Laying the Groundwork – the Back Story
SimpleRisk CEO and founder, Josh Sokol, a security practitioner by trade, created SimpleRisk out of necessity. During his tenure at National Instruments (NI), a publicly traded, $1B+ global company, Josh was responsible for the security program, a role which he held for over a decade. In 2013, he was tasked with establishing a risk management program that would scale globally and had hit “the wall” using spreadsheets and manual processes. With no budget to purchase a tool, and out of options, Josh set out to develop his own enterprise risk management solution, which led to the creation of SimpleRisk.
The first iteration was nothing more than a page to submit a risk, a page to edit risks, and a page to view all of the risks submitted – essentially, a simple risk registry. While it was rudimentary by any standard, it passed the “good enough” test, so Josh deployed it at NI and called it “SimpleRisk”. As a way to give back to the security community, he released his tool free and open source, so that other security practitioners could overcome similar hurdles.
The Current State of the GRC Market
A recent survey from Michael Rasmussen, the “GRC Pundit & Analyst” from GRC 20/20 Research, estimated that there are over 350 providers of Governance, Risk Management and Compliance solutions. Given the sheer volume of vendors in the GRC space, choosing the product that meets your requirements can be a dizzying experience. There’s a wide range of solutions where vendors profess to cover all of the functional GRC components (and beyond) and promote their platforms as being “fully integrated”. Other products are purpose built around auditing and compliance, while a variety of point solutions are risk management centric and others are designed to focus on vendor risk assessments. And, there’s yet another vendor category where a GRC tool is sold as a subset of a larger software solution.
Over the past several years, SimpleRisk has engaged with thousands of prospects and customers, and we’ve repeatedly heard that most GRC tools are overly complex, cumbersome, lack flexibility and are costly to implement and maintain. This input reinforced what Josh discovered during SimpleRisk’s seven year incubation at NI, where he realized the optimal design would require a framework that was highly configurable, intuitive and simple to use.
The Luxury of a Global Sandbox
The global footprint at NI provided Josh with a fertile breeding ground to transform SimpleRisk from its infancy into a robust, battle tested, ERM system that would ultimately evolve into a comprehensive GRC and Incident Management platform. At NI, Josh was “patient zero” with SimpleRisk. The need to meet the constantly changing requirements in a large, complex, production environment caused him to continually adapt SimpleRisk functionality and workflows.
This diverse ecosystem proved to be the perfect environment for a nascent product like SimpleRisk to blossom into the commercial success it has become today.
The “Aha” Moment
Here’s where the story gets interesting. Initially, Josh had a single-minded purpose - to build out SimpleRisk to implement a successful global Enterprise Risk Management (ERM) program at NI. This objective was achieved, but it wasn’t until he began receiving a variety of enhancement requests from the growing SimpleRisk user base that he realized the product also had the makings of a commercial success.
Having seven years to experiment and harden SimpleRisk in the “global petri dish” at NI set the stage for the company’s remarkable journey. Here are five key reasons that SimpleRisk rises above the noise in a highly fragmented GRC market.
Reason #1 – Simplicity
It’s common for GRC tools to take months or even years to get implemented and in some cases, a rollout never occurs due to their complexity. From inception, SimpleRisk was designed to be simple and effective, and we strive to make the user experience match our vision.
Today, we rely on direct feedback from customers and prospects to guide our development efforts and reinforce our strategic direction. But, SimpleRisk’s underlying simplicity is a result of a security practitioner creating the foundational framework in a global, production environment.
The organizational hierarchy at NI encompassed a wide range of users including Board Members, C-Level Executives, VPs, Directors, Area Managers, Technical Resources and members of a Security Team, each of whom mapped to various business units. Josh recognized early on that to achieve a successful ERM rollout, it would require that the business and technical users he served remain engaged with the risk management process, and keeping things simple and intuitive were vital to achieving this outcome.
Simplicity has now become synonymous with the SimpleRisk brand and is a clear-cut differentiator in the GRC space.
Reason #2 - Configurability
Josh successfully deployed seven SimpleRisk instances at NI and the data points he collected along the way proved invaluable. One lesson learned early on was that creating rigid workflows and processes with GRC software is a recipe for failure, since there’s no such thing as a “one size fits all” approach. GRC programs not only vary from one organization to the next but within larger organizations, a GRC program can vary widely from one division to another.
In order to adapt to the everchanging requirements at NI, SimpleRisk needed to be flexible and highly configurable. Josh recognized that the ability to customize SimpleRisk to meet a wide array of use cases and processes would be a huge benefit to all stakeholders and encourage user adoption.
Having the flexibility to easily configure and customize SimpleRisk is a significant differentiator and has paved the way for widespread adoption for all SimpleRisk customers.
Reason #3 - Pricing Integrity
At NI, Josh Sokol sat in the CISO chair and over the years became disgruntled dealing with vendors and the pricing games they played. Josh wrote a blog about this issue a while back and you can read more about it here. At SimpleRisk, Josh vowed that he would not resort to these same vendor pricing games and his goal was to ensure all customers be offered the same pricing, regardless of size or industry, and that time-based incentives would go by the wayside.
