Governance & Risk Management , GRC
RegScale Buys GovReady to Simplify Compliance for the MassesThe GovReady Purchase Will Make Compliance as Easy as Filling Out a Questionnaire
RegScale has purchased a startup founded by the FCC's former chief data officer that makes documenting compliance easier for nontechnical personnel by using a questionnaire.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The Washington, D.C.-area governance, risk and compliance provider says its acquisition of fellow D.C.-area company GovReady means customers will be able to demonstrate their adherence to standards such as NIST, PCI and HIPAA by answering questions rather than documenting how they address specific controls. The latter can be challenging for nontechnical individuals given the size of RegScale's system (see: PCI Compliance: The New - and Evolving - Landscape).
"We're really focused on driving compliance from a point-in-time activity to something that can be real-time and continuous and complete," RegScale co-founder and CEO Anil Karmel tells Information Security Media Group. "We're leveraging code as opposed to what we traditionally see with paper that's filled out after the fact and immediately out-of-date the moment it's created."
Taking on the Documentation Headache
The terms of the acquisition, which closed a couple of weeks ago, weren't disclosed. Current GovReady CEO and former Federal Communications Commission Chief Data Officer Greg Elin has joined RegScale's R&D team, which brings RegScale's headcount to more than 30 staff. RegScale's technology was created four years ago, and the company was spun out from digital services firm C2 Labs in 2021.
While GovReady's technology excels at simplifying the creation of compliance documentation, Karmel says RegScale ensures that documentation is kept up to date through tight integrations with third-party security and compliance technology. GovReady clients historically had to fill out the same questionnaire to update their compliance information since there was no technology providing automatic checks.
RegScale leverages APIs to exchange information with systems that are monitoring the customer's IT environment to ensure compliance documentation is kept up to date and any gaps are identified easily, Karmel says. The platform comes with more than 40 compliance frameworks loaded out of the box, including federal requirements as well as industry-specific ones in areas such as healthcare and finance.
Both RegScale and GovReady have historically sold to compliance professionals, but RegScale has focused more on the CISO while GovReady has worked directly with developers, Karmel says. GovReady has been very focused on selling to federal government agencies, while RegScale serves the financial services, high-tech, energy and utilities sectors in addition to the U.S. government, according to Karmel.
Sizing Up the Competition
RegScale competes against Archer and home-grown compliance systems in the commercial space and CSAM, eMASS and Archer in the government arena. Karmel says RegScale's next-generation technology can feed legacy compliance platforms such as Archer to reduce the time needed to demonstrate regulatory compliance with the U.S. government or in specific verticals.
Karmel anticipates the acquisition of GovReady will drive adoption of the company's free community edition platform, which allows customers to get immediate value from RegScale's technology. The paid enterprise edition of RegScale's technology offers integrations with third-party tools to streamline reporting capabilities and ensure customers aren't manually inputting data to keep paperwork current.
"The 'shift left' movement is here. It's already happened for security. There are security tools that exist in your environment today that add tremendous value," Karmel says. "But compliance is an area that hasn't seen innovation in decades. The time for 'shift left' compliance is here, and RegScale is here to solve that problem."