Keeping an Eye on Vendor Risk

Ask any enterprise security risk manager about their favorite PowerPoint chart, and I know the answer: It’ll be the one showing aggregate risk for each executive group on a named basis. You know the chart: It’s the one with the histogram showing Operations under Ms. Crosby with 39 high-risk items, Marketing under Mr. Stills with 23 high-risk items, Engineering under Ms. Nash with 11 high-risk items, and so on.

Everyone pays attention when this shame chart is up on the screen because it names names. It connects risk to the people who make decisions about security. And nowhere is the risk more intense than with the vendors, suppliers, and other third parties supporting an organization. These external groups are usually the primary root cause behind your bad risk score on that uncomfortable histogram.

Last week, I had the great privilege to visit the headquarters of Prevalent, a New Jersey-based cyber security firm offering continuous monitoring and management of third-party risk. I couldn’t contain my enthusiasm when CEO Jonathan Dambrot and his team showed me their fine dashboards and series of risk reports. All I could think of was how such fine-grained reporting would be so useful for enterprise security teams.

The basis for the Prevalent offering is the obvious need for continuous risk monitoring of third-party organizations to properly manage enterprise cyber security. “The major factors determining third-party risk,” Dambrot explained, “include the service they provide, the sensitivity of their work, the type and scope of access they’ve been given, and many similar factors – including business and financial viability.”

Using these factors, the Prevalent platform continually maintains an accurate risk scoring for each third-party engagement, thus reducing dependence on conventional, manual risk assessments. The problem, as Dambrot explained, is that “the way expert security assessments are done today results in a risk snapshot for a specific time, without any continuous view of how factors might change after an assessment.”

This automation of the tedious security assessment process may be one of the most consequential aspects of any risk management platform. Periodic scheduled reviews of security are error-prone and limited by the expertise of the reviewer. “Scaling and automating the laborious, expensive assessment process is a huge pain point with heavy cost and consistency burdens,” explained Prevalent executive Dave McNamara. “Solving that and the continuous threat view is where the magic happens.”

But here is where it gets interesting: The company offers a collaboration capability called Synapse, which allows for uniform, automated sharing of third-party risk data. This is not some chatty “Yelp for vendors,” but is rather a mechanized information exchange using standard, structured reporting to support comparative baselining of risk – not just within the company, but across different organizations. This is a powerful capability, one that should be a norm in all enterprise risk environments.

The Prevalent team was kind enough to share a demonstration of their platform portal, which includes all the drill-down and highlighting capabilities one would expect in an automated tool for risk managers. We discussed the possibility of adding a more visually striking SOC-mode view, but that is a nice-to-have rather than a requirement. The platform certainly appears to do its job, and I suspect that risk managers will like the features.

To summarize: The use of shame charts illustrates the conundrum of enterprise risk management – namely, that managers do care about risk scores, despite practical evidence to the contrary. Third-party engagements are the riskiest aspect of any business, which is why the Prevalent platform is compelling: It combines continuous assessment, well-designed portal features, and accurate risk scoring into a platform that keeps an eye on third-party vendor risk.

Let me know what you think.