Robust vendor risk management practices has never been more important. It is increasingly one of the top concerns of CISOs around the world. This is because outsourcing, digitization, and globalization have changed the way we do business over the last few decades.
These forces have led to innovation in products and services, the ability to focus on core competencies, reduced costs, and new global markets. But they also introduced significant cyber risk, particularly the risk of data breaches and data leaks.
The truth is globally dispersed, highly networked and digitized businesses face new cyber threats and resiliency risks that many businesses are only beginning to address. As a result, both governments and commercial organizations are establishing third-party cyber risk management programs to better identify, assess, mitigate, and oversee the risks created by third-party vendors, fourth-parties, and even customers. These risks are known as first, second, third, and fourth-party risk.
In the past, these programs have been time-consuming and limited to highly regulated industries, such as financial services, healthcare, and energy. Today, the introduction of extraterritorial general data protection laws means the majority of organizations require a scalable and cost-efficient way to assess risk exposure across their supply chain to protect their customers, company, and to comply with regulatory requirements. Examples include the EU's GDPR, Canada's PIPEDA, Florida's FIPA, New York's SHIELD Act, California's CCPA, and Brazil's LGPD.
The increased reputational, financial, and regulatory impact of these trends and laws has led to a number of different third-party risk management solutions. Each promises to help create a more efficient process while providing greater insight into which risks need to be prioritized for mitigation.
Additionally, these tools often translate technical details like security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can understand.
However, without past experience, it can be hard to choose the right solution for your organization. That's why we wrote this post, to make it as easy as possible for you to compare CyberGRX and UpGuard.
Table of contents
- CyberGRX overview
- UpGuard overview
- CyberGRX vs. UpGuard in-depth comparison
- Scoreboard and summary
- Other third-party risk management software comparisons
CyberGRX is based in Denver, Colorado in the United States and founded by Fred Kneip in 2015. CyberGRX provides enterprises and their third-parties with a cost-effective and scalable approach to third-party cyber risk management.
It does this by collecting data and cyber risk assessments in a structured format and then sharing them on their information exchange platform. This allows assessors to quickly access information about a vendor while reducing the operational overhead for the vendor by reducing the number of similar questionnaires they need to fill out.
In December 2019, CyberGRX announced it had raised $40 million in a Series D funding led by ICONIQ Capital.
CyberGRX UI. Source: cybergrx.com
UpGuard was founded in 2012 in Sydney, Australia by technologists from Australia's largest banks. Using their first-hand experience, they built a platform to fill an important need in the nascent DevOps market, reducing the risk of incidents through proactive documentation and configuration management.
With proprietary, patented data visualization and risk analysis algorithms, UpGuard gave Operations and Security teams the ability to discover and understand their risk exposure within the data center and cloud (e.g. Microsoft Azure, Google Cloud, and Amazon Web Services) to reduce cybersecurity risk.
We then took this expertise and applied it to the assessment of external security postures, allowing you to instantly assess an organization. This assessment would provide a security rating from 0 to 950. Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk. Read our full guide on security ratings here.
UpGuard is headquartered in Mountain View, California, with offices in Sydney, Hobart, Auckland, Mexico City, Madrid, Denver, Portland, and Atlanta.
CyberGRX vs. UpGuard in-depth comparison
Learn about how CyberGRX and UpGuard compare across ten categories including capabilities, usability, community support, release rate, API and extensibility, third-party integrations, customers, predictive capabilities, and security ratings.
CyberGRX relies on point-in-time risk assessments to determine enterprise risk and primarily focuses on internal security controls and policies. While UpGuard focuses on both internal and external security postures through the use of security questionnaires and instantaneous security ratings.
- CyberGRX: Relies on a shared library of point-in-time risk assessments.
- UpGuard: Provides an always up-to-date score between 0 and 950 along with the following letter grades, A: 801-950, B: 601-800, C: 401-600, D: 201-400, F: 0-200. You can request your free security rating by clicking here.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
Risk assessment methodology
CyberGRX provides a risk exchanged based on a storehouse of validated third-party risk assessments. It's designed to remove inefficiencies in third-party risk management programs for vendors who are responding to the same risk assessments again and again. Rather than doing the same risk assessment over and over, CyberGRX aims to let vendors do one assessment and share it with any company that wants it.
