When Target fired both its CEO and CIO in 2014, it was a wake-up call for senior management.
The firings came as a result of a massive data breach which routed through an HVAC contractor’s compromised account. C-suite execs across the land suddenly realized something similar could happen to them. So they began inundating their third-party suppliers with “bespoke assessments” – customized cyber risk audits that were time consuming and redundant.
Out of that morass was born CyberGRX, a Denver, CO-based start-up that’s seeking to dramatically streamline third-party risk assessments, and actually turn them into a tool that can help mitigate cyber exposures.
I had the chance to visit with CyberGRX CEO Fred Kneip at RSA 2019 at San Francisco’s Moscone Center last week. He shared a telling anecdote about how CyberGRX got its start — essentially from backlash to the milestone Target breach.
Kneip also painted the wider context about why effective third-party cyber risk management is an essential ingredient to baking-in security at a foundational level. For a full drill down, please listen to the accompanying podcast. The key takeaways:
Rise of third parties
In 2016, Jay Leek – then CISO at the Blackstone investment firm, and now a CyberGRX board member — was collaborating with CSOs at several firms Blackstone had invested in when a common theme came up. The CSOs couldn’t scale their third-party risk assessment programs to keep up with growth. The problem had become untenable.
The Target firings lit a fire under senior management to make third-party security audits standard practice. But they did so without taking into account the hockey-stick rise in reliance on third-party suppliers. No one thought deeply enough about how they were distributing privileged access to innumerable third-party vendors.
Facilities repairman, like the HVAC vendor, was a small part of this trend. The corporate sector’s pursuit of digital transformation had given rise to new cottage industries of third-party contractors for everything from payroll services, accounting systems and HR functions to productivity suites, customer relationship services and analytics tools.
“Think about the CEO who’s overstretched and one step removed . . . the problem of how third-parties might be exposing company data became, not so much neglected, as de-prioritized, even as companies became more and more dependent on these third party providers,” Kneip told me.
Leek did a little digging and discovered just how many hoops both first-party and third-party companies were jumping through to conduct bespoke assessments. These were customized audits based on long-established frameworks and protocols from the National Institute of Standards and Technology and other organizations — but tweaked slightly by each company.
The resulting redundancy was staggering. Leek checked out the assessment programs at 100 companies and found that 90 of them audited payroll processor ADP, with 50 conducting an annual onsite inspection of ADP at a cost of between $5,000 and $15,000 per visit. Further investigation showed that there was a 96% overlap in various assessment programs. ADP, for instance, had to dedicate staff to deal with over 4,000 assessment requests per year.
The solution that occurred to Leek was this: instead of first-party companies doing nearly identical audits over and over on vendors they used in common, why not set up a clearinghouse that collects and shares the results of well-executed audits?
“Basically the problem got somewhat out of hand,” Kneip said. “So what we’ve done is made third-party risk assessments digestible for companies so they can scale and build a reasonable third-party program, and the biggest thing about what we’re doing is that it’s an exchange concept.”
With contributions from many organizations, CyberGRX has established a comprehensive cyber risk assessment and created a one to many clearinghouse of up-to-date and validated cyber risk assessments of third-party suppliers.
“We’ve actually collected the data, validated the information and confirmed that the suppliers have responded accurately,” Kneip says. “This allows the same data to be put to use multiple times.”
The benefits cut both ways. The third-party supplier no longer has to dedicate staff to deal with hundreds, or even thousands, of nearly identical bespoke assessments – and the first party companies don’t have to carve out resources to endlessly gather this information.
“If you talk to a third-party risk practitioner, they’ll tell you they spend 80 percent of their time chasing people down to fill out questionnaires. We take that away. The data is now readily available on a software-as-a-service platform,” Kneip said.
This clearinghouse approach also happens to bring in a large sample of operational insights that can be correlated and turned into actionable intelligence.
“If you’re not spending all of your time chasing down people and you have data at your fingertips, in SaaS form, you can start examining your ecosystem of third parties,” Kneip said. “Over time you can actually start to run portfolio analyses to find out: ‘Who’s better than whom? Where are the pockets of risk? What are the most common vulnerabilities across my systems?’ You can start understanding how to manage third-party risks much more effectively.”
In a complex and dynamic business environment undergoing digital transformation, this approach to efficient data collection is setting the table for intuitive analytics. Kneip told me how CyberGRX itself has begun building risk models at an aggregate level. This includes kill-chain analyses of historical breaches, dissecting the role third-party privileges played in various steps of an Advanced Persist Threat-type of intrusion.
CyberGRX is making this intelligence available to its members — to help them prioritize weaknesses to shore up, and to be able to dial-in adjustments that tightens security without hindering productivity.
In a complex and dynamic operational environment, CyberGRX has set out not just to streamline third-party risk assessments, but also to actually help all companies materially improve their respective security postures. This is another encouraging example of smart people moving the ball downfield. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-cybergrx-seeks-to-streamline-morass-of-third-party-cyber-risk-assessments/