The amount of cyber risk the average organization is taking on has never been higher, and a large part of it comes in the form of third-party and fourth-party risk. A household name reporting a data breach or data leak feels like a daily occurrence. And with the average cost of a data breach reaching close to $4 million according to a recent study by the Ponemon Institute, organizations are looking for new ways to prevent them.
The unfortunate truth is that third parties cause a lot of data breaches. That's why cybersecurity and Vendor Risk Management (VRM) have become a top priority for CISOs, Vice Presidents of Security, and other members of senior management, even at the Board level.
Beyond avoiding costs, third-party risk management is quickly becoming a regulatory requirement for many industries. Governments are enacting laws and regulations designed to promote or require the use of third-party cyber risk management programs to identify, assess, mitigate and oversee risks created by vendors, fourth-parties, and customers.
This is business-as-usual for financial services, healthcare, energy, military, and government organizations. But it's a new problem for other industries.
The introduction of general data protection laws with extraterritorial application means most organizations need to invest in developing vendor risk management practices.
For example, in the United States, California has introduced the CCPA and Florida has introduced FIPA to protect the personally identifiable information of their residents. Outside of the United States, GDPR, LGPD, and PIPEDA are three important extraterritorial laws from the European Union, Brazil, and Canada respectively.
Alongside the protection of PII and PHI, many of these laws have introduced mandatory data breach notification requirements which have greatly increased the reputational impact of inadequate vendor and cybersecurity risk management practices.
To add to this, security teams are now expected not only to manage and improve security postures and information security policies, but also to translate technical details from cybersecurity risk assessments and vendor questionnaires into terms that non-technical stakeholders can understand.
The good news is that third-party risk management tools can help you do exactly that. The issue is that it's hard to decide which tools to evaluate, let alone what criteria to evaluate them against.
That's why we wrote this post to provide you with a clear comparison between CyberGRX, Whistic, and UpGuard, so you can make an informed decision and choose the tool that is right for you.
CyberGRX Overview
CyberGRX is a Denver-based company that was founded by Fred Kneip in 2015. It provides organizations and third-parties with a cost-effective, scalable approach to third-party risk management.
The CyberGRX Exchange collects standardized data and cyber risk assessments, sharing them for others to use. This means assessors can access information about a vendor and vendors no longer need to answer the same questionnaires over and over.
In December 2019, CyberGRX announced it had raised $40 million in a Series D funding round led by ICONIQ Capital.
Whistic Overview
Whistic is based in Salt Lake City, Utah and aims to help companies hold each other accountable for protecting their shared data. Whistic's CEO is Nick Sorensen.
Whistic helps its customers conduct and respond to security reviews.
Its platform has tools to help you onboard, assess, and track vendors, allowing you to compare third parties against a set of predefined criteria based on vendor questionnaires, documentation, and metadata.
Vendors can assess themselves against one of the top vendor questionnaires and publish it to their profile, along with supporting documentation including audits and certifications.