Based in Denver, CyberGRX is the world’s first end-to-end, third-party cyber risk management exchange platform that brings efficiency to today’s broken spreadsheet-based approach. The platform provides a full spectrum of Risk Assessments as a Service (RAaaS), threat correlation to weak controls and, for the first time, a cyber risk assessment exchange.
I recently sat down with our CEO, Fred Kneip, to learn more about this innovative third-party cyber risk management platform and risk exchange.
What were you doing prior to starting CyberGRX?
Fred: I was the Head of Security and prior to that the Head of Compliance at Bridgewater Associates, a large hedge fund. We had a pretty robust physical and staff security program but there was definitely room for improvement in cyber. Over my two and a half year tenure in the role, I needed to really ramp up my understanding of the cyber risk management space to build the program effectively. This was my first real exposure to the complexities of third-party risk management.
Give me a brief history of CyberGRX.
Fred: I wish I could take credit for it, but CyberGRX is the brainchild of Jay Leek at Blackstone – now at ClearSky Security. Jay was thinking about the inefficiencies of third-party risk management across his portfolio. In an ad-hoc survey of his portfolio companies, he found that 90 of his 115 portfolio companies were using the exact same vendor. Fifty of those were doing a full-blown assessment of that vendor every year.
He realized this was completely inefficient and thought, “Why don’t we perform one cyber risk assessment of this vendor and share the across all portfolio companies?” It could at least improve some programs and streamline others. In speaking with his peers at other companies, he discovered this was a massive challenge across a growing number of third parties.
Jay quickly realized his idea of solving a problem at Blackstone had farther reaching market implications. I connected with Jay in June of 2015, and when he shared his vision, he and I decided that we wanted to make this a reality. The company was officially formed in October of 2015. We went out and built our consortium of design partners and went from there.
How did you come up with the name?
Fred: The original name was actually Global Risk Exchange. As we spoke with people about our concept, they were trying to figure out what exactly we were covering. So we put “cyber” on the front of it to help delineate that. We will see over time if that sticks. It is more of a matter of what we are focusing on right now. The whole idea is the exchange of information, not “one to one” but “one to many.”
What makes CyberGRX unique? How does the company and product differ from others?
Fred: It’s hard to point out one thing. It is the only platform that allows people to holistically transform their third-party risk management program in terms of reducing risk and costs. The concept of the exchange of assessments is very unique. We are the first on both of these fronts.
There are plenty of tools or processes out there that help you identify more information, but there are few that actually help you holistically think about your problem. There is a lot of focus on risk identification, but not actionable recommendations. Part of the unique benefit of the CyberGRX platform is it not only helps identify risk, but reports are structured in the right way to help you do something about it, with the same or less resources.
Also, performing advanced analytics on your entire ecosystem of third parties simply isn’t being done today in the market. The CyberGRX platform allows a user to review their third parties as a portfolio, filtered or sorted as necessary to make risk decisions. This helps cyber risk managers ensure they are focusing on the right issues. It effectively takes on the role of being one step shy of a managed service. I think that is pretty unique.
The way CyberGRX was formed is also different. Instead of a regulatory body coming up with this or some kind of ad-hoc consortium, we sat down with real practitioners at Aetna, ADP, MassMutual, Blackstone and other top firms and had detailed working sessions really thinking through what made sense. We helped them trade off the better or worse components of their programs. We developed streamlined approaches that actually cover the majority of what is necessary to accurately understand the cyber risk posed by a third party and facilitate ongoing management.
Fred: Denver is a great place with something for everyone. We looked at a variety of locations. There were several things we were looking for in a home.
First we looked into emerging areas of cyber talent. Of course, the east and west coast were the first to come up. Then the Austin-San Antonio corridor and the Denver-Boulder area stood out along with a variety of rather small pockets. After we overlaid cost of living, we took the coasts off our list. Then we looked at general quality of life and where people wanted to go. Denver was a no-brainer for us.
What were the benefits of having design partners?
Fred: It helped us really address the product-market fit question up front. We were able to take a good idea and then bring it to business practitioners, expand and reshape it and then bring it to market. Versus the concept of building something cool and then trying to push it onto people. We have been sitting and thinking with the people who work on this problem day in and day out. We have spent hours upon hours working with each of them to help them to go through their programs.
That has helped us identify a lot of things we weren’t originally thinking about. It has helped us tailor the user experience, the metrics, and all of the information we are providing to be a fully market ready product. We are leap-frogging the typical startup iterative approach of putting something out there, getting the customer feedback, iterating again. We are starting a couple of steps into that approach as a result.
What book are you reading now?
Fred: Right now I am reading a book called Multipliers which is effectively about recognizing the success of business is not you but the team. How do you empower them? How do you allow them to really grow to reach their potential? I am working through a variety of tips and tools on that front.
What is the best piece of advice you ever received?
Fred: Interestingly, it came later in my career and I wish I had gotten it earlier. It is pretty straightforward, “Don’t be afraid to say I don’t know.” I spent too much of my career thinking I always had to have the right answer. That I always had to be the smartest guy in the room and quite often that not being the case. It is so much better to actually say, “Wait a minute, I don’t understand that, let me get into that.” Then you can become so much more effective at digging in and helping solve problems.
Where do you see CyberGRX in the next 5 years?
Fred: The possibilities are endless where we can grow with this platform. We think it is going to have an explosive viral growth as every customer is a potential third-party and every third-party is a potential customer. As we add more and more to the platform we expect our community to grow.
We believe we are helping create a market-based force to ultimately improve cybersecurity across the entire market. I am excited to be a part of that. Right now we are offering cybersecurity. But it is pretty easy to scale beyond that and go into other products as well.
Thanks to Fred for sharing insights on CyberGRX.