One of the cornerstones of a security leader’s job is to successfully evaluate risk. A risk assessment is a thorough look at everything that can impact the security of an organization. When a CISO determines the potential issues and their severity, measures can be put in place to prevent harm from happening.
To select a suitable risk assessment solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Jaymin Desai, Offering Manager, OneTrust
First, consider what type of assessments or control content, such as frameworks, laws, and standards, are readily available for your business (e.g., NIST, ISO, CSA CAIQ, SIG, HIPAA, PCI DSS, NYDFS, GDPR, EBA, CCPA). This is an area where you can leverage templates to bypass building and updating your own custom records.
Second, consider the assessment formats. Look for a technology that can automate workflows to support consistency and streamline completion. This level of standardization helps businesses scale risk assessments to the line of business users. A by-product of workflow-based structured evaluations is the ability to improve your reporting with reliable and timely insights.
One other key consideration is how the risk assessment solution can scale with your business. This is important in evaluating your efficiencies over time. Are the assessments static exports to Excel, or can they be integrated into a live risk register? Can you map insights gathered from responses to adjust risk across your assets, processes, vendors, and more? Consider the core data structure and how you can model and adjust it as your business changes and your risk management program matures.
The solution should enable you to discover, remediate, and monitor granular risks in a single, easy-to-use dashboard while engaging with the first line of your business to keep risk data current and context-rich with today’s information.
Brenda Ferraro, VP of Third Party Risk, Prevalent
The right risk assessment solution will drive program maturity from compliance, to data breach avoidance, to third-party risk management.
There are seven key fundamentals that must be considered:
- Network repository: Uses the ‘fill out once, use with many’ approach to rapidly obtain risk information awareness.
- Vendor risk visibility: Harmonizes inside-out and outside-in vendor risk and proactively shares actionable insights to enhance decision-making on prioritization, remediation, and compliance.
- Flexible automation: Helps the enterprise to place focus quickly and accurately on risk management, not administrative tasks, to reduce third-party risk management process costs.
- Enables scalability: Adapts to changing processes, risks, and business needs.
- Tangible ROI: Reduces time and costs associated with the vendor management lifecycle to justify cost.
- Advisory and managed services: Has subject matter experts to assist with improving your program by leveraging the solution.
- Reporting and dashboards: Provides real-time intelligence to drive more informed, risk-based decisions internally and externally at every business level.
The right risk assessment solution selection will enable dynamic evolution for you and your vendors by using real-time visibility into vendor risks, more automation and integration to speed your vendor assessments, and by applying an agile, process-driven approach to successfully adapt and scale your program to meet future demands.
Fred Kneip, CEO, CyberGRX
Organizations should look for a scalable risk assessment solution that has the ability to deliver informed, risk-reducing decision making. To be truly valuable, risk assessments need to go beyond lengthy questionnaires that serve as check-the-box exercises that don’t provide insight, and they need to go beyond a simple outside-in rating that, alone, can be misleading.
Rather, risk assessments should help you collect accurate and validated risk data that enables decision making and, ultimately, allow you to identify and reduce risk across your ecosystem at the individual level as well as the portfolio level.
Optimal solutions will help you identify which vendors pose the greatest risk and require immediate attention as well as the tools and data that you need to tell a complete story about an organization’s third-party cyber risk efforts. They should also help leadership understand whether risk management efforts are improving the organization’s risk posture and if the organization is more or less vulnerable to an adverse cyber incident than it was last month.
Jake Olcott, VP of Government Affairs, BitSight
Organizations are now being held accountable for the performance of their cybersecurity programs, and ensuring businesses have a strong risk assessment strategy in place can have a major impact. The best risk assessment solutions meet four specific criteria: they are automated, continuous, comprehensive and cost-effective.
Leveraging automation for risk assessments means that the technology is taking the brunt of the workload, giving security teams more time back to focus on other important tasks to the business. Risk assessments should be continuous as well. Taking a point-in-time approach is inadequate, and does not provide the full picture, so it’s important that assessments are delivered on an ongoing basis.
Risk assessments also need to be comprehensive and cover the full breadth of the business, including third- and fourth-party risks, and address the expanding attack surface that comes with working from home.
Lastly, risk assessments need to be cost-effective. As budgets are being heavily scrutinized across the board, ensuring that a risk assessment solution does not require significant resources can make a major impact for the business and allow organizations to maximize their budgets to address other areas of security.