SimpleRisk pricing is 100% transparent and the published pricing on our website contains no hidden fees. All discounts are also listed on our website and available to everyone. And, while we’re happy to field pricing questions and send prospects a formal quote if desired, you won’t need to “call us for a quote” since quotes can easily be self-generated.
In addition, all SimpleRisk pricing options include unlimited users and risks. Our pricing model is tied to product functionality, simple as that. We don’t want to inhibit organizations from adding users based on pricing, since that creates a potential impediment to adoption. Our goal is for organizations to deploy SimpleRisk widely, promote adoption and produce a strong ROI.
SimpleRisk pricing is often viewed as a radical departure from the fees charged by other GRC vendors, yet we have repeatedly demonstrated that to be effective, a GRC platform need not be complex, costly or an administrative burden.
Reason #4 – The Freemium Model
When Josh Sokol launched SimpleRisk in 2013 and made the open source version of SimpleRisk free to download as a way to give back to the security community, he had no idea that over the years, it would go viral. While there were hundreds of users that downloaded SimpleRisk Core between 2013 and 2015, this number has exploded in recent years and to date, SimpleRisk has been downloaded over 70,000 times globally.
Eventually renamed to “SimpleRisk Core”, this free and open source version of SimpleRisk offers all of the basic functionality for organizations to establish a foundational GRC program. This provides SimpleRisk with two significant benefits.
One, we offer SimpleRisk Core users free email support giving us access to product feedback from this global segment of users. While our paying customers and Customer Advisory Board members regularly provide us with their input regarding new features and enhancements, SimpleRisk Core users have contributed a wealth of useful suggestions over the years.
Two, as their GRC programs mature, SimpleRisk Core users look to SimpleRisk to meet their extended requirements. More often than not, a relationship has been established with Core users upfront, making the transition to a SimpleRisk paying customer frictionless.
For a freemium model to be successful, an open source offering needs to be effective, continually enhanced, deliver an exceptional user experience, and be actively supported by the vendor. SimpleRisk Core checks all of these boxes and this has proven to be another key differentiator for us in the marketplace and a significant contributor to our growth.
Reason #5 – Customer Success and Support
Going the extra mile at SimpleRisk with customer support is ingrained into our company culture and held to the highest standard. We continually track customer support metrics and the average ticket response time is under thirty minutes. This has its roots in Josh Sokol’s experience at NI, where the support he received from the wide range of vendors he dealt with was frequently subpar and often unacceptable.
We frequently receive unsolicited accolades, with respect to the quality of our support, from paid and unpaid customers alike. In addition, we receive high marks from customers through direct interaction and support surveys. And, members of our Customer Advisory Board claim our response times and product knowledge are unmatched in the industry.
We also offer also offer free quarterly “Ask the Expert” calls for any customer that purchases a SimpleRisk package. These are one-on-one consulting sessions with SimpleRisk creator Josh Sokol to help ensure SimpleRisk customers are using the product effectively. During these calls, Josh shares his real world experience at NI and topics covered often include strategy, use cases, customization, functionality and how to avoid the pitfalls he encountered at NI.
Another unique support offering is our custom development option. If a customer has specific requirements they consider critical to their success, but are outside of the currently available functionality, a custom development effort can address this need. This allows customers to get the exact functionality desired to meet their requirements, on a meaningful timeline. Any new custom development functionality that’s added is 1) fully supported by SimpleRisk going forward and 2) is shared with the rest of our customer base as a way to give back to the community.
At SimpleRisk, we’ve gone to great lengths to ensure that our Customer Success and Support program is a key strength and customers will attest to the responsiveness and in depth knowledge our support team delivers that sets SimpleRisk apart from other vendors.
The End Game - Return On Investment
The demonstrable ROI realized by SimpleRisk customers is the ultimate benefit. Most SimpleRisk customers transitioned to our platform from spreadsheets and related manual processes, while others replaced existing solutions that fell short. The time, resource and financial savings they achieve is dramatic and measurable, even with our free and open source SimpleRisk Core product. Here’s a recap of the key reasons customers are able to achieve a strong and rapid ROI with SimpleRisk.
- Simple and intuitive – From “zero to GRC” in a matter of minutes
- Comprehensive, configurable, easy to customize – no professional services required
- Affordable – bundled packages with built-in discounts or A la Carte Extras available
- Unlimited users and risks – promotes user adoption and eliminates budget hassles
- Responsive, knowledgeable customer support with swift resolution of support issues
If you’d like to schedule a demo to learn more about the SimpleRisk GRC and Incident Management Platform, you can access our online calendar here and choose any one hour slot that’s convenient. Or, feel free to register for a free 30-day Hosted Trial where you can try out the fully-featured version of SimpleRisk firsthand. You can also download our free and open source SimpleRisk Core product here.