At a recent BitSight Roadshow, a customer with an advanced third party risk management program declared “assessments are not risk reduction.” The statement was not meant to convey that assessments are useless for third party risk; rather, that assessments themselves don’t inherently drive risk down.
Assessments may lead risk managers to findings that can in turn drive risk reduction, but the path to remediating security issues is not always straightforward. There may be a lot of back and forth between the first and third party on the validity of the finding, the risk it actually presents, or the way in which to remediate the issue.
BitSight customers now have the ability to collaborate with third parties to get to a clear, quick path to risk reduction. Leveraging the Enable Vendor Access feature, which grants third parties access to the BitSight portal and customer success team free of charge, customers can pinpoint and share specific areas of risk that their third parties should look into. This makes feedback provided to third parties about their cybersecurity both manageable and actionable.
For example, customers can be alerted to new infections or malware that appear on a third party’s network, and then reach out to discern whether or not that infection may put their own data at risk.
Share specific records of botnet infections with third parties.
Share and dig into certain security controls gaps on a company’s network, such as risk services being run on unsecured ports.
Third parties who receive this free access will understand exactly which issues are of concern, and can access the BitSight platform for remediation resources and context needed to resolve issues.
This process takes the path to potential risk reduction down to hours and minutes — a feat that is not possible with more manual, traditional vendor risk management exercises. Moreover, this kind of automation is key for organizations looking to bring scale and greater efficiency to their vendor risk management programs.