Third party cyber risk management platform CyberGRX is aiming to transform the assessment process by enabling organisations to share completed assessments with multiple parties
With around 60% of security breaches linked to third parties, according to the Ponemon Institute, third-party cyber risk management (TPCRM) is an essential component of a multi-layered approach to data security – albeit one that has historically been slow, labour-intensive, expensive to administer and often unreliable.
In 2015, CyberGRX was set up to address these shortcomings by providing an automated SaaS platform for the ordering, completion and sharing of TPCRM assessments. Since then, it has attracted almost $100 million in funding from venture capital organisations and completed assessments for 6,000 organisations, including 60% of the Fortune 500.
Walter Specht, Director of Worldwide Channel Development & Alliances at CyberGRX, says the company came into being for the simple purpose of helping organisations to get a handle on the security posture of their third parties or vendors.
“The way that many organisations would onboard a new vendor – law firm, payroll company, cleaning company, whatever – was to send them a spreadsheet with a set of questions that varied in size and detail according to the criticality of that vendor to the business.
“We help organisations manage that process, but instead of sending spreadsheets and hiring expensive risk people to chase that data around and hunt down the answers to those questions, we created an online platform that allows a company to order three tiers of assessment for a particular vendor and then we go and facilitate the completion of that assessment with the vendor.”
CyberGRX assessments are based on a third party’s self-declarations, which are then validated by CyberGRX and its community of validation partners, using evidence request sheets to collect any additional data that might be required.
Nick Swallow, Director of Solutions Architecture, EMEA at CyberGRX, says that validation is one of the key factors distinguishing CyberGRX from competitors. Another is the effort it takes to contextualise data, resulting in more nuanced risk assessments.
“We cross-reference any weaknesses we come across against the live threat landscape. So, if they have something that may be considered a medium risk gap, but which corresponds to attacks that are happening today, we would go ahead and elevate that,” he said.
One to many
Once a third-party cyber risk assessment has been completed it is added to the CyberGRX exchange where it can be accessed by any other business with that vendor’s approval.
This prevents duplication of effort by the vendor, as they only need to complete a CyberGRX assessment once – a process that typically takes 20 to 30 hours – while also making it easier for their customers to get the information they need.
“If every single company that wanted to bring on Rolls Royce as a vendor did a security assessment, Rolls Royce would be bogged down with assessments and customers would risk not getting that data. We have streamlined the process so Rolls Royce can do one CyberGRX assessment, validated by CyberGRX and our validation partners, which is then stored on our exchange and updated at least annually, with no limit on how many customers can order that assessment,” explains Specht.
“Some global vendors are assessed 4,000 or 5,000 times or more every year. If you are now able to do one assessment and maybe answer a few follow-on questions from companies that have specialised practices or work that they do outside the realm of CyberGRX, the amount of time saved and the amount of people and resources and dollars they are now able to reassign to other areas of the business is just awesome.”
The main market for CyberGRX assessments is large organisations in regulated industries like banking, financial services, insurance, life sciences and healthcare that might deal with hundreds or thousands of suppliers. Ordering assessments from CyberGRX enables such organisations to marshal their resources so that they can spend more time on risk mitigation and less on assessments.
Its services might also be attractive to medium-sized businesses that don’t have extensive in-house resources and which often lack leverage in getting third party cyber risk assessments underway. As the number of assessments that can be pulled down from the exchange continues to grow, its usefulness for medium-sized organisations will only increase.
In this context, Max Dalziel, CyberGRX Director of Strategic Accounts EMEA, draws a distinction between the data consumers – the big organisations in regulated industries – and the data providers, the smaller companies in the supply chain that, he says, are increasingly taking a proactive approach and asking to complete assessments unilaterally.
“People are contacting us and asking to complete a CyberGRX assessment because they know they can reuse it. They are saying ‘We have received Google’s CyberGRX assessment and really like the way it was structured. Can we go ahead and complete one ourselves so that when big bank ABC comes along, instead of completing a 500-row spreadsheet we can say “We have looked at your questions. They are all answered in our CyberGRX assessment. Here’s a link. You have permission to access our responses.” ’ ”
Last year, CyberGRX increased the number of validated assessments on its exchange by 180%. This year, that number is likely to grow again, further strengthening the CyberGRX proposition.