Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions

TAG Cyber Interview: Managing Third-Party Risk Using Prevalent

An interview with Brad Hibbert, Prevalent CSO & COO, from the latest TAG Cyber Quarterly Report.
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer
July 14, 2022
Blog tag cyber quarterly interview 0722

Editor's Note: The following interview with Prevalent's Brad Hibbert was originally published in the TAG Cyber 2022 Security Annual - 3rd Quarter and is reprinted here with permission.

Significant cybersecurity challenges have emerged for enterprise teams, which include operational concerns and compliance issues. A fundamental problem is that enterprises cannot expect perfect visibility into the security ecosystem of suppliers and partners, resulting in risks to data, systems and shared resources.

Prevalent is a leader in providing commercial solutions for managing third-party risks to security and compliance exposure. TAG Cyber wanted to learn more about how this third-party security capability could be deployed to reduce cyber risk.

What are some of the key risks that enterprise teams experience with third-party vendors, suppliers and partners?

Our customers see risks across six broad categories. First, there is cybersecurity, which includes risks to data and systems via outside intrusions through a third party. Next are business risks, such as a third party’s lack of resilience when faced with operational challenges or disruptions due to pandemics or natural disasters. Financial risks are when third-party vendors and suppliers experience financial troubles, bankruptcy or have a poor credit rating. Examples of Environmental, Social and Governance (ESG) risks include a supplier having a poor environmental record, being accused of using illegal labor or not practicing overall effective corporate governance. Reputational risks—such as negative news, product recalls, executive misconduct and sanctions—can also be cause for concern. Finally, compliance risks comprise things like GDPR findings, failed audits, bribery, corruption or ethical problems. While cybersecurity and data-protection risks garner the most attention, many of the other risk types carry regulatory weight behind them, too.

How does your platform work during the Third-Party Risk Management (TPRM) lifecycle?

We start by automating the RFP process by adding demographic, fourth-party, ESG, business, reputational and financial insights to help procurement teams incorporate risk intelligence to vendor selection decisions and pre-contract due diligence. Next, we automate the migration of a selected vendor into contracting by centrally tracking all contracts and attributes with workflow and version control. Once a vendor is selected and contracted, we issue profiling and tiering assessments to calculate inherent risk scores. With this data, companies can categorize vendors and make decisions on the scope of further due diligence.

We also offer a library of more than 100 questionnaire templates and custom surveys to assess third parties on a wide range of criteria—from InfoSec and data privacy to ESG and financial solvency. We take the answers from these surveys and populate a central risk register that can be used to view and act on risks. We also provide reporting by regulation and frameworks to simplify how data is presented, as well as manage remediations down to an acceptable level of residual risk.

Because a lot can happen in between regular assessments, we continuously track and analyze externally observable threats to vendors and other third parties. We help organizations through centralized dashboards that manage and track third-party performance to contractual requirements. Finally, we automate contract assessments and offboarding procedures to reduce an organization’s risk of post-contract exposure.

TAG Cyber Security Annual - Q3 2022

The TAG Cyber Quarterly includes original works from TAG analysts, including interviews with icons in the cybersecurity industry. Get complimentary access to the 112-page report.

Read the Report at
Feature tag cyber security annual q3 2022

What is the role of visibility in third-party risk management and how does your platform optimize such visibility?

The old maxim is true: You can’t manage what you can’t measure. And I would add: You can’t measure what you can’t see. Enterprise risk visibility is at the core of our platform. It starts with procurement—gaining pre-contract visibility into risks like vendor finances, data breaches or compliance problems—and extends to offering a single role-based platform that multiple enterprise teams can use to view the risks that matter to them. We do this through customized, role-specific dashboards and reporting.

Tell us more about how you support TPRM through the use of your vendor risk network.

Our networks are on-demand libraries containing thousands of vendor risk reports that are continuously updated and backed by supporting evidence. Customers use the networks—Exchange, Legal Vendor Network and Healthcare Vendor Network—to get a jump start on their vendor due diligence process by gaining immediate access to completed assessments, helping them scale their programs so they can shift their time and energy from hounding vendors to identifying and remediating exposures.

Can you share some insights into the future of TPRM in the coming years?

We see TPRM moving towards greater levels of outsourcing, involving more enterprise teams and risk types, as well as evolving to a more continuous model and going deeper in certain industry verticals. First, enterprises rely on an ever-widening network of third parties, while also facing an expanding web of geopolitical risks, regulatory requirements and cybersecurity threats. Unfortunately, most companies manage these risks by using manual processes that place a greater emphasis on risk identification than risk remediation. Over the next several years, organizations trying to scale effective TPRM risk programs will hit a wall, causing them to adopt more automated and proactive approaches, such as leveraging external business process outsourcing firms and/or dedicated purpose-built external TPRM software.

Next, enterprises are being pressured by a range of stakeholders—including regulators, investors and consumers—to improve visibility and oversight of their exposure to third-party risk. While organizations may begin by focusing primarily on cyber threats, they will see the need to enable risk-based decisions by proactively assessing and monitoring a more comprehensive risk profile throughout the third-party relationship. This will require the rationalization and harmonization of technology, processes (workflow) and people.

Departments and teams will need to consider risk in all activities and decision making, including activities that are currently more focused on operational efficiency. Teams responsible for everything from sourcing and onboarding new vendors to managing their performance over time will continue to consume risk intelligence from similar data sources (e.g., a comprehensive risk profile) and begin to leverage insights from their peers in supporting contract negotiations and discussions related to their respective workstreams.

Enterprises will also continue to enhance third-party programs by utilizing integration, automation, intelligence networks and analytics to continuously assess and monitor their extended supply chains more closely. Finally, enterprises in certain verticals will continue to adopt sharing networks to accelerate risk identification and place a greater focus on risk remediation. These sharing networks will evolve beyond assessment sharing to intelligence sharing as enterprises and third parties design, embrace and enforce open communication to proactively share insights related to cyber, compliance, incidents, performance and more.

2014 04 10 Headshot Brad Suit
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo