Ellis Rosenzweig – CyberGRX

You’re not the weakest link

That data breaches are invasive, expensive and frightening is not news. What’s less known is that some of the worst breaches—including the 2013 theft of data from the Target retail chain—are not a result of direct hacks.

Instead, hackers can work their way into a corporate network or database through their vendors or third parties. In the case of Target, hackers gained access to payment card information and other data belonging to 41 million people, and the retail chain paid $18.5 million to settle a multistate claim. The hack? Target network credentials were stolen from a HVAC company–a third-party–that worked with Target.

As general counsel at Denver-based CyberGRX, Ellis Rosenzweig is not only attuned to the nature and cause of cyber breaches, he handles the legal affairs for a company devoted to enabling businesses to manage their third-party cyberrisk.

“We are helping companies solve a problem that no one really has a handle on,” Rosenzweig explains. “A company CISO likely has a full plate dealing with their own data security, and when you add an expanding ecosystem of third parties, your risk profile increases exponentially as your attack surface grows.”

Tracing the links

Third-party cyberrisk management is a critical component of any organization’s security, but many third-party programs are plagued with the outdated and inefficient process of filling out manual and laborious spreadsheets, which Rosenzweig says drains resources and provides little insight.

CyberGRX brings efficiency, scalability, and accuracy to third-party programs with its Exchange concept, which also adds assessment data and analytics.

Simply put, by identifying gaps that exist in a vendor’s data security controls, and the likelihood that those gaps could be exploited, CyberGRX’s solution enables businesses to quickly identify which of their vendors pose the greatest risk so they can apply the appropriate level of due diligence to determine what areas require remediation.

“Most of our customers are large companies, Fortune 500 types,” Rosenzweig says. “We’ve found they have the resources and budget to allocate time and money to this problem.”

Third-party cyberrisk management was not invented by the company, but Rosenzweig says CyberGRX is changing the way this ever-increasing risk is managed. A key component of the solution, the CyberGRX Exchange allows the company to gather benchmarking data on both customers and their vendors while streamlining the third-party cyberrisk assessment.

The Exchange eliminates any need to send out static spreadsheets to be filled in every year. The innovative delivery model provides a variety of benefits, including scale, speed and shared costs, Rosenzweig adds. Once an assessment is on the Exchange, customers can simply request access to it, without having to wait for the traditional spreadsheet process. Third parties can control that access as well as share their completed assessment with upstream partners, in both cases reducing time spent on redundant assessment requests.

“The Exchange is a force multiplier,” Rosenzweig says. “It makes the third-party cyberrisk management process more efficient and effective for businesses and their third parties.”

There from the start

CyberGRX was a lure for Rosenzweig because he has always enjoyed working with early stage companies needing legal advice to scale their businesses.

“The startup scene in Denver is thriving,” he says of the local business culture. “There is ample opportunity for people interested in learning and growing in their careers.”

CyberGRX launched in early 2016 and in May 2017 Rosenzweig was the first attorney hired. He went to work standardizing contracts by creating templates, handling company transactions, structuring the corporate governance, and taking part in overall strategic decision-making.

Protecting intellectual property has been an emphasis, too, he adds, but a big initial challenge was negotiating agreements that struck a balance between growing the company and not giving away the store to large-scale clients.

While structure is needed as startups and early stage companies burgeon, Rosenzweig says it is not always welcomed.

“When you come into an early stage company, nobody wants process,” he says. “You are starting with an idea, and the first rule of business is to stay in business. You may take risks initially that you may not take when you reach $100 million in annual recurring revenue.”

Rocky Mountain home

It never seemed a risk for Rosenzweig to make Colorado his home, he says.

“I came and stayed because of the outdoors culture and the business culture,” he says.

Born in Chicago, Rosenzweig, 45, earned his bachelor’s in English literature and political science from Bucknell University in Pennsylvania. In 2003, he earned his Juris Doctor from the Sturm College of Law at the University of Denver.

His father and grandfather were also attorneys, and while he considers himself a logical thinker, Rosenzweig said he wasn’t initially sure he’d pursue a law career.

His affinity for early stage companies began when he was an associate attorney at Holland & Hart in Denver, where he helped early stage businesses, advising on all matters from formation to exit, raising money from investors all the way through to a buyout or initial public offering.

“You help solve issues, and they are not always legally related,” he says. “The other thing I like is the ability to mentor other people. I’ve been doing this for 15 years or so, and I enjoy passing the knowledge and experience on to others.”

The energy and vibe of a startup culture provide excitement, and Rosenzweig says the uniqueness of the product offered at CyberGRX is why he wanted to be part of the company’s growth.

“The thing that strikes me the most is the problem-solving nature of the job; the company is solving a problem for our customers and what I do is help solve problems for the company,” he says. “It’s a fulfilling way for me to spend my time every day.”

Published on: December 7, 2019



Showcase your feature on your website with a custom “As Featured in Vanguard” badge that links directly to your article!

Copy and paste this script into your page coding (ideally right before the closing tag) where you want to display our review banner.


As promised in advance, my feature in Vanguard has increased my visibility within the profession and prompted more than a few people I have not communicated with recently to reconnect. One of the Italian law firms I have used in the past is now in the process of interviewing me for an article on their website and tweeting out the feature story. Activity and the number of people connecting with me on LinkedIn has soared, which is great. The Vanguard writers and editorial staff were great to work with—highly professional and made the effort to make the experience both fun and rewarding (they were also respectful of the time pressures and demands all lawyers face). I was very pleased with the experience and the final outcome. Needless to say, I have been very pleased. All in all working with Vanguard has been a very positive experience which generated good publicity for both Shawcor and myself. My sincere thanks.
– Tim Hutzul, General Counsel, ShawCor Ltd.
I was honored to be the subject of an article. I enjoy reading Vanguard articles and seeing how other attorneys got to their positions and see their jobs. It's also interesting to see how different law firms partner with the subjects of the articles.
– Henry Marquard, in-house counsel, Stanley Consultants Inc.
The piece highlighting my company, Bob Baker Enterprises, Inc., came out fabulous. Our company is in the new and used car sales and service industry. Everyone was great to work with and extremely professional. They produced a high-quality product and have provided expert assistance and guidance post-production of the article.
– Wade Poulson, General Counsel, Bob Baker Enterprises Inc.
It was a great honor to be featured in Vanguard Law. Working with every member of the team, from the initial interview with Erin Clark, through production with Victor Martins, writing the article with Taryn Plumb and creating the final content with Dave Gushee, was a true pleasure. Everyone was very professional, enthusiastic and supportive, and their creative approach and positive attitude clearly came through in the final product.
– Kevin C. Rakowski, Senior Vice President, Deputy General Counsel, Compliance with Radian Group Inc.


Spring III 2024



  • * We’ll never share your email or info with anyone.
  • This field is for validation purposes and should be left unchanged.