Standardizing security assessment practices against recognized security frameworks, and making attestations easily shareable can help all businesses save time, resources, and increase trust in their supply chain. This is why UpGuard has also introduced a Security Assessment exchange to market. UpGuard adds critical risk monitoring capabilities, integrated vendor processes, and accessibility to provide businesses with a complete solution for risk and compliance needs.
- CyberGRX: Relies on point-in-time risk assessments which can become out of date until the next assessment process.
- UpGuard: Uses point-in-time risk assessments along with security ratings. Our security ratings algorithm runs hundreds of individual checks including email security and email spoofing risks (SPF, DKIM, and DMARC), website security (SSL, HSTS, header exposure), phishing and malware risk, explicit checks for 200 services across thousands of ports (mail, app, user auth, file sharing, voice, administration, database, unidentified, and open ports), domain hijacking risk (DNSSEC and domain registry issues), reputational risks (CEO rating and employee rating), credential management (exposure to known data breaches and data leaks detected by our data leak detection engine).
Not every solution is able to provide the same level of coverage. If your organization employs small specialist vendors, they may not be covered by a solution. As you know, even cyber attacks on small vendors can lead to large data breaches, e.g. the HVAC vendor that eventually led to Target's exposure of credit card and personal data on more than 110 million consumers.
- CyberGRX: 63,883 companies on the exchange.
- UpGuard: 2,000,000 organizations scanned daily and new vendors can be automatically added by customers.
2. Usability and learning curve
The usability, design, and learning curve of a product can play a large role in deciding which solution is right for you. The faster you and your team can get up to speed, the faster you can get your money's worth. CyberGRX and UpGuard offer their services via SaaS with minimal installation or configuration needed and are easily accessible from a web-based platform that can help you find, assess, and remediate risk.
- CyberGRX: Risks detailed on each point-in-time vendor assessment, which means new risks are only detected during the next assessment process. Remediation requests are not available. Their risk assessments are aligned to NIST and ISO 27001.
- UpGuard: High-level summation of risk with the ability to drill down into precise technical details. Each risk is prioritized based on extensive research conducted by our in-house security team, and where possible remediation and protection suggestions are provided. Additionally, we have a library of pre-built questionnaires that can be sent and managed with the UpGuard platform including a pandemic (e.g. coronavirus), ISO 27001, PCI DSS, NIST Cybersecurity Framework, CCPA, and Modern Slavery questionnaires. Read our full guide on the top security questionnaires here.
|Usability and learning curve||4/5||5/5|
3. Community support
CyberGRX and UpGuard both invest in their community, making it easier for customers and prospects to get up to speed, reduce operational overhead, and decide on the right product for them. Each company has their own blogs that are useful sources of information for cybersecurity awareness training.
- CyberGRX: Company and product blog.
- UpGuard: The UpGuard cybersecurity and risk management blog is updated four times a week and our breach research blog has uncovered and secured some of the largest data breaches.
4. Release rate
New vulnerabilities are uncovered, exploited, and shared on CVE on a daily basis. The faster a provider can incorporate changes and determine how to respond to threats should be a large factor in choosing a solution. Additionally, they should be comfortable with updating, adjusting, and improving their service based on customer requests.
UpGuard has always adopted DevOps principles internally to develop, test, and release software, ensuring fast and consistent releases that have been tested for quality, and as we use both security ratings and risk assessments, we can incorporate new threats quickly.
5. Pricing and support
Third-party risk management solutions can be expensive, with opaque pricing policies designed to put the power in the hands of the provider. They are typically priced on a per vendor, per year basis.
- CyberGRX: There is no public pricing available for CyberGRX, making it hard to know how much you would pay without talking to them.
- UpGuard: UpGuard has a transparent pricing model for UpGuard Vendor Risk and UpGuard BreachSight, which you can view here. Vendor Risk pricing starts at $179 for a one-time report on a vendor or $29 per month per vendor billed annually. UpGuard BreachSight pricing starts at $299 per month billed annually. If you have any questions, please let us know via firstname.lastname@example.org.
|Pricing and support||1/5||5/5|
6. API and extensibility
While both services have their own platforms, some customers also want to access the resources they provide outside of their platform to consolidate them into another product or service. Both solutions offer standard APIs to pull data into other enterprise applications.
|API and extensibility||4/5||4/5|
7. Third-party integrations
APIs are useful for technical staff, but not all vendor risk management teams have access to developers. This is why standard third-party integrations are an important part of decision-making.
