Lately, cybersecurity seems to be everywhere, as the media covers this sensitive field more and more frequently.
Corporations tend to share their experience of a third-party data breach to show how much damage a hacker can actually cause with minimal access to an organization’s systems. Therefore, it is crucial to remember that there are other cybersecurity protection methods, tools, and services than just picking a VPN provider or creating a strong password.
To find out more about the importance of picking the right business partners, we invited Todd Boehler, Senior VP of Strategy at ProcessUnity, a platform that allows organizations to effectively manage and monitor risk from third-party vendors.
How did ProcessUnity originate? What has your journey been like?
From its inception, ProcessUnity has delivered configurable solutions for organizational risk and compliance. When we started selling made-to-order software, however, we quickly realized that the platform we had developed was powerful enough to be expanded into a full-featured SaaS solution to help companies mitigate third-party risk.
In my time at the company, I have seen ProcessUnity mature from the GRC industry’s best-kept secret to a widely recognized leader in third-party risk and cybersecurity performance management. The two biggest risks faced by any organization come from their vendors and their internal cybersecurity posture. By fine-tuning our software to address these sources out-of-the-box, we have come to provide the most intuitive, scalable, and secure risk solution on the market.
Can you introduce us to what you do? What are the main challenges you help navigate?
As the Senior Vice President of Strategy at ProcessUnity, it is my job to help organizations transition out of a manual third-party risk strategy and into an automated program that will scale with their organization’s growth.
When you track risk in spreadsheets, your organization is liable to lose information in a redundant stream of documents. In these cases, there is very low visibility across the organization – it’s impossible to get a complete picture of the organization’s risk, and what visibility you do have is hard-won through time-consuming manual processes.
When an organization decides to work with ProcessUnity, our Customer Success team helps evaluate their risk posture and configure our platform to fit their specific demands, so what was once an onerous process can now be completed in minutes.
Why do you think some organizations might not be aware of the security risks they are exposed to?
Organizations that manage their third-party risk manually lack the visibility necessary to build a comprehensive awareness of their security posture. Where ProcessUnity provides a platform for integrating third-party risk management into an organization’s business functionality, manual risk management siloes important information into a scattered series of documents.
Or, the organization struggles to manage risk on a legacy platform that has failed to keep pace with its growth. In these cases, it is just not feasible for a company to connect the dots and identify all sources of security risk. In fact, recent analyst research from GRC20/20 found that it might take an organization up to two hours per vendor to produce a risk report.
By contrast, ProcessUnity can produce the same kind of reporting in under a minute. The visibility that comes at the cost of expensive man-hours is neither comprehensive nor up to date.
How do you think the recent global events affected the way people perceive cybersecurity?
The war between Russia and Ukraine has highlighted the dramatic necessity of resilience across both vendor risk and cybersecurity risk management systems. Russian cyber warfare has compromised the security of multiple government systems in Ukraine, and experts warn that Russia could respond to sanctions with cyberattacks on American banks. Such attacks could have cascading consequences throughout an organization’s vendor population.
Even an attack on a vendor at the far reaches of the supply chain could negatively impact operations. Whether one looks at the economic effects of American sanctions or at the instability caused by Russian cyberattacks, this conflict has made it startlingly clear that organizations whose risk management solutions do not provide real-time visibility and flexible configurations are not prepared to handle the challenges of our increasingly global future.
Out of all cyber threats floating around nowadays, which ones do you think have the potential to cause the most damage?
A new company falls victim to a ransomware attack every eleven seconds. While the reality of work-from-home has opened up a variety of insecurities in organizations’ security postures, ransomware attacks have become easier to execute. Instead of taking the time to develop their own software, hackers can exploit the vulnerabilities in trusted providers to access lucrative data. This means that these attacks have become more common, with cheaper operating costs and higher payouts than ever.
To stay on top of this growing risk, organizations need a solution that provides full visibility into their cybersecurity posture. By automating and consolidating key security processes, ProcessUnity’s Cybersecurity Performance Management gives organizations the tools they need to mitigate the risk posed by ransomware attacks.
What issues can an organization run into if it doesn’t have appropriate compliance certifications in place?
As the risk landscape expands, so does regulatory response to it. Mandatory breach disclosure policies and data privacy laws have been a strict focus lately. These regulations call into question both an organization’s compliance and that of its third parties. If compliance is breached, organizations stand to face steep financial and even criminal penalties.
On top of that, they may have a tarnished reputation on their hands. The trends lately have indicated that compliance must be a baseline for risk prioritization and third-party engagements. Bare-bones compliance with regulations and standards such as HIPAA, SOC, GDPR, and more is not enough for organizations to develop a truly impermeable security posture. Instead, organizations should focus on regulatory compliance as a starting point for well-rounded security practices throughout their vendor population.
In your opinion, which industries should be especially concerned with implementing quality risk management solutions?
Organizations in every industry can benefit from the implementation of a high-quality risk management program. While a comprehensive risk solution is absolutely imperative for industries like healthcare and finance, which necessitate both strict adherence to complex regulatory guidelines and the maintenance of a large vendor network, ProcessUnity has shown that even small organizations can see a return on their risk management investments in a little over a month.
With that in mind, the question is not, “Which industries should be concerned with risk management?” Instead, the question is whether your organization’s risk management solution is flexible enough to meet your industry’s needs. ProcessUnity is dedicated to configuring our solutions to meet our customers’ needs in as precise a manner as possible.
How can organizations make sure they pick a secure third-party vendor?
Vendor onboarding is an essential process for the maintenance of a healthy third-party risk management program, but it can also be expensive and time-consuming. One ProcessUnity customer counted 89 steps in their manual onboarding process before adopting ProcessUnity Vendor Risk Management—that means countless hours and an array of team members evaluating the security posture of a single vendor.
These manual assessments waste valuable time for both the organization carrying them out and the vendor being evaluated. Redundant or irrelevant questions clog the workflow on both ends and the complexity of carrying out such a process by hand heightens the risk of human error.
By contrast, the ProcessUnity Vendor Risk Management solution lightens the load for organizations and vendors alike: Its intelligent questionnaires add and drop items to reflect the vendor’s proximity to key systems and its security posture. Questionnaires are then scored automatically, increasing visibility across the onboarding process and enabling reporting for both organizations.
Would you like to share what’s next for ProcessUnity?
We are very excited about the future. The ProcessUnity vision is to eliminate all manual procedures for gathering and evaluating third-party and cybersecurity risks. We currently offer an industry-leading platform that makes these risk management processes less labor-intensive and more cost-effective.
As we continue to develop our platform, we are incorporating cutting-edge technologies like artificial intelligence and machine learning into our risk solutions, helping organizations get to risk decisions faster with less effort.
These developments, along with our investments in additional use cases for helping both procurement and cyber functions, will mature our product into a frictionless, integrated, framework-agnostic platform that continuously analyses data across all key risk domains.