CyberGRX Partners With BitSight to Address Supply Chain Risks

Partnership Integrates BitSight’s Security Ratings Capabilities With CyberGRX Third-Party Cyber Risk Exchange

The iconic Target breach of 2013 brought attention to the threat from third-party suppliers -- the supply chain. Target was breached after its HVAC supplier, Fazio Mechanical Services, had itself been breached and had the credentials it used to access Target's systems stolen.

This threat has become more difficult to manage and more complex as digital transformation has accelerated and cloud service providers have boomed. A single enterprise can now use several thousand different cloud services. According to Gartner research, a large enterprise's network of vendors, partners, contractors and customers, all with access to the corporate network, can easily run into the tens of thousands. Any one of these can potentially introduce an unseen risk.

Managing this risk manually cannot be done effectively -- and several specialist companies have evolved to provide various degrees of automation. SecurityScorecard and BitSight are two companies that assess third-party vendors by analyzing their external face.

CyberGRX (GRX stands for global risk exchange) takes a different approach -- it provides a 'risk exchange' based on a storehouse of validated third-party risk assessments. According to CEO Fred Kneip, the firm is the brainchild of Jay Leek -- then at Blackstone. "Jay was thinking about the inefficiencies of third-party risk management across his portfolio. In an ad-hoc survey of his portfolio companies, he found that 90 of his 115 portfolio companies were using the exact same vendor. Fifty of those were doing a full-blown assessment of that vendor every year."

CyberGRX is the result of that observation. Rather than do 50 risk assessments of one vendor, do one assessment and share it across 50 companies. Where CyberGRX differs from SecurityScorecard and BitSight is that its risk assessments are internal rather than external affairs -- the internal assessment looks at the vendor's processes and controls in relation to vulnerabilities, while the external rating looks at the third party's internet face.

CyberGRX and BitSight have now recognized the potential synergy between the two approaches.

On Monday they announced a partnership. "BitSight is a leader of the security ratings market, and their ability to continuously rate the security performance of third parties from an outside-in perspective will strengthen the CyberGRX Exchange," said Kneip. "Combining their proven non-intrusive approach to evaluating risk and security performance with the inside-out view our platform provides is a powerful proposition for customers: a comprehensive, continuous, 360-degree view of third-party cyber risk exposure."

"Enterprises today require access to accurate, continuous and actionable information about third-party cyber risk," added Jacob Olcott, VP of strategic partnerships at BitSight. "CyberGRX helps to solve that problem for companies across the world, and our security ratings provide the unique, objective data that organizations need to scale their third-party risk programs and make more informed business decisions." 

CISOs now have somewhere to go to rate the risk associated with their supply chain without having to spend hours every day poring over vendor-supplied spreadsheets or questionnaires, or ignoring the risk altogether through lack of time and manpower.

BitSight has raised more than $90 million in funding to date, including $40 million in Series C financing in September 2016. Headquartered in Cambridge, Massachusetts, it was founded in 2011.

CyberGRX closed a $20M Series B funding round in April 2017. Headquartered in Denver, Colorado, it was founded in July 2016.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.