Exchanges, GRC Tools, and Risk Scans: The Differences Matter

By Gary Phipps, Vice President of Solution Architecture

If you are (or will be) evaluating solutions to automate your third-party cyber risk management (TPCRM) program, read this; it might save you some time. There are more solutions available to address this business challenge than you can possibly evaluate, and most of them are not directly comparable.

In the risk management space, multiple types of solutions compete for your dollar, and solution providers have thoroughly confused the market. While many of these offerings compete for the same spend, they really aren’t competitors at all. I have seen a vendor risk management ranking quadrant that compares the capabilities of GRC platforms, platforms as a service (PaaS), ratings companies, ERP bolt-ons, consulting providers, procurement and sourcing platforms, and the Exchange as if they were interchangeable. All of these solutions address third-party cyber risk management in vastly different ways; comparing them to one another is like comparing apples to baseball stadiums. Let’s break down the differences between the Exchange, GRC platforms, ratings companies, platforms as a service, consulting providers, and more.

When selecting a solution, ask yourself (or whoever controls your budget), “do I want a solution to help me do this myself or do I want someone else to do this for me?”

In the “do I want to do this myself” category:

GRC: The Governance, Risk and Compliance platform provides the essential forms and data structure to manage any type of risk discipline. In the box there will be a risk register, a control framework, assessment management (internal or external), some form of issues management, and probably some workflow and dashboards. You are going to have to hire consultants to help implement it, and you will have to come up with your own content for your assessments, risk register and control framework. Sounds a bit like Ikea, doesn’t it? You will end up with a table, but you are going to have to put it together first.

Platform as a Service (PaaS): Think Ikea again, but in this case, instead of table parts arriving in a box, you receive a table saw, a planer, some polyurethane, a map to the nearest lumber yard, etc. PaaS solutions provide all of the essential application components, e.g. blank forms that you can configure, such as workflow templates, reports and alerts. You have to build the whole solution from scratch before you can start assessing your vendors, but you have guidance.

In the “get someone to do it for me” bucket:

Consulting: You can hire a consultant to do just about anything; they’ll wash your car if you want. If you hire consultants to perform risk assessments, you had better get comfortable: anything paid by the hour is diametrically opposed to efficiency. This is going to be your most customizable solution and also the most expensive. If you conduct more than 100 assessments a year, be ready to pay a premium.

Ratings Companies: These providers scan the internet-facing perimeter of your vendors’ networks to see whether they earn the Good Housekeeping seal of approval. It’s a fast, high-level thumbs-up or thumbs-down. Because the scan only sees what a vendor exposes externally, it can produce false positives and will likely not show the full view of the risk a vendor poses. It is like buying a house on curb appeal alone, without an inspection of the nitty-gritty details of the house itself (structural integrity, building materials, age, termites, etc.).

The Exchange: Exchange models are not new. Two-sided marketplaces have been around for a long time; think eBay, Uber, Lyft, Instacart, etc. Exchanges bring buyers and sellers together for mutual benefit. In the ride-share model, the app finds people who need transportation and pairs them with people who have cars and free time. In the TPCRM context, the Exchange ushers vendors through a standardized cybersecurity risk assessment and then provides that data to enterprises that want a validated assessment of their vendors. This model is the most efficient way to assess your vendors. It lets vendors get broader use out of the assessment task (which everyone hates, believe me): instead of repeatedly answering the bespoke questionnaire coming out of a GRC platform or a PaaS solution, the assessment is already there. Just click ‘Share’.

All of these solutions drive toward the same conclusion: they aim to tell you what risks a vendor exposes you to, but they do it in very different ways. Before you head to the lot to kick tires, decide whether you would rather hop on a high-speed train or build your own car.

Having 360-degree visibility into your entire third-party vendor ecosystem is imperative to keeping your organization safe.

Armed with tools like the powerful Framework Mapper, CyberGRX customers gain complete visibility into the security postures of their entire vendor ecosystem, enabling them to proactively identify control gaps within their third parties before those gaps are exploited. It's time to defend yourself differently.