Mads Pærregaard, CEO, Human Risks
When you pick a risk assessment tool, you should look for three key elements to ensure a value-adding and effective risk management program:
1. Reduce reliance on manual processes
2. Reduce complexity for stakeholders
3. Improve communication
Tools that rely on constant manual data entry, remembering to make updates and a complicated risk methodology will likely lead to outdated information and errors, meaning valuable time is lost and decisions are made too late or on the wrong basis.
Tools that automate processes and data gathering give you awareness of critical incidents faster, reducing response times. They also reduce dependency on a few key individuals that might otherwise have responsibility for updating information, which can be a major point of vulnerability.
Often, non-risk management professionals are involved with or responsible for implementation of mitigating measures. Look for tools that are user-friendly and intuitive, so it takes little training time and teams can hit the ground running.
Critically, you must be able to communicate the value that risk management provides to the organization. The right tool will help you keep it simple, and communicate key information using up-to-date data.
Steve Schlarman, Portfolio Strategist, RSA Security
Given the complexity of risk, risk management programs must rely on a solid technology infrastructure, and a centralized platform is a key ingredient to success. Risk assessment processes need to share data and establish processes that promote a strong governance culture.
Choosing a risk management platform that can not only solve today’s tactical issues but also lay a foundation for long-term success is critical.
Business growth is interwoven with technology strategies and therefore risk assessments should connect both business and IT risk management processes. The technology solution should accelerate your strategy by providing elements such as data taxonomies, workflows and reports. Even with best practices within the technology, you will find areas where you need to modify the platform based on your unique needs.
The technology should make that easy. As you engage more front-line employees and cross-functional groups, you will need the flexibility to make adjustments. There are some common entry points to implement risk assessment strategies but you need the ability to pivot the technical infrastructure towards the direction your business needs.
You need a flexible platform to manage multiple dimensions of risk and choosing a solution provider with the right pedigree is a significant consideration. Today’s risks are too complex to be managed with a solution that’s just “good enough.”
Yair Solow, CEO, CyGov
The starting point for any business should be clarity on the frameworks they are looking to cover both from a risk and compliance perspective. You will want to be clear on what relevant use cases the platform can effectively address (internal risk, vendor risk, executive reporting and others).
Once this has been clarified, it is a question of weighing up a number of parameters. For a start, how quickly can you expect to see results? Will it take days, weeks, months or perhaps more? Businesses should also weigh up the quality of user experience, including how difficult the solution is to customize and deploy. In addition, it is worth considering the platform’s project management capabilities, such as efficient ticketing and workflow assignments.
Usability aside, there are of course several important factors when it comes to the output itself. Is the data produced by the solution in question automatically analyzed and visualized? Are the automatic workflows replacing manual processes? Ultimately, in order to assess the platform’s usefulness, businesses should also be asking to what extent the data is actionable, as that is the most important output.
This is not an exhaustive list, but these are certainly some of the fundamental questions any business should be asking when selecting a risk assessment solution.
While digital transformation is understood to be critical, its rapid adoption, as seen with cloud providers, IoT and shadow IT, is creating significant cyber risk for most organizations. Today, these vulnerabilities are only exacerbated by misalignment between IT security professionals and the C-suite.
The research by CyberGRX and Ponemon Institute surveyed 900 IT security professionals and C-level executives covering financial, healthcare, industrial, public sector and retail industries.
Digital transformation is increasing cyber risk
Digital transformation is increasing cyber risk, and IT security has very little involvement in directing efforts to ensure a secure digital transformation process. Such misalignment of resources is illustrated by 82% of respondents believing their organizations experienced at least one data breach as a result of digital transformation.
Fifty-five percent of respondents say with certainty that at least one of the breaches affecting their organization was caused by a third party.
Digital transformation has increased reliance on third parties
Digital transformation has significantly increased reliance on third parties, specifically cloud providers, IoT and shadow IT; and many organizations do not have a third-party cyber risk management program.
Sixty-three percent of respondents say their organizations have difficulty in ensuring a secure cloud environment and 54% of IT security professionals say avoiding security exploits is a challenge.
Additionally, 56% of C-level executives say their organizations find it a challenge to ensure third parties have policies and practices that ensure the security of their information.
IT security and C-suite misalignments
Conflicting priorities between IT security and the C-suite create vulnerabilities and risk. These two groups do not agree on the importance of safeguarding risk areas, including high value assets.
