An interview with Anders Norremo: Current state of third-party risk management
by Hannah Trum, Senior Marketing Specialist
ENCRYPTED INTERVIEW SERIES
The Paubox Encrypted Interview Series allows us to chat with leaders in healthcare IT, compliance, and cybersecurity to pick their brains on trends and best practices.
In this Encrypted Interview, we chat with Anders Norremo, CEO & Founder at ThirdPartyTrust.
Sierra Reed: Anders, thanks so much for joining us today.
Before you founded ThirdPartyTrust, what was your role at Firm58?
Anders Norremo: Hey, Sierra! Thank you so much for having me. I appreciate it.
Well, I’ll give you a little bit more about my background. I was born and raised in Stockholm, Sweden, and I came here in 1999. That was the height of the dot-com boom era, when many cool ideas and different businesses were getting started.
I wanted to be where the action was, so I packed my bag and went to the US. I studied computer science and information systems at Purdue University.
After that, I took a job at Accenture for several years. I did a lot of traveling, learned a lot about systems integrations, the development lifecycle, and so forth.
Really, what I wanted to do, and that’s why I came to the US, was start a business. The next logical step for me was to join a really early-stage company.
Firm58, it was a great company. We had a lot of success, selling to banks, broker-dealers, and exchanges. We were a SaaS vendor, so we were handling a lot of their sensitive data.
My role was on the management team there, and I led two teams. One was the customer support team, and the other one was the team that implemented the technology for our customers.
Sierra: Okay, great.
What drove you to pursue entrepreneurship and create ThirdPartyTrust?
Anders: That’s a tough one. Why did I want to do it? I don’t know. I just had the itch very early.
My dad was part of starting a company. He had a lot of success back in Sweden. So, I kind of just had that drive very early on. That’s something that I wanted to do.
I’ve always been a builder. I like working on things. I enjoy working on my house. I like working on my car, even. So, those things are fun to me.
I always wanted to build something, and this was a very natural outlet for that.
Sierra: Nice, that makes sense.
I know you mentioned you’re from Sweden! I’ve been to Sweden, love Sweden. It’s a very, very beautiful place.
Anders: Yeah, yeah. Thank you.
Not that many people have been, but it’s a unique place, very beautiful, friendly people. I encourage you, if you are traveling in that area of Europe, to stop by.
So Sierra, let me just go back to the second part of that question.
The first was what drove me to pursue entrepreneurship, and I didn’t have a great answer, but again, I can’t even explain it.
Creating ThirdPartyTrust, that’s a different story. That’s an easier thing to explain.
So at my time during Firm58, I was having a great time, but again, I did always want to start my own business. What I started doing was making small angel investments in companies, just a handful. What that meant was, I was seeing a ton of new, brilliant people and new businesses starting.
I got to meet a lot of entrepreneurs, hearing kind of what they were going through. I invested in some of them, but for me, it was just fascinating to hear kind of what they were doing and what people were working on.
For me? I was in pursuit of a good idea. Whatever company you build, it’s got to be big enough for a business, right? There’s a lot of ideas, but there’s no scale to them. I was pursuing this “Hey, what can I do that could be a business?” and I kicked around a few ideas.
And the one that stuck was this idea about ThirdPartyTrust.
In my role at Firm58, I was leading the customer-facing aspect of the company. What that means is the customers would come to me with issues, questions, whatnot.
If you think about the nature of Firm58 and what we were doing, we were taking very sensitive data, which is common to a lot of SaaS companies. We’re handling very sensitive data, we were analyzing it, and we added value to it. We were, maybe, billing customers.
But what that means is these banks and broker-dealers would hand off a tremendous amount of data to us. It’s very sensitive, due to regulation or whatnot. These banks and broker-dealers had to do third-party risk management. They had to do the due diligence to ensure that we were safeguarding their information correctly according to their standards.
