Vendor risk management (VRM) technologies offer the means to measure, monitor and manage risk exposure from third parties, whether they are IT vendors or other outside parties with access to enterprise information. Products in this group should deliver the management, assessment, monitoring/response and reporting capabilities needed to ensure vendors and third-party providers are performing effectively, efficiently and in compliance with an organization’s various agreements and requirements.
These technologies help customers identify cyber risk that may be hiding inside the supply chain or with critical data trading partners. The tools focus on highlighting the risk factors associated with widely tracked, top-rated organizations, and offer customized reporting for the more obscure companies that are not already covered. Solutions in this space often track a common set of organizations, actively monitoring them for risk and then reporting back to subscribers.
While much of the data is gathered from surveys and public exposure, some VRM providers also use network assessments and crowdsourced findings to gain insight into the organizations being assessed. Others go a step further and examine hacker threat analysis and dark web scans for factors that could affect risk down the road.
Most technologies in this space report risk against a standardized framework such as ISO 27001 or NIST 800-53, and some tools offer other formats as well. While this reporting is useful on its own, another popular feature is the ability to push the reports directly into an existing governance, risk and compliance (GRC) toolset through an API call.
As governance and industry compliance requirements evolve and exert their influence on the business world, eventually all organizations may need to take a long look at these technologies. This month SC Labs takes a quick look at a few leaders in the space.