Voice of the Assessor

Voice of the Risk Assessor

Part 1. My journey to cyber risk automation:

My cybersecurity journey began in early 2020. Up until then, I had worked only in Sales since college. And while I liked helping to solve hard problems for customers, what I really wanted was a career that combined my love of technology with my passion to help people.

So my new career began at a tech startup that provided managed services for third-party risk management to the healthcare industry. Working closely with hospitals and health systems on a daily basis in a client engagement role, it wasn’t long before I realized how painful the third party risk process is for health systems:

• Vendor risk assessments take way too long – up to 2 months or more, which frustrates both clinical and business leaders at the health system as well as the vendor
• Nothing is automated. Health systems have to manually collect and manage a significant volume of vendor data using only emails and spreadsheets
• Vendor data is often incomplete, out-of-date, and there is often no visibility into the risk of all the discrete products and services offered by vendor

The entire process is broken. So, as 2020 began, I was eager, excited, and hopeful that I would be able to help fix this process and make a difference in my new role. Working in both client-facing and technical roles, I was responsible for getting the vendor to complete risk questionnaires, analyzing responses and assessing the risk, creating corrective action plans based on the risks identified, and presenting summary reports to health system executives.

While I loved working with hospitals, it wasn’t long before I became frustrated. I knew in my heart that I wasn’t delivering on our promise to my customers, and, increasingly, I felt powerless to really ‘move the needle’ on third party risk for my customers. As I look back now, it’s no wonder why I struggled to make a difference at that company:

• There was no automation or meaningful technology at my disposal. Managing third party risk manually with spreadsheets and legacy applications was extremely time consuming and laborious. Many times, it felt more like I had a job in data entry, rather than cybersecurity. It was almost impossible to move faster for my customers, even when I wanted to be more productive and responsive. And, to be honest, I never felt quite comfortable that I had an accurate and complete understanding of a customer’s true exposure to third party risk.
• Project management was outsourced to lower-performing consultants. Very often, this practice slowed down the vendor data collection process and delayed assessment completion times. These consultants, based offshore, would often make multiple mistakes in the data collection process and would routinely ask vendors for the wrong type of data (e.g., sending a questionnaire for IT software to a medical device manufacturer). The whole process was uncoordinated, siloed, and prone to human error. I spent a lot of mornings correcting mistakes.
• The lack of automation made continuous risk reduction extremely difficult. Best practice dictates that third party risk management is not a one-time activity – vendors (and all their products and services) must be routinely re-assessed across their entire lifecycle with updated data and documentation. But this is nearly impossible with only manual tools and processes. My team and I often felt like we were always one-step behind and simply didn’t have the resources to sufficiently assess, reassess, and mitigate the risk for a large portion of a customer’s key vendors.

As my frustrations grew, so did my concerns – an increasing number of ransomware attacks were targeting hospital operations, putting patient safety at direct risk. So after two years at that company, I wanted to do more to help hospitals and health systems face these malicious cyber threats and deliver on their promise to patients.

This brought me to Censinet.

What stood out first about Censinet was the network. Providers, payers, and vendors all collaborate inside in a cloud-based “risk exchange” to share data and strengthen mutual risk posture. So, when prompted, vendors can securely share that cyber risk data with providers instantly – no need for outside consultants to badger vendors to fill out questionnaires, and no delays in kicking off the assessment.

It’s been only a few months, but it’s a night and day difference in performing assessments. I am the senior risk assessor supporting Censinet’s hybrid delivery model – where customers can choose to mix utilization of our automated platform and our managed services offering to ensure 100% risk coverage of all third parties.

Here, third party risk management is totally automated – so the risk assessment process is highly efficient, effective, and incredibly fast. In fact, I can get a first-time assessment done in days, not months. Censinet lives and breathes best practice (and then automates it), so we perform reassessments for all third parties across the entire lifecycle. With new automation capabilities, these reassessments are done in hours, not days.

My favorite part of the risk assessor role is interacting with customers – not only to ensure we deliver value as a company, but to help them to continuously manage and mitigate third party risk. With Censinet’s automated corrective action plans (CAPs), risk scoring, and risk summary reporting, I can spend time on analysis – not data entry – and provide customers with real, actionable insights to maximize risk reduction every day. Human errors, duplicative work, and spreadsheets are a thing of the past, so both the customer and I can trust we have complete and accurate risk visibility across the entire third party ecosystem.

My journey to cyber risk automation has only just begun, but I like what I see 🙂