GRC: CISOs must crawl, walk and run, says MetricStream's Gunjan Sinha

Governance, Risk, and Compliance (GRC) is fast becoming an important part of the security of organizations. MetricStream, a provider of GRC solutions, has a team of over 2,000 employees in India. The company's executive chairman Gunjan Sinha speaks about opportunities in India and how Indian CISOs should approach GRC.

Edited Excerpts:

What are the definite opportunities for MetricStream in India?

From day one, we have been building a strong strategy around India by tapping into the innovation ecosystem in Bangalore. Being a global company with customers worldwide, we have fundamentally done significant innovation in India. That is core and central to our strategy.

We have built a major amount of talent and expertise and invested in R&D engineering that helped us expand into new areas within MetricStream in Bangalore. For example, we are tapping into the emerging market from India for opportunities across different domains. As I look forward, we have built a team of over 2,000 employees in India and our challenge is to continue to be the employer of choice and build deep domain expertise in GRC.

GRC is a very domain-heavy space. There are best practices in large financial markets, large companies in healthcare and other verticals. We are making sure that our team is not just technically competent but also domain competent.

Acceptance of solutions in a new domain like GRC takes time. Is that a roadblock in India?

The roadblock is more around us as we are investing to educate talent to help bring people up to speed in GRC. We launched MetricStream University in mid-2014 because it was not easy to find people with GRC expertise, though you will find some talent in accounting firms like E&Y, PwC and Deloitte, to name a few. But after a few years, as GRC becomes more popular among enterprises, we will interact with hundreds and thousands of domain experts.

MetricStream University is now the largest university in GRC, with curriculum, programs, certification and training. We are working with universities to train and then hire talent. We are also ensuring trained domain experts are available for our partners like Infosys, TCS and Wipro. With a large talent pool available in GRC, it will be a lot easier for us and also our partner ecosystem to execute projects.

Why is GRC not on every CISO's agenda?

Most CISOs are occupied more around ‘block and tackle’ solutions, vulnerability assessment and basic fixes to avoid blatant security breaches. The companies up the maturity curve with the basics in place are the ones embracing GRC. Companies more advanced in infrastructure are using GRC to get a 360-degree perspective to know about the emergence of risks and then proactively and prospectively address and fix them.

In more developed economies and developed companies, GRC is now a must-have globally. India is an emerging market as many businesses are still climbing up the maturity curve. And as they are at the right stage and the correct time to embrace GRC technology, we are making sure to be at the forefront as a technology enabler. The adoption of GRC in India is very encouraging for us.

Are compliance-centric organizations the early ones to adopt GRC?

Yes. Industries which are more regulated have much higher impetus for GRC. The compulsion is not coming from security breaches or data loss threats but from strict regulations and laws.

GRC is largely perceived as a giant complex beast for CISOs in the overall security conundrum. Would you demystify it?

GRC is all-encompassing and it feels complex, it feels big. And it is big. A decade ago, we realized one could not approach this problem as a monolithic beast as it would be as futile as trying to boil the ocean.

The genesis of MetricStream is the creation of a very simple GRC platform and modular apps. Each bite-sized app allows CISOs and their teams to adopt GRC in pieces. The simple set of apps on the GRC journey makes it more manageable and a simpler experience. If someone attempts the whole thing in a single shot, it leads to complexity. Our company motto and tagline is ‘Make GRC simple’ with our technology, partners and team.

How does MetricStream view India market in terms of business operations?

Besides significant R&D and innovation, we have full-fledged operations in sales, finance and other departments. India is more strategic because of the presence of our many established partners and big systems integrators like Infosys, TCS, KPMG, Deloitte and others who implement our GRC solutions. It is fundamentally important to have a local presence in adequate numbers and functions to support them to deliver the best GRC solutions.

Tech Mahindra early this year entered into a strategic alliance with us by establishing a dedicated MetricStream Center of Excellence (CoE) in Bangalore. Hence India is strategic for us in multiple ways.

What do you look for in channel partners?

Channel partners need to have certain expertise and domain specialization. If they have expertise in law and regulation in the country, understand the domain and have built a practice around it, it is a natural partnership for us. We don’t look at size as the determinant.

The biggest requisite for our partners is depth and understanding around enterprise solutions, besides interest in the world of security and governance, risk and compliance. That’s what we use as qualification criteria, with hundreds, if not thousands, of companies approaching us for partnerships. We are carefully distilling the prospective partners as we have different grades of partnerships like strategic, resellers, entry level et cetera. We have MetricStream University, where they can get people trained and certified.

Do you see the government adopting GRC? Does MetricStream cater to SMBs too?

Most of our early adoptions globally have happened in the commercial sector more than government. For the past five to seven years, we have focused on commercial companies and today we have enough large, mid-market and small customers. Governments are now moving in to adopt GRC.

Last year, noted Gartner analyst French Caldwell joined our team as chief evangelist at MetricStream. Just as SAP created ERP and Salesforce introduced CRM, we worked closely with analyst firms to define GRC as a three-letter acronym because it sits one level above ERP and CRM.

Just like it’s said ‘men are from Mars, women are from Venus,’ I have the phrase ‘businesses are sitting on Mars, regulators and government are sitting on Venus’ for GRC.

Through technology, our job is to bring them together on the same planet. This way, the cost of compliance and the consequence of breaches will be reduced. That will bring down the risk and make the country--and the economy--better governed. And this is on every senior government official's agenda. That is the plan by PM Modi around governance and we want to make sure we feed into that. That’s Caldwell’s job as part of the leadership team.

GRC appears an expensive proposition for price sensitive SMBs...

Not really. The MetricStream GRC platform is very modular. We have customers who are paying literally a few thousand dollars a month, up to companies spending several million dollars.

There is an absolute array of things you can do. If you have a few users and specific needs, you can get started in a matter of a few weeks on the cloud. There are people who are building a complete global infrastructure. That’s the other end of the spectrum. We are serving the entire range, from the small company in the cloud to large enterprises.

What are the Dos and Don'ts for CISOs and their organizations on the GRC journey?

This is an area where you have the maximum failure rates in GRC – if you are not careful about how you think about your GRC journey, you could end up biting off more than you can chew.

My recommendation for companies is to map out a journey through a modular and phased approach. I am a big proponent of crawl, walk and run. CISOs have to understand their company’s GRC maturity level today. Just like the CMM quality model, think about a GRC maturity model today and three or five years from now. Don’t try to boil the ocean with many different things simultaneously, as it will lead to disappointment or cost issues or system failures.

No security vendor has a silver bullet to halt security breaches. Do GRC solutions deliver TCO / RoI for organizations?

Firstly, GRC cannot be done manually because of the monitoring of numerous data sets. It is like the big data problem of ‘finding a needle in a haystack’. Throwing bodies at the problem is not viable. This is only possible through technology to gauge what’s wrong in the company, which door is open and needs to be closed against attacks, and what dataset is prompting potential breach risk. We mine all the data in an automatic manner to give red, yellow and green alerts to CISOs.

RoI in GRC emerges from the fact that the other option is to hire people and manually inspect data. This is a losing proposition--no matter how many people you hire, they will miss things because humans cannot process such huge volumes of data.

On an ending note, do you see 2016 as the year of GRC?

GRC today stands at an interesting crossroad. Every company in the 1990s wanted to deploy ERP with SAP. In the early 2000s, sales rode the wave of CRM. There is an absolute demand surging around the world for GRC. Every company I talk to, in the US, Spain, Australia and India, is seriously exploring GRC. This will create massive demand. 2016 will be exciting and we will continue to accelerate our momentum.