
Where Can Third-Party Governance and Risk Management Take Us?

Part 2 in our series addressing the top 10 unanswered questions in security: How will TPGRM evolve?

Will Lin, Managing Director, Forgepoint Capital

November 15, 2022


Sophisticated breaches like SUNBURST (aka the SolarWinds hack that made headlines in late 2020) make the risk associated with third-party platforms abundantly clear. Modern organizations are increasingly depending on a variety of third parties for SaaS — everything from finance to supply chain to IT service management (ITSM).

From an operations perspective, this is great. Organizations focus less on "keeping the lights on" and more on their core value propositions. However, there's also an uncomfortable security tradeoff. If you don't control the platform, you don't completely control your — or your customer's — data, which has security and compliance implications. Similarly, the availability of critical business functions often depends on multiple external platforms, many of which can be a single point of failure.

For many organizations, simply navigating the complex dependencies and clearly defining risk appetites and mitigations are real challenges. Third-party governance and risk management (TPGRM) aims to solve this problem by analyzing and performing due diligence on risks stemming from third-party relationships.

While there are plenty of TPGRM/TPRM tools, effective risk management takes more than just tech. Deloitte's three-step process for TPGRM provides a realistic breakdown of the transformation required to leverage a TPGRM framework. To summarize the steps:

  1. Change risk and governance positioning: This step deals with the reframing of risk in an organization. Traditionally, risk has been something we eliminate. It needs to become something we manage.

  2. Understand risk appetite and lines of defense: The next step is broken into quantifying an organization's risk appetite in different contexts and identifying lines of defense against those risks.

  3. Establish a TPGRM framework: This is where the rubber hits the road. Organizations must implement strategies that leverage people, processes, and tech to help manage risk and deliver value.

Clearly, a large part of TPGRM will require qualitative input from humans, such as developing strategies or conducting detailed audits. That said, we can expect a shift toward more automation thanks to drivers like cyber insurance that are actively developing standards and measurable ways to quantify risk with analytics platforms like CyberCube.

Quantifying TPGRM Metrics

With that in mind, I expect to see the use of security portals and dashboards that quantify TPGRM metrics spike in the coming years. These portals will do for risk management what uptime monitoring platforms like Uptime Robot and Pingdom do for website monitoring: roll up the most important metrics in an easily digestible way. Like the website monitoring world, we'll see a varying level of sophistication and depth across solutions, but a standard baseline of "table stakes" metrics will emerge.

We're already seeing platforms like SafeBase make substantial progress here by automating security questionnaires and enabling vendors to share security posture across multiple categories. Risk management company Prevalent is solving similar problems with a focus on providing both IT solutions and services.

Additionally, solutions with a narrower focus are already leveraging automation to solve TPGRM problems in specific industries. For example, SignalX is addressing the problem space of financial and legal analysis in India to enable organizations to perform better due diligence before entering contracts or partnerships with vendors.

Fundamentally, these solutions demonstrate the broader trend toward standardization and automation in the TPGRM space. Tools alone aren't going to solve third-party risk management, but there is an emerging need for automated visibility into third-party risk, and that's where TPGRM tech can make a real impact.

In the years to come, I expect the winners in the space to be the tools that provide visibility into the "headline" TPGRM metrics required for cyber insurance and compliance for organizations with relatively immature TPGRM framework implementations, as well as those that can "go deep" and provide detailed analysis using AI/ML for enterprises.

Read part 1, which asks: What will replace EDR?

About the Author

Will Lin

Managing Director, Forgepoint Capital

William ("Will") Lin is a Managing Director and Founding Member at Forgepoint Capital (FPC).

Forgepoint was founded in 2015 and is investing $770M dedicated to startups protecting the digital future; FPC is currently the largest and most active team in the category.

Will is honored to be a coach for entrepreneurs at multiple companies, including Attivo Networks, Bishop Fox, Concourse Labs, Cyberhaven, LoginRadius, Remediant, Sphere, Symmetry Systems, Uptycs, and a Stealth Investment.

Will is also a Co-Founder & President of the Security Tinkerers, a non-profit organization that brings together information security professionals to share learnings, provide mentorship, and generate opportunities for the security community and its next generation of leaders. He is a Visiting Fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School. He also is a regular contributor to SecurityWeek, was named a Venture Capital Journal Rising Star, and is an avid connector in the cybersecurity entrepreneur, investor, and practitioner ecosystems.

Will holds a BA from the University of California, Berkeley, and found his calling at the intersection of IT and entrepreneurship after starting businesses to help pay for college. When not in the office, you’ll find Will on the hunt for up-and-coming restaurants or talking about startups at home with his VC spouse.