Okay, and as Firm58 grew, I found myself on the receiving end of more and more of these. So, when we hit 50 customers, I would get in my inbox on any given week this email with a gigantic spreadsheet. It ranged anywhere from 40 to 400 questions around our security policies and procedures.
Immediately I knew that my week was shot because we had to respond to these questionnaires that were a key part of the agreement with our customers, but they’re very time-consuming.
I quickly realized that all these different requests from our customers had a tremendous amount of overlap in what they were looking for.
Bottom line, what do they want? They wanted to make sure that we were safeguarding their data and handling it the right way, and that they weren’t exposing their company to a potential data breach.
So, it comes in the form of 40 questions or 400 questions. There’s so much redundancy in that process because it is so manual. As a vendor, I could experience that pain point of being on the receiving end of those questionnaires.
That was kind of where I was sitting.
So, what I did is I went to my customers and asked them, “Hey, this 400-question spreadsheet that you’re emailing me, how many of these do you do per year?” and I was shocked that they were sending it to maybe 300, 400, 500 different vendors yearly.
That’s where I kind of realized, “Hey, this is not just a pain point for me. My customers are struggling with getting this done.” And the tooling, they had like these big, heavy GRC tools that didn’t do an excellent job of scaling this process or automating much of it at all.
So I started doing more and more research around this problem that I had just stumbled upon. What I realized was a few things: it was a massive market, it was early, and it was mostly banks back then, like five years ago.
It was early, and again I felt that this was something that could be a global issue, which turned out to be true. It wasn’t just the big Fortune 100 companies. It went down to much, much smaller companies.
If you’re looking at a business, you need a big TAM or total addressable market. When you have something that is industry agnostic, size agnostic to a certain point, and geographically agnostic to a certain point, that’s when you have a really, really big business.
So, what we ended up doing because of that was pursuing this and looking at it in a little bit more detail.
Sierra: That’s great.
You found a challenge, and then you found a solution.
What’s the biggest challenge that you faced personally starting ThirdPartyTrust?
Anders: I think it’s prevalent with early-stage companies, but there are a few things that go into different stages.
The first thing that’s really tough is finding the right co-founders.
I didn’t; I did not do that. So, I had to pursue this on my own. That was really, really difficult.
The second part was, okay, now you have an idea. Partially, what you need to do is convince someone to put money into an idea. So, raising the initial $150,000 or so that started the business took a very long time and is very time-consuming and challenging.
Now you have the money, and now you need to convince some developers to join a team that’s going to: a) not make the market salary, b) believe in the vision, c) be willing to work on this brand new project, and d) have relatively low job security, I would say. Again, that stage was difficult.
Then once you’ve got the developers, you have to start getting to work. Now you have to build something. It was me and two developers who spent the first year heads down trying to bang out an “MVP,” trying to figure out what we can take to market as quickly as possible, get some revenue in the door. Then continue this idea, bring in revenue, raise a little more money, hire more people, and get that spinning wheel going.
That stage was challenging. Then the next stage, which is nearly impossible, is finding the first customer. I was lucky because I had made some friends along the way who raised their hand and said, “Hey, I will pilot this.”
So, that’s how I got my first customer, which is difficult.
Then repeating that sales cycle beyond the “friendlies,” that’s also really difficult.
I would say every stage is unique. Every stage is very difficult. It’s kind of in aggregate. When you look at it and you say, “Hey, you know, what’s the hardest?” I don’t know. They’re all challenging.
I would say the one superpower that I have is that I could shift and work throughout all those phases. I had to learn how to sell. I had to be a better developer. I had to recruit. I had to do all these different things.
Up until pretty recently, I wore 15 hats on any given day.
I would come home at night and just be exhausted. I couldn’t even open my eyes because I’ve been context switching so much. I would sit with a developer looking at code, then immediately back to back into a demo for a sales meeting, then switching off to something else.
It’s challenging. I would say entrepreneurs who make it have a knack for figuring out and doing many of these different things, not being so specialized in one area.
