Third party cyber risk management platform CyberGRX is extending its reach in the UK with a new channel partner programme
In highlighting the security risks posed by supply chain partners, December’s SolarWinds breach gave a further fillip to the concept of third-party cyber risk management (TPCRM).
With around 60% of security breaches linked to a third party, according to the Ponemon Institute, TPCRM is an essential component of a multi-layered approach to security. However, the process of assessing the security posture of third parties has historically been slow, labour-intensive, expensive and unreliable.
CyberGRX was founded in 2015 to address these shortcomings by providing an automated SaaS platform for the ordering, completion and sharing of TPCRM assessments. Since then, it has attracted almost $100 million in funding from venture capital organisations.
Now, the company is hoping to make greater inroads in the UK with the extension of its Global Partner Programme to resellers, systems integrators, consultancies, MSSPs and distributors on this side of the pond.
The four-tier programme includes risk management training; business development programmes – joint marketing campaigns, market development funds, sales incentives etc.; and a guaranteed margin on every sale.
Walter Specht, CyberGRX Director of Worldwide Channel Development & Alliances, told Technology Reseller that CyberGRX provides a solution to a problem many organisations still face.
“We came into being for the simple purpose of helping organisations to get a handle on the security posture of their third parties or vendors. The way that many organisations were doing this was, when they wanted to onboard a new vendor, law firm, payroll company or whatever, to send them a spreadsheet with a set of questions that varied in size and detail according to the criticality of that vendor to that business.
“We help organisations manage that. Instead of sending spreadsheets and hiring expensive risk people to chase that data around and hunt down the answers to those questions, we created an online platform that allows a company to order three tiers of assessment for a particular vendor and then we go and facilitate the completion of that assessment with the vendor.”
CyberGRX assessments are based on a third party’s self-declarations, which are then validated by CyberGRX and its community of validation partners, using evidence request sheets to collect any additional data that might be required.
Nick Swallow, Director of Solutions Architecture, EMEA at CyberGRX, says that validation is one of the key factors distinguishing CyberGRX from competitors. Another is the effort it puts into contextualising data, which results in more nuanced risk assessments.
“We cross-reference any weaknesses we come across against the live threat landscape. So, if they have something that may be considered a medium risk gap, but which corresponds to attacks that are happening today, we would go ahead and elevate that,” he said.
One to many
The other big benefit of CyberGRX’s platform is that once a third-party cyber risk assessment has been completed – and to date CyberGRX has done assessments for 6,000 organisations, including 60% of the Fortune 500 – it is added to the CyberGRX exchange where it can be accessed by any other business with that vendor’s approval.
This prevents duplication of effort by the vendor, as they only need to complete a CyberGRX assessment once – a process that typically takes an average of 20 to 30 hours – while also making it easier for their customers to get the information they need.
“If every single company that wanted to bring on Rolls Royce as a vendor did a security assessment, Rolls Royce would be bogged down with assessments and customers would risk not getting that data. We have streamlined the process so Rolls Royce can do one CyberGRX assessment, validated by CyberGRX and our validation partners, which is then stored on our exchange and updated at least annually, with no limit to how many customers can order that assessment,” explained Specht.
“Some global vendors are assessed 4,000, 5,000 times or more every year. If you are now able to do one assessment and maybe answer a few follow-on questions from those companies that have specialised practices or work that they do outside the realm of CyberGRX, the amount of time saved and the amount of people and resources and dollars they are now able to reassign to other areas of the business is just awesome.”
The main market for CyberGRX assessments is large organisations in regulated industries like banking, financial services, insurance, life sciences and healthcare that might deal with hundreds or thousands of suppliers. Ordering assessments from CyberGRX enables such organisations to marshal their resources so that they can spend more time on risk mitigation and less on assessments.
Its services might also be attractive to medium-sized businesses that don’t have extensive in-house resources and often lack leverage in getting third party cyber risk assessments underway. As the number of assessments that can be pulled down from the exchange continues to grow, its usefulness for medium-sized organisations will only increase.
In this context, Max Dalziel, CyberGRX Director of Strategic Accounts EMEA, draws a distinction between the data consumers – the big organisations in regulated industries – and the data providers, the smaller companies in the supply chain, which, he says, are increasingly taking a proactive approach and asking to complete assessments unilaterally.
“People are contacting us and asking to complete a CyberGRX assessment because they know they can reuse it. They are saying ‘We have received Google’s CyberGRX assessment and really like the way it was structured; can we go ahead and complete one ourselves so that when big bank ABC comes along, instead of completing a 500-row spreadsheet we can say “We have looked at your questions. They are all answered in our CyberGRX assessment. Here’s a link. You have permission to access our responses”’,” he said.
Last year, CyberGRX increased revenue by 100% and grew the number of validated assessments on its exchange by 180%. This year, with the roll-out of its partner programme globally, including in the UK, and a growing need for third party cyber risk management, continued growth looks likely for CyberGRX and its partners.