How to Achieve Cybersecurity Transparency Across Your Vendor Portfolio

With 62% of network intrusions originating from a partner, third parties are now the biggest source of cyber risk. Yet, many vendors are hesitant to share information about their security postures and the risks they might pose to their customers and partners.

In this blog, we explore why cybersecurity transparency matters and how you can achieve it across your supply chain – with or without your vendors’ participation.

Why cybersecurity transparency matters

Worry about supply chain cyber risk is growing. According to Gartner, 56% of B2B and B2C customers express frequent concerns about the cybersecurity posture of their vendors and business partners. However, most organizations do not have stringent measures in place to identify these risks. In an earlier study, Gartner found that only 23% of security and risk management leaders monitor their third parties in real time for cybersecurity exposure.

Meanwhile, regulations such as the U.S. Securities and Exchange Commission incident reporting rules and the European Union’s General Data Protection Regulation (GDPR) require businesses to be transparent about cyber incidents.

Given these developments, organizations are using cybersecurity risk as a determining factor when doing business with third parties. These parties should take note of Gartner’s warning: “You can no longer expect to keep the failures and successes of your cybersecurity function a secret.”

How transparent should you expect your vendors to be about cyber performance?

Many industry analysts encourage maximum transparency for cyber attacks and vulnerabilities – even beyond that required by regulators. For example, in 2020, when SolarWinds experienced a massive supply chain hack, the company quickly went public with a security advisory and disclosed as much information as possible about the attack. Since then, SolarWinds has continued to discuss its plans to make the SolarWinds and customer communities safer and has been a strong advocate for helping other organizations reduce risks in third-party networks.

In spite of SolarWinds' example, many companies still avoid cybersecurity transparency due to legal liability or reputational concerns. 

For others, transparency could prove detrimental. For instance, when a cyber incident is discovered, organizations often quietly implement incremental fixes to protect themselves and their customers. If they share their findings while discovery is ongoing, the threat actor may find a way out or, worse, become more destructive.

Despite this, industry analysts agree that a lack of transparency about cybersecurity and a failure to help others fill knowledge gaps mean that the bad guys will keep winning.
 

In the absence of transparency, security ratings can help

What are your options if you lack transparent insight into a potential vendor's or partner's security posture?

Gartner reports that organizations will increasingly rely on publicly available information – particularly security rating services – to inform their assessments of organizations’ security postures.

Ratings, like BitSight Security Ratings, are trustworthy, data-driven, and dynamic measurements of organizational cybersecurity performance:

  • BitSight Security Ratings range from 250 to 900 and provide an objective, outside-in view of your third-party business ecosystem. 
  • Unlike traditional one-and-done assessment practices, ratings are updated daily to provide unprecedented transparency and visibility into a vendor’s security posture.
  • With the context and visibility that security ratings provide, it becomes much easier to make risk-based vendor onboarding decisions.  

At BitSight, we are also transparent about our methodology and data.

Learn more about our commitment to cybersecurity transparency and why BitSight Security Ratings are trusted by thousands of businesses and government institutions worldwide to help inform third-party risk management and internal security performance management programs.