📝 State of GRC 2026 Report: Spreadsheets are still #1

The data, the patterns, and the gaps nobody's talking about. Everything you need to understand where GRC stands today through the largest independent practitioner survey ever conducted.

If you work in GRC, you've probably noticed something: every market report about our industry is funded by the companies being evaluated. Analysts survey vendor customers. Vendors survey their own prospects, or they might offer respondents an Amazon gift card.

The findings always seem to validate whoever paid for the research. There's no equivalent of an independent industry report for GRC that starts with practitioner data instead of vendor briefings.

So I built one.

This is the report I wish existed when I started working in GRC.

I wanted to see what happens when you ask the practitioners instead.

795 GRC and security professionals responded to the largest independent security GRC survey ever conducted outside of vendor-sponsored research. No vendor funded it. No sponsor influenced the questions. No partnership shaped the findings.

5 Key Takeaways from the Report

Here's what they told us:

-> The #1 GRC tool in 2026 is still a spreadsheet. 93 respondents rely on spreadsheets as their primary tool, ahead of ServiceNow (86) and every commercial platform.

-> 59% of practitioners are commercially unaddressed. Spreadsheets, custom tools, open source, or nothing. Three out of five GRC professionals have not been converted by any vendor.

-> No vendor holds above 18% market share. This is the most fragmented enterprise software market in existence. For comparison: Salesforce holds 21% of CRM. ServiceNow holds 42% of ITSM. Datadog holds 52% of observability.

-> The average technical skill is 5.4 out of 10. Half the industry sits between spreadsheet defaults and automation capability.

-> CISOs don't trust the category. 73.6% of CISOs use no commercial tool at all.

The full 36-page report is below. It covers who responded, team sizes, the tool landscape, the buyer disconnect, tool choice as technical identity, and the skills gap that sits underneath everything.

This is my first attempt at something like this. It's not perfect. The survey design could be tighter, some sections could go deeper, and I'm sure there are angles I missed entirely. Also, it's based on the questions answered by the survey, which I can expand on later.

But I believe in shipping v1 and improving from there. If you have feedback on what to add, what to cut, or what to explore further next year, I genuinely want to hear it. Reply to this email or message me on LinkedIn.

This is independent data from the people doing the work. I hope it's useful.

Download the report below!

📄 Download the full State of GRC 2026 report

The full report is 36 pages across six chapters with over a dozen original charts and full methodology.

You can download the PDF right here; it's free and always will be.

GRC_Engineer_State_of_GRC_2026_Report.pdf (15.09 MB, PDF file)

That’s all for this week’s issue, folks!

See you next week!