- CyberGRX: Integrates with BitSight, Optiv, and other platforms.
- UpGuard: Integrates with GRC platforms, ticketing systems like ServiceNow, and more.
The best proof comes from each solution's customers. CyberGRX and UpGuard both have impressive customer lists, none more distinguished than the other.
- CyberGRX: Customers include ADP, Blackstone, aetna, GV, and ClearSky.
- UpGuard: Customers include NASA, the New York Stock Exchange (ICE), Morningstar, Akamai, Bill.com, IAG, and ADP. Read our customer case studies here and our Gartner reviews here.
9. Predictive capabilities
At the end of the day, the entire point of using a third-party risk management solution is to stop security incidents from happening in the first place. This makes the ability of a solution to prevent data breaches and other cyber attacks the main consideration. What differentiates CyberGRX and UpGuard are how well their methodology determines actual attack vectors, as well as their ability to detect data breaches and data leaks before they end up for sale on the dark web.
- CyberGRX: Relies on risk assessments which can quickly become out of date as new zero-day exploits are discovered and new IT infrastructure is used. The truth is that questionnaires, much like penetration testing, can be subjective and become inaccurate over time as new security issues emerge. Additionally, CyberGRX provides no controls for capturing data loss incidents.
- UpGuard: As UpGuard checks for misconfigurations across your Internet footprint, many important breach vectors are covered, including phishing, ransomware susceptibility (like WannaCry), man-in-the-middle attacks, DNSSEC, vulnerabilities, email spoofing, domain hijacking, and DNS issues. For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes. We reported it to AWS and the repo was secured the same day. This repo contained personal identity documents and system credentials including passwords, AWS key pairs, and private keys. We're able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public Github repos, and unsecured RSync and FTP servers. Our data leak discovery engine continuously searches for keyword lists provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of breach research. The UpGuard methodology is continuously refined based on the actual data breaches we have discovered and reported to the world in the New York Times, Bloomberg, Washington Post, Forbes, and TechCrunch.
10. Security rating
Finally, let's take a look at how CyberGRX and UpGuard compare when assessed by UpGuard's platform on March 26, 2020. Although both platforms have a good security rating, UpGuard leads by 85 points.
- CyberGRX: 834/950 or A letter grade
- UpGuard: 919/950 or A letter grade
Scoreboard and summary
|Usability and learning curve||4/5||5/5|
|Pricing and support||1/5||5/5|
|API and extensibility||4/5||4/5|
Deciding between CyberGRX and UpGuard is a hard decision. What you choose will depend on the objectives of your organization, your risk appetite, and ultimately your budget.
We recommend asking for a free trial of each platform that you want to assess, so you can use each platform before deciding. You can book a free tailored 7-day trial on UpGuard's platform here. You'll get access to UpGuard Vendor Risk and UpGuard BreachSight for those seven days.
While point-in-time assessments are an important part of cybersecurity, they are not a complete solution on their own. UpGuard’s cyber resilience strategy looks at each company’s internet footprint and examines all of the vectors by which data exposure and service outage occur, including misconfigurations, a leading cause of successful attacks, and one undetected by risk assessment processes.
Additionally, our vendor questionnaire library can help you go beyond security ratings and to the assessment of internal security controls that aren't as easily determined. UpGuard is also the only company to offer an internal cyber risk management solution, Core, allowing organizations to completely manage primary risk as well.
UpGuard's easy to use platform is a complete security ratings platform that gives you great insight into your security posture and your vendors and how your organization's security posture is perceived from the outside. Giving you and your business partners a clear understanding of how and where to improve your cybersecurity and information security to prevent cyber attacks and reduce cybersecurity threats.
Try UpGuard for free for 7 days by clicking here. Before your 7-day trial begins, we'll provide you and your team with a free, personalized 45-minute onboarding call with one of our cybersecurity experts. They’ll help you get the most out of the UpGuard platform by showing you how to:
- Continuously monitor your third-party vendors
- Detect and remediate any leaked credentials and data exposures
- Instantly assess your external security posture
Other third-party risk management software comparisons
If you'd like to compare other third-party risk management software, see our other comparison posts: