How do I select a risk assessment solution for my business?

One of the cornerstones of a security leader’s job is to successfully evaluate risk. A risk assessment is a thorough look at everything that can impact the security of an organization. When a CISO determines the potential issues and their severity, measures can be put in place to prevent harm from happening.

To select a suitable risk assessment solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Jaymin Desai, Offering Manager, OneTrust

First, consider what type of assessments or control content such as frameworks, laws, and standards are readily available for your business (e.g., NIST, ISO, CSA CAIQ, SIG, HIPAA, PCI DSS, NYDFS, GDPR, EBA, CCPA). This is an area where you can leverage templates to bypass building and updating your own custom records.

Second, consider the assessment formats. Look for a technology that can automate workflows to support consistency and streamline completion. This level of standardization helps businesses scale risk assessments to the line of business users. A by-product of workflow-based structured evaluations is the ability to improve your reporting with reliable and timely insights.

One other key consideration is how the risk assessment solution can scale with your business. This is important in evaluating your efficiencies over time. Are the assessments static exports to Excel, or can they be integrated into a live risk register? Can you map insights gathered from responses to adjust risk across your assets, processes, vendors, and more? Consider the core data structure and how you can model and adjust it as your business changes and your risk management program matures.

The solution should enable you to discover, remediate, and monitor granular risks in a single, easy-to-use dashboard while engaging with the first line of your business to keep risk data current and context-rich with today’s information.

Brenda Ferraro, VP of Third Party Risk, Prevalent

The right risk assessment solution will drive program maturity from compliance, to data breach avoidance, to third-party risk management.

There are seven key fundamentals that must be considered:

  • Network repository: Uses the ‘fill out once, use with many’ approach to rapidly obtain risk information awareness.
  • Vendor risk visibility: Harmonizes inside-out and outside-in vendor risk and proactively shares actionable insights to enhance decision-making on prioritization, remediation, and compliance.
  • Flexible automation: Helps the enterprise to place focus quickly and accurately on risk management, not administrative tasks, to reduce third-party risk management process costs.
  • Enables scalability: Adapts to changing processes, risks, and business needs.
  • Tangible ROI: Reduces time and costs associated with the vendor management lifecycle to justify cost.
  • Advisory and managed services: Has subject matter experts to assist with improving your program by leveraging the solution.
  • Reporting and dashboards: Provides real-time intelligence to drive more informed, risk-based decisions internally and externally at every business level.

The right risk assessment solution selection will enable dynamic evolution for you and your vendors by using real-time visibility into vendor risks, more automation and integration to speed your vendor assessments, and by applying an agile, process-driven approach to successfully adapt and scale your program to meet future demands.

Fred Kneip, CEO, CyberGRX

Organizations should look for a scalable risk assessment solution that has the ability to deliver informed risk-reducing decision making. To be truly valuable, risk assessments need to go beyond lengthy questionnaires that serve as check-the-box exercises that don’t provide insight, and they need to go beyond a simple outside-in rating that, alone, can be misleading.

Rather, risk assessments should help you to collect accurate and validated risk data that enables decision making, and ultimately, allow you to identify and reduce risk ecosystem at the individual level as well as the portfolio level.

Optimal solutions will help you identify which vendors pose the greatest risk and require immediate attention as well as the tools and data that you need to tell a complete story about an organization’s third-party cyber risk efforts. They should also help leadership understand whether risk management efforts are improving the organization’s risk posture and if the organization is more or less vulnerable to an adverse cyber incident than it was last month.

Jake Olcott, VP of Government Affairs, BitSight

Organizations are now being held accountable for the performance of their cybersecurity programs, and ensuring businesses have a strong risk assessment strategy in place can have a major impact. The best risk assessment solutions meet four specific criteria: they are automated, continuous, comprehensive and cost-effective.

Leveraging automation for risk assessments means that the technology is taking the brunt of the workload, giving security teams more time back to focus on other important tasks to the business. Risk assessments should be continuous as well. Taking a point-in-time approach is inadequate, and does not provide the full picture, so it’s important that assessments are delivered on an ongoing basis.

Risk assessments also need to be comprehensive and cover the full breadth of the business, including third- and fourth-party risks, and address the expanding attack surface that comes with working from home.

Lastly, risk assessments need to be cost-effective. As budgets are being heavily scrutinized across the board, ensuring that a risk assessment solution does not require significant resources can make a major impact for the business and allow organizations to maximize their budgets to address other areas of security.

Mads Pærregaard, CEO, Human Risks

When you pick a risk assessment tool, you should look for three key elements to ensure a value-adding and effective risk management program:

1. Reduce reliance on manual processes
2. Reduce complexity for stakeholders
3. Improve communication

Tools that rely on constant manual data entry, remembering to make updates and a complicated risk methodology will likely lead to outdated information and errors, meaning valuable time is lost and decisions are made too late or on the wrong basis.

Tools that automate processes and data gathering give you awareness of critical incidents faster, reducing response times. They also reduce dependency on a few key individuals that might otherwise have responsibility for updating information, which can be a major point of vulnerability.

Often, non-risk management professionals are involved with or responsible for implementation of mitigating measures. Look for tools that are user-friendly and intuitive, so it takes little training time and teams can hit the ground running.

Critically, you must be able to communicate the value that risk management provides to the organization. The right tool will help you keep it simple, and communicate key information using up-to-date data.

Steve Schlarman, Portfolio Strategist, RSA Security

Given the complexity of risk, risk management programs must rely on a solid technology infrastructure, and a centralized platform is a key ingredient to success. Risk assessment processes need to share data and establish processes that promote a strong governance culture.

Choosing a risk management platform that can not only solve today’s tactical issues but also lay a foundation for long-term success is critical.

Business growth is interwoven with technology strategies and therefore risk assessments should connect both business and IT risk management processes. The technology solution should accelerate your strategy by providing elements such as data taxonomies, workflows and reports. Even with best practices within the technology, you will find areas where you need to modify the platform based on your unique needs.

The technology should make that easy. As you engage more front-line employees and cross-functional groups, you will need the flexibility to make adjustments. There are some common entry points to implement risk assessment strategies but you need the ability to pivot the technical infrastructure towards the direction your business needs.

You need a flexible platform to manage multiple dimensions of risk and choosing a solution provider with the right pedigree is a significant consideration. Today’s risks are too complex to be managed with a solution that’s just “good enough.”

Yair Solow, CEO, CyGov

The starting point for any business should be clarity on the frameworks they are looking to cover, both from a risk and a compliance perspective. You will want to be clear on what relevant use cases the platform can effectively address (internal risk, vendor risk, executive reporting and others).

Once this has been clarified, it is a question of weighing up a number of parameters. For a start, how quickly can you expect to see results? Will it take days, weeks, months or perhaps more? Businesses should also weigh up the quality of user experience, including how difficult the solution is to customize and deploy. In addition, it is worth considering the platform’s project management capabilities, such as efficient ticketing and workflow assignments.

Usability aside, there are of course several important factors when it comes to the output itself. Is the data produced by the solution in question automatically analyzed and visualized? Are the automatic workflows replacing manual processes? Ultimately, in order to assess the platform’s usefulness, businesses should also be asking to what extent the data is actionable, as that is the most important output.

This is not an exhaustive list, but these are certainly some of the fundamental questions any business should be asking when selecting a risk assessment solution.

Prevalent offers questionnaires for all levels of the CMMC to C3PAOs and DoD contractors

Prevalent announced that it is the first third-party risk management company to offer questionnaires for all five levels of the CMMC to certified third-party audit organizations (C3PAOs) and Department of Defense (DoD) contractors.

The leader in third-party risk management provides the only solution to assess, monitor and remediate risks across all CMMC domains and practice areas.

“Companies are under tremendous pressures to ensure that their supply chains are secure and resilient,” stated Brad Hibbert, chief strategy officer for Prevalent.

