Discover Hidden Portfolio Vulnerabilities and Evolve Your Cyber Risk Management

7 minute read

March 2023

Portfolio Risk Findings highlights the risk hidden inside your portfolio when analyzed through a specific framework or profile, reporting the vendors with the most ungapped controls plus common ungapped controls across your portfolio. 

Here’s how it works: By weighing the controls and sub-controls of the CyberGRX assessment, the values are then compared with frameworks or profiles of your choosing to return a simple framework score. The lower the score, the more risky the vendor. This level of insight helps you make quick, confident decisions so your team can properly allocate resources and secure your organization. 

Portfolio Risk Findings solves many risk identification and management challenges. Let’s look at a few common scenarios where Portfolio Risk Findings can bolster your cyber risk intelligence to help you move swiftly through your day-to-day responsibilities. 

Use Case 1: Gain Context of the Risk Inside Your Portfolio

Gain context of your risk
Whether your portfolio consists of hundreds or thousands of vendors, you need to gain “context” of where your most significant risks are. After all, without knowing what’s happening in your portfolio, how can you develop a strategy to tackle the most significant vulnerabilities that can lead to complications? 

Portfolio Risk Findings gives you the power to choose the “lens” through which you want to analyze your portfolio. Choose from our library of frameworks, such as NIST, HIPAA, NERC, PCI-DSS, or a threat profile built on real-world attacks, or use one of your own. If you don’t know where to start, use one of CyberGRX’s go-to frameworks. 

View a ranking of your riskiest vendors

Once a relevant framework or profile is selected, the results offer two ways to interpret the risk in your portfolio. First, you can view a ranking of your vendors with the most ungapped controls related to the “lens” you chose to view your portfolio. The ranking allows you to determine which vendors need the most attention, whether restricting their access to data, requesting an assessment, or replacing the vendor altogether. With this information, you can begin to systematically work your way down the list of the most vulnerable vendors and begin to secure your organization. 

List of most common unmet controls

The second way to interpret the results is to view the list of the most common unmet controls across your entire portfolio and which vendors share the unmet controls. With this information, you can understand what areas of your organization are most susceptible to vulnerabilities and develop internal mitigation strategies with your security team to have defenses in place should you experience an exploit.  

Gaining the context of your portfolio is a foundational element of your cyber risk management program. With trusted data to make confident decisions, you can begin developing internal or external game plans to tackle your biggest problems. 

Use Case 2: Develop a Proactive Risk Management Program

woman working on computer

A 2020 Ponemon study surveyed nearly 900 respondents and discovered that organizations currently average 5800 third parties. Additionally, that number is expected to grow by 15% each year. With so many vendors to manage, it’s no surprise that most security teams are forced to be reactive instead of proactive. To stop being on the defensive and go on the offensive, you need to know where the hidden problems exist in your portfolio, prioritize your risks, and devise a strategy to analyze and address your biggest concerns, moving down the list from the highest to the least risk. 

By selecting the frameworks or profiles important to your business or industry, Portfolio Risk Findings analyzes all your vendors and provides you with a list of your riskiest vendors, along with the controls that leave your organization vulnerable.

With this level of cyber risk intelligence at your disposal, you’re well on your way to developing a proactive cyber risk management program. Imagine viewing each control associated with a vendor that conflicts with the relevant framework or profile you’ve selected. By evaluating each vendor control, you can:

  • Reduce data access. Take note of the control in question, visit the vendor’s profile page, and dig into the level of data access granted to that vendor. If you can reduce their access, you’re also reducing your risk. But if their level of data access cannot be reduced, your options include requesting proof of coverage, requesting an assessment, or replacing the vendor. 
  • Request proof of coverage. Ask the vendor to upload documents providing evidence of coverage regarding the specific control, completing your diligence in securing the control.
  • Request an assessment.  If the vendor is critical to your operations and must maintain a high level of data access but have too many unmet controls for your liking, request an assessment for deeper evaluation. 
  • Replace the vendor. If a vendor, whether critical or not, is not cooperating with the above, an alternative would be to replace the vendor altogether with a less risky vendor who aligns with your standards.  

Portfolio Risk Findings also offers a breakdown of the most common unmet controls and all the third parties associated with that control. With the ability to see which controls are creating foundational cracks in your current risk program, you can proactively seek out these areas of concern and begin to implement strategies with your security team, including:

  • Develop an internal mitigation strategy.  While all third parties won’t necessarily fix a potential vulnerability on their end, you can develop an internal mitigation strategy to have a response ready if a vulnerability is ever exposed.
  • Leverage risk alerts. Where Portfolio Risk Findings illuminates which vendors and controls leave you vulnerable, risk alerts, built into the CyberGRX platform, provide near-real-time vulnerability notification. Now that you know the risky vendors and controls, you can actively watch them to secure yourself from a potential breach.
  • Make confident decisions. Once you know what problems hide inside your portfolio, you know the vulnerabilities your existing vendors pose and the faults within your organization’s infrastructure. As a result, your organization can re-evaluate your relationship with certain vendors, propose limiting critical business processes, or recommend an alternative (and less risky) vendor instead. 

Use Case 3: Make Faster Vendor Decisions Confidently

man assessing cyber risk
The goal of the procurement process is to select a vendor that provides the service you need, at the right price, with little to no risk to your organization. Because Portfolio Risk Findings uncovers hidden vulnerabilities and gapped controls across vendors, the feature can help your team make confident decisions to keep your business moving forward.

To vet vendors, simply add them to your portfolio, and if they are already in the Exchange with attested data– fantastic! But if they do not exist, leverage the power of predictive data with up to 91% accuracy to evaluate these vendors. 

Once all the vendors are in your portfolio, add a custom tag to each vendor. For this example, we will use the tag, “Vetting.” 

Let’s use a hypothetical example to illustrate. Let’s say you have five potential vendors you are evaluating. Your organization wants to make a decision quickly, but you want to ensure the incoming third party does not pose new threats to your company. To start, navigate to Portfolio Risk Findings and select a framework or profile relevant to your business, industry, or specific to the vendor relationship. Next, use the “Filters” drop-down, click on “Tags,” and select the custom tag “Vetting.” 

In the results, you will see a ranking of which vendors have the most unmet controls with their respective framework score. Of your five potential vendors, three returned a score of 50 or below, while the other two scored 75 or higher. Remember, the lower the score, the more risky the third party. Thus, you can eliminate the three riskier third parties and focus your conversations on the two other vendors. 

With your new cyber risk intelligence, you and your team can avoid countless email correspondences and hours of meetings with vendors who don’t meet your requirements. Instead, focus on the vendors you know are compatible with your security standards. 

Do More Than Just Manage Risk

While Portfolio Risk Findings is a powerful tool to point your team in the right direction, the benefits continue beyond analyzing vulnerabilities in your portfolio. Use it to secure your organization with trusted data, speed up vendor procurement, and evolve your risk strategy into a proactive cyber risk management program. We invite you to book a demo to learn more about how Predictive Risk Findings can help you make risk management decisions confidently. Book a demo now.

About the author: Ahmed Siddiqui is a Sr. Product Marketing Manager at CyberGRX and loves everything about the platform, from how it’s built to discovering unique ways it can help solve customers’ daily problems. He is passionate about helping others and providing a fun environment. When he’s not cooking up a product-focused blog, he enjoys spending time in the kitchen.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit