The county was increasingly at the mercy of third parties who controlled sensitive data and access points. Most of the security incidents they responded to in recent years were tied to vendor compromises, such as business email compromise (BEC) attacks and breaches. Yet, their existing vendor risk management process was fragmented, manual, and lacked real-time insights.
“We didn’t realize how much risk we were exposed to because we had no visibility,” says Anthony. “It was like flying blind.”
Challenge: A Manual, Inefficient, and Risky Process
Before UpGuard, Riverside County had no scalable method to assess third-party security risk. Vendor evaluations were ad hoc and highly manual, relying on static questionnaires and incomplete self-attestations.
“I would say that we weren’t really managing the process at all,” admits Anthony. “It was very spotty. It was ad hoc, very manual.” Without a tool to provide a clear picture of their vendor ecosystem, they were unknowingly exposed to significant risks. “We didn’t know what we didn’t know,” he explains. “There was no way to assess our own attack surface, let alone that of our vendors.”
Damon Bagley, Deputy Chief Information Security Officer, echoes this frustration. “The challenge with traditional risk management is that you’re relying on vendors to be honest in their questionnaires,” he says. “But even if they answer truthfully, their security posture can change within weeks. A static assessment isn’t meaningful six months down the line.”
Security teams were also burdened with time-intensive reviews that lacked consistency. “When you’re trying to talk about risk, stakeholders come to you with a shiny new vendor, and they’re excited,” says Damon. “But you don’t want to rain on their parade—you want to give them a meaningful, objective measure of risk. Without a tool, those conversations were difficult.”
As a government agency, compliance and accountability added another layer of complexity. “We’re stewards of public funds,” says Damon. “That means we need to be able to justify every decision we make, especially when selecting vendors. Without real data, that process was incredibly difficult.”
“We were lucky for a long time,” admits Anthony. “But luck isn’t a security strategy.”
Solution: Real-Time Vendor Risk Insights with UpGuard
Seeking a scalable, data-driven approach, Riverside County evaluated multiple vendor risk management solutions, including SecurityScorecard and RiskRecon. UpGuard emerged as the clear winner.
“The biggest factor for us was time,” says Anthony. “We needed a tool that wouldn’t take more time to manage than the value it provided. UpGuard was by far the most efficient and user-friendly.”
According to Damon, UpGuard’s simplicity was a game-changer. “It’s a web-based tool. You log in, type in a vendor’s name, and instantly see their risk score. There’s no waiting, no back-and-forth. We can compare vendors side by side, which makes the decision-making process much easier. Before UpGuard, this kind of insight took days, if not weeks.”
UpGuard also provided continuous monitoring, something the team had never had before. “Traditionally, vendor risk was a one-and-done process—fill out a questionnaire, sign a contract, and move on,” explains Anthony. “But what happens six months later if that vendor suffers a breach? With UpGuard, we know immediately. We’re not just assessing risk at a point in time; we’re staying ahead of it.”
Another advantage was its impact on negotiations. “We can now hold vendors accountable,” says Anthony. “If they score poorly, we can say, ‘Hey, if you want to do business with us, you need to fix this.’ And because UpGuard’s scores are publicly visible, vendors have an extra incentive to improve.”
Impact: Faster, Smarter Risk Management
The transformation was immediate. Instead of taking hours or days to manually research and evaluate vendors, Riverside County can now assess risk in minutes.
“Previously, vetting a vendor took one to two days,” says Anthony. “Now, it takes minutes.”
Damon highlights how this has changed their role within the organization. “We used to be seen as a bottleneck. Security was the department of ‘No.’ Now, we’re an enabler. Business units come to us for advice early in the process because they know we can provide answers fast.”
Beyond efficiency, UpGuard has enhanced Riverside County’s credibility and compliance. “We’re stewards of public funds,” says Damon. “When we choose a vendor, we need to justify that decision. Now, if anyone questions why we selected a particular provider, we can point to an independent, third-party assessment. That transparency is crucial.”
The tool also helps in responding to breaches. “Before, if a major breach was reported in the news, our board members would ask, ‘Were we affected?’” says Anthony. “We’d have no way to know. Now, UpGuard alerts us instantly. We can take action before an incident escalates.”
Most importantly, UpGuard has strengthened Riverside County’s ability to mitigate risk proactively.“Instead of reacting to vendor breaches, we’re staying ahead of them,” says Anthony. “That’s a huge shift for us.”
A Model for Third-Party Risk Management
For Riverside County, UpGuard isn’t just a vendor; it’s a strategic partner.
“We consider UpGuard best-of-breed,” says Anthony. “We don’t just use it—we actively recommend it to other government agencies, neighboring counties, and industry peers.”
The county’s security team has become a benchmark for efficiency and proactive risk management in the public sector, proving that even with limited resources, smart technology can make all the difference.
Chief Information Security Officer (CISO) of Riverside County
We’re experts in securing data breaches and data leaks
