Third-Party Security Risk is an Inevitable Pressing Frontier in Cybersecurity
Written by Avery E. Schwartz - Partner
The rise in attack surface area vulnerable to third-party breaches is a natural outcome of the direction that digital advancements have taken in recent years. The “as a Service” model, for example, has unlocked key gains in productivity and innovation, but by definition this model requires granting access to and sharing data with third parties. And with an average of approximately 500 third-party relationships for even a typical midsize enterprise, these exposures add up.
It’s no surprise then that the Ponemon Institute found that over half of organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information.
We see third-party security risk as a next major frontier in cybersecurity, as legacy tools for managing third-party vendors and risk – Excel spreadsheets, rigid questionnaires, one-and-done assessments – are simply not doing the job. Meanwhile, third-party breaches are rising in prominence (SolarWinds, Accellion, Kaseya, Codecov, etc.), coming under increased regulatory scrutiny within GDPR and NYDFS, and consequently becoming a board-level threat vector and priority for organizations.
Tackling Third-Party Security Risk Starts with Intuitive Table Stakes
Panorays’ platform for tackling third-party risk is built on providing a set of table stakes that are a basis for a next-generation solution:
(i) Cloud-based platform – All records and correspondence are conducted via and/or saved on a SaaS-delivered product that navigates workflow, can be queried, and produces reports with one click
(ii) Smart questionnaires – Adapting questions according to the context of a vendor’s business relationship enables more granular probing of areas of interest and ignoring others, as opposed to solving for the “least common denominator”
(iii) Continuous monitoring – After the initial assessment at onboarding, vendor security posture should be continuously scanned for any changes that may constitute a meaningful change in risk that should prompt further assessment
Panorays Takes It to the Next Level
When we reviewed and spoke with customers about the Panorays solution in the context of the broader market, we understood first of all that many other players in the market were not even providing the table stakes; however, we were particularly impressed by several differentiating elements:
(iv) Risk context – Panorays layers into its assessment both the nature of the relationship with the third party (e.g. what data is being shared) as well as the evaluating company’s own cybersecurity posture
(v) 360-degree risk score engine – Unlike others who may provide elements such as the questionnaire or scanning as independent SKUs, Panorays has built an integrated engine that combines the inputs from the scanning, questionnaire and risk context into a risk score, making it a much more informed abstraction that can be a guiding KPI, tracked over time, and shared at the board level
Breaking the Security/Trust Tradeoff
Typically, greater security means less trust, which often means increased friction in business processes. At the top, we highlighted that increased third-party security risk is a function of digital advancements that are boosting productivity. And so the founding team at Panorays has been forward-looking from inception about not only securing the enterprise, but also reducing the onboarding friction that typically delays important commercial relationships.
This has made Panorays a favorite of vendors, who benefit from the modernized platform, increased transparency, and speed of the process. In addition, the more companies work with Panorays the more efficient they become, avoiding the repetitive work of filling out the same questions on every new questionnaire. Evaluation times for vendors typically go down dramatically for enterprises using Panorays (from 9 weeks to 9 days), a true win-win!
Because Panorays is providing value at the intersection between companies, in every deployment the platform is organically touching additional companies that may not be customers. This results in exponential exposure of the company’s brand as it grows, as well as usage on its platform by many potential customers (almost all vendors are also evaluators for their own company’s third-party security program).
The company is pressing the gas on this strategy by offering vendors a free way to present their security posture in an easily consumed “Security Passport,” which can effectively start the evaluation process from the midway point rather than from zero.
The Holy Grail
By facilitating transparent communication to both sides of the evaluation, Panorays is taking meaningful steps towards the holy grail – becoming the “universal dial tone” for the complex communication that needs to happen between a vendor and the onboarding enterprise.
While it is difficult at this point in time to envision what the big winners of this next frontier of breach vulnerabilities (coming from third-party risk) will look like (such as CrowdStrike in endpoint, arguably the preceding frontier of breach vulnerability), we believe that becoming the standard platform for how security posture is communicated and evaluated can have powerful effects in helping to contain third-party security risk, with even broader potential applications.
Keys to Success
While Panorays has positioned its product superbly to date, there is still significant execution to be done between now and when some of the company’s lofty goals are realized. That’s just the (beautiful and exciting) nature of the stage.
The challenges for the company have clearly shifted from “zero to one” to “one to n” in nature, as it aims to continue its incredible traction (500% growth in client base).
As an early growth fund, we at Greenfield Partners invest almost exclusively at or around this stage, and so we are familiar with, and aim to be helpful around, the scaling of the business, particularly the “go-to-market” elements.
However, we nonetheless place a significant emphasis on quality of leadership and company culture. The style and balance of leadership between CEO Matan Or-El, CTO Demi Ben-Ari, and COO Meir Antar gave us confidence in their ability to navigate the high-level strategic questions as well as the inevitable bumps at the ground level, and made us want to be a part of their journey.
The team culture they set the tone for is positive and robust – there is a great energy in the Panorays offices that we believe will allow them to continue to attract top-flight talent to join the good fight.
We could not be more excited to work with Matan, Demi, Meir, and the Panorays team, as well as Eden Shochat from Aleph and Dan Petrozzo from Oak HC/FT on the company’s board, to support achieving the company’s vision, and we look forward to the journey ahead.