In third-party cyber risk management - ratings don’t work and questionnaires don’t work.

The growing reliance on third-party software and apps, plus a more interconnected supply chain means that organizations need to better manage their vendor risks, and automation can play a key role in the third-party cyber risk management process. The industry is ready for a more scalable and accurate method to assess their vendors.  

Many companies had (or have) a process that involves a manual questionnaire assessment, relying on yet another 3rd party’s “score” of a vendor, or some imperfect combination of the two. Both of those methods each have their own inefficiencies and inaccuracies – some would call them broken – yet the industry has accepted a “that’s good enough” mentality leaving many to deal with deficiencies in this process. We see it differently.

Like the Japanese art of kintsugi, which mends broken pieces of pottery or sculptures with gold, you can fix and rebuild security ratings and questionnaires, and make a better process.

By taking an innovative approach to bring efficiencies of automation by incorporating the findings from a direct assessment of a third-party and marrying that up to the applicable questions, known as auto-validation of questionnaires, enterprises can enjoy the benefits of automating those methods. 

How can third party risk management be done differently and automated? 

Our continuous threat exposure management approach involves the direct assessment of a third-party’s external assets since this will match what any threat actor will obtain too, and one of the main areas of concern in a vendor evaluation. The assessment findings are shared with any vendor and help foster a collaborative discussion on the threats associated with the findings, since both parties are “on the same page”. Done continuously this provides both parties – the enterprise and the vendor – accurate risk intelligence based on new CVEs, changes to assets, and cyber threat intelligence.  

But just obtaining external vulnerabilities on assets is only part of the equation. This information can be married to any questionnaire (and the applicable questions) so that the findings data is an auto-validating component to the provided vendor responses. The continuous assessment and interrogation between the findings and the questionnaire give you an always up-to-date view of the risks a third-party represents. 

3 Benefits of Automating the Integration of Questionnaires and Assessments 

  1. One of the key benefits of automating third-party assessment and questionnaire validation is that it can help to reduce the time and resources required to conduct these activities. With automation, we’ve seen clients find that the time to assess and onboard companies can be reduced by 33%. In short, reducing the time (and costs) associated by enabling companies to more quickly and easily view the potential risks associated with their third- party relationships. This can help organizations to proactively address these vulnerabilities as a condition of engaging in a service relationship, before they are exploited by hackers or other malicious actors. 
  2. Another key benefit of automating the assessment and questionnaire validation is that it can help to improve the accuracy and reliability of the results. Manual processes can be time-consuming and error-prone, especially when you have many vendors in your supply chain. But automated tools allow assessments to be done in a consistent and standardized manner, ensuring that the results are accurate and reliable and can help more efficiently evaluate larger quantities of vendors.
  3. A third benefit is that automation saves companies money. By using automated tools and systems, companies can reduce the need for specialized personnel and other resources, which can help to lower their overall costs. In addition, the accuracy and consistency which we discussed above can save companies money by avoiding costly penalties and fines.  


In addition to these benefits, leveraging direct assessments and incorporating them with questionnaires gives you the best of both methods that provides a workable solution to evaluate vendor relationships at scale, with accuracy.  

Automating the assessment and questionnaire validation components of third-party cyber risk management can also help companies to improve their relationships with their third-party vendors and partners. Companies can demonstrate to their vendors and partners that they are committed to protecting their assets and reputation, and that they take cyber risk management seriously helping to build trust and foster stronger relationships with third party vendors and partners, which is beneficial for both parties.  

Related Posts

Click to access the login or register cheese