Bringing Sexy Back To Third-Party Risk Management

by Liesl Geier

RSA Conference 2018 is off to an amazing start. We had the honor to compete in the RSAC Innovation Sandbox competition with 9 other innovation finalists: Acalvio, Awake Security, BluVector, Fortanix, Hysolate, ReFirm Labs, ShieldX, StackRox and BigID, which was named the winner.

It was an amazing opportunity to talk about the challenges organizations face with third-party risk and show a captive audience how we are helping organizations overcome those obstacles with an innovative approach to third-party risk management. There is a lot of innovation happening throughout the cybersecurity space, but the threats are still very real and constantly evolving. It is inspiring and encouraging to be a part of a community so dedicated to reducing threats and increasing security.

When we were initially informed that we were selected as a RSAC Innovation Sandbox finalist, someone commented that while third-party risk management isn’t sexy, it is necessary. And that got us thinking.

One of the key challenges third-party risk professionals face is the lack of innovative and automated third-party solutions. Organizations still rely on archaic tools to address evolving third-party threats. It’s no wonder third-party risk management isn’t considered sexy. And it’s no wonder third-party breaches continue to dominate the headlines.

So we wiped the slate clean and asked ourselves: “How should this work?” We believe third-party risk management requires three fundamental components to evolve from the dark ages and truly help organizations identify and reduce risk.

1. An exchange model that creates efficiencies for both third parties and enterprises.

   Data is collected once and used many times. This takes the burden of data collection and response off both sides of the equation.

2. A comprehensive and ongoing approach, not just an outside-in snapshot and not just an annual assessment.

   You wouldn’t buy a house after just seeing it on Zillow; you would at least want a home inspector’s report. The same goes for an important third party. This requires dynamic data that is continuously updated and validated, so you always know where the greatest risks lie at an individual company level and across your portfolio.

3. Structured data and advanced analytics.

   The data needs to be standardized and structured, so organizations can easily run analytics across it and derive actionable insights for risk management.

Once companies join the CyberGRX Exchange, they can find assessments on all of their third parties, of any size. They can also share a comprehensive assessment of their company with all of their upstream customers. This streamlines the process in both directions. So how do we make it sexy?

We have built sophisticated risk models based on known breach kill chains and use AI models to derive additional threat scenarios from them, generating over 16 million attack paths. We categorize these by industry and objective and map them to the control responses provided in a questionnaire. This yields a prioritized list of critical control gaps for any assessed company.

These are actionable insights that allow real risk management. Think of the data we are collecting, and the potential that exists. Imagine a comprehensive understanding of ecosystem risk that extends to fourth-, fifth- or sixth-party risk. We are building a risk-weighted map of the customer-vendor ecosystem, and we have just begun to scratch the surface of the analytic potential.

The solution is constantly evolving and the possibilities are exponential. With that, we think third-party risk management is starting to get a little more sexy.
