Friday, December 26, 2008

Why doesn't GRC stick?

GRC in the IT field is supposed to be the next big thing. So why isn't it here yet?

The term IT-GRC is not a fabricated name. It is a real-world response to an existing requirement, and it evolved through the right steps: at the beginning there were only simple logs and policies; then came the tools, methodologies, and integrated solutions sold under the SIEM name. SIEM wasn't enough, since we needed a solution set for managing governance, risk and compliance together, and so we got IT-GRC.

IT-GRC has all the signs of the next killer solution, so why is it not mainstream? Many people, including myself, ask the same question.

I would like to borrow the framework from the very popular business book "Made to Stick" by Chip and Dan Heath.

Here is the book's outline: the acronym "SUCCESs" (written with the last s dropped) summarizes the ideas that stick. Each letter refers to a characteristic that can help make an idea "sticky":

Simple — find the core of any idea. First of all, GRC has three cores (like an odd Intel processor), and each core points in a different direction and at a different group in the IT organization. We already have difficulty finding the core of Governance, Risk or Compliance on its own, yet we need to interpret all three cores together. Nobody can claim that presenting the core of the GRC idea is simple (with the exception of the funny SAP people who think GRC is SoD, segregation of duties).

Unexpected — grab people's attention by surprising them. GRC is not surprising. We have been waiting for such a solution for years; there were simply not enough drivers for a commercial one. Under the name of toolkits and methodologies everybody had a hodgepodge workflow; in the end, who beats a nice combination of Excel, Word and, lately, SharePoint documents :) An organized solution such as IT-GRC that can tie into the governance of IT processes, risk and compliance was always a project in progress. Luckily some vendors have delivered much better organized solutions. But at the end of the day it was not surprising. When I give a presentation on GRC, the first question I get is "Can I buy a tool that delivers what you are talking about?" The question is wrong, of course, but it steals all the "unexpected" beauty of the solution sets.

Concrete — make sure an idea can be grasped and remembered later. No, it won't be remembered easily, even if Gartner says so. GRC covers a broad area, and it is not easy to find individuals who carry the responsibility, and the attention span, for all of the GRC solutions.

Credibility — give an idea believability. GRC is too good to be true. Since it is new in the IT field, credibility is not easy. Many of the vendors will object to this statement, but it is difficult to give credibility to a toolset where the implementation and operational details of each specific customer play the larger role. Like ERP deployments, IT-GRC deployments have to be unique for every operation. Toolsets require deployment, and they need to be supported by management and by the operations teams. Credibility will eventually come with the maturity of the solutions. There are some vendors out there with great customer names, which may be a good start.

Emotion — help people see the importance of an idea. For most of IT, the emotion was lost with the departure of the dot-com companies. But it is not difficult to create emotion where governance can positively change the bottom line of operations. I think this is a matter of time.

Stories — empower people to use an idea through narrative. I can tell stories about the firewalls we built in 1994. GRC needs more stories. IT-GRC is new and our stories are limited; a search on Amazon turns up SAP, Oracle and the business side of old-world GRC. The IT-GRC stories have not been published yet.

It will stick at some point, but hopefully not too late.
cheers,
- yinal