I've Filled Out Those Damn Third-Party Spreadsheets

by Marc Haverland

I’ve been focused on building technology startups for over two decades now, and I have had the opportunity to build a few to significant scale, with a long life after successful acquisition into larger enterprises. One of the key components of success in B2B startups is landing that first big enterprise customer, and then landing a few more significant enterprise customers.

With enterprise customers, however, comes the risk of being buried in the care and feeding of those customers: they are often held to stringent compliance requirements, and they in turn require their third-party vendors to step up significantly to meet similar requirements. You start receiving requests to fill out a “brief security questionnaire”: it’s just a check-the-box thing; shouldn’t take long.

You know where I’m going. Another request comes in to fill out a twelve-tab Excel-based questionnaire on your security posture and the controls you have in place. It is, of course, structured differently from the first. Another comes in, and you try to copy and paste as much as possible, but you can’t really build up a reusable document, because the requests are always just different enough to confound your efforts at efficiency.

I’ve been there many, many times. I’ve filled out third-party spreadsheets for larger enterprise customers. In enterprise roles, I’ve evaluated the text-based answers of my vendors and tried to derive an understanding of their risk profile. No more!

I joined CyberGRX to head up the technology group because I believe CyberGRX has a better way: vastly more efficient, more unified, and more comprehensive than the home-grown spreadsheet-based security assessments.

The benefits go to both the assessed third party and the enterprise risk manager or CISO who must request, review, and update dozens or hundreds of third-party assessments.

The better way looks like this to the risk manager at a larger enterprise who needs to assess multiple third-party vendors: log on to your CyberGRX account and see an overall portfolio view, based on known pre-assessment characteristics, across your entire ecosystem.

Request assessments on several vendors (or upload a list of hundreds) that you want to drill down on in more detail. You see that some of your vendors already have recent assessments, so you simply request them; the vendor authorizes your access, and all of a sudden several assessments are already done, further informing the analytics view of risk across your portfolio.

Those who haven’t done a CyberGRX assessment get a request to do so on your behalf, and soon it appears on your dashboard. You get an ecosystem view of your vendors, and the ability to filter and identify high risks, and different types of risk, across your ecosystem. The life of a risk manager just got a lot more efficient!

The better way looks like this to the third-party vendor being assessed: your new enterprise customer has requested an assessment of you, but since you’ve just completed one for another customer, you simply authorize its release. Done! If you haven’t had one requested yet, the CyberGRX platform lets you step through one of several assessment tiers, save your work along the way, and come back to complete the assessment, while the platform identifies all the gaps.

No more twelve-tab spreadsheets! You benefit from seeing the analysis of your own security posture, and you can address items before finalizing the assessment. Your enterprise customer is automatically notified, and your assessment task is done. Back to building your business!

The benefits are clear to both sides of the relationship: efficiently manage your risk across an ecosystem of vendors, and efficiently respond to your customers’ requests for security assessments.

Ever-increasing security risks, and the need for ever more mature security controls, are not going away. Today’s modern, interconnected enterprise and vendor ecosystem needs better tools to analyze and manage interconnected third-party risk.

Because the challenges of security are not going away, we must develop stronger, more efficient processes to meet them head-on and at scale. CyberGRX is a key tool in your toolbox for these challenges, whether you are a large enterprise with dozens or hundreds of third parties to assess, or you need to provide your company’s assessments to your customers.

Join the CyberGRX Exchange and stop filling out those damn spreadsheets.