
MetricStream CTO on their cyber-security tech stack

MetricStream is a leader in the GRC industry, governance, risk and compliance.


MetricStream is a global market leader in integrated risk management (IRM) and governance, risk, and compliance (GRC). They help businesses prepare for cybersecurity risks, business disruptions, regulatory pressures, and a constantly evolving need to demonstrate responsible business practices. Analytics India Magazine spoke with CTO Prasad Sabbineni to learn more about the company’s offerings and the state of cybersecurity in India.

AIM: What problem does MetricStream solve?

Prasad Sabbineni: MetricStream is a leader in the GRC industry, governance, risk and compliance. We help our customers assess, measure and manage their risk across their organisations. This includes enterprise risk management, regulatory compliance, audit and cyber risk—our latest offering in compliance with ESG, environmental, social and governance standards. We offer our Connected GRC products as those that connect across three product lines – Business GRC, Cyber GRC and ESG. Business GRC connects across risk, audit, and compliance to bring insights to bring strategic advantage to our customers. With Cyber GRC, we help our customers gain visibility into and manage their IT and cyber across their enterprise and with their third parties and fourth parties. ESG is fast-evolving with many frameworks that the regulators are imposing on the organisations. We help our customers collect their internal environmental, social and governance metrics and combine them with external data sets and analytics from various sources. They can generate a large set of ESG metrics-based reports with a click of a button.

AIM: Tell us about the tech stack behind your IRM platform.

Prasad Sabbineni: We are a SaaS product company offering modern cloud-native architecture. All our products are built on top of our platform and are based on cloud-native architecture. The architecture is multi-tiered and service-oriented. The backend is Java with JTE technologies, JavaScript, React, JS on the front and Neto mobile offerings for iOS and Android. We also offer MetricStream Intelligence, one of the latest offerings. It provides machine learning features through GRC ontology-based knowledge graphs for all three product lines. We have also introduced a Risk Quantification Engine and continue that journey with metrics from intelligence to make our products more AI-centric. We have recommendation engines built into our customers’ workflows, issues, and action plans.

AIM: What are the various offerings by MetricStream? 

Prasad Sabbineni: Our integrated risk management platform is a set of components that bring together various domains through a federated data model, interconnected GRC objects, with our app studio, low-code/no-code configurations based on code generations, AI embedded workflows and assessments. These are available on the platform, and we build products on top of this, leveraging those components. Our strategy is to reuse rather than reinvent the wheel. So anytime something needs to be handled, for instance, issue management or policy management, we tap into the reusable components. These are brought together as part of the platform and that platform because of the federated data model and the interconnected GRC objects. This differentiates competitive advantage and allows us to bring insights across all three domains. It also allows for seamless integration, providing insights to our chief risk officers and chief compliance officers of an organisation and their teams. That’s really the power of MetricStream.

To ensure data privacy, we enable organisations to get a holistic view of risk posturing and take necessary actions to assess their risk and compliance. We do this by bringing in the IT assets of an organisation, and we bring in all of the vulnerability data through vulnerability scanners. After that, we connect it with the threat intelligence and threat libraries with built-in mechanisms to mitigate and manage those risks. It’s all about automation, bringing data in real-time, assessing risks, performing control tests, and monitoring continuous control in real-time. We package various compliance standards like the GDPR and PCI DSS when it comes to privacy and standards. We couple that with rationalised controls to drive efficiency for organisations and perform testing and compliance reporting.

When it comes to India, cyber risk is not only an IT risk anymore. It’s integral to any business operation and cuts across all industries and sectors. It’s no different in India or abroad, anywhere in the world. 

AIM: Can you share some interesting case studies?

Prasad Sabbineni: We worked with Global Telecom to co-innovate a solution to address their escalating cyber security concerns. Given the pandemic and the increasing number of vendors, they realised they had a less timely risk scoring measure and did not have a sure model of how high, medium or low the risk is. We worked with their GRC officer and cyber teams to develop a risk quantification model. It helped identify, quantify, measure and translate the risks into a monetary impact. This helped them find a focus area. We considered their assets, threat and vulnerability data across 100+ systems and helped them reduce their decision-making time for critical cyber restrictions. 

AIM: Why are CIOs prioritising cyber investments, and what are the safety technologies available at their disposal?

Prasad Sabbineni: This ties right into risk quantification. It helps the source identify or quantify their risk across the entire universe to help them better identify which issues to tackle. Since not all risks are created equal and cannot be addressed, quantification comes into play. This allows CIOs to see the bigger picture and focus on the areas where there is the most monetary success. 

AIM: What are your plans for India?

Prasad Sabbineni: MetricStream has a large presence in India. It extends across the board to technology and customer success teams. India is one of the fastest-growing economies, and we see an increased opportunity in various sectors in India for our product offering. As businesses and organisations become highly regulated, they must comply with these risks and compliance standards. As they move on to the world stage, they need to deploy GRC offerings from leaders in the space to show they are compliant with these regulations and can manage their risks internally. 


Avi Gopani

Avi Gopani is a technology journalist who seeks to analyse industry trends and developments from an interdisciplinary perspective at Analytics India Magazine. Her articles chronicle cultural, political and social stories that are curated with a focus on the evolving technologies of artificial intelligence and data analytics.