RISK MANAGEMENT

Third-party cyber risk automation

A customer faced challenges in assessing the cyber risks of their third-party vendors due to a manual and time-consuming process.
February 22, 2023

Introduction

As businesses increasingly rely on third-party vendors and partners for critical services, it has become essential to assess and manage the associated cyber risks. However, traditional manual methods of third-party risk assessment can be time-consuming, expensive, and error-prone. To address these challenges, our cyber risk automation platform provides an innovative solution for third-party risk assessment and management. In this case study, we'll examine how our platform helped a company automate their third-party risk assessment process, reduce costs, and improve overall cyber posture.

Client

A large multi-brand and omnichannel retailer.

Challenge

Our customer's Cyber Security team faced significant challenges in understanding the potential cyber risk exposure from their third-party agencies. The process was manual and time-consuming, and the risk-scoring methods they were using did not provide sufficient visibility into the practices for storing customer PII data. Furthermore, they lacked the level of business engagement and transparency they needed to make sound, calculated business decisions about which agencies to use while protecting themselves from risk exposure. This lack of visibility and engagement hindered the team's ability to partner with business teams and executive leadership to identify the best cost and quality options.

Solution

Alfahive's cyber risk automation platform is the solution for third-party risk assessment and automation. The platform's pre-curated control questions can be tailored to meet the specific needs of an organization. The platform offers a simple and easy-to-use workflow for third parties to answer the control questions and provide evidence. It also supports multi-threaded responses from multiple individuals. Machine learning techniques are used to validate responses and rank control maturity. The platform continuously ingests cyber risk ratings and contextualizes them with internal control assessments. It provides a comprehensive score and detailed remediation recommendations based on an outside-in and inside-out view. The entire process is standardized and repeatable, and the platform can be used to schedule, repeat, and monitor the assessment on an ongoing basis.

Implementation

Our customer was able to implement cyber risk automation for all the selected third parties on the Alfahive platform within a short timeframe of just 4 weeks. With the platform's recommendations and planning modules, they were able to quickly implement changes and improve their overall cyber risk posture. The dashboards and reporting from the platform allowed them to collaborate with their vendor management and business teams to evaluate control criteria for their existing third-party agencies, as well as establish a process for onboarding new agencies using the automated score from the Alfahive platform.

Results

  • Improved speed and reduced cost: After implementing the Alfahive platform, our customer was able to improve their speed by approximately 60% and reduce costs by around 50%. The platform performed the assessments on the third parties in a matter of a couple of weeks, which demonstrated actionable insight and value. This is in contrast to the months the team had previously spent on assessments. Additionally, the customer is able to project a reduction of headcount needed for the assessments from 5 to 2 by using the Alfahive platform.
  • Comprehensive cyber risk view with inside-out and outside-in analysis: As a result of the implementation of the Alfahive platform, the customer was able to gain a comprehensive view of the cyber risk exposure from their third-party agencies. Prior to this, they were only able to view the risk from an inside-out or outside-in perspective, but not both together. The platform was able to identify a case where an agency was rated A+ by an external attack surface monitoring tool but did not have basic controls such as an information security policy or background checks for employees with access to customer PII data. This new level of visibility provided a significant advantage to the customer, enabling them to take meaningful actions to address these issues and improve their overall cyber risk posture.
  • Improved business engagement through Alfahive planning and reporting dashboards: The Alfahive planning and reporting dashboards were instrumental in enabling our customer to improve their business engagement score. The platform provided a comprehensive view of the risk exposure. This allowed the customer to work collaboratively with the business team on a solution and vendor evaluation criteria, resulting in buy-in from the board and executive leadership.

Summary

In this case study, a customer faced challenges in assessing the cyber risks of their third-party vendors due to a manual and time-consuming process. They chose the Alfahive cyber risk automation platform to assess and automate the internal controls of their third parties. The platform used machine learning techniques and pre-curated control questions to validate responses and rank control maturity. As a result, the customer was able to improve speed by approximately 60% and reduce costs by approximately 50%, while gaining comprehensive visibility into their cyber risks based on both inside-out and outside-in views. Additionally, the customer was able to use the platform's planning and reporting dashboards to collaboratively work on solutions and vendor evaluation criteria with business teams, resulting in an improved business engagement score.

We invite forward-looking organizations to take advantage of our free-of-charge two-week value discovery pilot with our platform and join us in our approach to automate the cyber risk assessment for third parties.
