Governance, Risk & Compliance (GRC): Vendors to Watch, Know, Understand
In preparing the Horizon Report “Cybersecurity Strategy for the Looming Regulatory Quagmire,” the Stratascale Innovation Labs team assessed 41 companies to evaluate different approaches to enabling key components of a governance, risk, and compliance (GRC) security strategy. These vendors address one or more of the issues associated with “cyber-risk” – one of many types of risk that are managed via a GRC approach established and enforced by the board of directors and corporate senior management – and/or “cyberthreats,” specific cybersecurity issues that are addressed by the CISO and security team. Readers looking for guidance on potential sources of point or platform capabilities can use this vendor list as a starting point. Please note that no recommendation or warranty is implied by the inclusion of any vendor within this report.
Where to start?
GRC is an incredibly complex area, and the 41 vendors included on our vendor long list reflect the many different requirements that corporate security teams need to address: based on an analysis rooted in a cross-industry taxonomy, we find that the vendors identified in our long list address 31 use cases, spread across 11 sectors and six solution categories. This complexity in turn motivates enterprises to prize systems that tie easily (via no-code/low-code and APIs) to comprehensive data inputs and the applications used to manage workflows.
Given this need for extensive inputs, system flexibility, and integration with workflows and adjacent applications, the Stratascale team sees ServiceNow as a vendor of interest in the GRC space. Commentary on ServiceNow captured in research discussions includes:
- ServiceNow “floats to the top [of evaluations]…does so many things” – IT risk management, vendor risk management, data governance, privacy, business continuity…
- Breadth of connections and data access is extremely beneficial, makes [ServiceNow] effective at risk management.
- No-code/low-code is really important in this space; “important to process management…[supporting] ability to adapt to changes” in the business/regulatory environment/etc.
- INTEGRATE, don’t CUSTOMIZE! ServiceNow can be configured via “no-code and APIs, [customers] can buy plug-ins” to integrate with other applications or functions.
- “A lot of GRC is about workflow management – you can layer GRC atop workflow, and that’s what ServiceNow has done.”
Another vendor attracting broad interest from Stratascale experts is Onspring. One senior Stratascale expert said, “I see a lot of our bigger customers abandoning complex, labor-intensive legacy GRC platforms to go towards simpler, modular, more scalable GRC solutions.” Other comments included:
- Strong in business process management – “ties together BPM and GRC with overall posture.”
- Onspring has superior modularity, “and I really liked that platform. It’s helped me do so much automation… has integration with things like OneTrust.”
The Stratascale team also singled out Unified Compliance Framework (UCF®) as a potentially important element of the GRC toolkit. One expert noted, “UCF provides a singular lens of control relevance and mapping to many frameworks, regulations, laws, standards, privacy, etc…”
Other platform vendors highlighted in this discussion included Reciprocity ZenGRC (“Small, lightweight, cloud-based solution…probably best for smaller firms, or enterprises looking for a compliance-only solution”) and LockPath.
All about data
A second branch of the capabilities discussion focused on data governance as a core GRC capability. Here, the vendor attracting most support in the research conversations was OneTrust. OneTrust references included:
- “Excellent for large environments that don’t already have a ServiceNow instance.”
- “Expensive, but offer good features, such as VendorPedia – security artifacts from big companies built in so you don’t have to build everything from scratch.”
- “I really like their training…I really like everything I’ve seen of them.”
Broader discussion of data identified TrustArc as being directly comparable to OneTrust as a data governance vendor, with Securiti.ai as a firm offering new capabilities in this space, and Alation and Collibra as other vendors worth investigating.
What about the legacy leaders?
Much as Sherlock Holmes once famously commented on the absence of a barking dog, the discussion of GRC vendors was shaped in part by a lack of focus on legacy GRC platforms, as well as only passing references to “best of group” option Microsoft 365 Compliance (compliance capabilities acquired individually or included in an E5 license). The complex, labor-intensive legacy GRC platforms were viewed as being out of sync with current trends and requirements: “customizable but not configurable” – able to be coded to adapt to new requirements or accept new inputs, but unable to evolve via low-code/no-code or API-driven modifications – and requiring “a team of administrators and programmers” to function optimally.
Discussion around Microsoft focused on the fact that access to its security suite is available to many customers with no incremental license cost, which is driving intense interest in Microsoft within the Stratascale client set. There are certainly cases where Microsoft is an appropriate supplier option, but one research participant cautioned that users “face a choice: optimize [Microsoft through investment in building needed expertise and capabilities] or pursue alternatives.”
Options for specific functionality
In many cases, organizations are looking more for specific capabilities than for full-blown GRC systems. There are a number of vendors delivering effective solutions in key areas, including ProcessUnity (“really like them for simple cloud-based VRM…enjoyed my experience with their product and services”), Varonis (“great platform,” strong in data discovery/classification), BigID and WireWheel (for data privacy/data management), and Prevalent (third-party risk management).
Assessments of these vendors, Stratascale sources note, should emphasize interoperability as a primary feature. Addressing specific requirements with dedicated solutions may respond to an immediate need, but these systems won’t deliver optimal benefit if they are isolated from the broader GRC platform. One Stratascale expert notes that “point or task-specific technologies are a nuisance if they are not compatible and can’t integrate with other solutions.”
Our analysis included additional vendors which may meet the needs of specific buyers, particularly those seeking depth in particular areas, and/or with existing investments in one or more of these vendors. These vendors include AlgoSec, Allgress, Anecdotes A.I, BitSight, Cura Software, CyberSaint, Cyturus, Fusion Risk Management, Galvanize (acquired by Diligent in 2021), Infinite Blue, JupiterOne, LogicGate, LogicManager, MetricStream, NAVEX Global, Netwrix, Resolver (acquired by Klass Capital in 2015), RiskLens, Riskonnect, SecurityScorecard, SureCloud, TechDemocracy and TrustMAPP.
This list of 41 suppliers of GRC and related capabilities is drawn from multiple sources:
- It incorporates input from authors of the “Cybersecurity Strategy for the Looming Regulatory Quagmire” report (Michael O’Neil, Joseph Karpenko, Michael Wilcox, Dennis Allen, and Andrew Lee).
- The list and perspectives benefit tremendously from input supplied by Stratascale Senior Security Solutions Architect Tom Costin, who has extensive practical experience and has developed deep research in this area.
- We have also drawn on a variety of external sources, notably Vation Ventures, which tracks investment trends across technology segments.
Stratascale brings a unique combination of expertise, solution depth and vendor relationships and insight to the cybersecurity market. Readers seeking support in developing scalable approaches to GRC are encouraged to contact their Stratascale Account Executive or to connect with us at stratascale.com/contact-us/.