How to Set a Cybersecurity Baseline for Your Vendors – and Hold Them to It

Your supply chain is more critical now than ever. Vendors and third parties are essential to helping your organization scale to meet demand, gain access to greater resources, respond to new work models, and remain competitive.

But third-party relationships also introduce cybersecurity risk. To reduce that risk, you need to hold vendors accountable to a cybersecurity baseline. But what is an appropriate baseline, and how can you hold them to it, without exhausting your resources?

Let’s look at three methods for establishing a cybersecurity baseline for your vendors and assessing them against it.

1. Industry-standard cybersecurity baselines

The most widely adopted cybersecurity baselines are those recommended by the NIST Framework for Improving Critical Infrastructure Cybersecurity, the SANS Top 20 Critical Security Controls, and Shared Assessments (explicitly designed for third-party risk management).

Adherence to these standards is measured using cybersecurity assessments – both prior to onboarding new vendors and throughout the life of the relationship. These assessments can be conducted by internal security and risk professionals. However, because of their complexity, they are often outsourced to professional cybersecurity risk assessment firms.

While these cybersecurity baselines are a helpful starting point, they are extensive and there are literally thousands of questions you could ask a vendor during the assessment process. To help focus your discovery efforts, check out our guide: 40 Questions You Should Have in Your Vendor Security Assessment.

2. Vendor-specific cybersecurity baselines

Although helpful in discovering hidden risk in third-party relationships, traditional security assessments are often conducted with a one-size-fits-all approach where each vendor is assessed in the same way. This puts an unnecessary burden on your organization and can slow the onboarding process. You don’t want to spend time and resources doing full-blown assessments of non-critical vendors to determine if they meet your cybersecurity standards. After all, a food-service provider poses less risk to your business than an accounting firm that has access to your most sensitive data. Therefore, the standards of care they are held to should be different.

A better way to establish a workable cybersecurity baseline against which you can effectively measure security performance is to tier vendors or group them according to their criticality to your business and the inherent risk you’re willing to accept.

Bitsight for Third-Party Risk Management (TPRM) can aid this process by recommending data-based tiers. Once you’ve tiered your vendors, you can then set acceptable risk thresholds for each. For example, the higher the level of access a vendor has to your company’s data, the tighter their cybersecurity baseline must be, and the higher their Bitsight Security Rating. You can also incorporate language in your contract to ensure that your third parties meet these thresholds. Think of it as a cybersecurity SLA.

3. Quantifiable cybersecurity baselines

Another limitation of traditional third-party cybersecurity assessments is that they capture only a point-in-time view of a vendor’s performance. In between annual assessments, vulnerabilities in a third-party’s IT infrastructure can emerge and put your organization at risk.

Instead, plan to continuously monitor your vendors in near real-time from the moment they’re onboarded. For example, Bitsight for TPRM uses the Bitsight Security Ratings platform to provide you with a data-driven, quantifiable baseline – a cybersecurity benchmark – of third-party cybersecurity performance which you can monitor for the life of the relationship.

Similar to credit ratings, Bitsight Security Ratings range from 250 to 900, with a higher rating equating to a better overall security posture. 

With this baseline metric, you can quickly and automatically determine whether a vendor has deviated from pre-agreed risk thresholds (ratings can also help inform what those thresholds should be), identify specific areas that need improvement, and track progress over time.

For example, you can receive alerts when a critical third party’s security rating experiences a drop of any kind. However, for less critical vendors, or those that have a track record of maintaining a solid cybersecurity baseline, it might make more sense to create alerts for significant performance drops or drops within the specific risk vectors of greatest concern to your organization. From there, you can work with the vendor to develop a remediation plan or – depending on the criticality of the vendor or the severity of the issue – conduct an interim, in-depth assessment.

Continuous monitoring also puts security management back into the hands of your organization.  If you can independently verify your third-party security performance against a quantifiable cybersecurity baseline, you don’t need to rely on your vendors being timely, forward, and honest in their security reporting

Bitsight TPRM even provides lifecycle operational guidance based on your relationship with a vendor – whether they are a third-party, fourth-party, or competitor – and the stage of the relationship, so you can monitor and hold them to account in context. 

Successfully communicate performance against vendor cybersecurity baselines

Finally, as you consider the cybersecurity baseline that you hold your vendors to, don’t overlook the importance of communicating performance against that standard to your leadership team. The ability to discuss third-party cyber risk in a clear, non-technical way will help minimize confusion, attain cybersecurity resources, and drive consensus about third-party risk management across the organization.