GRC Report 2017

Governance, Risk & Compliance (GRC) Report


Q1 2017

The GRC Report — sponsored by Sera-Brynn — provides Governance, Risk & Compliance trends, statistics, best practices, and resources for C-Suite executives, CIOs, chief information security officers (CISOs) and IT security teams.


GRC market powered by cost of doing business with U.S. DoD, handling European data

John P. Mello, Jr.

Menlo Park, Calif. – Mar. 6, 2017

A tougher global regulatory environment and a darkening risk landscape are firing up the market for software that governs organizations, manages risk and tracks compliance with security standards.

For years, GRC software has been in the doldrums, but the realization that the only way to effectively protect an organization’s information is to consolidate the GRC functions into a unified solution will spur growth in the sector in the coming months.

“A large part of this uptick in risk and compliance technologies is being driven by trends in the global regulatory environment and enhanced risk levels facing the enterprise today,” explains Angela Gelnaw, a senior research analyst with IDC and co-author of a forecast on worldwide governance, risk and compliance software.


One report predicts the GRC global market will reach $38 billion by 2021. In the United States, growth will be driven by agencies demanding anyone they do business with meet certain minimum cybersecurity requirements, more companies requiring their contractors to show proof of compliance and financial institutions making addressing information security risk a condition for loans and credit.

72 Hour Reporting Requirement

Contractors doing business with the U.S. Department of Defense are already feeling the pressure to upgrade their cybersecurity postures. By the end of this year, all DoD contractors — about 160,000 or so — will have to meet regulations (DFARS 252.204-7012) which require prime contractors and their subs to employ adequate security. “That’s a lot of companies scrambling to meet these standards pretty quickly,” notes Rob S. Hegedus, CEO of Sera-Brynn, a global cybersecurity audit and advisory firm.

Adequate security, according to the regulation, requires protective measures “commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information.”


Those measures include implementing certain security controls published by the National Institute of Standards and Technology (NIST SP 800-171). Among the requirements is that contractors notify the DoD within 72 hours of a cyber incident and capture an image of any malicious software used to infect their systems.

“The Defense Department wants clear, effective and consistent cybersecurity protections in all its contracts,” Hegedus explains.

Although the deadline for compliance with the new regulations is Dec. 31, some agencies are already refusing to award contracts to contractors who don’t meet the rules, Hegedus says. And for good reason. He estimates that about 30 percent of the DoD contractors his firm worked with have already suffered at least one data breach.

Tough EU Rules

Certainly there’s a higher need for cybersecurity in the nation’s defense establishment than there is in other government departments where national security is in less jeopardy, but given the massive data breach at the Office of Personnel Management and the prolific tax refund scams at the IRS that have cost taxpayers $26 billion from 2012 to 2016, the DoD’s tough stance on cybersecurity could be expanded, some believe as early as 2018.

“This is just the beginning,” Hegedus maintains. “Right now it’s DoD. It could very well be pushed out to all government contractors in a year or two.” If that were the case, there’ll be another 300,000 to 400,000 government contractors looking for GRC services.


Companies doing business with Uncle Sam aren’t the only ones who will be in need of GRC services. Those peddling their wares in Europe, in addition to businesses inside the European Union, will need to square their information protection practices with the new General Data Protection Regulation, which takes effect in May 2018.

The GDPR sets out tough new rules for anyone — either inside or outside the EU — handling the personal data of Europeans. Having a strong GRC program in place will be a necessity for any company subject to the new rules, because failing to comply with them carries a maximum penalty equal to four percent of its gross worldwide revenues.

“That’s the strictest penalty on the planet,” Hegedus says.

A Better Way to Cope with Risk

In addition to regulators pressuring companies to put their GRC house in order, financial institutions are starting to get involved, too. They’re starting to look at non-compliance as a credit risk.

“If you’re non-compliant with the security standards for your industry, technically you’re not insurable,” Hegedus reasons. “Generally, banks and credit unions don’t give out loans or lines-of-credit increases to uninsurable companies.”

Fear of the consequences of non-compliance and demands by regulators are only part of the growth story, though. There’s also an increased recognition by corporate brass that GRC is not just an IT issue but an organizational one.

Risk, for example, is often managed by individual departments without contact with each other and with heads who report to different people at the top of the management food chain. If that risk is managed as part of a unified GRC system, it could be analyzed through all the organization’s processes and any damage caused by those risks becoming a reality could be more effectively dealt with.

The GRC market will continue to grow at a rapid clip because companies are recognizing that GRC technology can give top management a holistic portrait of their security picture that allows them to better react to not only expected risks but the unexpected ones, too.

“Governance, Risk and Compliance is a unique segment of the cybersecurity industry” says Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures. “GRC is mandated security, which will be the cost of doing business for hundreds of thousands (and possibly millions) of companies globally over the next several years.”

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.


© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.