Vendor Risk Assessments in 60 Minutes

When information security teams are overburdened, evaluating vendor and enterprise risks can quickly consume far too much time and budget. Many organisations rely on a one-size-fits-all assessment, delivering a selection of PDFs, MS Word documents, Excel spreadsheets, and emails linking to a variety of online portals. These assessments are inflexible and time-consuming, and allow only a limited amount of data to be processed. The review process also ends up frustrating both staff and vendors, the makings of an efficiency nightmare.

Assessing vendors for cyber risk is important and necessary, particularly if you share data with an external party, yet a cyber risk assessment currently takes 4 weeks on average per entity to complete. The good news is that it doesn’t have to be that way. This article shows how cyber risk assessments can be completed to the same level of detail in as little as 60 minutes, radically improving the efficiency and effectiveness of vendor risk assessments.

An Efficient Solution – Does It Exist?

Everyone can agree that in 2021, organisations are no longer single entities, but rather interconnected networks of third parties. While third party relationships are critical for businesses to succeed, they also leave more data vulnerable to breach. Hence the reason due diligence must be completed thoroughly and completely.

Traditional vendor risk management tactics are no longer enough to keep your data safe. Questionnaires and risk assessment documents are often subjective. Because vendors have most likely completed tens, hundreds or more assessments, they may be comparing different questionnaires to one another rather than answering each on its own terms. It is also human nature to want to answer in the affirmative, so questionnaires are often returned with mostly positive responses. It is the answers to assessment questionnaires that are important, not the questionnaire process per se.

When responding to complex assessment questions, recipients will often refer to existing content and documents, like security policies, audit reports and regulatory report submissions. Black Kite takes this further by providing the first solution that auto-completes cyber risk assessment questionnaires simply by requesting the third party to upload existing policy and audit documentation to the Black Kite Portal.

Black Kite’s Universal Parsing Engine

Black Kite gives you a complete view of your organisation’s cyber risk across three assessment dimensions: technical, financial and compliance.

Figure 1: Black Kite dashboard

The Universal Parsing Engine uses advanced pattern matching algorithms to parse and extract unstructured text from policy documents and then automatically applies it to the relevant questions in security questionnaires (Figures 2 and 3).

Figure 2: Black Kite Universal Parsing engine – extracted content


Figure 3: Black Kite automatically extracted text from policy and mapped to risk assessment question in questionnaire

The process takes around 5 minutes and generally auto-responds to 70%+ of questions, providing significant time and effort savings for the recipients and for the company assessing the vendor’s risk. Furthermore, responses are then automatically cross-referenced to 10+ risk and compliance frameworks (such as ISO 27001, NIST CSF and GDPR) for cross-regulatory comparison.
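To make the idea concrete, here is a deliberately simplified illustration of the pipeline described above: split a policy document into sentences, match each questionnaire question against them with patterns, report the completeness percentage, and cross-reference answered questions to framework controls. This is an added example, not Black Kite’s engine or its code; the policy text, questions, patterns and control mappings are all constructed for the demonstration.

```python
import re

# Constructed sample policy fragment (not a real vendor document).
POLICY_TEXT = """
All production data at rest is encrypted using AES-256.
Access to systems is granted on a least-privilege basis and reviewed quarterly.
Security incidents are reported to the security team within 24 hours of discovery.
"""

# Constructed questionnaire: question text, regex patterns that would evidence a
# "yes", and illustrative framework controls it cross-references (assumed mappings).
QUESTIONS = {
    "Q1": ("Is data encrypted at rest?",
           [r"\bencrypt\w*\b.*\bat rest\b", r"\bat rest\b.*\bencrypt"],
           ["ISO 27001 A.10", "NIST CSF PR.DS-1"]),
    "Q2": ("Is access granted on a least-privilege basis?",
           [r"least.privilege"], ["ISO 27001 A.9", "NIST CSF PR.AC-4"]),
    "Q3": ("Are incidents reported within a defined time?",
           [r"incident\w*\b.*\bwithin \d+ hours"], ["ISO 27001 A.16", "NIST CSF RS.CO-2"]),
    "Q4": ("Is a penetration test performed annually?",
           [r"penetration test\w*\b.*\bannual"], ["ISO 27001 A.12", "NIST CSF ID.RA-1"]),
}

def split_sentences(text):
    """Crude sentence splitter: break on ., ! or ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]

def auto_complete(policy_text, questions):
    """Map each question to the first policy sentence matching one of its patterns.
    Unanswered questions are left out so a reviewer can see what still needs evidence."""
    answers = {}
    sentences = split_sentences(policy_text)
    for qid, (_, patterns, _) in questions.items():
        for sentence in sentences:
            if any(re.search(p, sentence, re.IGNORECASE) for p in patterns):
                answers[qid] = sentence  # the matched sentence is the evidence pointer
                break
    return answers

def completeness(answers, questions):
    """Percentage of questions with an auto-extracted answer, rounded to a whole number."""
    return round(100 * len(answers) / len(questions))

def framework_coverage(answers, questions):
    """Cross-reference answered questions to the framework controls they evidence."""
    covered = {}
    for qid in answers:
        for control in questions[qid][2]:
            framework = control.rsplit(" ", 1)[0]  # e.g. "ISO 27001" from "ISO 27001 A.10"
            covered.setdefault(framework, set()).add(control)
    return covered
```

Each auto-filled answer carries the sentence it came from, so the assessor can verify the evidence rather than trusting a bare "yes"; unmatched questions (Q4 here) are exactly the ones that still need a human response.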

In Figure 1, Elasticito’s Black Kite dashboard can be seen. The top right “Compliance Rating” of the company is 97%. In Figure 4 below, the Black Kite software indicates that the Completeness level of the Compliance Rating is 33%. Figure 5 illustrates the positive difference, in percentage terms, that uploading a single policy document makes to the overall rating.

Figure 4: Elasticito compliance rating completeness

Figure 5: Elasticito compliance rating completeness after uploading a single policy document

The Bottom Line

The current way of assessing third party risk with questionnaires that need to be completed by human beings is slow, inefficient and cumbersome. The truth is that it does not have to be that way.

As a result of Black Kite’s innovative software, what once took weeks now only requires an hour. Imagine the valuable time you will be returning to not only the information security department, but also sales, legal, IT and other departments throughout your organisation.

Elasticito will be hosting an informative webinar on Thursday 18 March 2021 where the innovative Black Kite software will be demonstrated live. Register here – we look forward to assisting you in your journey towards efficiency.