Vanta’s new offering aims to help customers streamline third-party security with automated workflows for vendor security reviews and compliance.

SaaS-based security and compliance solution provider Vanta has launched a Vendor Risk Management (VRM) offering to help organizations streamline third-party vendor security reviews and due diligence.

The company claims that the new offering will automate vendor discovery, vendor assessment, and remediation workflows to significantly reduce the time and cost associated with third-party vendor risk reviews and management.

“Organizations are more reliant on third-party vendors than ever, with most companies using more than 100 SaaS vendors on average,” said Christina Cacioppo, CEO of Vanta. “The bulk of these vendors are adopted directly by employees, bypassing security reviews.”

Vanta’s VRM will be available to customers at launch as an add-on to its flagship and namesake trust management platform.

Vendor risk analysis catches on with cloud proliferation

The vendor risk management segment has picked up with the proliferation of cloud-based applications, which has made third-party applications a common attack vector for hackers, reportedly accounting for 60% of data breaches. It takes companies, on average, 280 days to discover a third-party data breach, according to a report by IBM and the Ponemon Institute.

The global VRM market, a smaller segment of the governance, risk management, and compliance (GRC) market, is expected to grow from $4.60 billion in 2020 to $13.98 billion by 2028, a compound annual growth rate (CAGR) of 14.6% over the forecast period, according to a report by Verified Market Research.

The leading players in the market include IBM, MetricStream, RSA Security, Lockpath, OneTrust, and BitSight Technologies, which provide a range of VRM solutions and services such as risk assessment and scoring, third-party due diligence, compliance monitoring, and vendor performance management.

VRM consolidates vendor onboarding and evaluation

Vanta’s new offering is designed to combine the entire vendor management process within a single, automated workflow, with the necessary integrations with third-party applications, identity providers, and database systems. This, the company said, reduces review costs by 90% compared with siloed point solutions.

Vanta can automatically discover any vendors — cloud providers, identity providers like Auth0, databases, CRM systems, and more — and the employees using them via integrations with the company’s single sign-on and identity provider (IdP) systems, according to Cacioppo.

It also ranks vendors using a risk rubric that provides better visibility into vendor-based risk. The evaluation combines a score of metrics derived from “business critical” factors that customers can adjust to their requirements.

“Vanta provides a default risk rubric out-of-the-box that considers a number of factors like the type of data being processed by the vendor, business criticality, and scope of access to internal systems and other vendors to automatically assign a risk score to each vendor,” Cacioppo said.

This ranking capability is enabled by default in the VRM and applies to every vendor as it is onboarded.

Vanta automates VRM with procurement

Beyond having Vanta’s VRM scan, rank, and manage onboarded vendors by default, “customers can also manually upload a list of vendors and users if needed and connect Vanta to their procurement process to automate requesting security reviews from new vendors,” Cacioppo added.

This automation will include transforming the traditionally manual process of answering security questionnaires into an automated library of up-to-date, web-based spreadsheets and forms, with added features such as auto-complete and support for one-off questions through a browser extension.

Additionally, Vanta’s VRM gives insight into duplicate or redundant applications, enabling organizations to make informed decisions about commissioning and decommissioning applications and thereby save costs, according to Cacioppo. The automated workflow also streamlines the tracking of compliance reports and sets periodic reminders to request updated reports.