Nick Rafferty, SureCloud chief operating officer, talks IP EXPO Online through the company’s strategy for tackling third-party assurance for governance, risk and compliance.
At a time when customer data privacy is a concern that every organisation must address, having rock-solid compliance processes in place internally is no longer enough.
A company can put its best team on the case, with knowledge of the regulatory and legislative landscape that is second to none – but if the suppliers with which the company does business are leaking data like sieves, its best efforts to ward off an investigation and potentially hefty penalties may be futile.
This is the risky situation that executives at SureCloud witness at many organisations, and one that the UK-based governance, risk and compliance (GRC) specialist aims to address with its cloud-based collaborative compliance platform. Auditing the supply chain for risk – or “third-party assurance” – is a growing area of concern for organisations in the UK, and it is now the company’s primary focus, according to its chief operating officer Nick Rafferty.
That marks something of a shift in strategy for the company, he acknowledges. “We’ve always had an eye on governance, risk and compliance as an area of interest – but we originally started supporting monitoring and testing – helping IT teams to track penetration test output, for example, and log monitoring.” So while SureCloud’s offering was “always driven around compliance”, he says, it is now looking higher up the stack: beyond day-to-day IT security concerns to a more general area of business risk, and one the company hopes will be more lucrative.
With that in mind, the company has recently launched business analytics for the SureCloud platform, which it claims brings a whole new level of insight into third-party assurance. Before this release, the SureCloud platform already let customers centralise all the information generated by assessing and monitoring compliance with data-privacy policies across their wider supply chains. In other words, it provides a repository where a company’s supply-chain partners can access and complete data-privacy audit forms, and where employees of the company itself can analyse those forms. This, says Rafferty, is a process that many organisations still attempt to manage using emailed spreadsheets.
Now, with business analytics, the compliance teams of SureCloud customers can ask questions such as: “Which are my worst performing suppliers in data-privacy compliance terms? Should I continue to trade with them? Which compliance requirements do a sizeable chunk of my suppliers struggle to meet?”
An early customer of the new capabilities is Shop Direct Group, one of Europe’s biggest online retailers. “Our comprehensive third-party compliance programme requires a robust compliance tool to help us demonstrate that customer data is secure, regardless of its physical location,” says Mike Marshall, group security director at Shop Direct Group. “SureCloud will make managing the due diligence process with our third parties much more straightforward, eliminate the need for emailing spreadsheets backwards and forwards as we did in the past and have the versatility to support our future needs,” he says.
SureCloud is still a small, UK-based start-up: with its focus on third-party assurance, says Rafferty, the company hopes to double sales in the next year or so, a plan that would grow revenues to some £5 million. Right now, 99 percent of its customers are UK-based, too, although SureCloud has picked up a couple of Middle East-based financial services companies along the way. The US, naturally, is its next big target, and expansion in that territory is a major project for 2013, according to Rafferty.
A recent technology audit of the SureCloud platform, conducted by IT market analyst firm Ovum, is largely positive, commending it on four key findings. First is its flexibility in helping organisations start their IT GRC projects, whether they want to customise, develop themselves or use best-practice templates. Second is the simple per-user price model, which offers tiered pricing based on the customer’s capability requirements. Third is the platform’s customisable management dashboard, which provides users with specific views and analysis of their IT GRC information. Finally, Ovum’s report references SureCloud’s professional services, which aim to enable customers either to implement SureCloud for existing IT GRC processes themselves, “or get a services-led ‘kick-start’ to implementing IT GRC,” it says.
“SureCloud helps organisations of all sizes automate any IT GRC process, such as compliance audits, policy management, risk assessments, or third-party assurance programs,” writes Ovum analyst Roy Illsley. “Ovum considers that the biggest value proposition is SureCloud’s collaborative use case by devolving the work to the most appropriate location, whether internal, external or a supply chain partner.”