
How and When to Reassess Your Vendor’s Cybersecurity Posture

Kim Johnson | May 11, 2020

From a security perspective, your work isn't done when a new vendor signs on the dotted line. After onboarding is complete, you must put continuous monitoring in place to confirm that the new third party maintains the security posture you agreed on and doesn't expose your organization to unwanted risk.

As the growth of the remote workforce introduces new and evolving security threats into your vendor network, reassessing vendors is more critical than ever. But while continuous monitoring is essential to the health of your business, it is hard to implement without the right tools in place. Read on for our tips and best practices on how to monitor your vendors' cybersecurity postures and identify evolving supply chain risks that need to be addressed.

Create a communication plan

First things first: Before you begin working with third parties, you must partner with your internal teams — from legal to finance to compliance — to determine how your vendors will be evaluated, monitored, and measured. Make sure you clearly define your thresholds of acceptable risk, how you will communicate security shifts that require remediation, and any mandates or timelines for addressing these issues that you’ve identified. 

Once you’ve outlined the above internally, you must communicate this information to your third-party network. Establish these security expectations at the onset of every new vendor relationship, so you can ensure that you’re on the same page when it comes to protecting your ecosystem.

Leverage security ratings to track performance

To determine whether and when a particular vendor needs to be reassessed, you need a standard KPI for tracking and measuring shifts in their security posture. Security ratings — a data-driven, objective, and dynamic measure of security performance — provide this in near real time, giving you visibility into a vendor's externally observable security posture. Unlike a point-in-time questionnaire or audit, BitSight Security Ratings are updated daily, so you can track how each vendor's posture changes over time.

Set up alerts to notify you of critical shifts

Because security ratings are assessed continuously, you can leave manual monitoring processes — spreadsheets and calendar reminders — behind for a more efficient, automated approach. To act on emerging risk right away, create separate alerts for different groups of vendors so that you are notified immediately of an important change in their security posture. For example, you may choose to receive an alert whenever a critical third party's rating drops by any amount. For less critical vendors, it may make more sense to alert only on significant drops, or on the specific risk vectors that concern your organization most. Treat each alert as a trigger to investigate rather than as confirmation of an incident: a rating is an outside-in signal, and the vendor's own account of what changed should be part of your response.

Make data-driven reassessment decisions

One of the main value drivers of continuous monitoring is the ability to decide, from data, when a vendor reassessment is actually necessary. Instead of reassessing every vendor on a fixed schedule — such as annually — you can save time and resources by reassessing only when the evidence calls for it.

As a best practice, define rules for which thresholds send a vendor through the reassessment process. For instance, you may decide that any third party whose rating falls below a specific value is always reassessed. More critical vendors should have more stringent rules, but the triggers themselves are for your team — security, legal, finance — to set according to the level of risk you deem acceptable. Just make sure the necessary contract language is in place from the outset of the relationship so that your rules, including the vendor's obligation to cooperate with a reassessment, are enforceable.
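The tiered alerting described above and the rating-floor reassessment trigger described here can be expressed as one small rule engine run over each vendor's daily rating history. The example below is added for illustration and is not BitSight's code or API: the vendor names, tiers, ratings, risk-vector grades, and thresholds are all constructed, and the 250–900 rating scale is only the scale the sample numbers assume. It also covers one failure mode the prose implies but does not spell out: a slow erosion of a few points a day that never crosses a single-day threshold but adds up to a large drop over a month.

```python
"""Tiered vendor-rating alerts and reassessment triggers (hypothetical example).

All data below is constructed inline; nothing is fetched from a ratings feed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """Per-tier policy agreed with security, legal and finance (values are hypothetical)."""
    alert_on_any_drop: bool          # critical tier: any day-over-day drop alerts
    alert_drop_points: int           # other tiers: alert only on a drop of at least this size
    watched_vectors: FrozenSet[str]  # risk vectors that alert when graded D or worse
    reassess_below: int              # rating floor that triggers a full reassessment


RULES: Dict[str, Rule] = {
    "critical": Rule(True, 0, frozenset({"botnet_infections", "open_ports", "patching_cadence"}), 650),
    "standard": Rule(False, 40, frozenset({"botnet_infections"}), 550),
}


@dataclass
class Observation:
    day: date
    rating: int                 # assumed 250-900 scale
    vectors: Dict[str, str]     # risk vector name -> letter grade A..F


@dataclass
class Vendor:
    name: str
    tier: str
    history: List[Observation]  # oldest first, one entry per day


@dataclass(frozen=True)
class Finding:
    vendor: str
    kind: str    # "alert" (investigate) or "reassess" (full reassessment)
    detail: str


def evaluate(vendor: Vendor, window_days: int = 30) -> List[Finding]:
    """Apply the vendor's tier rule to its newest observation."""
    rule = RULES[vendor.tier]
    hist = vendor.history
    if not hist:
        return []
    latest = hist[-1]
    out: List[Finding] = []

    # 1. Day-over-day drop, thresholded by tier.
    daily_alerted = False
    if len(hist) >= 2:
        drop = hist[-2].rating - latest.rating
        if drop > 0 and (rule.alert_on_any_drop or drop >= rule.alert_drop_points):
            out.append(Finding(vendor.name, "alert", f"rating fell {drop} points since {hist[-2].day}"))
            daily_alerted = True

    # 2. Slow erosion: a non-critical vendor losing a few points a day never trips the
    #    daily threshold, so also compare against the oldest point inside the window.
    if not daily_alerted and not rule.alert_on_any_drop:
        cutoff = latest.day - timedelta(days=window_days)
        baseline = next((o for o in hist if o.day >= cutoff), hist[0])
        window_drop = baseline.rating - latest.rating
        if window_drop >= rule.alert_drop_points:
            out.append(Finding(vendor.name, "alert",
                               f"rating fell {window_drop} points since {baseline.day} ({window_days}-day window)"))

    # 3. Watched risk vectors graded D or F alert regardless of the overall rating.
    bad = sorted(v for v, g in latest.vectors.items() if v in rule.watched_vectors and g in ("D", "F"))
    if bad:
        out.append(Finding(vendor.name, "alert", "watched risk vector(s) graded D or worse: " + ", ".join(bad)))

    # 4. Rating floor: below it the vendor goes through full reassessment.
    if latest.rating < rule.reassess_below:
        out.append(Finding(vendor.name, "reassess",
                           f"rating {latest.rating} is below the {vendor.tier} floor of {rule.reassess_below}"))
    return out


def evaluate_all(vendors: List[Vendor]) -> Dict[str, List[Finding]]:
    return {v.name: evaluate(v) for v in vendors}


def _series(start: date, ratings: List[int], vectors: Optional[Dict[str, str]] = None) -> List[Observation]:
    return [Observation(start + timedelta(days=i), r, dict(vectors or {})) for i, r in enumerate(ratings)]


START = date(2020, 4, 1)
# Constructed sample portfolio (hypothetical vendors and numbers).
VENDORS: List[Vendor] = [
    Vendor("payroll-saas", "critical", _series(START, [780] * 6 + [775])),          # 5-point dip must alert
    Vendor("office-supplies", "standard", _series(START, [700 - 5 * i for i in range(31)])),  # slow erosion
    Vendor("print-shop", "standard", _series(START, [690] * 3)
           + [Observation(START + timedelta(days=3), 690, {"botnet_infections": "F"})]),   # vector alert
    Vendor("hosting-provider", "critical", _series(START, [660, 655, 640])),        # below critical floor
]

if __name__ == "__main__":
    for name, findings in evaluate_all(VENDORS).items():
        for f in findings:
            print(f"{name:18} {f.kind:8} {f.detail}")
```

In the sample, the payroll vendor alerts on a 5-point dip because it is critical, the office-supplies vendor alerts only through the 30-day window check (no single day loses 40 points), the print shop alerts on a botnet vector grade despite a flat rating, and the hosting provider both alerts and is queued for reassessment because it fell under the critical-tier floor.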

Interested in learning more? Check out our new guide, 4 Ways to Optimize Your Vendor Onboarding Process With BitSight Security Ratings.
