So how can vendors make GRC products more helpful for their customers?

"I really believe that products, companies and even people compete best by differentiating themselves--finding one or two things they are outstanding at, and leveraging them to outcompete all others in that space," Farshchi says. "Instead of trying to be all things to all people, GRC tools should focus in on a couple of key pain points for the IT enterprise, and offer a streamlined, standardized, interoperable solution to those problems."

Farshchi sees signs that GRC is moving in a positive direction. "First, the dashboard functionality in these tools is maturing, in that the data is more readily consumed by key users and stakeholders," he says. "Second, the notion of risk has become better reflected in GRC tools as organizations are able to set 'target' risk levels. Although the dashboards can still be improved and the applicability of the risk calculations leaves a lot to be desired, these improvements demonstrate that GRC tools are maturing."

In an ideal world, "a GRC product would work a bit like a Salesforce.com" customer relationship management (CRM) application, Brown says. "Secure, hosted software as a service, with a well-documented API [application programming interface] to enable data linkages with additional third-party tools that can easily extend functionality."