Whether you're a CISO, Vice President or individual contributor, you understand that information technology has changed how we do business, for better and for worse.
Technology has brought speed, scale, and better customer experience to all aspects of commerce and communication, but it has also increased cybersecurity risk, particularly data breaches, cyber attacks, and other cyber threats.
The consequences of poor risk management, particularly Third-Party Risk Management and Vendor Risk Management, are increasing in cost, reputation, and regulatory impact. According to research done by the Ponemon Institute, the average cost of a data breach globally has grown by 12 percent in the last five years to $3.92 million.
This number balloons to $8.19 million in the United States. It's safe to say it pays to prevent data breaches and data leaks.
Beyond financial costs, the reputational and regulatory impact is growing due to increasingly stringent general data protection and breach notification laws around the world. Examples include GDPR, PIPEDA, FIPA, the SHIELD Act, CCPA, and LGPD.
Many of these new regulations are extraterritorial, meaning they apply to any organization who processes the personally identifiable information (PII) or other sensitive data of any individual protected by the law, regardless of whether your organization operates in their jurisdiction.
What this all means is there is no excuse for mismanagement of your first-party and third-party cyber risk. Increasingly, you will be expected to assess the security performance of vendors who are deeper in your supply chain, i.e. fourth-party risk.
This requires the translation of the technical details security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into business terms.
An increasingly popular way to do this is through security ratings (or cybersecurity ratings) providers who offer an instantaneous assessment of cyber risk, much like a credit score does for assessing credit risk.
The issue is that the methodologies employed by these threat intelligence tools vary greatly, as do their results.
For example, BitSight, SecurityScorecard, and RiskRecon largely focus on security assessments of business partners, third-party vendors, and service providers. Read our guide on SecurityScorecard vs BitSight to learn how they stack up.
In contrast, UpGuard has a complete continuous monitoring risk management solution that can handle internal risk with our behind-the-firewall Core product, vendor risk management with our Vendor Risk product, and data leak detection and cybersecurity performance monitoring with our UpGuard BreachSight product.
In this comparison, we'll help you understand what to look for in a solution and see how BitSight, RiskRecon, and UpGuard stack up for managing Internet-facing first and third-party risk.
But before we dive into the specifics, it's important to understand what security risk ratings are.
BitSight Technologies Overview
BitSight Technologies is a Cambridge, MA-based company that aims to quantify the external cybersecurity posture of organizations using publicly accessible data.
BitSight’s security ratings are used by security and cybersecurity risk professionals to conduct due diligence research for Vendor Risk Management programs, private equity, M&A activities, and more.
Additionally, these security ratings are used for attack surface analytics, industry benchmarking, and the assessment of fourth-party risk.
RiskRecon Overview
RiskRecon is headquartered in Salt Lake City, UT with a presence in Boston, MA and representatives around the world. RiskRecon makes it easy to gain deep, risk contextualized insight into the cybersecurity risk performance of all third-parties by continuously monitoring across 11 security domains and 41 security criteria.
Like BitSight, it can be used for third-party risk management, enterprise risk management, and mergers & acquisitions.
