Posted by Michael Reedy on March 8, 2017
“Why can’t we perform one assessment and share with all our portfolio companies?” asked the CISO, after realizing that 50 of the 115 companies in his portfolio were all performing separate cyber risk assessments on the same Human Capital Management provider.
What began with this simple question has evolved into the world’s first end-to-end third party cyber risk management (TPCRM) platform and exchange.
CyberGRX was designed in collaboration with some of the world’s most sophisticated cybersecurity organizations, including Aetna, ADP, MassMutual, Blackstone, and others, to answer the question, “Which of my third parties poses the greatest risk to my organization according to today’s threat landscape?”
It is a 180° turn from current Third Party Cyber Risk Management (TPCRM) strategies, which are largely based on spreadsheets, unvalidated self-questionnaires and manual remediation efforts that provide no scale and limited visibility.
Today’s Broken Third Party Cyber Risk Management Strategy
Organizations today operate in an environment that is highly complex and full of disruptors. To keep pace, organizations rely on outsourcing, cloud providers and other services to reduce costs, add value, and drive agility.
But this agility comes with cyber risk. Cybercriminals have discovered that third parties are the path of least resistance to gaining access to your confidential information.
So, how have organizations responded?
They typically utilize a cobbled together combination of:
- “Shared spreadsheet” assessments
- Contrived GRC tools
- Consulting services
- Internal resources
The result? Few businesses can answer the most important question in TPCRM – “Which of my third parties poses the most risk to my organization today?”
A Different Approach to Third Party Cyber Risk Management
Organizations today require a scalable, transformative way to manage third-party cyber risks: one that provides unified visibility into their third-party risk posture at the touch of a button and encourages their third parties to see value in their participation.
The market requires a platform that is risk-based, simple, and cost-effective. An adaptive exchange that drives innovation and adds value to your business model.
Reduce Cost – A platform that leverages a crowdsourced model and an exchange so an assessment can be performed once and shared with multiple upstream business partners.
Manage Complexity – A framework and assessment strategy that is simplified and standardized to reduce the number and variety of questionnaires third parties must answer.
Mitigate Risk – A platform that uses threat modeling and advanced analytics to better understand digital ecosystem risks. Organizations need to view residual risk from central control gap assessments in detailed analytic models. To facilitate mitigation, organizations need collaboration tools to manage and facilitate remediation on a centralized dashboard.
Introducing CyberGRX (Global Risk Exchange)
After countless hours of researching, fine-tuning, and implementing feedback from our design partners – ADP, Aetna, MassMutual, Blackstone, and others – we are proud to introduce CyberGRX.
The CyberGRX Exchange is the market’s first cyber risk exchange, designed to make it simple, easy and cost-effective to get up-to-date, comprehensive, one-click access to third parties’ cyber risk assessments. We allow your team to move from being data collectors to being third-party risk mitigators.
Your team will always be prepared to answer the question, “Which of our third parties poses the most cyber risk to us today?”
Three primary things are driving the need for enhanced third party cyber security today:
- Businesses must outsource non-core functions to third parties to improve agility and compete in a global marketplace full of disruptors.
- Regulatory requirements and scrutiny of third-party programs are increasing.
- Attacks from third parties are the second biggest source of security incidents.
We’ve worked hard to make sure both sides – enterprises and their third parties – are satisfied and empowered by the CyberGRX Platform & Exchange.
For Enterprises:
Plan: The proprietary CyberGRX algorithm tiers your third parties based on inherent risk factors.
Assess: Order assessments from the CyberGRX Exchange. Our team provides Risk Assessment as a Service (RAaaS) in the form of an on-site assessment or a portal-based self-assessment that is always up-to-date.
Mitigate: CyberGRX prioritizes the most appropriate mitigation strategy and enables collaboration with your third parties to reduce phone calls and emails.
Monitor: The market’s only continuous monitoring from the inside/out and outside/in. Correlate threat intelligence to weak controls to dynamically reprioritize levels of due diligence.
For Third Parties:
Getting Assessed: The CyberGRX assessment is simplified, straightforward, and comprehensive. It is updated every ninety days. No more spreadsheets. No more quarterly rushes to fill out similar data in a different format. Easily delegate assessment responsibilities within the CyberGRX platform.
Sharing with Upstream Partners: You have the capability to send your CyberGRX assessment to any of your upstream partners.
Collaborate: Collaboration tools make it possible to better work with upstream partners to keep track of mitigation steps.
The Future of Third Party Cyber Risk Management
In 2017, cybersecurity professionals are faced with unprecedented challenges in TPCRM. As digital ecosystems continue to grow, it can seem like an insurmountable task for cybersecurity professionals to manage digital ecosystem complexity and mitigate cyber risks, all while trying to help meet their organization’s bottom line.
A CISO at one of America’s largest media companies recently expressed his own frustrations with third-party risk management. He told us, “I have two cybersecurity professionals dedicated to third-party risk. I need 15-17. I run compliance audits on 100 vendors, but should be doing 700.”
We believe these challenges are not insurmountable. Organizations just need a better way to manage third-party risks, and that requires a better approach. With the CyberGRX approach, your organization will finally know which of its third parties poses the greatest risk, and it will have the tools to manage that risk.