3 Ways Industry Benchmarking Data Can Be Used in VRM Programs

Melissa Stevens | September 29, 2015

Assessing the security performance of your vendors and third parties is crucial considering the amount of access to sensitive information we grant to these partners. However, for those assessments to be effective, and for you to actually know what the results mean, you need to know what performance trends you should be looking for and to be able to contrast and compare the results. This is where benchmarking comes in.

Benchmarking provides the context that is missing when metrics are presented on their own, and helps translate those measurements into the language of the business. Our inability to benchmark security performance against competitors and peers is what has led to the current confusing state of security reporting: counts of incidents handled or patches installed do little to show actual improvement in performance or reduction of risk, and leave readers scratching their heads when they try to work out what the numbers mean.

Furthermore, with boards citing concern about third party risk, it is becoming increasingly important that we are able to benchmark performance in order to gain a fuller understanding of cyber risk across vendor networks.

Earlier this month, BitSight released its Third Annual BitSight Insights Industry Benchmark Report, which looks at the security performance of six key industries: Federal Government, Healthcare, Retail, Finance, Education and Energy/Utilities. Within this report, you can see how performance varies across these industries in areas such as the time taken to remediate security events and susceptibility to high profile SSL/TLS vulnerabilities like POODLE and FREAK.

While the information in this report does not cover every industry, it does provide a good example of ways that organizations can begin to use industry data in their vendor risk management programs. Below, I have outlined three ways that the industry and peer data found within the BitSight Security Ratings Platform can help with this critical aspect of vendor management.
 

1) Contract Negotiation & Vendor Selection

Whether you are selecting a new vendor or renewing a contract with an existing vendor, it’s never too late to introduce security performance metrics into the conversation! Naturally, when you are considering who to begin/continue doing business with, you want to enter the negotiations with knowledge of their performance and make sure you are choosing the safest partner possible.

Comparing a vendor’s performance against others in their industry will give you insight into important factors such as: is this vendor more or less secure than others in their industry?  Does this vendor have reliable, consistent performance over time?  Is this vendor responsive in addressing known security vulnerabilities?  Use this information to negotiate contract terms with your vendors and set standards for what you expect for security performance in a third party relationship.

2) Drive Performance Improvement & Acknowledge Good Results

If you have an existing relationship with a vendor, performance benchmarking can also be a helpful tool for driving more frequent, data-driven check-ins.  With access to continuous performance data, you no longer need to wait for annual or periodic assessment results. When you are monitoring performance on a continuous basis, you can immediately be alerted to issues facing your vendors, and see how they are faring in performance against the rest of their industry.

Additionally, if you have a “problem” vendor, you can more easily determine where to assign additional resources to help remediate the risks in this relationship. When a vendor demonstrates noticeable improvements in performance, you can also reward them with acknowledgment and appreciation for their efforts to protect your data.

3) Communicate Performance in Business Terms

More and more often, security professionals are being asked to explain security performance with metrics that are easy for the rest of the business to understand - i.e. are we more or less at risk than we were before?

With board members also wanting visibility into third party security performance, security benchmarking enables these discussions to enter the boardroom. Industry standard metrics allow you to benchmark vendors and assess the performance of your entire vendor portfolio, organized and tiered based on your own designations.  Reports show performance changes over time for vendors and industries, and can shine light into the events and vulnerabilities putting your data at risk. Your leaders will finally be able to understand how third party relationships are impacting your security posture and decide whether risk thresholds for the business are being exceeded.
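The three uses above (comparing a vendor against its industry peers, tracking whether it is improving or declining, and rolling a tiered portfolio up into a single number for leadership) can be made concrete with a small benchmarking script. The following is an added example written for this page, not BitSight's code or data: every vendor, peer rating, rating scale and per-tier floor in it is constructed for illustration, and the trend and percentile calculations are simple choices made here, not the methodology behind any ratings product.

```python
"""Added example: benchmarking a vendor portfolio against industry peers.

All ratings, vendors, industries and thresholds below are constructed for
illustration; the rating scale and the per-tier floors are assumptions,
not BitSight's own data or scoring.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Vendor:
    name: str
    industry: str
    tier: int                          # 1 = most sensitive access, 3 = least
    history: List[Tuple[date, int]]    # monthly (date, rating), oldest first


# Constructed peer ratings per industry (a snapshot of other companies in
# that sector); in practice this would come from a ratings provider.
INDUSTRY_PEERS: Dict[str, List[int]] = {
    "Healthcare": [510, 560, 600, 620, 650, 690, 720, 740, 760, 800],
    "Finance":    [640, 680, 700, 720, 740, 760, 780, 800, 820, 850],
}

# Constructed vendor portfolio with four months of ratings each.
VENDORS: List[Vendor] = [
    Vendor("ClaimsCo", "Healthcare", 1,
           [(date(2015, 6, 1), 580), (date(2015, 7, 1), 600),
            (date(2015, 8, 1), 630), (date(2015, 9, 1), 660)]),
    Vendor("PayHub", "Finance", 1,
           [(date(2015, 6, 1), 790), (date(2015, 7, 1), 770),
            (date(2015, 8, 1), 720), (date(2015, 9, 1), 690)]),
    Vendor("PrintShop", "Healthcare", 3,
           [(date(2015, 6, 1), 540), (date(2015, 7, 1), 545),
            (date(2015, 8, 1), 540), (date(2015, 9, 1), 550)]),
]

# Assumed buyer policy: minimum acceptable rating per tier (the kind of
# term negotiated into a contract) and what counts as a meaningful trend.
TIER_FLOOR = {1: 700, 2: 600, 3: 500}
TREND_POINTS_PER_MONTH = 10


def percentile_rank(rating: int, peers: List[int]) -> float:
    """Fraction of industry peers this rating strictly beats (0.0..1.0)."""
    return sum(1 for p in peers if p < rating) / len(peers)


def trend(history: List[Tuple[date, int]]) -> float:
    """Average rating change per observation interval, first to last."""
    if len(history) < 2:
        return 0.0
    return (history[-1][1] - history[0][1]) / (len(history) - 1)


def assess(vendor: Vendor) -> dict:
    """Benchmark one vendor: current rating, peer percentile, trend, findings."""
    current = vendor.history[-1][1]
    peers = INDUSTRY_PEERS[vendor.industry]
    pct = percentile_rank(current, peers)
    slope = trend(vendor.history)
    floor = TIER_FLOOR[vendor.tier]

    findings: List[str] = []          # risks that need follow-up
    if current < floor:
        findings.append(f"below tier-{vendor.tier} floor {floor}")
    if pct < 0.25:
        findings.append("bottom quartile of industry")
    if slope <= -TREND_POINTS_PER_MONTH:
        findings.append("declining")
    # Improvement worth acknowledging, even if the vendor is still below floor.
    improving = slope >= TREND_POINTS_PER_MONTH

    return {"vendor": vendor.name, "tier": vendor.tier, "rating": current,
            "industry_pct": pct, "slope": slope,
            "findings": findings, "improving": improving}


def portfolio_report(vendors: List[Vendor] = VENDORS) -> List[dict]:
    """Assess every vendor; most critical tier and most findings first."""
    rows = [assess(v) for v in vendors]
    return sorted(rows, key=lambda r: (r["tier"], -len(r["findings"])))


def tier_breach_rate(rows: List[dict], tier: int) -> float:
    """Share of a tier's vendors below their floor: the board-level number."""
    in_tier = [r for r in rows if r["tier"] == tier]
    below = [r for r in in_tier if any(f.startswith("below") for f in r["findings"])]
    return len(below) / len(in_tier) if in_tier else 0.0


if __name__ == "__main__":
    report = portfolio_report()
    for r in report:
        print(f"{r['vendor']:<10} tier {r['tier']} rating {r['rating']} "
              f"beats {r['industry_pct']:.0%} of peers, "
              f"{r['slope']:+.1f}/month; findings: {r['findings'] or 'none'}"
              f"{' (improving)' if r['improving'] else ''}")
    print(f"tier-1 vendors below floor: {tier_breach_rate(report, 1):.0%}")
```

With the constructed data, PayHub lands at the top of the report (tier 1, below its floor, bottom quartile of its industry, and declining), ClaimsCo is flagged for being below its floor but marked as improving, and the tier-1 breach rate of 100% is the single figure a risk committee would compare against its tolerance. Note that percentile rank is only meaningful against a peer set from the same industry; the same rating means something different in Healthcare than in Finance, which is the whole point of benchmarking.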

There are many other ways that industry data can be used in a comprehensive vendor risk management program, but these options represent a few of the ways our customers have found value from BitSight Security Ratings and the benchmarking data they provide. Through this understanding of industry trends, organizations can see how their specific vendors are doing relative to their peers and focus on the vendors that pose the greatest risks, thus improving their overall security performance.
