Third Party Risk Management Tools

Cloud Advisor
3 min read · Feb 8, 2022

Manually identifying and tracking risk is tedious at best. A surprising number of companies, however, track Cyber Risk using spreadsheets and SharePoint lists. This can work well for small businesses, but does not scale. In practice, there are thousands of potential threats, which vary for each IT asset. To get a true picture of the threat landscape, automation is required.

Below is a small selection of IT Risk Management (ITRM) vendors. Larger vendors, such as Archer, offer risk management as part of an expanded suite, which may or may not be as effective as some of the dedicated ITRM vendors.

Balbix

Balbix Dashboard

Balbix positions itself as the “Cybersecurity Posture Automation Platform”: according to the vendor, it automatically analyzes the enterprise attack surface using specialized AI to provide a “100x more accurate” view of breach risk. According to Gartner, Balbix’s product has a reputation for streamlined deployment and accurate asset identification.

A useful feature of Balbix lets you visualize the enterprise attack surface by plotting assets against their associated attack vectors, where every point on this surface represents a potential area of compromise, and therefore risk. According to Balbix, the attack surface for a typical mid-sized enterprise with 5,000 employees has over 50 million such data points, and for larger enterprises this number explodes to 100 billion or more.

Balbix appears to have a high degree of automation: it ingests data from existing security tools such as Qualys, Rapid7 and Tenable, as well as from direct observation by its own specialized sensors. The data goes through multiple transformations (normalization, de-duplication across tools, and scoring) before it is presented as actionable insights.
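To make the asset-by-vector view and the multi-tool ingestion concrete, here is an added example that is not Balbix’s code and does not use any vendor’s real export format: a small Python script that merges constructed findings from several scanners into one record per (asset, attack vector), scores each cell of the resulting matrix, and ranks what to fix first. The finding fields, the “sensor” source, the asset values and the likelihood weights are all assumptions made for the example.

```python
# Added example (hypothetical, not Balbix's code or any scanner's real schema):
# build an asset x attack-vector risk matrix from constructed scanner findings.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample findings in the rough shape that scanner exports take.
# Field names and the "sensor" source are assumptions for this example.
SCANNER_FINDINGS: List[dict] = [
    {"source": "qualys",  "asset": "web-01",    "vector": "unpatched-software", "cvss": 9.8, "exposed": True},
    {"source": "tenable", "asset": "web-01",    "vector": "unpatched-software", "cvss": 9.8, "exposed": True},
    {"source": "rapid7",  "asset": "web-01",    "vector": "weak-credentials",   "cvss": 7.5, "exposed": True},
    {"source": "tenable", "asset": "db-02",     "vector": "unpatched-software", "cvss": 8.1, "exposed": False},
    {"source": "qualys",  "asset": "laptop-17", "vector": "phishing",           "cvss": 6.5, "exposed": False},
    {"source": "sensor",  "asset": "laptop-17", "vector": "misconfiguration",   "cvss": 5.3, "exposed": False},
]

# Business impact of losing each asset, on a 0..1 scale (assumed values).
ASSET_VALUE: Dict[str, float] = {"web-01": 0.7, "db-02": 1.0, "laptop-17": 0.3}


def normalize(findings: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Merge findings from all tools into one record per (asset, vector).

    Two scanners reporting the same weakness is one point on the attack
    surface, not two, so duplicates are collapsed; the most severe CVSS and
    the widest exposure seen by any tool are kept.
    """
    merged: Dict[Tuple[str, str], dict] = {}
    for f in findings:
        key = (f["asset"], f["vector"])
        rec = merged.setdefault(key, {"cvss": 0.0, "exposed": False, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f["cvss"])
        rec["exposed"] = rec["exposed"] or f["exposed"]
        rec["sources"].add(f["source"])
    return merged


def likelihood(cvss: float, exposed: bool) -> float:
    """Crude likelihood that a vector is exploited: CVSS scaled to 0..1,
    halved when the asset is not reachable from the internet (assumed weights)."""
    return (cvss / 10.0) * (1.0 if exposed else 0.5)


def risk_matrix(findings: List[dict], asset_value: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Assets on one axis, attack vectors on the other; each cell is
    likelihood x impact, i.e. one 'data point' of the attack surface."""
    matrix: Dict[str, Dict[str, float]] = defaultdict(dict)
    for (asset, vector), rec in normalize(findings).items():
        matrix[asset][vector] = likelihood(rec["cvss"], rec["exposed"]) * asset_value[asset]
    return dict(matrix)


def breach_risk(matrix: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Per-asset risk that at least one vector succeeds, treating the cell
    scores as independent probabilities (a simplifying assumption)."""
    result: Dict[str, float] = {}
    for asset, vectors in matrix.items():
        survive = 1.0
        for score in vectors.values():
            survive *= 1.0 - score
        result[asset] = 1.0 - survive
    return result


def prioritize(matrix: Dict[str, Dict[str, float]], top_n: int) -> List[Tuple[str, str, float]]:
    """Flatten the matrix and return the highest-risk (asset, vector) cells first."""
    cells = [(a, v, s) for a, vectors in matrix.items() for v, s in vectors.items()]
    cells.sort(key=lambda c: c[2], reverse=True)
    return cells[:top_n]


if __name__ == "__main__":
    m = risk_matrix(SCANNER_FINDINGS, ASSET_VALUE)
    for asset, risk in sorted(breach_risk(m).items(), key=lambda kv: kv[1], reverse=True):
        print(f"{asset:10s} breach risk {risk:.2f}")
    for asset, vector, score in prioritize(m, 3):
        print(f"  fix {vector} on {asset} (cell risk {score:.2f})")
```

The point of the de-duplication step is that three scanners pointed at the same host produce three rows in a spreadsheet but only one cell on the attack surface; once the matrix grows to thousands of assets and hundreds of vectors, keeping that merge correct by hand is exactly what stops scaling.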

See also the Balbix CyberRisk Quantification: A CISO Executive Guide.

IBM OpenPages

IBM OpenPages

IBM OpenPages is a risk and governance platform with a centralized module for managing regulatory initiatives. It uses IBM Watson AI to support the first line of defense (the business functions that own and manage risk day to day) as well as the subsequent lines (risk and compliance oversight, and internal audit).

MetricStream

MetricStream’s Enterprise GRC Solution provides a holistic and collaborative approach to GRC, and is reputed to have a clean, intuitive interface, which helps user adoption. Key capabilities include: Enterprise Risk Management, Regulatory Compliance Management, Internal Audit Management, and Third-Party Risk Management.

NAVEX Global Lockpath

NAVEX Global offers four standalone products: (1) Business Continuity Management & Planning; (2) Privacy, Risk & Compliance Management; (3) Third Party Risk Management; and (4) Health & Safety Management.

SureCloud

SureCloud helps manage and mitigate risk through its combination of Governance, Risk, and Compliance (GRC) software solutions. GRC products include: IT & Cyber Risk; Compliance; Third Party Risk; Internal Audit; IRAM2 Risk Management; and more.

SureCloud is a Challenger in the 2021 Gartner Magic Quadrant for IT Risk Management and includes ITRM capabilities as part of its broader GRC platform. It supports a diverse set of risk assessment approaches, including ISF IRAM2, ISO 27005, ISO 31000, NIST SP 800-30, CIS RAM, and PCI DSS and HIPAA risk assessments.

Cloud Advisor

Tips, tricks, tools, and musings about Cloud, Risk Management, and CyberSecurity by Les Waters.