Demand for RiskRecon’s cyber risk ratings and insights continues to grow as the number of cyberattacks connected to third-party risk rises. A recent Dark Reading poll of IT and cybersecurity professionals found that more than half (52%) of respondents say incidents like the SolarWinds breach have caused changes in their evaluation and vetting processes for third-party app providers and 53% believe these types of apps now put them at great risk of a data breach.
To understand the business benefits and cost savings RiskRecon delivers its customers, Forrester Research recently interviewed six organizations with experience using RiskRecon and combined the results into a three-year composite organization financial analysis. The study highlights the main client use cases leveraged to achieve success with RiskRecon:
- New Vendor Selection
- Vendor Assessment
- Monitoring and Response
- Own Enterprise
- Mergers & Acquisitions
- Supply Chain Management
New Vendor Selection
Vendor selection is complicated but instrumental to business success. Historically, procurement departments relied on the security team to assess vendors through a routine security questionnaire. This is increasingly problematic for third-party risk (TPR) analysts in today’s dynamic business landscape as standard questionnaires are typically difficult to validate, tedious to process for both the organization and vendor and only capture a single point in time.
With RiskRecon, TPR analysts and/or security professionals can pull a Risk Priority Report during the vendor selection process that shows a vendor’s publicly facing risk posture. This empowers vendor management and/or security teams to identify threats or noncompliance with security and IT requirements before a contract is signed, and to make more secure vendor selection decisions.
Vendor Assessment
Traditional questionnaire-based assessments are not built to address today’s business climate. According to research from RiskRecon and Cyentia Institute, while 81% of enterprises report that at least 75% of their vendors claim perfect compliance with their security requirements, only 14% are highly confident that vendors actually meet those requirements.
Security and IT teams need a risk-driven approach to managing cyber risk based on up-to-date data that reflects their current environment and third-party ecosystem. RiskRecon enables TPR analysts to prioritize vendors with the highest inherent risk and other issues flagged by RiskRecon, target questionnaires to the specific areas of known risk, and proactively work with vendors to improve their risk scores. The company enables analysts to identify and remediate open cybersecurity threats for their organization, resulting in analyst efficiency improvements of up to 150%. In addition, organizations using RiskRecon avoided, on average, hiring 4.5 additional TPRM resources. A cybersecurity manager from a telecommunications organization quoted in the TEI study said, “The risk prioritization enables us to narrow down the highest risk suppliers based on the vulnerability of their perimeters.”
Monitoring and Response
Most security and risk professionals struggle to gain risk visibility into their organization and its extended ecosystem. Static questionnaire-based assessments that assess vendors at a fixed frequency do not give an accurate view of risk exposure nor do they offer an effective route for requesting remediation from third-party vendors. A breach could happen, and the security team may not find out about it until months later.
RiskRecon enables organizations to continuously monitor critical vendors and proactively respond to breaches and other security incidents in their extended ecosystem. Benefits include audit efforts targeted at critical vendors and a 70% reduction in external audits. According to the TEI study, a VP of third-party risk for a financial services firm said, "If there is a specific vulnerability out there that we’re concerned with, we can look at our portfolio of critical vendors and identify those that could potentially be affected based on what RiskRecon has gathered."
Additionally, if a vendor’s cyber risk degrades or an element falls out of policy, the organization will be notified instantly. Customer interviewees from the TEI study also shared that their organization “uses the data within RiskRecon as a starting point for initiating conversations with those vendors with a lower than satisfactory risk score to address any security gaps.”
Own Enterprise
The rapid shift to remote work driven by the pandemic has created a new array of security challenges. Many workers turned to their personal devices to work from home, creating a surge of security issues related to shadow IT.
Many customers use RiskRecon to evaluate their own organization’s domain, which identifies internet-facing web presence that IT was previously unaware of. By removing shadow IT instances, interviewees increased their organizations’ own cybersecurity scores, improved IT’s ability to maintain architecture standards, and minimized exposure to security breaches. The TEI study found that organizations’ own self-score increased by an average of 62%. In addition, TPR analysts and security professionals were able to cite their own score improvements to measurably justify the RiskRecon investment and demonstrate a tangible risk reduction to other business leaders.
Benchmarking is an essential executive tool embraced by other corporate functions, yet many organizations lack cybersecurity benchmarking. RiskRecon Benchmarking delivers data-driven, objective analytics that enables TPR analysts and security professionals to baseline and compare their organization's performance against their peers. A director of information security for a healthcare organization quoted in the TEI study said, "We benchmark against other healthcare organizations, discuss our RiskRecon scores, and track each other’s performance.”
Mergers & Acquisitions
It is difficult to conduct due diligence into an organization’s IT landscape while remaining both confidential and objective. RiskRecon alleviates this challenge by providing a comprehensive understanding of a company’s internet-facing IT infrastructure, as well as insight into the software those systems run. According to the TEI study, Forrester found that using RiskRecon saves 80 hours of manual due diligence effort per M&A event. This enables customers to gain an objective understanding of any company’s IT environment and security risk.
A big obstacle for security and IT teams during the M&A process is a lack of visibility. You cannot protect something if you do not know it exists. With RiskRecon, security and/or IT teams can compare the acquisition's asset inventory with systems discovered through RiskRecon’s proprietary method and know precisely how well they’ve been tracking their digital systems.
Supply Chain Management
As our digital ecosystem expands exponentially and grows increasingly connected, the challenge of managing an organization’s risk surface multiplies. As part of our continued commitment to driving product innovation and helping organizations get ahead of attackers, we recently enhanced our cyber risk platform with extended supply chain visibility to address the uptick in supply chain attacks.
RiskRecon’s new supply chain visibility feature enables security and IT teams to identify potential access points for attackers in their organization’s supply chain, mitigate vulnerabilities, and communicate cyberattack control and mitigation plans to key company stakeholders. The supply chain visualizer builds on RiskRecon’s cybersecurity risk ratings solution to automatically pinpoint and prioritize extended supply chain risk, giving security and IT teams a map of their organization’s supply chain environment, including fourth-party software dependencies, hosting providers, and other relationships, so that critical issues can be addressed faster.
RiskRecon is the only security rating solution that delivers risk-prioritized action plans custom-tuned to match customer risk priorities, enabling organizations to efficiently operate scalable TPRM programs for dramatically better risk outcomes. Continued product enhancements like the new supply chain visibility feature and the benefits outlined in the TEI study affirm RiskRecon’s commitment to helping customers easily understand and act on their cybersecurity risks.
For more information and quantifiable business benefits of RiskRecon, download the full study “The Total Economic Impact™ Of Mastercard RiskRecon” here: https://www.riskrecon.com/forrester-riskrecon-total-economic-impact-study.