Sierra: Right. As a consumer, I always wonder what transpires and how you get to the point that you are in today. So, thank you for sharing all of this great information.
How has the platform itself evolved since you started?
Anders: Oh, gosh. I remember some of the first demos I did. I built the dashboard, and it was just hardcoded. We couldn’t switch accounts. It was just a hardcoded dashboard. You know that by the time we got through contracting, this thing would be real if that ever happened.
Initially, it was kind of a half-built product with some things that were kind of in flight. We were missing some core functionality, I would say.
I think over time, we just never stopped. It’s been five years now. Every day, the team and I wake up, and we’re working on just evolving it.
It’s different from yesterday, it’s very different from how it was a year ago, and it’s almost miles apart from what it was two years ago or so.
The core mission is the one thing people ask about: “Have you thought about pivoting?” or “Did you pivot?” For me, the answer’s no. I never pivoted the core idea of what ThirdPartyTrust is. It hasn’t changed.
We spent a lot of time doing it the right way the first time. We did not build a platform that we then had to throw away and build a new one from scratch. We built it somewhat the right way the first time. We’ve been able just to maintain it and keep building on it from that point until now.
A significant change, I guess.
If I think about what changed, we have some great integration partners that have changed the value prop.
So we have a core offering around third-party risk management, questionnaire management, lifecycle management around that use case, but what we do is we start fitting in all these different puzzle pieces. It’s part of that due diligence that companies are doing.
We have the big cyber rating providers all integrated, like BitSight and RiskRecon. We have financial vendor viability automatically integrated. This year, we also did a partnership with the geopolitical risk provider called Supply Wisdom. Now we have put geopolitical risk information around vendors.
We did one around credential exposures, and we just did one around privacy, scoring companies’ privacy posture automatically.
What we’ve done is we’ve created almost like a single pane of glass around the use case of third-party risk management. I would say it’s been a significant change, and if you look at where we started, I didn’t think that I was going to be doing as much as we are doing today.
Also, our partnerships with Optiv and GuidePoint for delivering managed services around third-party risk management; we power that offering. That’s another one that’s not necessarily a product change, but it’s a significant change in ThirdPartyTrust’s go-to-market strategy and how we reach customers, because Optiv and GuidePoint have significant sales forces, so we’re kind of leveraging them to get the customers.
Assessing third-party risk management
Sierra: Okay, great.
Let me ask you, what do you see organizations struggling with the most when it comes to assessing third-party risk?
Anders: Sure, yeah.
I’ll take a step back then.
Again, when I started the business, I looked at a couple of things: “Hey, all right. The problem today as it sits, how big is it? Will it be big or smaller tomorrow or in the future?” There were three key factors that I identified that were going to drive this up.
One was the sheer number of third-parties.
The second one was the breaches due to third-parties. A lot of the examples out there happen to be third-parties that have gotten breached, and their customers, the big enterprises, end up in the news.
The third one is regulation.
We saw regulation early in banking, like I mentioned, which then crept into insurance, which went into energy and utilities. That went into privacy regulation in different states; you name it. So regulation has really pushed it.
So what that means for companies is a bigger and bigger need. They all face those three same factors. They have more vendors. The risk of a breach keeps going up, and regulation is forcing companies to take action.
Where companies really struggle is, “How do I start and scale a program? What tooling can I use to get through this without having to add bodies to the process?”
Budgets are minimal, and even if you had the budget, how do you find people with expertise that could do this?
Companies are struggling with that to figure out, “How do I find people? What do I do?”
Companies’ natural inclination is to just do it manually with the tools they have: emails and spreadsheets. Well, that doesn’t scale; it’s extremely time-consuming. It’s frustrating for both parties.
Also, it doesn’t get you great results. You get through a process, and you might be gathering data, but the critical thing that we always talk about is what are you doing with that data.
Gathering data for the sake of gathering data is like a rocking chair. It gives you something to do but doesn’t really get you anywhere. So this should be about risk reduction.
