The Silicon Review
Businesses are heavily reliant on third parties to improve competitive advantage, accelerate time to market, and increase profitability. However, there are certain risks involved in maintaining third-party relationships. Third-Party Risk Management (TPRM) solutions assess, identify, and control the risks present throughout the life cycle of your third-party relationships. Without third-party risk management initiatives, businesses are left exposed to threats and negative compliance findings. The challenge is that third-party risk management can be a very manual, time-consuming process that doesn’t scale or produce an immediate return on investment.
For many businesses, third-party vendors have become an important source of strategic advantage. Prevalent, an expert third-party risk management company, accelerates the risk management process by combining intelligence and automation to eliminate security exposures and potential compliance problems traced to vendors and suppliers.
Prevalent is a TPRM solution provider based in Phoenix, Arizona. The company was founded in 2004, and provides the industry’s only purpose-built solution that combines intelligence with automation of the manual tasks of vendor management, assessment, and monitoring, enabling risk management teams to focus their time on what really matters – remediating the most critical risks.
In conversation with Kevin Hickey, CEO of Prevalent Inc.
Q. Fear of the potential loss of control is typically what prevents many organizations from outsourcing aspects of risk management. How do you protect the interest of the enterprises?
You’re right. Even though you outsource the operation, you can’t outsource the risk. That’s why it’s so important for organizations like ours to work with our customers to define operational processes for how we work together from the very start of the engagement. It’s more than just shifting the burden of working with vendors to collect and analyze due diligence to us so that you can spend your time remediating risks instead. That’s an important piece for sure, but it’s also about helping organizations build and mature their programs from the ground up based on established best practices. Outsourcing can be tricky for some organizations, but we have established processes and third-party risk management experts. They collect vendor evidence, review for completeness, and provide remediation guidance for top risks while providing a foundation for building a program.
Q. How do you help organizations to reliably achieve objectives while addressing uncertainty and acting with integrity?
Security professionals operate in a perpetual state of uncertainty. It’s not comfortable, but it’s expected. That being said, I’m a big believer in visibility – extreme clarity if you will – ensuring that everyone involved has agreed to the goals, scope, timing, what the outcome will be, how to measure it, and what success looks like. Once everyone is aligned with those pieces, then there should be few surprises. Interestingly, as a company, one of Prevalent’s core values is based on integrity. Exhibiting integrity in everything we do, holding ourselves accountable for our actions, and responding positively when encountering adversity is how we, as leaders and our teams, are measured and rewarded.
Q. Targeted attacks, compromised infrastructure, and cloud computing are three top risks for third parties. How do you address these challenges with your solution?
Our solution is built to enable our customers to automate the process of assessing their third parties against more than 50 industry standard or regulatory frameworks. Each of these assessments contains specific questions asking third parties to demonstrate the controls they have across dozens of physical and logical security domain areas. This helps to bring visibility into your third party’s processes for revealing and defending against targeted attacks and compromised infrastructure, and what their cloud and data security practices are. Once a third party has completed an assessment in the Prevalent platform, and the assessor has been notified, they will see the answers to all questions in a single risk register – including all the risks and deficiencies compared to the thresholds you set. That enables you to quickly zero-in on the highest-risk areas and work with the third party to implement remediation guidance to resolve the issue to your organization’s risk tolerance. All the while, there is reporting that clearly shows the level of that third party’s compliance with policies. What is very intelligent about our solution is the integrations we have with other security tools. Those integrations enable our customers to consume cyber and business risk intelligence from a multitude of sources to inform better risk-based decisions.
Q. How can third party operations directly impact the reputation of the company hiring them?
Many data breaches are the result of a third party in some way, and each of them has consequences for not only the third party but for the contracting company as well. For example, the breach at the medical collection firm that supported both LabCorp and Quest Diagnostics resulted in that firm filing for bankruptcy protection due to the fines and lost business it encountered, and there is a class action lawsuit against both LabCorp and Quest. That hurts brand value – not to mention the most important thing, customer trust. That breach also triggered Congressional inquiries. Another example is the famous Target breach, perpetrated by a phishing attack against an employee of their HVAC vendor, which resulted in millions in lost profits. Finally, bad security practices at a third-party vendor can even slow down acquisitions or introduce risk to those deals, as we saw with Marriott/Starwood.
Q. What are your trajectories for the next 5 years?
There is so much upside potential in the risk management market with no shortage of problems to solve, which makes it exciting to see the innovation and new market entrants. We see nothing but growth in the next five years, with some consolidation along the way.
Meet the leader behind the success of Prevalent
Appointed as CEO in January 2019, Kevin Hickey brings a strong history of software operations, strategy, and capital fundraising to his position as Chief Executive Officer. He joined Prevalent from BeyondTrust, where he led a successful turnaround that doubled the company’s revenue. Kevin joined BeyondTrust by way of the acquisition of eEye Digital Security, where he served as CEO and Chairman. Under Kevin’s leadership, eEye experienced significant growth, launched several market-first security solutions, and returned to category leadership. Prior to joining eEye, Kevin was CEO of NetPro Computing, where he helped grow the business before concluding its successful sale to Quest Software. Kevin has also served as the president and CEO of Homebid.com, where he secured funding and eventually sold the business to industry leader HomeStore.com. During his seven years as president and COO at Viasoft Inc., Kevin led the company through a successful initial public offering prior to its sale. Kevin started his IT career at IBM, serving in several key marketing and executive business management roles.