Challenge
Riskonnect was looking to improve their current third-party assessment and questionnaire management process, especially in respect to evaluating prospective vendors.
Key Results
With FortifyData, Riskonnect was able to reduce the time to assess and onboard new vendors by more than 33%, as well as efficiently build and deploy custom questionnaires as a response to new threats.
About Riskonnect
Riskonnect is a leading software provider that enables organizations to address, manage and respond to strategic and operational risks across the enterprise. Riskonnect has more than 2,000 customers across six continents that utilize their solution to accurately gain insights on key business indicators.
The Challenge
Riskonnect was looking to improve their current third-party assessment and questionnaire management process, especially in respect to evaluating prospective vendors. They have a high volume of vendor assessments in their queue, with approximately 3-4 third-party assessments that need to be completed per week. Historically, their spreadsheet-based process aggregated internal tool information and combined a traditional email back-and-forth with third parties for questionnaire completion. In all, with this process it took 3 weeks to complete the assessment and review before onboarding a new vendor.
The Solution
Riskonnect turned to FortifyData’s Integrated Cyber Risk Management platform to fill gaps in their third-party review process with active assessment data. FortifyData’s Third-Party Cyber Risk Management capabilities provides active scanning of third-party external attack surface and allow users to send questionnaires based on major frameworks, like PCI-DSS, HIPAA, SIG, etc., or upload a custom questionnaire. It also allows respondents to answer the questionnaire directly within the FortifyData platform, eliminating the need to email everything back and forth.
Another benefit, according to John Casazza, Chief Information Security Officer at Riskonnect, is the ability to quickly send questionnaires in response to new and critical threats.
“We can now create multiple assessments with a level of velocity because zero-day threats are out there – we see them all the time. Now we can do, for instance, a Log4j assessment, and very quickly we can build, deploy and have our vendors respond to those questions.”
Riskonnect is also running their vendor assessments with FortifyData, as part of their review process. Scans and re-scans are requested right in the platform, and the results are incorporated into a cyber risk score that you can monitor for changes.
“The scoring posture for our vendors has proven very helpful for us,” said John. “We basically set our thresholds and then watch our vendors over time and see how they increase or decrease as threats develop.”
In the past, once a vendor received a score, they did not have the ability to change that score based on a rigid algorithm that legacy scoring companies put into place. FortifyData allows Riskonnect to customize these scores based on the company they are assessing. Having a score that is tailored to a specific industry or company ensures Riskonnect the accuracy of findings.
“FortifyData helps the technical operations group at Riskonnect complete security reviews for either product-based or internal vendors that we need to work with to ensure that the security posture of those vendor aligns with Riskonnect, so that we can continue to protect our customers data all throughout its life cycle.”
John Casazza, CISO, Riskonnect
The Results
Riskonnect now has an accurate and efficient way of assessing and monitoring their third-party vendors. The team has been able to reduce the time from assessing and onboarding a vendor from three weeks down to two weeks, and in some cases they can do it in as little as seven days, depending on the response time from the vendor. Reducing vendor assessments from 3 weeks to 2 weeks with FortifyData represents a 33%-time savings for Riskonnect.
Additionally, John and his team make use of the initial scan of a vendor as an initial filter to decide if vendors make it to the next phase of the vendor evaluation process. The data from the active assessment of the vendor’s environment can highlight showstoppers that require attention to be considered again in the future.
“FortifyData helps the technical operations group at Riskonnect complete security reviews for either product-based or internal vendors that we need to work with to ensure that the security posture of those vendor aligns with Riskonnect, so that we can continue to protect our customers data all throughout its life cycle,” said John.
They are also more able to easily monitor the security posture of their third parties on a continuous basis.
“As a whole, [FortifyData] helps with centralized tracking and also helps with continuous scanning to ensure if a vendor has any missteps along the way with zero-day exploits, or other issues that arise in the industry, that we are able to see that and speak to that vendor. Or it lets us know if we may even need to pivot to a different vendor until the issue has been remediated.
