In March of 2010, our Founder, Josh Sokol, began building the Information Security Program at National Instruments from the ground up. At the time, he was primarily tasked with managing their SOX compliance and developing a formal risk management program. Josh began his research into risk management by investigating the various frameworks that were available. He quickly settled on utilizing the NIST SP 800-30 framework as the basis for his new risk management program. Initially, he began using spreadsheets to track risk. They worked for a short time, but he quickly realized that spreadsheets would not be able to scale to meet his needs. Next, he worked with members of the IT team to develop a custom risk management platform using Lotus Notes as the basis. This solution addressed the scalability issues, but since his risk management program was still in development, the number of changes that he was requesting quickly overwhelmed his IT team. The Lotus Notes database simply wasn't dynamic enough to evolve to meet the changing needs of their growing risk management program. After a couple of years of growing the Information Security Program, and solidifying their enterprise risk management practices, Josh believed it was time to move forward with a fully featured GRC product.
Josh spent several months vetting the features of a wide variety of GRC products and eventually settled on one that he thought was a good match for their requirements. He took that frontrunner to his VP, along with a $500k quote, and told her that this was the tool he needed to take their risk management program to the next level. She laughed at him and said "Your budget is $0. Go figure it out."
Plato said "Necessity is the mother of invention" and in this case, stuck between a rock and a hard place, Josh set out to write a risk management tool that could scale better than spreadsheets, be more dynamic than the database his IT team built for him, and wouldn't consume his limited budget on a bloated tool. In March of 2013, three years after he began his risk management journey, Josh released the very first version of SimpleRisk, free and open source, at the BSides Austin Conference along with a talk entitled "Convincing Your Management, Your Peers, and Yourself that Risk Management Doesn't Suck."
What happened next was truly amazing. It turns out that Josh wasn't alone on this journey. There was a whole community of people like him out there who were struggling with the tooling to get their risk management programs moving in the right direction. They started coming to him asking for new features, support, and hosting. SimpleRisk, the world's first free and open source risk management tool, was born.
Today, SimpleRisk has been downloaded over 30,000 times. We support 33 different languages. Our customers range from startups with fewer than a dozen employees all the way up to multinational corporations with hundreds of thousands of employees and billions of dollars of revenue. We have customers in just about any vertical you can imagine from healthcare to aerospace, from universities to energy, and on every continent except Antarctica. We've expanded our team and continue to grow the product to meet the needs of our expanding customer base. We are a fully featured governance, risk, and compliance tool. We have integrations with vulnerability management tools, ticketing systems, compliance databases, and more. We even have the capability to help you to streamline your internal and vendor risk assessments. We simplify your risk management processes and do it at a fraction of the cost of any other GRC tool on the market. In short, whether your company is just dipping its toe in the risk management waters, looking for something instantly better than spreadsheets, or has an existing GRC tool and wants more return on that investment, SimpleRisk can help. We look forward to having the opportunity to work with you!