Vanta’s new offering aims to help customers streamline third-party security with automated workflows for vendor security reviews and compliance. Credit: CIS SaaS-based security and compliance solution provider Vanta has launched a Vendor Risk Management (VRM) offering to help organizations streamline third-party vendor security reviews and due diligence.The company claims that the new offering will automate vendor discovery, vendor assessment, and remediation workflows to significantly reduce the time and cost associated with third-party vendor risk reviews and management.“Organizations are more reliant on third-party vendors than ever, with most companies using more than 100 SaaS vendors on average,” said Christina Cacioppo, CEO of Vanta. “The bulk of these vendors are adopted directly by employees, bypassing security reviews.” Vanta’s VRM will be available to customers at launch as an add-on to its flagship and namesake trust management platform. Vendor risk analysis catches on with cloud proliferationThe vendor risk management segment has picked up with the proliferation of cloud-based applications, which has resulted in third-party applications emerging as a common attack vector for hackers, with a reported contribution of 60% to overall data breaches.It takes companies, on average, 280 days to discover a third-party data breach, according to a report by IBM and the Ponemon Institute. The global VRM market, which is a smaller segment of the governance, risk management, and compliance (GRC) market, is expected to grow from $4.60 billion in 2020 to $13.98 billion by 2028, at a compound annual growth rate (CAGR) of 14.6% during the forecast period, according to a report by Verified Market Research.The leading players in the market include IBM, MetricStream, RSA Security, Lockpath, OneTrust, and BiSight Technologies, providing a range of VRM solutions and services such as risk assessment and scoring, third-party due diligence, compliance monitoring, and vendor performance management.VRM consolidates vendor onboarding and evaluationVanta’s new offering is designed to combine the entire vendor management process within a single, automated workflow with necessary integrations with third-party applications, identity providers, and database systems. This, the company said, reduces review costs by 90% as opposed to siloed point solutions.Vanta can automatically discover any vendors — cloud providers, identity providers like Auth0, databases, CRM systems, and more — and the employees using them via integrations with the company’s single sign-on, and identity providers (IdP) systems, according to Cacioppo.It also employs a vendor ranking system through a risk rubric that provides better visibility into vendor-based risks. This evaluation combines a score of metrics derived from “business critical” factors that customers can adjust based on their requirements.“Vanta provides a default risk rubric out-of-the-box that considers a number of factors like the type of data being processed by the vendor, business criticality, and scope of access to internal systems and other vendors to automatically assign a risk score to each vendor,” Cacioppo said. This ranking capability is defaulted with the VRM and applies to all vendors as and when they are onboarded.Vanta automates VRM with procurementApart from signing up Vanta’s VRM to scan, rank and manage onboarded vendors at default, “customers can also manually upload a list of vendors and users if needed and connect Vanta to their procurement process to automate requesting security reviews from new vendors,” Cacioppo added.This automation will include transforming the traditionally manual process of answering security questionnaires into an automated library of up-to-date, web-based spreadsheets and forms with added features such as auto-complete and one-off questions with a browser extension.Additionally, Vanta’s VRM gives insight into duplicative/redundant applications, enabling organizations to make informed commissioning and de-commissioning of applications efficiently, thereby saving costs, according to Cacioppo. The automated workflow also streamlines tracking compliance reports and installs periodic reminders to request updated reports. Related content news analysis Chinese threat actor engaged in multi-year DNS resolver probing effort The unusual and persistent probing activity over the span of multiple years should be a reminder to organizations to identify and remove all open DNS resolvers from their networks. By Lucian Constantin Apr 30, 2024 7 mins Cyberattacks Network Security news Securiti adds distributed LLM firewalls to secure genAI applications The new offering is aimed at protecting against prompt injection, data leakage, and training data poisoning in LLM systems. By Shweta Sharma Apr 30, 2024 4 mins Generative AI news UnitedHealth hackers exploited Citrix vulnerabilities, CEO to testify In the written testimony before the House Energy and Commerce Committee, CEO Andrew Witty said after gaining access, the threat actor moved laterally within the systems using sophisticated methods and exfiltrated data. By Prasanth Aby Thomas Apr 30, 2024 3 mins Hacker Groups Cyberattacks Vulnerabilities opinion Close the barn door now! Avoid the risk of not monitoring retained access before it’s a problem There’s usually a strict protocol for granting access to systems or data to a new employee or contractor. But there are perils in not keeping tabs on that access as that person moves around or leaves. By Christopher Burgess Apr 30, 2024 6 mins CSO and CISO Access Control Human Resources PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe