"As such, it costs a lot and requires a substantial amount of time to even train the workforce to get value from the tool. And even after being trained, users still fail to utilize the system to requirements. The resulting data tends to be inaccurate, then the tool fails to produce actionable information, which was the entire reason organizations purchase GRC tools in the first place."

That problem should be relatively easy to fix, according to Farshchi. "Vendors should take a page from Apple or Intuit and apply some user experience testing into the design of the tool interface," he says.

"By making the GRC tools more user friendly while controlling for invalid data, training is easier and cheaper, adoption is quicker and the likelihood for input errors is reduced."

Another issue for organizations turning to GRC technology is vendor lock-in, says Robert Brown, CISO at Western Bridge Corporate FCU, a credit union in San Dimas, Calif.