IT security respondents are more likely to say the rush to produce and release apps, plus the increased use of shadow IT, are the primary reasons their organizations are more vulnerable following digital transformation.
In contrast, C-level respondents say increased migration to the cloud and increased outsourcing to third parties make a security incident more likely. The majority of C-level respondents do not want the security measures used by IT security to prevent the free flow of information and an open business model.
Budgets are, and will continue to be, inadequate to secure the digital transformation process. The majority of organizations do not have adequate budget for protecting data assets and don’t believe they will in the future. In fact, only 35% of respondents say they have such a budget.
Because of the risks created by digital transformation, respondents believe the percentage of the IT security budget allocated to digital transformation today should almost double, from an average of 21% to 37%. In two years, the average percentage will be only 37%, and respondents say ideally it should be 45%.
“If there’s one major takeaway from our research, it’s that digital transformation is not going anywhere. In fact, organizations should expect—and plan for—digital transformation to become more of an imperative over time,” says Dave Stapleton, CISO, CyberGRX.
“For this reason, organizations must consider the security implications of digital transformation and shift their strategy to build in resources that mitigate risk of cyberattacks.
“Based on these findings, we recommend involving organizations’ IT security teams in the digital transformation process, identifying the essential components for a successful process, educating colleagues on cyber risk and prevention, and creating a strategy that protects what matters most.”
Security personnel and senior management need to unite
The research identifies trends and best practices from organizations that had mature digital transformation programs in place. These findings suggest that across organizations, flexibility and collaboration—particularly between IT teams and C-level executives—will be key to ensure digital transformation that is both efficient and secure.
Going forward, it is imperative that C-level executives comprehend the level of risk they take on when they become vulnerable to reputational damage brought on by security incidents involving third-party relationships.
At the same time, both security personnel and senior management need to unite on a strategy that lowers the organization’s cyber risk profile while keeping key business goals and operations in sync. Finally, significant investments in skilled personnel and the technologies that secure and protect data and assets must be made to reduce third-party risk.
CyberGRX, provider of the world’s first and largest global cyber risk exchange, announced that it has raised $40 million in Series D funding led by ICONIQ Capital, which has also backed fast-growth companies such as Datadog, Gitlab, Procore and Snowflake.
Existing investors AllegisCyber, Bessemer Venture Partners, The Blackstone Group, ClearSky, GV, MassMutual Ventures, Scale Venture Partners and TenEleven Ventures also participated in the round.
This investment precedes another year of tremendous growth for CyberGRX, which anticipates closing the year with a 5x increase in recurring revenue and more than 54,000 organizations worldwide on its Exchange. To date, the company has raised a total of $100 million in equity financing.
With this raise, CyberGRX will continue to disrupt industry inertia around third-party cyber risk management (TPCRM) by advancing its innovative and proven approach to reducing third-party cyber risk.
The additional funds will enable the company to meet increasing demand, including expanding internationally and driving innovative product development in a direction that eradicates current mundane, time-consuming procedures.
To help steer the company’s enterprise growth strategy, Doug Pepper, General Partner, ICONIQ Capital, has joined CyberGRX’s board of directors.
“We are excited to partner with CyberGRX to actively support its continued growth and focus on product innovation,” said Pepper.
“As third-party related breaches continue to increase and as enterprises are exposed to an increasing number of third-party cyber risks, we recognize there is a clear need in the market for a modern approach to third-party cyber risk management.
“We believe that CyberGRX is uniquely positioned as a highly scalable third-party cyber risk management platform, with structured assessments and rich analytics, which is enabling a shift towards automation of risk identification and mitigation.”
CyberGRX has zeroed in on one of the most expensive and exploited attack vectors in cybersecurity with a mission of developing innovative software to mitigate the challenges organizations face in managing it.
Plagued with outdated solutions, third-party cyber risk management has been a painful and frustrating process that has drained valuable IT resources as well as confidence between partners, leadership, and other business stakeholders.
Globally, organizations have turned to CyberGRX to break the status quo and TPCRM inertia, and finally, start effectively managing and reducing third-party cyber risk.
“We are grateful to have ICONIQ as our partner as we continue to disrupt the cybersecurity and TPCRM markets,” said Fred Kneip, CEO, CyberGRX. “With their support, we aim to truly redefine the role of TPCRM in cybersecurity and create safer ecosystems for our customers.”