SaaS-based security and compliance solution provider Vanta has launched a Vendor Risk Management (VRM) offering to help organisations streamline third-party vendor security reviews and due diligence.
The company claims that the new offering will automate vendor discovery, vendor assessment, and remediation workflows to significantly reduce the time and cost associated with third-party vendor risk reviews and management.
“Organisations are more reliant on third-party vendors than ever, with most companies using more than 100 SaaS vendors on average,” said Christina Cacioppo, CEO of Vanta. “The bulk of these vendors are adopted directly by employees, bypassing security reviews.”
Vanta’s VRM will be available to customers at launch as an add-on to its flagship and namesake trust management platform.
Vendor risk analysis catches on with cloud proliferation
The vendor risk management segment has grown with the proliferation of cloud-based applications, which has made third-party applications a common attack vector for hackers, reportedly contributing to 60% of all data breaches.
It takes companies, on average, 280 days to discover a third-party data breach, according to a report by IBM and the Ponemon Institute.
The global VRM market, which is a smaller segment of the governance, risk management, and compliance (GRC) market, is expected to grow from $4.60 billion in 2020 to $13.98 billion by 2028, at a compound annual growth rate (CAGR) of 14.6% during the forecast period, according to a report by Verified Market Research.
The leading players in the market include IBM, MetricStream, RSA Security, Lockpath, OneTrust, and BitSight Technologies, which provide a range of VRM solutions and services such as risk assessment and scoring, third-party due diligence, compliance monitoring, and vendor performance management.
VRM consolidates vendor onboarding and evaluation
Vanta’s new offering is designed to consolidate the entire vendor management process into a single, automated workflow, integrated with third-party applications, identity providers, and database systems. This, the company said, reduces review costs by 90% compared with siloed point solutions.
Vanta can automatically discover vendors (cloud providers, identity providers like Auth0, databases, CRM systems, and more) and the employees using them, via integrations with the customer’s single sign-on (SSO) and identity provider (IdP) systems, according to Cacioppo.
It also ranks vendors using a risk rubric, giving better visibility into vendor-related risk. The evaluation combines scores on metrics derived from “business critical” factors that customers can adjust to their own requirements.
“Vanta provides a default risk rubric out-of-the-box that considers a number of factors like the type of data being processed by the vendor, business criticality, and scope of access to internal systems and other vendors to automatically assign a risk score to each vendor,” Cacioppo said.
This ranking is enabled by default in the VRM and applies to every vendor as it is onboarded.
Vanta automates VRM with procurement
Beyond having Vanta’s VRM scan, rank and manage onboarded vendors by default, “customers can also manually upload a list of vendors and users if needed and connect Vanta to their procurement process to automate requesting security reviews from new vendors,” Cacioppo added.
This automation includes turning the traditionally manual process of answering security questionnaires into an automated library of up-to-date, web-based spreadsheets and forms, with features such as auto-complete and support for one-off questions through a browser extension.
Additionally, Vanta’s VRM gives insight into duplicative or redundant applications, enabling organisations to make informed, efficient decisions about commissioning and decommissioning applications and thereby save costs, according to Cacioppo.
The automated workflow also streamlines the tracking of compliance reports and sets periodic reminders to request updated reports.