Voice of the Assessor

Post Summary
This post shares the journey of a Censinet risk assessor and how automation is revolutionizing third-party risk management in healthcare.
The assessor struggled with manual processes, outdated tools, and inefficiencies in third-party risk management.
Censinet automates risk assessments, reducing completion times from months to days and ensuring accurate, real-time risk visibility.
Automation eliminates manual errors, accelerates assessments, and enables continuous risk monitoring across the vendor lifecycle.
The hybrid model combines automation with managed services, ensuring 100% risk coverage for all third parties.
Censinet’s cloud-based risk exchange allows providers, payers, and vendors to securely share data and strengthen mutual risk posture.
Voice of the Risk Assessor
Part 1. My journey to cyber risk automation:
My cybersecurity journey began in early 2020. Up until then, I had worked only in Sales since college. And while I liked helping to solve hard problems for customers, what I really wanted was a career that combined my love of technology with my passion to help people.
So my new career began at a tech startup that provided managed services for third-party risk management to the healthcare industry. Working closely with hospitals and health systems on a daily basis in a client engagement role, it wasn’t long before I realized how painful the third party risk process is for health systems:
- Vendor risk assessments take way too long – up to 2 months or more, which frustrates both clinical and business leaders at the health system as well as the vendor
- Nothing is automated. Health systems have to manually collect and manage a significant volume of vendor data using only emails and spreadsheets
- Vendor data is often incomplete, out-of-date, and there is often no visibility into the risk of all the discrete products and services offered by a vendor
The entire process is broken. So, as 2020 began, I was eager, excited, and hopeful that I would be able to help fix this process and make a difference in my new role. Working in both client-facing and technical roles, I was responsible for getting the vendor to complete risk questionnaires, analyzing responses and assessing the risk, creating corrective action plans based on the risks identified, and presenting summary reports to health system executives.
While I loved working with hospitals, it wasn’t long before I became frustrated. I knew in my heart that I wasn’t delivering on our promise to my customers, and, increasingly, I felt powerless to really ‘move the needle’ on third party risk for my customers. As I look back now, it’s no wonder why I struggled to make a difference at that company:
- There was no automation or meaningful technology at my disposal. Managing third party risk manually with spreadsheets and legacy applications was extremely time consuming and laborious. Many times, it felt more like I had a job in data entry, rather than cybersecurity. It was almost impossible to move faster for my customers, even when I wanted to be more productive and responsive. And, to be honest, I never felt quite comfortable that I had an accurate and complete understanding of a customer’s true exposure to third party risk.
- Project management was outsourced to lower-performing consultants. Very often, this practice slowed down the vendor data collection process and delayed assessment completion times. These consultants, based offshore, would often make multiple mistakes in the data collection process and would routinely ask vendors for the wrong type of data (e.g., sending a questionnaire for IT software to a medical device manufacturer). The whole process was uncoordinated, siloed, and prone to human error. I spent a lot of mornings correcting mistakes.
- The lack of automation made continuous risk reduction extremely difficult. Best practice dictates that third party risk management is not a one-time activity – vendors (and all their products and services) must be routinely re-assessed across their entire lifecycle with updated data and documentation. But this is nearly impossible with only manual tools and processes. My team and I often felt like we were always one step behind and simply didn’t have the resources to sufficiently assess, reassess, and mitigate the risk for a large portion of a customer’s key vendors.
As my frustrations grew, so did my concerns – an increasing number of ransomware attacks were targeting hospital operations, putting patient safety at direct risk. So after two years at that company, I wanted to do more to help hospitals and health systems face these malicious cyber threats and deliver on their promise to patients.
This brought me to Censinet.
What stood out first about Censinet was the network. Providers, payers, and vendors all collaborate inside a cloud-based “risk exchange” to share data and strengthen mutual risk posture. So, when prompted, vendors can securely share that cyber risk data with providers instantly – no need for outside consultants to badger vendors to fill out questionnaires, and no delays in kicking off the assessment.