What you need to do is quickly be able to get data, then make decisions and push for changes for the better at that third-party and be targeting what you do. Have them change things that will materially change and improve their security posture. That’s how you lower risk.
What companies mostly struggle with is starting up a process and scaling that process. They might have an approach that scales to let’s say, 20 or 40 vendors a year, but in reality, they need to do 400.
Well, they can’t 10x the resources; that’s impossible. They don’t have the tooling to do this. We try to come in with a platform and a new approach to how this should be done. We’re using data-driven decisions for when you go deeper in your assessment and when you can step back and say, “The data that our partners provide to us is good enough; I’ve assessed it.”
The critical thing that we really stress is: don’t use a one size fits all approach.
Every vendor type needs a different approach, like SaaS vendor versus someone developing code for you. That’s two completely different vendors. The controls that you need to worry about are really, really different.
Another one would be law firms.
With law firms, I would say, look at email security. Do they have Paubox or something like that? Something installed that’s really securing their email communication? That’s important for law firms.
For a SaaS company, how are you encrypting data in transit? At rest? What are your development practices? Again, these are entirely different controls that you want to look at and make sure that they have in place.
Companies right now are taking a one-size-fits-all approach. That’s kind of shooting at the side of the barn with a shotgun. It doesn’t really do much; you get really wide spread, but it doesn’t do much.
Our focus is always to change your approach and go really deep in the areas that matter. That requires you to be much more agile with your assessment because every vendor or vendor type is different.
Do you have the tooling? Do you have the means to go about ten different assessment types and get to the same kind of outcome? Which is to assess the gaps and drive that remediation quickly.
Sierra: What can third-parties do to cut down on the number of requests they get for security questionnaires?
Anders: Great question.
I can mention my sort of business. This was my pain point.
I was a vendor. I was getting inundated with these requests, and it felt like death by 1000 cuts, where it’s just one more, one more, one more event. You just end up dying, right?
The goal of ThirdPartyTrust was always not just to help the enterprise do it more efficiently, but also can we add value? Can we solve the vendor use case? Which is, “I keep providing the same data over and over again.”
The approach that we took with ThirdPartyTrust is the application itself; it’s almost like LinkedIn, but for B2B. The idea being companies have security profiles inside ThirdPartyTrust. Vendors build a profile that has answers to standardized questionnaires. It has SOC reports, HITRUST certification, cyber liability insurance, their pen test, etc. All these different artifacts explain to an outside party what your security posture is.
Of course, all the things I mentioned, all the other rating providers, are part of that package, too.
What we encourage our vendors to do is now that you’ve completed an assessment for one customer, get some mileage out of the work you do.
In ThirdPartyTrust, you can build that profile, and you can start sharing it out with other customers.
So when they send you maybe that one-off Excel spreadsheet that doesn’t pertain, you can say: “This is great, but let me first share what I have built already in ThirdPartyTrust. It has up-to-date information around our security posture; it’s very detailed; check that out; if there are any questions, let me know.”
What we found is that it works in the majority of cases, not all cases. It’s not a silver bullet, some companies will say, come hell or high water, you better fill out my custom questionnaire, and that’s okay. If that happens, you’re kind of back to where you started.
When companies do accept it, alright, you just saved yourself a tremendous amount of time, and it’s so much more of an efficient way of going about it.
The critical thing that we always talk about, too, is that as they build this profile, the vendors can maintain it over time as things change.
They can update it, just like your LinkedIn profile. “I got a job with Paubox!” boom, and you update it, everyone can see it, everyone can give you a thumbs up or congratulations.
Again, the core of what we thought was: why couldn’t we take the same concept and apply it to third-party risk management in a way that will help the vendors? It will help them with the initial onboarding and security review, and with the ongoing thing that happens typically yearly, where you have to update the information and provide it back to your customers.
Sierra: Okay, great.
Outside of assigning the questionnaires and performing on-site audits, what are other services or technology that allow organizations to digest third-party risk?
Anders: Yeah, so I kind of mentioned a few of them.
On-sites, I think these will not happen for a very long time because of COVID. I don’t think anyone wants to be liable for sending employees on site. I don’t think the vendors want that liability either, having people come in. I think on-sites are mainly in the past; we’ll see.
Then you’re talking about remote assessments. Again, I mentioned this because questionnaires are useful. They’re self-attestations, and they’re not always appropriate. Why? Because a questionnaire can produce a lot of information.
We’d like to take what we preach, this risk-based approach to third-party risk management. The idea being first, measure inherent risk. What that means is how critical this vendor is to us? What if there was a breach? What would the impact be beyond the business?
We always stress that it should be quantified.
You should look at that vendor and say, how much data? What type of data? Is there any regulation around this relationship that we have?
Quantify impact first. Then based on that, make a decision. How deep do I want to go?
If it’s a low impact vendor, use our partners’ data sources to make an assessment. If that information looks good, then maybe that’s enough.
Maybe you take that data and say, “Based on the posture of the impact to this vendor, and what BitSight is telling us, this data is enough. I feel I’ve made an assessment or risk-based decision that I’m not going any deeper based on the impact.”
In another case, maybe the bits of data don’t look that great. Then you send out a questionnaire to go deeper.
No matter what, you want to do that deep dive for your really critical vendors, and you want to understand much more detail around how they’re securing their infrastructure, their processes, and procedures.
Sierra: Anders, I know you mentioned that your platform does remove some of the administrative tasks such as spreadsheeting.
Does your platform help information security teams eliminate administrative tasks associated with third-party risk management?
Anders: A key problem in the industry, or how this happens, is a lot of the data gathering, it’s kind of put on the infosec team.
So infosec teams at enterprises spend a tremendous amount of time just gathering data. Well, data gathering is a very low-value activity. It’s necessary for a proper TPRM process. To run, you need data. Without data, you can’t run the TPRM process. The act itself is a very low value add.
A critical thing that we’ve always thought about is how do we make it easier for vendors to do the data gathering? How do we enable vendors to build and maintain these profiles? How do we enable them to bring in the entire team at that vendor site quickly?
A critical thing that we try to do is move the low-value activity of gathering data to where it needs to live anyway: with the vendor.
If you move that away from the enterprise, now all of a sudden, the employees have a lot more time to spend on high-value activities. What we mean by that is reviewing the information in detail, opening, and discussing findings with your third party, then driving those findings to remediation.
That’s really where we want these highly skilled folks to be working on. We don’t want them working on gathering data or sending follow up emails or checking in. All those things can be automated.
Every day what we’re thinking about is taking each of those administrative tasks and building automation around it and intelligence. We know that there’s always a follow-up or people asking, “What’s my due date?”
The platform can do that for you. It can tell the vendor when it’s due; it can remind them. It can provide training on how to use a tool or what’s not needed. The platform can easily do that. You don’t need a person.
So, with a lot of these low-value activities, what we’re looking to do is to say, “How do we take that off the hands of the infosec team?” and “Has the tool automated the task?” or “How do we enable the vendor to do more on their own without being directed by the infosec team at the enterprise company?”
Sierra: Okay, great. Thanks so much for sharing that.
Anders, what sets your platform apart from your competitors?
Anders: Nine times out of 10, when we are in the sales cycles, we’re competing with a homegrown solution. We’re competing with manual spreadsheets and emails. All the things I just said, we’re leaps and bounds ahead of anything like that.
When I look at other tools out there, many are the same players that, when I started five years ago, were already there. The big GRC providers: Archer, Rsam/Galvanize, and a few others.
A lot of the same players I saw when I started are still in business, and the main issue with their solution is still there. The number one differentiator that we do is how we approach this whole problem.
A GRC tool like Archer or Galvanize is what we call a silo.
A silo means that the enterprise has to gather all this information on their own, put it in the tool to produce value, reports, etc.
