A Data-Driven Approach to Vendor Risk Management

Debbie Umbach | January 6, 2015 | tag: Security Ratings

Third party risk has become a hot topic throughout 2014, with no signs of slowing down in 2015. The WSJ highlighted high-profile breaches stemming from a vendor here and here, and the OCC issued more third party risk guidance. BitSight discussed third-party risk related to retail and how to communicate with the board, as well as in a 2014 roundup.

With this as a backdrop, ESG’s Jon Oltsik sat down with BitSight’s Co-Founder and CTO, Stephen Boyer, to discuss the challenges around third party risk — and what can be done about them.

ESG research on supply chain security reveals some troubling insights: less than one third of critical infrastructure organizations always audited the security of their strategic software vendors, and only half of organizations had established formal processes for sharing security information with their third-party partners. While organizations recognize the security risks associated with their information supply chain, their vendor risk management (VRM) programs are still anchored to manual processes and point-in-time, paper-based audits that lack automation and scale. Companies are looking for automated, continuous monitoring solutions to better manage cyber supply chain risk.

Watch the full video to hear about the regulatory landscape and other drivers for third party oversight — and to learn about how security ratings can help.

