Customer Success Story: Biomedical Sciences

A biomedical startup increased the efficiency, consistency, and scalability of their TPRM program with Mitratech

A biomedical startup that relies heavily on outsourced service providers wanted to ensure they had a scalable third-party risk management program while they were still small and nimble. With the Mitratech Third-Party Risk Management Platform, the company implemented a fully automated vendor risk assessment workflow and continuous monitoring of their critical suppliers and vendors for new issues without labor-intensive manual processes.

The Challenge

The information security director of a small biomedical startup needed a scalable third-party risk management solution that could grow as the business developed. He had previously worked at much larger organizations with legacy governance, risk, and compliance (GRC) solutions, which he knew were far too unwieldy for his small company.

The company heavily uses third-party providers throughout its operations. For instance, they leverage cloud-based software for internal needs and use clinical research organizations (CROs) to manage their clinical trials. Any vendor who needs access to sensitive data undergoes a security posture assessment and examination for data privacy risks.

When the information security director started at the company, the process was manual and ad hoc. He knew that this would need to change, and he sought a solution that would scale TPRM while also enhancing collaboration between internal departments.

“It was very important for me to understand which teams had accepted the most risk throughout the business. Understanding where the biggest risks were in the company meant that I could counsel the leaders who had accepted more risk on how to mitigate those issues and limit the potential impact on the organization,” the director said.

The Solution

The biomedical startup chose the Mitratech Third-Party Risk Management Platform for vendor risk assessment and continuous monitoring. With Mitratech’s self-service TPRM platform, the company was able to standardize vendor risk assessments across the organization while gaining continuous visibility into emerging technology and data privacy risks between periodic assessments.

Prior to implementing Mitratech TPRM, individual teams at the company sent and managed their own risk assessment surveys. Now, the company accesses a centralized library of standardized questions curated by Mitratech TPRM. This has empowered them with consistent vendor assessments and a far better understanding of inherent risk.

Mitratech TPRM is interwoven into the startup’s vendor due diligence process. Each new vendor receives a risk assessment when they need access to sensitive data, and the information security director can easily triage technology or data privacy issues throughout the company.

The Results

The ability to have a unified source of vendor risk information has empowered the information security director to clearly communicate IT security and privacy risks throughout the organization. It also means that he can see which departments have looser risk tolerance than others and work to mitigate those risks more programmatically.

“I can use Mitratech TPRM to educate anyone who hasn’t been through a breach yet about the risks that each vendor presents, while also ensuring that the company’s sensitive information is protected throughout the entire vendor lifecycle,” the director said.

Mitratech has made this biomedical company’s third-party vendor risk management process more consistent and efficient than their previous, manual approach. At the same time, they now have a TPRM program that can easily scale as the company expands into new geographies and becomes subject to new regulatory regimes.