Vendor Risk Management

Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit

Debbie Umbach | June 16, 2015

Last week I attended the annual Gartner Security & Risk Management Summit in beautiful National Harbor, MD. The below photo was taken just before a big storm, but otherwise it was perfect weather.

FullSizeRender (11).jpg

Vendor Risk and Security Metrics were hot topics and every session I went to that covered them was very well attended (my favorite sessions are listed below). Security and risk professionals are eager to learn how they can effectively prioritize and manage third party vendors. They also want ideas for how to present to their executives and Board on not just their own security posture, but also their extended ecosystem.

Third Party Vendor Risk:

  • How to Know If Your Vendor Is in Trouble (Chris Ambrose)
  • Vendor Intelligence: Using Data Analytics to Monitor and Mitigate Vendor Risk (Chris Ambrose)
  • Vendor Risk Management (Khushbu Pratap)


  • Business, Not Bytes – A Practical View of Security Metrics (Jeffrey Wheatman, Rob McMillan)
  • Building Advanced KRIs: Risk Metrics That Influence Business Decisions (Paul Proctor)

While assessments / questionnaires continue to be the primary form of assurance for New Call-to-actionthird party security (57% of the audience in a live poll during Khushbu Pratap’s presentation1) they have plenty of challenges. Chris Ambrose said during one of his talks, “What people are putting in them is essentially garbage,” and they are “paper-pushing exercises that deliver no value to the organization.” It seems that organizations are gathering a whole lot of data, but it’s hard to analyze and make sound decisions based on this information. Khushbu noted that based on her research, nearly 50% of security compliance teams spend up to 25% of their time assessing third-party security controls. People are looking for more standardized options, such as SOC2 (adoption has grown over the past 2 years) and Shared Assessments. They are also looking for ways to continuously assess their vendors, which is time- and cost-prohibitive with current methods, even for the largest organizations.  

Continuous monitoring enables trending, which can give insight into how a vendor has performed and what they may be likely to do in the future. However, “Analytics and Trending” are, not surprisingly, the least mature discipline in IT Vendor Management, according to Gartner (see below).

Screen Shot 2015-06-16 at 7.25.05 AM.png

Chris Ambrose recommends that organizations move toward more proactive forms of vendor management, including analytic analysis, automated alerting, and advanced dashboards.

Solutions to enable analytics and continuous monitoring are emerging on the market today from GRC tools such as RSA Archer and Brinqa to security ratings for vendor continuous monitoring. In fact, Gartner recently named BitSight as a Cool Vendor in Vendor Management. Organizations have embedded security ratings into their vendor risk management business processes and are gaining increased visibility, the ability to focus on the most pressing issues, and more productive vendor interactions. BitSight Security Ratings also have built-in dashboards and KPI’s to leverage for executive presentations.

All in all, the 2015 Gartner Summit was highly informative and provided a great way to both learn from the experts and network with security and risk professionals.  I am already looking forward to next year’s event!


1n=53 respondents

 New Call-to-action

Suggested Posts

Can Your Vendor Assessments Be More Efficient?

If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...


Do You Have The Right Vendor Management Policies?

If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...


3 Ways To Make Your Vendor Lifecycle More Efficient

During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...


Subscribe to get security news and updates in your inbox.