Well, that’s really difficult. It’s very time consuming, and it’s hard for enterprises to do that.
So with ThirdPartyTrust, our main differentiator is that we are built more like LinkedIn for B2B. It’s a network-based approach to third-party risk management.
When we bring on customers, they ask, “How many of my vendors do you have in your network?” In most cases, we already have half of them on the platform. So, data for half of their vendors is readily available using ThirdPartyTrust instead of starting from scratch.
That’s the main difference between what you’ll get with these other tools out there versus what we provide.
Our goal is actually to crowdsource this information in some way across all our enterprise customers. That helps them.
It helps the vendors because they can standardize, maintain a golden source of data they can share with all their customer base. Again, that has all these network effects because now it’s even better for the enterprise, which makes it better for the vendor and so forth.
The network is our primary differentiation.
Other than that, you go to the other secondary things that we look at, making it easy to use. Making it seamless, no training required, anyone should be able to pick it up and start using it.
The other difference would be how we integrate data, how that data drives the process, and helps to speed up and provide intelligence.
In this space, our integrations are the strongest. They’re the most well defined, they’re the deepest, and they’re the easiest to use.
Sierra: How do you keep up with industry trends? Are there any good podcasts, blogs, influencers, or newsletter areas that we should be following?
Anders: For me, it’s funny. Most of my insight comes from just talking with customers, partners, and attending industry events.
Not a day goes by that I’m not talking to a customer or a prospect around their problems and understanding, listening. Why now? Why are you looking to make a move to buy the platform today? Why is that important? What’s driving this decision?
I tend to have many conversations around this topic with people in the industry responsible for this process. So, that’s probably number one.
Another one is at industry events.
I find it helpful to go to different conferences. There are a few out there, like the HITRUST conference. That’s where I met Paubox for the first time! That was really good. I’ve spoken for the last two years.
When I’m at the conference, if any of these topics interest me, I’m going to sit in on those sessions. After the sessions, if I want to speak with the presenter, I do that. That’s another great way to go about doing it.
The other one is, and this is more helpful for startups, I would say. Build a customer or an advisory board with industry experts and practitioners in the space that can help you guide the product in some ways.
I had about five when I started. The first thing I did was I went to them, and I said, tell me about your company, tell me about the pain points, what are some of the key things that you would want this platform to do. Then that relationship over the last five years is maintained.
I still have a lot of the same advisors, and we talk about what they’re seeing.
Then, I would say the last thing because of COVID, I can’t see people in person, and I can’t really go to events much. But there’s a lot of virtual webinars that I do, or I’d listen into. There’s a ton of great content that companies are creating.
At ThirdPartyTrust, we put a lot of content out around regulation, different aspects of the process, and changes as we see them in the industry.
Our partners, I mentioned a few RiskRecon, BitSight, are cyber rating providers; they produce great content. Optiv and GuidePoint are in the managed services business; they make great content.
So, I find myself reading a lot of different content from the ecosystem if you will. Then I take a lot of that back and think about “How do I incorporate this,” or “How can we be a part of solving these new problems that are on the horizon?”
Sierra: What do you do to de-stress and relax?
Anders: There’s not that much time for relaxing when you start a business! It’s a lot of long, long days.
I have two young kids, my son Soren, he’s nine, and my daughter Katya, she’s seven. I try to do as much as possible to hang out with them when I have free time. Weekends are sacred, but I try to hang out with them as much as possible.
They like to ride their bikes; they like to go to the zoo and go to Great America. What makes me happy is seeing them happy—I kind of live a little bit through them.
Another part, I think many entrepreneurs do is you have to have some sort of exercise regimen where you’re building up that energy and kind of getting your mind off work a little bit. That’s another part.
Sierra: Well, Anders, thanks so much for being on today. I appreciate it.
Anders: No problem! I appreciate you inviting me.
It was great to meet you. I hear great things about Paubox and am happy for the success that you guys have had.
Sierra: Thanks so much.