Editor's Note: This article was originally published on www.pulse2.com.
Prevalent is a company that takes the pain out of third-party risk management (TPRM). Companies use Prevalent’s software and services to eliminate the security and compliance exposures that come from working with vendors and suppliers throughout the third-party risk management lifecycle. Pulse 2.0 interviewed Prevalent’s CSO and COO, Brad Hibbert, to learn more about the company.
Hibbert brings over 25 years of executive experience in the software industry, aligning business and technical teams for success. Hibbert said:
“I joined Prevalent from BeyondTrust, where I provided leadership as COO and CSO for solutions strategy, product management, development, services and support. I joined BeyondTrust via the company’s acquisition of eEye Digital Security, where I helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.”
“Prior to eEye, I served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years, I have attained many industry certifications to support my management, consulting, and development activities. I have a Bachelor of Commerce, Specialization in Management Information Systems, and an MBA from the University of Ottawa.”
How did the idea for the company come together? Hibbert shared:
“Prevalent came about to solve the soul-crushing process of assessing third-party vendors or suppliers, which is typically performed using manual, spreadsheet-based methods. We offer a solution that includes pre-built questionnaire templates that vendors can answer and upload evidence to, risk-scoring thresholds based on answers, automated document risk and validation analysis, workflow capabilities to route risks to owners, sharing networks, and built-in remediation requirements to suggest to vendors. Plus, we add external cyber, business, operational, reputational, and financial risk insights to validate assessment findings and add a real-time and proactive element to third-party risk management.”
“Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors and suppliers throughout the third-party risk management lifecycle. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.”
What has been your favorite memory working for Prevalent so far? Hibbert reflected:
“There are three memories that stand out. First is the day we acquired 3GRC to provide the foundation for our next-generation TPRM approach. Second is the day we achieved our leadership position in the Gartner Magic Quadrant for IT VRM. And third, the day our NPS first surpassed +50, where it has remained. These milestones represent a lot of hard work, innovation, and an unrelenting focus on delighting our customers. We live for that!”
What are the company’s core products and features? Hibbert explained:
“1.) The Prevalent Third-Party Risk Management Platform is our solution that automates the vendor risk management lifecycle – sourcing/selection, intake, and onboarding, inherent risk scoring, assessments, monitoring, remediation, SLA monitoring, and offboarding.
2.) Vendor Threat Monitor complements the Platform, providing real-time insights into cyber, business, reputational, and financial risks.
3.) Vendor Risk Assessment Services are managed services provided by our Risk Operations Center that manage the vendor lifecycle on the customer’s behalf, from onboarding and management of vendors to assessment design, collection, analysis, and remediation.
4.) Global Vendor Intelligence Networks include on-demand access to 15,000+ constantly updated vendor intelligence profiles backed by continuous cyber, business, reputational, and financial insights on 500,000+ companies.”
What challenges has Hibbert faced in building the company? Hibbert acknowledged:
“As the TPRM market evolves, we’re seeing more teams involved in managing a third-party relationship. Your view of a third party has to change as more teams get involved, so we see this as the evolution from third-party risk management to third-party lifecycle management. From a program perspective, I would say the three top barriers, or bottlenecks are:
1.) Departmental Coordination: Primarily between Procurement and Security teams. Security teams can be delayed getting lists of vendors to assess and monitor. Procurement teams might not have the relationship insights to refine profiling and tiering to right-size the diligence. Diligence might be done after contracts are signed. All of this happens when Procurement and Security teams aren’t in sync.
2.) Volumes of Data to Analyze: Between completed assessments; ISO, SOC 2 and other security documentation; monitored events and more, you need tools like NLP, advanced data analytics, and large language model support to automate a variety of TPRM processes to make sense of it all. This automation is required for companies to move beyond identifying risks to doing the most important task – remediating them.
3.) Availability of Skilled Resources: Despite talk of “economic uncertainty” we really haven’t seen a huge economic slowdown – the economy is growing, there’s a healthy labor market, etc. That being said, with a healthy labor market there’s always the challenge of finding skilled resources – and this is especially pronounced in IT security. Customers look to us to help fill that skills gap in third-party risk.”
How has the company’s technology evolved since launching? Hibbert noted:
“Since we came to market 20 years ago, we became the first company to introduce the concept of vendor risk sharing networks; an integrated, native, continuous monitoring and assessment approach (instead of siloed tools); comprehensive end-to-end in-house managed services; and an AI virtual third-party risk advisor. We have also expanded our lifecycle-based managed services and introduced third-party incident response, contract lifecycle management, and RFx management to expand our value proposition beyond TPRM.”
When I asked Hibbert about the company’s funding and revenue metrics, he pointed out:
“Our private equity partners are Insight Venture Partners and Fulcrum Equity Partners. Because we are privately held we do not share our revenue metrics.”
What total addressable market (TAM) size is the company pursuing? Hibbert assessed:
“According to Future Market Insights, the TPRM market was valued at $5 billion in 2022, growing at 14.7% per year.”
What differentiates Prevalent from its competition? Hibbert affirmed:
“When companies choose us, they say that we are differentiated by:
1.) Flexibility: The widest choice of products, networks and managed services available to meet you wherever you are in your program maturity; and the greatest number of pre-built questionnaire template options available in a vendor risk management solution.
2.) Expertise: Prevalent’s Global Risk Operations Centers employ Certified Third-Party Risk Professionals (CTPRPs) ready to do the hard work of vendor onboarding, assessment and remediation management for you.
3.) Breadth: The largest network of completed, industry-standardized vendor surveys and intelligence, combined with the world’s first – and only – vendor marketplace for self-assessments accelerate the vendor risk assessment process.
4.) Unified & Proactive solution: Prevalent is the only vendor risk management solution to natively integrate continuous cyber and business monitoring with assessments to provide a complete view of vendor risks.
5.) Innovation: We were the first TPRM solution to embrace AI to automate business processes and analytics through our virtual risk advisor, Alfred.”
What are some of the company’s future goals? Hibbert concluded:
“We will continue to embrace AI pragmatically to help customers address real-world TPRM challenges where there is a clear benefit and use case.”