RSAC insights: CyberGRX finds a ton of value in wider sharing of third-party risk assessments

The value of sharing threat intelligence is obvious. It’s much easier to blunt the attack of an enemy you can clearly see coming at you.

Related: Supply chains under siege.

AWS Builder Community Hub

But what about trusted allies who unwittingly put your company in harm’s way? Third-party exposures can lead to devastating breaches, just ask any Solar Winds first-party customer.

So could sharing intelligence about third-party suppliers help?

With RSA Conference 2021 technical sessions getting underway today, I sat down with Fred Kneip, CEO of CyberGRX, to hash over the notion that a lot of good could come from more systematic sharing of the risk profiles that large enterprises routinely compile with respect to their third-party contractors.

For a full drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

The genesis of risk-profiles

It turns out there is a ton of third-party risk profiles sitting around not being put to any kind of high use. Back in the mid-1990s, big banks and insurance companies came up with something called “bespoke assessments” as the approach for assessing third party vendor risk.

This took the form of programmatic audits. In order to get the blessing of financiers and insurers, enterprises had to set up systems to get their third-party suppliers to fill out extensive risk-profile questionnaires; and this  cumbersome process had to be repeated on a periodic base for as many contractors as they could get to.

CyberGRX launched in 2016 as a clearinghouse for companies to pool and share standardized assessment data and actually analyze the results for action. The idea was to benefit both the first-party contractors and the third-party suppliers, Kneip says. Thus, the Fortune 1,000 companies who collected and consumed the security profiles of major suppliers could see and analyze that data in aggregate and thus conduct a much higher level of risk analysis.

“So much time and energy was put into the administrative exercise of just requesting data and responding to questionnaires,” Kneip says. “By taking that out of the equation, the consumers of that data could see the whole ecosystem and focus on risk management.”

Meanwhile, the third-party suppliers were relieved of a big burden. “It can be a big strain on resources just to respond to security questionnaires,” he says. “At a mid-market company, that duty typically falls to the CTO who has to spend 20 percent of his or her time on this. That’s a colossal waste of resources that goes away by using our standardized approach and Exchange.”

Crowdsourcing risk profiles

CyberGRX’s global cyber risk Exchange caught on quickly. In five years it has grown to over 100,000 participants with first-party and third-party organizations collaborating to crowdsource risk assessments and share intelligence about successful risk remediation strategies.

This sharing of intel for a common good has freed-up resources, on the part of first-party companies. It became possible to take a much closer look at the armies of mid-sized and smaller third-party suppliers who simply had escaped scrutiny in the past. Traditionally, Kneip told me, enterprises have been able to conduct full risk assessments on, at best, 5 percent of their suppliers, usually the biggest ones who were already doing a good job with security.

This meant that many first-party enterprises really had no clue about the make-up of their supply chain, much less any kind of actionable understanding of emerging risks, Kneip says. Conversely, their small- and mid-sized contractors felt no pressure to improve their security postures.

But what exchange users are discovering is that everyone has been turning a blind eye to the mounting cyber risks. No one, save threat actors, was paying close attention to the ramifications of granting a myriad of small- and mid-sized contractors privileged access inside the company firewall. These are the providers with whom sensitive data and privileged access gets shared daily.

Two entrenched patterns need fixing: first-party companies need to get much better visibility of what’s going on in their supply chain; and third-party suppliers need be start taking basic cyber hygiene much more seriously. “It’s this middle group that’s really terrifying because they get access to sensitive information and many of them have very little security in place,” Kneip says.

Visibility boost

It’s notable that the Solar Winds hack is something of an outlier. It is an example of a highly-sophisticated, nation state-sponsored hack of a third-party supplier in order to infiltrate its marquee first-party customers. Many of Solar Winds customers had the best security money can buy, but were still deeply compromised, via what essentially was a third-party hack.

Thus, Solar Winds is a vivid reminder of just how pliable and wide open our Internet-centric supply chain remains.  However, for most organizations the bigger day-to-day concerns revolve around the many ways modestly clever criminals can so easily manipulate the supply chain.

Attackers got deep access into Target’s customer transactions records by usurping network access granted to an HVAC contractor; JPMorganChase got profoundly hacked in much the same way, via third-party supplier that helped the bank run its charitable marathon races.

No first-party company wants to be the next Target or JPMorganChase. For that matter, all third-party suppliers should see the wisdom in taking  reasonable steps to avoid becoming the next culpable HVAC contractor or special events coordinator.


So can sharing programmatic risk profiles help change things for the better? I came away from my discussion with Kneip encouraged that the answer is definitely, yes. Some promising inertia is rising from the intelligence sharing taking place on the CyberGRX’s global cyber risk Exchange.

Observes Kneip: “Awareness alone is creating a benefit. For many of the third-party companies coming into the Exchange, it’s the first time they’ve ever gone through a cyber risk assessment. They’re asking questions like ‘What is DLP?’ and ‘What exactly do you mean by patching cadence?’

“One of the other things we found is companies who’ve been on our platform for 12 months or more, show marked improvement in their security. We track people over time. And as they log in and update their profiles, we’ll reevaluate that information to ensure that it’s accurate. We’re seeing companies go from a 1.2 level of security maturity to a 2.8, or whatever it is, showing very material change.”

We’ve got a long, long way to go to adequately clean up a supply chain rife with cyber exposures. Wider sharing of risk profiles adds to visibility on all sides in a way that promotes a meritorious cycle. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)



*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: