A Modern Approach to TPCRM: the Exchange
Outsourcing, digitization, and globalization – the three main drivers of business transformation over the last 30 years. From these forces, organizations have prospered from the innovation of new products and services, the ability to focus on their core competencies, reduce costs and enter new global markets.
But with agility comes cyber risk.
Globally dispersed, highly networked and digitized businesses now face new cybersecurity and resiliency risks that many businesses are just now beginning to address. As a result, both government and commercial enterprises are establishing third-party cyber risk management (TPCRM) programs to better identify, assess, mitigate and oversee the risks created by third-parties, partners, and customers in their digital ecosystem.
Previously, time-consuming and often costly regulatory requirements mandating TPCRM programs only affected organizations working in highly regulated industries, such as financial services, healthcare and energy. But today, all organizations require a scalable and cost-efficient TPCRM program to protect their company and to drive regulatory compliance.
Current practices and technologies used to support TPCRM and assess third parties are costly and often inadequate and inefficient. Third parties spend an average 15,000+ hours completing assessments each year. 54% of enterprises say this data is only somewhat valuable, and less than 8% of these assessments result in action. The cost of failing to properly evaluate and vet vendors is $13 million, impacting reputation and brand, decreasing share value, loss of business, and the like.
Ponemon Report: The Cost of Third-Party Risk Management
It seems TPCRM has presented a tough code to crack for many CISOs and security leaders alike. Pinpointing risk within your ecosystem is essential to being able to keep yourself secure, but with so many third parties to evaluate, it can be a seemingly insurmountable task with long turnaround times for static assessments and often inaccurate results from scanning tools.
Currently, 40% of organizations use manual procedures like spreadsheets and 51% employ risk scanning tools to vet their third parties. Over 54% of these organizations say that the results of these tools provide (at best) only somewhat valuable information. Not a lot of confidence in current processes, especially when the cost of failing to vet and evaluate third parties is roughly $13 million.
We’ve talked about the ONE thing all modern TPCRM programs do, but let’s break it down. Rather than maintaining a one-to-one relationship between companies and their third parties, why not work together with a community of risk management professionals towards a common goal of decreasing third-party risk. Why not ditch the disparate, one-to-one assessments, and use dynamic, one-to-many assessments hosted in an Exchange?
It benefits both sides. Enterprises simply look to see if their third-party has completed a dynamic assessment and request access. Essential risk information in the click of a button. And, instead of spending 15,000+ hours filling in spreadsheets every year, third parties are able to complete one assessment, share with their upstream partners, and keep the information updated as there are updates to their security controls.
The CyberGRX Exchange is the destination for enterprises and third parties to connect based on a common goal to cut out busy work and take a truly risk-based approach to TPCRM. It allows companies with expanding ecosystems to easily scale their TPCRM programs while reducing the assessment burden third parties deal with every year. And, with over 34,000 companies on the Exchange (and growing) there’s a good chance your third parties are already on the Exchange. That’s the power of an Exchange – and it’s one of our primary differentiators.