What are 3rd party risk management tools & how do I know which is right for me?

Most CISOs and security teams are well versed in understanding and implementing internal measures to keep their company secure. However, some businesses are a lot more relaxed when it comes to asking the same of their suppliers - but should they be? In 2020 the Ponemon Institute found that 51% of companies have suffered a data breach caused by a third party and that the average cost of a breach was $3.92 million.

So what can you do about it? The good news is that there are plenty of tools that are built to help you ensure that your suppliers are maintaining the security posture, policies, insurances, certifications, audits and operating procedures that you expect of them. The bad news is that it can be hard working out which one is right for your needs.

In this article, we’re going to discuss the main types of third party risk management/supplier assurance tools, explain their strengths and weaknesses, and suggest some tools that you may want to check out. If you find this article useful, share it with your network.

Tool type 1: Questionnaire

Overview: A security compliance questionnaire is a document that companies use to see if their suppliers are following particular security guidelines. They’re usually sent out at the beginning of a contract or annually and are filled out by the vendors/suppliers themselves. Traditionally this would be done via spreadsheets or Word documents, but there are now tools that will automate this process for you.

How does it work: A company curates a list of questions they’d like their suppliers to answer, either bespoke questions designed by them, or more ‘off-the-shelf’ questionnaires such as the SIG or CAIQ. These are then sent to the 3rd parties via an online form or portal. Once the supplier has completed the questionnaire, it is sent back to the client to review. Often there will be reporting functionality for the client to assign some kind of score, or compare supplier results.

Strengths:

  • Faster and has more reporting capabilities than a regular Excel document
  • Allows each organisation to tailor their question set and ask specific, detailed questions.
  • Often the cheapest TPRM tool type

Weaknesses:

  • Point-in-Time Assessments - the security questionnaire is only relevant for that moment; anything can change over the following months, and as soon as it does, the information is incorrect.
  • Out of date questions - If the question set itself is not kept up to date with the latest trends or changes in best practice, you will not be gathering the most useful information.
  • Manual Work - For many tools the burden is on you to remember who has and has not filled in the questionnaire, chase any documentation/certification and ensure that any discrepancies or remediations are followed up on.
  • No Capacity Efficiencies - although these tools are quick and easy to use, they are not scalable: the more suppliers you have, the more complex your operation becomes and the more the manual work issue is exacerbated.
  • Bad supplier experience - Suppliers have to complete a new questionnaire for every client they engage with, taking their valuable time away from real security improvement activities.
  • Poor quality data - because they are so time-consuming for suppliers, suppliers will often give you the minimum information they can get away with. Questionnaires are often completed by sales teams or relationship managers rather than the security team themselves.

Examples: OneTrust, Prevalent, UpGuard

Conclusion: If you’re looking for a quick and often cheap way to check your suppliers' security credentials - use a security questionnaire. However, please bear in mind that they only provide a point-in-time understanding of a 3rd party’s security and are unable to scale. This can make them less useful to larger organisations. They give good efficiency savings in comparison to manual spreadsheets, but they’re plagued by the same effectiveness problems - they serve mostly to give you a one-off, quick compliance view, not to help you prevent supply chain breaches.

Tool type 2: Vulnerability scanners

Overview: External scanning tools, or vulnerability scanners, are tools that allow companies to quickly understand the security strength of public-facing systems belonging to a company that they are potentially going to work with. They are usually run automatically and highlight any potential vulnerabilities in public IP addresses, domains or other externally facing services.

How they work: The tools scan the outer perimeter of a supplier’s digital infrastructure, allowing you to understand which systems they are using, which services are running and where potential vulnerabilities lie. The scanners then check a list of known vulnerabilities related to the aforementioned systems. This information is compiled into a report which can tell an organisation where an attacker might look to exploit an external vulnerability to gain an initial entry foothold.

Strengths:

  • Provides the client with an easy-to-digest indication of the external security posture of the supplier
  • Good range of integrations available with most tools
  • Can identify threats from 3rd and 4th party suppliers without having to engage with the supplier directly
  • Easy ‘plug in and play’ option - don’t always need to contact the supplier (though you might need permission for some types of scans)

Weaknesses:

  • Can generate large numbers of false positives, which impacts the overall ratings given - fixing this requires manual intervention from the users
  • The rating given is usually decreased for past breaches, but only if this is disclosed, so the scanner can simply miss any non-disclosed breaches
  • Doesn’t measure the internal controls of an organisation - it only looks at surface-level information. This can give a false sense of security. The supplier may not have any known vulnerabilities in their externally facing systems, but that doesn’t mean they are difficult to attack. Do they have MFA & password lockouts on their user accounts? No? I’ll exploit that instead then!

Examples: BitSight, SecurityScorecard, Panorays

Conclusion: Scanning tools are a great (although more expensive) plug-in and play option that allows you to quickly gain a light understanding of an external attacker’s view of your supply chain. It’s worth noting that many of the tools currently available also offer an assessment module, combining the questionnaire tool with a scanner. This shows that a scanner alone is not enough; you should also be checking the internal security posture of an organisation. In addition, the tools can often return false positives, which creates manual effort for the end-user to tidy up the reports into something meaningful. Most dangerously, results from scanning tools can often give a false sense of security - a perfect picture of an organisation that appears to have no issues, when in fact, a simple phishing email could lead to total compromise of their internal systems.

Tool type 3: Shared assurance providers

Overview: Shared assurance providers, or risk assessment brokers, offer a managed service in which they compile supplier assessments that clients can then purchase. Although there may be exceptions, these risk assessments are typically static and are not managed or owned directly by the supplier.

How they work: The provider gathers and sometimes validates security information provided by suppliers to create a single pool of accurate and up-to-date supplier information.

Strengths:

  • Offer an objective approach to assessing third parties as the independent party (broker) collects and (often) validates the information
  • Provides suppliers with certification once they have been approved by the broker
  • Validation is done for you, so as a client you know that this information has been verified

Weaknesses:

  • Traditional point-in-time approach to assurance - the same issues as questionnaire tools
  • Suppliers can take up to 6 months to complete their assessment
  • Some tools charge suppliers
  • Can be very expensive - often a ‘pay per assessment’ model

Examples: CyberGRX, Hellios, OneTrust Vendorpedia

Conclusion: Shared assurance providers are good if you don’t want to do the evaluation yourself. However, they have many of the same issues that point-in-time questionnaires have and are usually more expensive. Their utility is also heavily dependent on the number of suppliers that they have on the platform.

Tool type 4: Risk Ledger

Overview: Risk Ledger is an online platform where suppliers and clients work together to get a comprehensive overview of their entire supply chain (including 5th and 6th-party suppliers). Clients and suppliers work together to ensure that the community is protected from cyber-attacks.

How does it work: Risk Ledger works like a social network: suppliers create a free profile, structured around a standardised framework, and then share this with clients, who approve or reject based on their risk appetite. Supplier profiles are continuously monitored by many clients simultaneously, meaning the information is always under scrutiny, maintaining quality, accuracy and timeliness.

Strengths:

  • Profiles are continuously kept up to date by suppliers
  • Able to see a complete map of your extended supply chain and identify potential concentration risks
  • Easily scalable regardless of the size of the organisation
  • Discussion function built-in
  • Easy to set up
  • Solves both supplier and client problems, meaning supplier engagement is high

Weaknesses:

  • No external scanning function
  • Relies on information provided by the suppliers themselves

Conclusion: Risk Ledger is helping organisations work together to improve the security of the global supply chain for consumers and companies alike. The supply chain map growing organically within the platform is a game changer for identifying systemic risk, understanding how threats can spread through the supply chain, and improving response capabilities.
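
To make the idea of concentration risk in an extended supply chain map concrete, here is an added example (not Risk Ledger's code or data model) that walks a supplier dependency graph and reports which 4th-party and deeper suppliers sit behind more than one of your direct suppliers. The organisation names and the SUPPLIES structure are constructed for illustration.

```python
from collections import deque

# Constructed sample map: each organisation -> the suppliers it relies on directly.
# All names are hypothetical.
SUPPLIES = {
    "us": ["payroll-co", "crm-co", "helpdesk-co"],
    "payroll-co": ["cloud-a", "sms-gateway"],
    "crm-co": ["cloud-a", "email-relay"],
    "helpdesk-co": ["crm-co", "cloud-b"],
    "cloud-a": ["dc-operator"],
    "cloud-b": ["dc-operator"],
    "email-relay": [],
    "sms-gateway": [],
    "dc-operator": [],
}

def reachable(graph, start):
    """Breadth-first walk: {supplier: tier} for everything downstream of start.
    Tier 1 is a direct supplier. Safe on graphs that contain cycles."""
    tiers = {}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt != start and nxt not in tiers:
                tiers[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return tiers

def concentration(graph, client, threshold=2):
    """Suppliers that at least `threshold` of the client's direct suppliers
    depend on, as (name, party level, direct suppliers exposed).
    Party level counts the client's direct suppliers as 3rd parties."""
    tiers = reachable(graph, client)
    exposure = {}
    for direct in graph.get(client, []):
        for dep in reachable(graph, direct):
            exposure.setdefault(dep, set()).add(direct)
    report = [
        (dep, tiers[dep] + 2, sorted(via))
        for dep, via in exposure.items()
        if len(via) >= threshold
    ]
    # Most widely shared dependency first, then by name for stable output.
    return sorted(report, key=lambda r: (-len(r[2]), r[0]))

if __name__ == "__main__":
    for name, party, via in concentration(SUPPLIES, "us"):
        print(f"{name}: {party}th party behind {len(via)} direct suppliers {via}")
```

In this sample, none of the three direct suppliers looks risky on its own, yet an outage at the hypothetical data centre operator would reach all of them at once.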

Conclusion

When it comes to Third Party Risk Management (TPRM) and supplier assurance tools, it’s about choosing the right one to fit your needs. Regardless of the tool that you go with, we believe that supply chain security needs to be viewed differently. Whether or not you decide to join us on the Risk Ledger platform we do hope you’ll join us in creating the future of Defend as One. No organisation is an island and we all need to work together to keep the interconnected world a safer place.