What's the best third party & supplier risk management software on the market today?

Governance, Risk & Compliance Risk Management

Aravo TPRM5%

BitSight Security Ratings43%

Galvanize ThirdPartyBond14%

Black Kite Cyber Risk Rating System11%

OneTrust17%

Other (please share below)6%

565 PARTICIPANTS

4.1k views3 Upvotes4 Comments

Sort by:

Chief Information Security Officer4 months ago

RiskCognizance.com a proactive approach to identifying and managing risks, not just meeting compliance. Using full third-party risk management with attack surface for third-party validation.

CISO in Softwarea year ago

Auditive.io is an interesting new one

Fractional CIO in Services (non-Government)4 years ago

There is always a lot of "it depends" in a question like this.

It depends on:

The problem you are trying to solve
The market you are in
Your requirements
Your budget.

Etc.

Associate Vice President, Information Technology & CISO in Education4 years ago

Check out UpGuard. Not a fan of Bitsight and their practices. Also Security Scorecard was quite expensive. UpGuard provided the same functionality at a tenth of the cost of Bitsight (depending on your negotiation skills hah).

Content you might like

What sorts of challenges have you encountered in adapting your governance framework to address AI adoption across business units, and how are you attempting to resolve these?

How does your cyber compliance team stay informed about new and changing regulations impacting your organization's compliance? Additionally, how are cyber compliance teams tracking, measuring and reporting on internal compliance?

How do you give access to your data sources at your organization? (i.e. Oracle, MySQL, SQL Server, MongoDB)

Internal applicaiton to share37%

Export data in excel to share55%

Direct access to data source39%

Using reporting tools to share out data34%

Other (please share below)2%

View Results

‘AI’ Business Model – With many components flowing into the AI domain (cost, data, E&C, people, value, strategy, duplication of everything, etc.), I’ve started to think about splitting out ‘AI’ from the operating model and putting it into a separate legal entity. This way, I could manage a) risk and compliance, b) cost, c) resource allocation, d) governance, e) IP, f) revenue generation, etc.

Of course, this isn’t new in general, but I’m especially interested in how this approach could help with the ongoing challenge of ensuring compliance with data privacy and regulations related to LLMs and data access/usage over time.

My question: Is anyone else thinking about this, or has anyone already done it? I know there are examples in the literature, but I wanted to float this here for general comments and discussion.

Does your org use Protection-level agreements (PLAs) when planning cybersecurity investments?

Yes, always25%

Sometimes49%

No, never17%

Not yet, but we're going to start5%

What's a PLA?2%