It’s been only a few months, but it’s a night and day difference in performing assessments. I am the senior risk assessor supporting Censinet’s hybrid delivery model – where customers can choose to mix utilization of our automated platform and our managed services offering to ensure 100% risk coverage of all third parties.
Here, third party risk management is totally automated – so the risk assessment process is highly efficient, effective, and incredibly fast. In fact, I can get a first-time assessment done in days, not months. Censinet lives and breathes best practice (and then automates it), so we perform reassessments for all third parties across the entire lifecycle. With new automation capabilities, these reassessments are done in hours, not days.
My favorite part of the risk assessor role is interacting with customers – not only to ensure we deliver value as a company, but to help them to continuously manage and mitigate third party risk. With Censinet’s automated corrective action plans (CAPs), risk scoring, and risk summary reporting, I can spend time on analysis – not data entry – and provide customers with real, actionable insights to maximize risk reduction every day. Human errors, duplicative work, and spreadsheets are a thing of the past, so both the customer and I can trust we have complete and accurate risk visibility across the entire third party ecosystem.
My journey to cyber risk automation has only just begun, but I like what I see 🙂
Key Points:
What is the "Voice of the Assessor" blog about?
- The blog highlights the journey of a Censinet risk assessor and their transition from manual, inefficient processes to automated third-party risk management.
- It provides insights into how Censinet’s platform is transforming healthcare cybersecurity by automating risk assessments and improving operational efficiency.
What challenges did the assessor face before joining Censinet?
Before joining Censinet, the assessor encountered several challenges, including:
- Manual processes: Reliance on spreadsheets and emails made risk assessments time-consuming and error-prone.
- Outdated tools: Legacy systems lacked automation, leading to inefficiencies and incomplete risk visibility.
- Project delays: Offshore consultants often made mistakes, slowing down vendor data collection and assessment completion.
- Inability to reassess risks: Continuous risk monitoring was nearly impossible due to resource constraints and manual workflows.
These challenges hindered the assessor’s ability to deliver timely and accurate risk assessments, impacting healthcare organizations’ cybersecurity resilience.
How does Censinet’s platform improve risk assessments?
Censinet’s platform automates the entire third-party risk management process, offering:
- Faster assessments: Reducing completion times from months to days.
- Real-time risk visibility: Providing accurate, up-to-date insights into vendor risks.
- Automated corrective action plans (CAPs): Streamlining remediation efforts for identified risks.
- Lifecycle reassessments: Ensuring continuous monitoring and risk reduction across the vendor lifecycle.
By eliminating manual errors and inefficiencies, the platform enables assessors to focus on analysis and actionable insights.
What is the role of automation in third-party risk management?
Automation plays a critical role in:
- Eliminating manual errors: Reducing the risk of human mistakes in data collection and analysis.
- Accelerating assessments: Completing first-time assessments in days and reassessments in hours.
- Enabling continuous monitoring: Ensuring vendors are reassessed regularly with updated data and documentation.
- Improving accuracy: Providing complete and reliable risk visibility across the entire third-party ecosystem.
Automation allows healthcare organizations to stay ahead of emerging cyber threats and maintain operational resilience.
What are the benefits of Censinet’s hybrid delivery model?
Censinet’s hybrid delivery model combines:
- Automated platform capabilities: Streamlining risk assessments and reporting.
- Managed services: Offering expert support to ensure 100% risk coverage for all third parties.
This approach allows healthcare organizations to:
- Scale their risk management efforts efficiently.
- Address resource constraints by leveraging Censinet’s expertise.
- Achieve comprehensive risk visibility and mitigation across their vendor ecosystem.
How does Censinet enhance collaboration in healthcare?
Censinet’s cloud-based risk exchange fosters collaboration among providers, payers, and vendors by:
- Securely sharing cyber risk data: Enabling instant access to vendor information without delays.
- Strengthening mutual risk posture: Promoting transparency and trust across the healthcare ecosystem.
- Eliminating silos: Streamlining communication and data sharing to improve efficiency.
This collaborative approach helps healthcare organizations build a more resilient and secure environment for patient care.



