these expensive solutions often fail to deliver on their promises and discuss potential paths forward for truly effective risk management.

What is the main issue with GRC tools?

Many GRC tools suffer from a fundamental flaw: they are not built on a clear understanding of what a risk is. That misunderstanding is pervasive in the cybersecurity field, even among experienced professionals. Many practitioners are well versed in security controls yet lack the foundational knowledge to distinguish an actual risk, which is a potential loss scenario, from a mere control deficiency, such as an unpatched server. This confusion is at the root of many problems in risk management and GRC tool implementation.

This misunderstanding undermines the entire purpose of GRC tools. Without solid grounding in risk management principles, GRC tools often collect vast amounts of data without providing meaningful insights into an organisation’s actual risk exposure.

The confusion between actual risks and control deficiencies shows up directly in GRC tools. Users often log control issues, like the unpatched server mentioned above, as risks. They assign a high likelihood (the server is definitely unpatched) and a severe impact (the worst case they can imagine). But an unpatched server is not a risk in itself; it is a weakness that could contribute to one. A true risk is a specific loss scenario, such as a breach of customer data caused by exploiting the unpatched vulnerability. Misclassifying the weakness as the risk leads to inaccurate risk assessments and misguided priorities in cybersecurity efforts.

This confusion leaves many organisations with what Jack Jones colourfully described as a “junkyard” in their risk registers. Instead of containing well defined risks, these registers become a dumping ground for security concerns, control deficiencies and vague threats. The register loses its purpose as a focused tool for understanding and managing the organisation’s key risks and becomes an unwieldy collection of miscellaneous security related items, making it difficult to identify and prioritise genuine risks.

This “junkyard” has several negative consequences:

  1. It obscures the actual risks facing the organisation.
  2. It makes prioritisation nearly impossible, as everything in the register is treated as a risk.
  3. It leads to inefficient allocation of resources, as organisations try to address every item in the overstuffed register.
  4. It creates a false sense of security, as organisations believe they are managing risks when they are really just cataloguing concerns.
  5. It shifts the focus to compliance over security: ticking boxes and addressing every item in the register rather than thoughtfully managing the most critical risks.
  6. It causes burnout and cynicism: security professionals become overwhelmed by the sheer volume of ‘risks’ they are expected to manage and lose faith in risk management altogether.

The Cost Conundrum

GRC tools often come with a hefty price tag, not just for the software itself, but also for the implementation process, which can often cost more than the software.

This substantial initial investment can be a significant barrier for many organisations, particularly small to medium-sized businesses. The high cost is often justified by vendors on the promise of improved risk management and compliance, but as we’ve seen, these promises frequently go unfulfilled.

A troubling trend in the GRC tool market is the practice of steep price increases upon renewal. Some organisations have faced renewal costs up to 200% higher than their initial purchase price. This pricing strategy takes advantage of the ‘vendor lock-in’ effect, where organisations find it difficult to switch solutions after investing time and resources into implementing and populating a GRC tool.

Perhaps the most concerning aspect of the cost conundrum is that many organisations are not seeing a return on investment proportional to the resources they’re pouring into these tools. As Jones noted, “If the GRC products and their implementations were actually doing the job they were intended to do, they should cost a lot of money because they would be providing a ton of value.”

Implementation Challenges

Implementing GRC tools often involves a lengthy and complex process that can stretch on for months or even years. This prolonged implementation period not only adds to the overall cost but also delays the realisation of any potential benefits from the tool.

The implementation process is often so complex that organisations need to bring in outside consultants. However, depending on external parties creates additional challenges. The key issue is that while these consultants may have technical expertise with the specific tools and systems, they frequently lack a deeper understanding of risk management principles.

This lack of risk expertise among implementers can lead to GRC tools being set up in ways that perpetuate misunderstandings about risk, rather than addressing them.

Even after the lengthy and costly implementation process, many organisations struggle to extract real value from their GRC tools. This difficulty stems from factors such as complexity, data quality issues, lack of integration with existing systems, misalignment with organisational needs and the ongoing effort required for maintenance.

The Missing Cornerstone of GRC Tools: Loss Event Scenarios

The core purpose of risk management is to prevent or mitigate potential loss events. However, many GRC tools fail to centre their functionality around this crucial concept. Loss event scenarios are specific, tangible situations that could result in harm to the organisation. By focusing on these scenarios, organisations can better understand and prioritise their risks.

If GRC tools were built around a proper understanding of risk as loss event scenarios, their effectiveness would significantly improve. They could help organisations identify and catalogue real risks, assess their likelihood and potential impact, prioritise based on severity and track mitigation efforts more effectively.

Rather than treating control deficiencies as risks themselves, effective GRC tools should link these deficiencies to relevant loss scenarios. This approach provides context for control deficiencies and helps prioritise remediation efforts based on their potential impact on actual risks.
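To make the distinction concrete, here is an added example (not code from this post, from Razorthorn or from the FAIR standard) of a small risk register in Python that stores loss event scenarios as the risks and keeps control deficiencies as separate entries linked to the scenarios they feed. The scenario names, figures and the point-estimate expected-loss arithmetic (frequency times magnitude) are constructed assumptions; FAIR works with ranges and distributions rather than single numbers. Deficiencies logged with no loss scenario behind them surface as the “junkyard” entries, and remediation is ranked by the expected loss of the scenarios a deficiency touches rather than by how “definitely present” the weakness is.

```python
"""Risk register that keeps loss event scenarios and control deficiencies apart.

Added example, not code from the post, from Razorthorn or from the FAIR
standard. The expected-loss figure is a simple point estimate (frequency x
magnitude); FAIR proper works with ranges and distributions. All names and
numbers below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LossScenario:
    """A risk: a specific loss event that could happen to the organisation."""
    name: str
    events_per_year: float  # estimated loss event frequency (assumed point estimate)
    loss_per_event: float   # estimated loss magnitude per event, in currency units

    def expected_annual_loss(self) -> float:
        return self.events_per_year * self.loss_per_event


@dataclass
class ControlDeficiency:
    """A weakness such as an unpatched server. Not a risk itself; it only
    matters through the loss scenarios it makes more likely or more costly."""
    name: str
    contributes_to: list[str] = field(default_factory=list)  # scenario names


class RiskRegister:
    def __init__(self) -> None:
        self.scenarios: dict[str, LossScenario] = {}
        self.deficiencies: list[ControlDeficiency] = []

    def add_scenario(self, scenario: LossScenario) -> None:
        self.scenarios[scenario.name] = scenario

    def add_deficiency(self, deficiency: ControlDeficiency) -> None:
        # A link to a scenario that does not exist is a data-quality bug; refuse it.
        unknown = [s for s in deficiency.contributes_to if s not in self.scenarios]
        if unknown:
            raise ValueError(f"{deficiency.name!r} links to unknown scenarios: {unknown}")
        self.deficiencies.append(deficiency)

    def junkyard_items(self) -> list[str]:
        """Deficiencies logged with no loss scenario behind them. These are the
        'risks' that are really just concerns and belong in a findings list,
        not in the risk register."""
        return [d.name for d in self.deficiencies if not d.contributes_to]

    def ranked_scenarios(self) -> list[tuple[str, float]]:
        """Risks ordered by expected annual loss, highest first."""
        ranked = [(s.name, s.expected_annual_loss()) for s in self.scenarios.values()]
        return sorted(ranked, key=lambda item: item[1], reverse=True)

    def ranked_deficiencies(self) -> list[tuple[str, float]]:
        """Remediation priority: the expected annual loss of every scenario a
        deficiency feeds, summed. A proxy for how much risk fixing it touches,
        not a precise attribution; two deficiencies feeding the same scenario
        both get credit for it."""
        ranked = []
        for d in self.deficiencies:
            exposure = sum(self.scenarios[s].expected_annual_loss() for s in d.contributes_to)
            ranked.append((d.name, exposure))
        return sorted(ranked, key=lambda item: item[1], reverse=True)


def build_sample_register() -> RiskRegister:
    """Constructed sample data: three loss scenarios, four register entries."""
    reg = RiskRegister()
    reg.add_scenario(LossScenario("Customer PII breached via internet-facing server", 0.1, 2_500_000))
    reg.add_scenario(LossScenario("Ransomware outage on order-processing platform", 0.05, 4_000_000))
    reg.add_scenario(LossScenario("Accidental disclosure of customer data by email", 2.0, 15_000))

    reg.add_deficiency(ControlDeficiency(
        "Unpatched internet-facing web server",
        ["Customer PII breached via internet-facing server",
         "Ransomware outage on order-processing platform"]))
    reg.add_deficiency(ControlDeficiency(
        "No MFA on remote-access VPN",
        ["Ransomware outage on order-processing platform"]))
    reg.add_deficiency(ControlDeficiency(
        "No outbound email DLP",
        ["Accidental disclosure of customer data by email"]))
    # Logged as a 'risk' but tied to no loss event: a junkyard entry.
    reg.add_deficiency(ControlDeficiency("Security awareness training overdue"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("Junkyard entries:", reg.junkyard_items())
    for name, eal in reg.ranked_scenarios():
        print(f"risk      {eal:>12,.0f}  {name}")
    for name, exposure in reg.ranked_deficiencies():
        print(f"remediate {exposure:>12,.0f}  {name}")
```

Run as a script, the register lists the overdue training entry as the junkyard item, ranks the data breach scenario above the ransomware and email scenarios, and puts the unpatched web server at the top of the remediation list because it feeds the two costliest scenarios. The point is structural: the unpatched server never appears as a risk with its own likelihood and impact; its priority is derived entirely from the loss events it contributes to.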

The Compliance Trap

Many GRC tools place a heavy emphasis on compliance, often at the expense of effective risk management. While compliance is important, it should not be the primary focus of risk management efforts. Compliance requirements are often a minimum standard and may not address an organisation’s specific risk profile.

GRC tools often present compliance requirements as a checklist, with all items appearing equally important. This approach fails to consider that some compliance requirements may be more critical than others in managing an organisation’s specific risks.

A more effective approach would be to view compliance through a risk-based lens, prioritising compliance efforts based on their relevance to the organisation’s key risk scenarios.

Vendor Issues

Many GRC tool vendors lack deep expertise in risk management principles. This deficiency often results in tools that fail to address the fundamental needs of effective risk management.

Many GRC tools adopt a modular approach, where additional functionality is sold as separate modules. While this can allow for customisation, it often results in increased costs and complexity.

Vendors often focus on improving user interfaces and adding features without addressing the underlying issues in their risk management approach. This focus on superficial improvements can be misleading and may come at the expense of addressing more fundamental issues.

Getting the Best Out of GRC Tools: The Way Forward

To truly address the issues plaguing current GRC tools, a fundamental shift towards a risk-centric approach is necessary. This means building tools from the ground up with a focus on identifying, assessing and managing loss event scenarios.

Improving GRC tools alone is not enough. There’s a pressing need to educate security professionals about proper risk management principles, focusing on understanding the difference between risks and control deficiencies and how to identify and assess loss event scenarios.

There’s significant potential for developing GRC solutions that truly meet organisations’ risk management needs. These solutions should focus on loss event scenarios, provide clear differentiation between risks and control deficiencies, offer robust prioritisation capabilities, integrate compliance requirements into a risk-based framework and facilitate better communication about risk across the organisation.

Conclusion

The current state of GRC tools clearly has some significant drawbacks. These tools, meant to be cornerstones of organisational risk management, can create more problems than they solve. The disconnect between GRC tool functionality and the realities of effective risk management is not merely an inconvenience – it’s a critical issue that leaves many organisations vulnerable and ill-equipped to handle their true risk landscape.

The way forward demands a fundamental reimagining of GRC tools. We need solutions built from the ground up with a proper understanding of risk, centred on loss event scenarios rather than compliance checklists or control deficiencies. This new generation of GRC tools should empower organisations to identify, prioritise and manage their most significant risks effectively.

Getting GRC right could be transformative for organisations. Tools must provide clear, actionable insights into an organisation’s risk landscape, facilitating better decision making at all levels. These tools could enable more efficient resource allocation, closer alignment between risk management and business strategy and ultimately, more resilient organisations.

The challenge ahead is significant, but so is the opportunity. It’s time for GRC vendors, risk management professionals and organisations to collaborate in developing solutions that truly serve the needs of modern risk management. By doing so, we can turn GRC from a compliance burden into a strategic asset, enabling organisations to navigate the complex risk landscape of the 21st century with confidence and agility.

The future of GRC is not just about better software – it’s about creating a deeper understanding of risk throughout organisations. It’s an ambitious goal, but one that’s essential for building more secure, resilient and successful businesses in an increasingly uncertain world.

Get in touch to discover how Razorthorn can help your organisation with GRC, including finding the correct GRC tool for your requirements.
