Relationships of any kind are usually based on mutual trust, and it is no different when it comes to third parties–especially considering today’s cyber attack surface. Assessments can help define areas where third parties struggle or shine, but who is to say those third parties are answering the assessments accurately or even understand what they are being asked? Sometimes it is difficult to gauge how much trust should be extended. Add to this that there are usually fourth and fifth parties down- or upstream, and that’s a lot of trust being extended.
Let’s take a quick look at what trust means. Trust is a noun defined as a “firm belief in the integrity, ability, or character of a person or thing; confidence or reliance; the condition and resulting obligation of having confidence placed in one.” Consider the following quotes:
- "It takes 20 years to build a reputation and five minutes to ruin it." ~ Warren Buffet
- "Leadership requires five ingredients--brains, energy, determination, trust, and ethics. The key challenges today are in terms of the last two--trust and ethics." ~ Fred Hilmer
With those words in mind, how should companies approach showing they are trustworthy, and how do they go about gaining that trust? We believe the answer is transparency: trust requires transparency, and transparency requires an exchange of information. CyberGRX has made it a point to dig into what trust looks like and how it can be better expressed on our Platform so our members feel confident in the third parties they choose to do business with (and in us!). We want that confidence to be based not only on the answers provided in assessments, but also paired with your understanding of that company’s reputation, employees, executive board, relationships with other businesses, current industry trends, etc.
Transparency to CyberGRX means Exchange members have the ability to upload documents to verify and validate the answers they provided in their assessment, such as SOC 2 compliance reports, written policies, previously completed assessments or audit reports, appropriate screenshots, standard operating procedures (SOPs), and runbooks. These are great pieces of evidence, however, what do they say about trust? Does this documentation really express, “We hold ourselves to a higher standard, and here’s the proof?” Or does it just check the boxes many companies hope to see so they feel safe? Our validation process answers these questions. In the words of Ronald Reagan: trust, yet verify.
CyberGRX’s Chief Information Security Officer David Stapleton stated, “Every assessment must include certain questions (How do you encrypt data? How do you patch systems?) in order to collect data and establish trust. But there are other important questions that aren't as focused on traditional cybersecurity controls and should be points of discussion, as assessments will not cover every concern pertinent to your organization. Perhaps we should more commonly ask questions like: Does your CISO sit on your executive team? What is the ratio of employees to security staff at your company? What percentage of your overall budget is spent on cyber?” Then make sure to keep this conversation around trust open and two-sided for the best results.
Our Platform provides a way to explore any Exchange member’s inherent risk, residual risk, and even predicted risk. If a third party does not currently exist in our ecosystem, we are still able to predict with up to 85% accuracy the risk associated with that company based upon industry classification, threat intelligence, and perimeter scanning data. We feel these features are a solid foundation for identifying and establishing trust.