Outsourcing, digitization, and globalization have led to new products and services, increased specialization, lower costs, and better access for customers and organizations alike.
They've also introduced significant cyber risk, particularly the risk of unintended data exposure in the form of a data breach or data leak. In fact, a recent study by the Ponemon Institute and IBM put the average cost of a data breach at $3.92 million.
Our connected, global economy faces unprecedented cyber threats and resiliency risks that many organizations are not equipped to handle.
To remediate these risks, governments around the world have enacted laws and regulations that require the establishment of third-party cyber risk management programs designed to better identify, assess, mitigate, and oversee risks created by third-party vendors, fourth-parties, and even customers.
While financial services, healthcare, energy, military, and government organizations know how to operate and scale these programs, many industries do not.
In the past, this wasn't a problem as these laws and regulations tended to focus on those industries. Today, with the introduction of extraterritorial general data protection laws, this is no longer the case.
Governments around the world expect even loosely regulated entities to have vendor risk management processes in place. Just look at the requirements of the EU's GDPR, Canada's PIPEDA, Florida's FIPA, New York's SHIELD Act, California's CCPA, and Brazil's LGPD.
In addition to vendor risk management requirements, many of these laws have also introduced mandatory data breach notification requirements, dramatically increasing the reputational impact of inadequate vendor and cybersecurity risk management practices.
Given these trends, security teams must now develop the expertise required to translate technical details, such as security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can understand, particularly board members.
The good news is a host of third-party risk management tools have popped up to do exactly this. Now the main issue is deciding which to choose (UpGuard, BitSight, SecurityScorecard, RiskRecon, CyberGRX, MetricStream, Panorays, OneTrust, and more).
It's hard to know which tools to assess, let alone what criteria to assess them against.
That's why we wrote this post to provide you with a clear comparison between CyberGRX, RiskRecon, and UpGuard, so you can make an informed decision and choose the tool right for you.
CyberGRX is a Denver-based company that was founded by Fred Kneip in 2015. It provides organizations and third-parties with a cost-effective, scalable approach to third-party risk management.
The CyberGRX Exchange collects standardized data and cyber risk assessments, sharing them for others to use. This means assessors can access information about a vendor and vendors no longer need to answer the same questionnaires over and over.
In December 2019, CyberGRX announced it had raised $40 million in a Series D funding round led by ICONIQ Capital.
RiskRecon is headquartered in Salt Lake City and was founded by Kelly White. RiskRecon make it easy to gain deep, risk contextualized insights into the cybersecurity risk performance of third-parties by continuously monitoring them across 11 security domains and 41 security criteria.
Like UpGuard, it can be used for third-party risk management, enterprise risk management, and mergers & acquisitions.