A Data-Driven Approach to Vendor Risk Management

Third party risk has become a hot topic throughout 2014, with no signs of slowing down in 2015. The WSJ highlighted high-profile breaches stemming from a vendor here and here, and the OCC issued more third party risk guidance. BitSight discussed third-party risk related to retail and how to communicate with the board, as well as in a 2014 roundup.

With this as a backdrop, ESG’s Jon Oltsik sat down with BitSight’s Co-Founder and CTO, Stephen Boyer, to discuss the challenges around third party risk — and what can be done about them.

ESG research on supply chain security reveals some troubling insights: less than one third of critical infrastructure organizations always audited the security of their strategic software vendors and only half of organizations had established formal processes for security information sharing with their 3rd party partners. While organizations recognize the security risks associated with their information supply chain, their vendor risk management (VRM) programs are still anchored to manual processes and point-in-time, paper-based audits lacking in automation and scale. Companies are looking for automated, continuous monitoring solutions to better manage cyber supply chain risk.

Watch the full video to hear about the regulatory landscape and other drivers for third party oversight — and to learn about how security ratings can help.