Michael Maggio, EVP of Product, Reciprocity
Compliance frameworks are typically created to identify the key requirements for mitigating certain market risks, such as PCI for card payments and HIPAA for medical records. However, as ransomware and breaches become even more prevalent, the market is waking up to the fact that although compliance is the first step toward understanding potential risks, companies need to do even more to mitigate them. On average, it takes 280 days to discover and remediate a breach, leading to a loss of millions of dollars each year. Organizations are constantly struggling to identify risks before these types of losses happen, as being compliant is not enough. Understanding this market headwind, Reciprocity not only offers compliance frameworks but also connects the information collected during the compliance effort, enabling companies to capture and analyze data around their business assets and presenting an immediate set of scored cyber risks. "We are moving our solution ahead of the market by providing a comprehensive overview of risks, along with adhering to compliance," says Michael Maggio, EVP of Product, Reciprocity.

Reciprocity's ZenGRC platform enables clients to support different types of compliance frameworks, while collecting data around those. For instance, the company worked with an entertainment firm made up of multiple businesses - including streaming, retail, theme parks, and more - to collect data around their compliance frameworks, as well as tag the business assets that could possibly introduce risks. As the information related to assets for streaming services could also be repurposed in the other businesses, they were able to easily share information that helped them see areas of risk across all divisions - saving them time and money. "Our ability to share underlying data, controls, and risk registers enables clients to expand their footprint of not just compliance but also risk mitigation," says Maggio. Reciprocity also breaks down the solution into smaller modules such as compliance, data management, and risk mitigation for clients' respective departments.

In addition, Reciprocity's team of GRC experts assists clients with their compliance-related challenges.

We are moving our solution ahead of the market by providing a comprehensive overview of risks along with adhering to compliance, rather than focusing only on compliance

While clients approach the company with the immediate need to fulfil their compliance requirements, the Reciprocity team works with them to understand the underlying issues and goals before analyzing their data. By identifying and understanding areas of risk, the company helps its customers avoid or mitigate breaches. "We help clients build a cyber risk program around the compliance framework to provide clear visibility into their risk posture and that is where we are unique. Unlike other vendors who use their documents only to audit for compliance, ours is a live document that is continuously being monitored to prevent risks," mentions Maggio.

He illustrates another instance of a telco start-up that was looking to upgrade its HR system from Excel to high-end software like Workday or SuccessFactors. In the process, the company had to ensure Sarbanes-Oxley (SOC 2) compliance. Here, Reciprocity not only helped them build the right set of frameworks for compliance but also analyzed the risks around moving to a new HR system, assisted with the selection of vendors, and worked with the IT team to deploy the system. "We helped them understand that alongside passing compliance frameworks, it is also essential to ensure that new systems do not expose them to risks."

With such commendable success stories, Reciprocity is set to build visual applications with intuitive wizards that are easy to use and deploy for business users without any knowledge of security or compliance. The company recently released Reciprocity® Risk Intellect, a risk-analysis tool that complements ZenGRC and enables companies to easily and efficiently prioritize the right infosec activities to both strengthen their compliance and reduce risks.