Packaged assessments of third parties - yay or nay?

How useful and “value-for-money” do you find packaged third party assessments such as SecurityScorecard, UpGuard, RiskRecon and ISS Cyber Risk Score (among others)?

Does anyone have an example of sunshine and rainbows or buyer’s remorse to share?

In my case I’ve used UpGuard, SecurityScorecard, and Control Risks, and looked at the other two above, but the results haven’t changed my life.

EDIT: my question was with cyber security in mind, but noting the potential value of these in other “know your 3rd party” areas such as trade sanctions, modern slavery, ESG creds etc.


I have not gone the path of using these assessment tools for our Third Party Risk Management nor as an assessment of us. Instead, we publish our own information using CSA and ISO27001 control alignment. I don’t see the cost/benefit that they offer.

Further our customers when they do a risk assessment of us, they either use their own vendor platform or accept our information. Another negative to using these platforms, is if customers dont accept these as a valid or alternative to their own assessment, they are useless.

1 Like

I’ve used Black Kite and SecurityScorecard.

To my mind, there’s no doubt that empirical data about the state of the attack surface of a company provides great insight into how effective that company’s cybersecurity program is. Third-party risk questionnaires give insight into which activities a company performs in its cybersecurity program, but not how effective the outcomes are. It is outcomes that are most important. One can have a good cybersecurity program but poor outcomes by reason of environmental or organisational factors outside the program. So, these scorecard tools are in theory a great way to assess a company’s security.

However, I’m sad to say that their accuracy is in question. The data they scour from the web is often outdated or wrong attributed. I believe this is not necessarily due to a fault in the tools but due to the data they gather being of poor quality. Due to poor accuracy, there seems to be a prevalent view in the cyber practitioner community that they are not good value for money and are over-hyped.

1 Like