Your GRC solution is the backbone of your risk management and compliance teams—so it’s crucial that your technology doesn’t experience any security lapses or interruptions of service and can be easily updated when needed.
When hosting your GRC platform, your organization has two options: in the cloud or on-premises. We’ll evaluate the pros and cons of each.
When you decide to host your GRC platform on premises, that means you’re using in-house servers and IT infrastructure to run the software.
- Maintenance and storage. You’re fully responsible for server uptime, as well as application updates and configuration. You’ll need to have specialized technicians available who understand how to maintain the servers and manage updates. There’s also a cap on how much data each server can hold, so be prepared to add additional servers when more storage is required. Implementing on-premises solutions also can take longer than cloud solutions because you’ll first have to complete the installation on your server, and then on individual computers.
- Costs. You’ll buy a software license rather than pay a monthly fee for usage, but the license cost may be high up front, and you’ll also be responsible for the ongoing cost of server upkeep and energy consumption. Although licensing fees may eventually be lower than paying for a monthly SaaS service, it could take years to break even, at which point you may discover that your software needs have changed.
- Security. Many organizations feel that on-premises software is more secure than cloud-based software, but this isn’t always the case. Because on-premises software relies on your staff to complete updates, security patches aren’t automatically installed, leaving your software vulnerable to hackers. This was the case with a recent attack on on-premises versions of Microsoft Exchange Server, which affected more than 30,000 organizations in the United States. Instead of specialized admins, organizations running on-premises software often have IT generalists responsible for the software updates, which means that these tools are extremely vulnerable to attacks.
When moving to a cloud environment, you’re relying on the vendor’s servers to host your application, and you’ll be able to access it from any device—no matter where you are.
- Maintenance and storage. Because the vendor maintains responsibility for hosting your application, deployment can happen within a matter of hours or days, with no need for physical installation on individual devices. The vendor is also responsible for managing updates, which should occur automatically. And because your organization is sharing server space with other customers, you have the potential to quickly scale up or down depending on your needs.
- Costs. Rather than purchasing a license upfront, you’ll typically pay for a SaaS solution in monthly installments, with your pricing based on the level of service you need and the number of users you have. There are no up-front capital expenditures, and pricing is typically guaranteed for a period of 12 to 24 months, or potentially even longer. You can also easily make upgrades and add additional services or users without having to make manual updates to the application to do so.
- Security. While security for a cloud-based GRC tool comes down to the individual software, many have higher security standards than on-premises tools. Security patches are instantly installed across all of your users’ applications, eliminating the need to rely on in-house staff to make updates. To ensure high levels of security, choose a platform that encrypts its data and has government certification to demonstrate their security compliance. Galvanize’s HighBond platform, for example, received a FedRAMP Agency Authorization from the U.S. Federal Government in 2019, after meeting strict cybersecurity compliance requirements demanded by government agencies. And this year, we announced an additional certification—the Department of Defense Impact Level 5 Authorization—ensuring that our platform is suitable to manage the mission-critical work of the DoD and other government organizations.
Evaluating your options
While on-premises software may be necessary for certain businesses because of compliance requirements, the vast majority of organizations now have the freedom to move to the cloud. And as many cloud-based software vendors have ensured that their solutions are secure and stable enough for enterprise and government use, we’ve seen adoption rates skyrocket: Gartner predicts public cloud spending worldwide to grow by 23% in 2021.
The COVID-19 pandemic and move to more distributed teams has shown the dangers of relying on on-premises tools and infrastructure. By embracing digital transformation and building a secure technology stack of cloud-based tools, you can sleep easy knowing that your teams have the tools to work from anywhere, at any time, without compromising your organization’s security.
When choosing a cloud-based GRC tool, take the time to trial the product and ensure that it meets your needs. Ideally, it should provide an integrated platform where your entire risk management team can collaborate and share data. It should also have the ability to automate common compliance workflows and provide visuals and real-time analytics to help you gauge your risk levels for key risk indicators.
It’s also important to make sure that your vendor is financially stable and has a strong history of servicing government and enterprise customers without data breaches. Check for certifications that demonstrate their dedication to cybersecurity, such as the FedRAMP and IL5 certifications mentioned above.
Making the move from on-premises to a cloud-based solution can be a big leap of faith, but with the right partner, you’ll see many benefits. The choice is clear: A cloud-based GRC solution is the way of the future.
KRI Basics for IT Governance
This white paper addresses some of the most common challenges of implementing, managing, and maintaining key risk indicators (KRIs) within your IT department.
- the purpose and role of KRIs
- the difference between KPIs, KRIs and KCIs
- example KRIs to get you started