Blog & Newsletter

Discover insights from the minds of the Fraction Consulting team

January 05, 2021

Cybersecurity Market Insights #5 - Third-Party Security

Trust reigns supreme in business, and ensuring your company’s data is secure with your third-party vendors has never been more critical. Let’s unpack this complex topic from a product landscape perspective.

Terms You Might Hear

  • Supplier Risk Management
  • Third-Party Risk Management
  • Third-Party Vendor Management
  • Vendor Security Management

Problem Statement

  • As a business, you have a core set of capabilities that make you successful. These capabilities give you a competitive advantage - why your customers buy what you offer vs. another company - and make you different from your competitors.
  • Businesses will often outsource or leverage third-parties for the capabilities that are not core to their business and are outside the scope of what gives them that competitive advantage. Companies have to provide essential pieces of their customer and business data to the third parties to perform a service or function.
  • The exchange of and use of that information is where the risk lies. Third-parties can represent operational, reputation, compliance, financial, and strategic risks to your business. Third-parties can have impacts on your business, your customers, and your reputation. As such, you have to trust that a third-party will take the same level of care as your business would with that same information.
  • Validation comes in the form of processes and procedures. Businesses establish third-party risk processes to evaluate a company from a financial, legal, and technological standpoint. The term “trust, but verify” rings true here.
  • Third-party evaluation processes are a snapshot that only captures a company’s practices, procedures, and risk profile to your business at a given point in time. Most small-to-medium businesses (SMBs) have tens to hundreds of third-party vendors, while larger companies are in the thousands. This volume is hard to solve without an army of people.
  • Relationships and practices with third-parties may be revisited by the business on a 1-3 year review period, depending on the nature of the relationship, but here’s the problem - organizations evolve. And so too does a third-party’s risk to your business. Evaluations and processes that take weeks-to-months can’t capture that risk correctly.

Market Solutions

Enter the Third-Party Security product market space.

  • Third-party security products can act as a proactive way to assess, quantify, and score potential third-party risk and identify areas for improvement.
  • We can summarize the third-party security product market space into a few sub-categories, and one player can cover just one or both sections:
    • Third-Party Risk Management (TPRM) Platforms - platforms designed to let you see, understand, and manage your third-party vendors’ risk to your business. These platforms are more strategic platforms and help you manage the lifecycle.
    • Security Questionnaire Management Platforms - platforms designed to handle the technical assessment portions of getting engaged with a vendor. These platforms are more tactical and can also help with requests for proposals (RFPs) and requests for information (RFIs) from third-party companies needing to know more about security and privacy practices at a company.

Players in the Space

Third-Party Risk Management Platforms

Security Questionnaire Management Platforms

Product Space Predictions

  • Managing the checks and balances of a third-party vendor security program today at even a moderate-sized organization requires multiple teams from multiple disciplines. As third-party security platforms become ubiquitous, companies will consolidate teams around this technology. Consolidated teams will lead to a different type of end-user.
  • Coordinated monitoring. What’s one big problem with third-parties? You can’t monitor them like they are in your own network space. With the number of cloud breaches that happen each year, expect larger companies to demand monitoring visibility into “areas of high concern.” That third-party S3 bucket with my customer data? I want to monitor if it ever flips to public.
In the Pro version of the section above, we cover the evolving data privacy landscape, platform partnerships, and more!

Product Space Opportunities

  • Show me the workflow. Add project and task management and tracking capabilities to the platform. Make it transparent to increase accountability, be consistent on the timing of reviews and deliverables, let people see what’s outstanding on both sides.
  • Leverage distributed ledger technologies (DLT). Use a distributed ledger to increase transparency and auditability. Improve the traceability of data transactions between third parties. DLT will also help with the workflows and accountability.
  • Visualize the Impact. The ability to visualize the blast radius, a way of measuring the total impact of a potential security event, of a vendor to your business operations and supply chain, is what auditors and cyber risk professionals have always been after.
In the Pro version of the section above, we cover continuous monitoring, operating your cybersecurity program in public, and more!

Key Insights

  • Compliance isn’t security, but compliance products always outsell security products. The majority of the players in the issue have received varying investment funding levels, and for a good reason. Much to the chagrin of security professionals, but there is still room for innovation in this space. With new regulations appearing every year, this will continue to be profitable investor space.
  • No company is an island. Engaging with third-parties is a means to scale your business and reach customers you would have otherwise not have reached. This growth comes with a price tag that needs the closest attention.
  • Companies take on monumental, and I would argue, incalculable risks to do business with third-party companies. Try to calculate it anyway. The ability to quantify the risk of a third-party relationship to your company so you can focus on the ones with the highest risk is the goal. Or better yet, in some cases, avoid the relationship at all.
  • Third-party security platforms will allow for scale for both businesses and third-parties alike. Scale will come by way of consistency, automation, and less back and forth. Contracts can get signed quicker, and companies can increase their value sooner. The entire third-party security vendor landscape hinges on achieving this state.
In the Pro version of the section above, we cover remote work, working smarter and not harder, and more!

Pro subscribers get an additional section covering who these products are right for, what makes a platform “good,” and more!

References

Want More?

Looking for more insights and analysis? Check out the Pro version of this newsletter, where you’ll find:

  • 6 Predictions for the product space (200% more)
  • 8 Opportunities for the market to capitalize on (167% more)
  • 7 Key Insights for players and buyers to win (75% more)

When you subscribe to the Pro version, you’ll get access to the pro version of this issue and all past and future issues.