Outsourcing, digitization, and globalization have brought us new products and services, allowed for increased specialization, lowered costs, and improved access, but they've also introduced significant cyber risk, particularly the risk of data breaches and data leaks.
The unfortunate truth is that third parties cause a lot of data breaches. That's why cybersecurity and vendor risk management (VRM) have become a top priority for CISOs and senior management alike, even at the Board level.
Additionally, governments around the world have enacted laws and regulations designed to promote, or even require, the establishment of third-party cyber risk management programs to identify, assess, mitigate, and oversee risks created by vendors, fourth parties, and customers.
While this is business-as-usual for financial services, healthcare, energy, military, and government organizations, the introduction of general data protection laws with extraterritorial application means even loosely regulated industries must now develop vendor risk management practices.
For example, in the United States, the introduction of the CCPA and FIPA means organizations that hold data on Californians and Floridians must protect their personally identifiable information even if they don't operate in those states.
These laws also introduce mandatory data breach notification requirements, which means the reputational impact of inadequate vendor and cybersecurity risk management practices is greater.
Security teams are expected to do more than ever before. They're now tasked not only with improving security postures and information security policies but with translating technical details like cybersecurity risk assessments and vendor questionnaires into terms that non-technical stakeholders can understand.
The good news is third-party risk management tools can help you do exactly that. The issue is it's hard to decide on which ones to assess, let alone what criteria to assess them against.
That's why we wrote this post to provide you with a clear comparison between SecurityScorecard, Whistic, and UpGuard, so you can make an informed decision and choose the tool that is right for you.
SecurityScorecard is a New York-based company that uses traffic and other publicly accessible data points to build SecurityScorecard ratings that can be used to evaluate vendors and price cyber insurance, among other use cases.
They also monitor "hacker chatter", social networks, and public data breach feeds for indicators of compromise.
SecurityScorecard's last funding round was a Series D from Nokia Growth Partners, Moody's, AXA Strategic Ventures, Intel, Google Ventures, Boldstart Ventures, Two Sigma Ventures, and Evolution Equity Partners.
Whistic is based in Salt Lake City, Utah and aims to help companies hold each other accountable for protecting their shared data. Whistic's CEO is Nick Sorensen.
Whistic helps its customers conduct and respond to security reviews.
Their platform has tools to help you onboard, assess, and track vendors, allowing you to compare third parties against a set of predefined criteria based on vendor questionnaires, documentation, and metadata.
Vendors can assess themselves against one of the top vendor questionnaires and publish it to their profile, along with supporting documentation including audits and certifications.