How and When to Reassess Your Vendor’s Cybersecurity Posture
Kim Johnson | May 11, 2020
From a security perspective, your work isn’t done when a new vendor signs on the dotted line. After the onboarding process is complete, you must implement continuous monitoring practices to ensure your new third party maintains the desired security posture — and doesn’t expose your organization to unwanted risk.
As the rise in the remote workforce introduces new and evolving security threats into your vendor network, performing reassessments is more critical than ever. But, while continuous monitoring is essential to the health and well-being of your business, it can be challenging to implement if you don’t have the right tools in place. Read on for our tips and best practices on how to monitor your vendors’ cybersecurity postures and identify evolving risks in your supply chain that need to be addressed.
Create a communication plan
First things first: Before you begin working with third parties, you must partner with your internal teams — from legal to finance to compliance — to determine how your vendors will be evaluated, monitored, and measured. Make sure you clearly define your thresholds of acceptable risk, how you will communicate security shifts that require remediation, and any mandates or timelines for addressing these issues that you’ve identified.
Once you’ve outlined the above internally, you must communicate this information to your third-party network. Establish these security expectations at the onset of every new vendor relationship, so you can ensure that you’re on the same page when it comes to protecting your ecosystem.
Leverage security ratings to track performance
In order to determine if and when a particular vendor needs to be reassessed, you must have a standard KPI through which to track and measure any shifts in their security posture. Security ratings — a data-driven, objective, and dynamic measure of security performance — can do this in real time, making it easier than ever for you to achieve visibility into a vendor’s inherent risk. Unlike a point-in-time snapshot, BitSight Security Ratings are updated daily, so you can easily track how your vendors’ security posture is changing over time.
Set up alerts to notify you of critical shifts
As security ratings are assessed continuously, you can leave manual monitoring processes — such as those involving spreadsheets and calendar reminders — behind for a more efficient, automated approach. To ensure you’re acting on any inherent threats right away, create separate alerts for different groups of vendors so that you’re immediately notified of an important change in their security posture. For example, you may choose to receive alerts when your critical third parties experience a drop of any kind. In the case of vendors that are less critical, it might make more sense to create alerts for significant performance drops or for the specific risk vectors that are of the greatest concern to your organization.
Make data-driven reassessment decisions
One of the main value drivers of the continual monitoring process is the ability to compile data-driven insights into when a vendor reassessment may be necessary. Instead of always performing reassessments at a fixed interval — such as annually — you can save time and resources by performing them only when you really need to.
As a best practice, you should create rules that define which thresholds require a vendor to go through the reassessment process. For instance, you may determine that a third-party partner whose security rating goes below a specific level always needs to go through the reassessment process. While more critical vendors should certainly have more stringent rules in place, the ultimate decision regarding your triggers for reassessment falls on your team, from security to legal to finance, which must decide what it deems to be an acceptable threshold of risk. Just make sure you have the necessary contract language in place to confirm your unique rules are enforceable from the onset of your vendor relationship.
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third parties integrating with their business, and ...