“In today’s environment it’s more important than ever to ensure that third-party suppliers are compliant with DoD standards. Prevalent prides itself on providing contractors and auditors with questionnaires to support all of the certification levels needed to ensure a secure supply chain.”

On January 31, 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment in the DoD released v1.0 of the CMMC. Developed to serve as a single cybersecurity standard for all future DoD acquisitions, CMMC requires that each of the more than 300,000 DoD contractors become CMMC certified beginning in October 2020, with a five-year phase-in and renewals every three years after that.

The Prevalent Third-Party Risk Management Platform simplifies and accelerates risk identification and audit reporting with a single cost-effective platform for all CMMC questionnaire levels.

The solution automatically creates, quantifies and contextualizes risks from questionnaire responses in order to streamline the risk assessment process and provides prescriptive guidance and recommendations to contractors in order to improve their security hygiene and compliance standing.

The platform improves visibility with clear scoring and compliance status against accepted DoD standards and ensures auditors and contractors use the most current questionnaires with automatic updates. The platform enables C3PAO auditors and DoD contractors to assess and demonstrate CMMC compliance.

With Prevalent, CMMC certified auditors can use the platform with all five levels of CMMC controls questionnaires included. Certified auditors can:

  • Invite clients into the Prevalent platform to complete standardized control assessments in an easy-to-use, secure tenant
  • Automate chasing reminders to clients to reduce the time required to complete assessments
  • Centralize supporting documents submitted as evidence of the presence of controls
  • Produce a single risk register based on client responses
  • Issue remediation recommendations for failed controls

Additionally, any DoD contractor can use the platform to conduct a pre-assessment prior to the formal audit. With this access, DoD contractors can:

  • Assess against the controls required to measure any level of compliance
  • Upload documentation and evidence to support answers to questions
  • Gain visibility into current compliance status
  • Leverage built-in remediation guidance to address shortcomings prior to a formal audit
  • Produce compliance reports for auditors

Third-party risk is broken, businesses unprepared for supply chain disruptions

Many companies are not dedicating proper resources to assess third-party risks, and those that are still lack confidence in their programs, according to Prevalent.


Supply chain disruptions

As a result, there are real consequences including loss of revenue, loss of productivity, and loss of reputation – all of which can jeopardize resiliency and are amplified given today’s supply chain concerns related to COVID-19.

“Organizations are starting to ask the question about what happens to them if their supply chain partners go out of business. Sadly, most companies don’t have the risk visibility into their supply chains to answer that question,” stated Brenda Ferraro, VP of third-party risk at Prevalent.

“How can they expect to adequately manage their own risk without understanding the risks vendors and partners pose?”

Key findings from the report

  • Lack of confidence in the program inhibits results: 54% of organizations have some meaningful experience in conducting third-party risk assessments, yet only 10% are extremely confident in their programs.
  • Significant consequences: 76% of respondents said that they experienced one or more issues that impacted vendor performance – resulting in a loss of productivity (39%), monetary damages (28%) and a loss of reputation (25%).
  • Unsatisfactory number of assessments: 66% of respondents say they should be assessing more than three-fourths of their top tier vendors but aren’t doing so.
  • Costs, resources and lack of process are inhibitors to success: Lack of resources (74%), cost (39%) and insufficient processes (32%) are keeping respondents from assessing all their top-tier vendors.
  • No one seems happy with their existing toolset: Satisfaction levels with existing tools hover in the 50% range, and the weighted average satisfaction caps out at 3.8/5.0. GRC tools have an especially long way to go, with a 41% satisfaction rate.


Third-party risk management program

Growing and maturing an adaptable and agile third-party risk management program that is resilient in times of crisis doesn’t have to be a complex and time-consuming process. The report concludes with five recommendations to jump start vendor risk activities:

  • Develop a programmatic process
  • Build a cross-functional team that extends beyond risk and compliance
  • Be comprehensive without being complex
  • Maintain options for assessment collection and analysis for agility
  • Complement your decision-making with risk-based intelligence