BitSight Helps Scale the Current Vendor Risk Assessment Approach
Dave Fachetti | June 5, 2017
While your current Vendor Risk Management (VRM) or Third-Party Risk Management (TPRM) program may have areas of strength, there is almost certainly room for improvement. These programs consume a great deal of internal staff and external advisor time, are expensive to run, and do not scale well. How can you gain more actionable insight so that you can scale your program and continuously understand the cybersecurity posture of your third parties? BitSight Security Ratings can improve your TPRM/VRM program by getting more value out of the work you are already doing.
The number of vendors and other third parties in your ecosystem will continue to grow. This isn't going away. In fact, according to a recent report by Bomgar, “On average, 181 vendors are granted access to a company’s network in any single week, more than double the number from 2016. In fact, 81 percent of companies have seen an increase in third-party vendors in the last two years.” The increasing popularity of the cloud, the introduction of new technologies, and growing demands from the business ensure that your job is only becoming more important.
There are three areas where BitSight can immediately improve the effectiveness and scale of your existing third-party vendor risk management program. Ask yourself three questions: who, what, and when.
Who: Which companies should I focus on for assessments or audits?
When evaluating your vendor portfolio, annual questionnaires cannot give you a clear, continuous picture of the cybersecurity of an entire range of companies. Questionnaires still have their place, but BitSight Security Ratings add insight and actionable data when you are choosing which companies to focus on. Alongside the factors you already weigh, such as the criticality of the relationship, the type of information exchanged (is it regulated?), and past interactions, BitSight provides an easy-to-understand numerical rating, 12 months of rating history, and a risk vector breakdown for each vendor.
Using BitSight Security Ratings, you can target companies with low ratings and examine the underlying analysis. This complements the assessment measures you already have in place. BitSight also provides tools to collaborate with your vendors on security issues, identify what remediation they are undertaking, and determine how that affects your working relationship.
What: What questions should I be focused on in my assessments when I engage with those companies?
Based on the data BitSight provides, you can tailor a vendor's assessment questions to its rating. You can also use BitSight to validate many of the answers you receive.
Instead of a blanket questionnaire meant to address a variety of companies with drastically different security landscapes, BitSight helps you get more out of your existing process by customizing assessments to specific vendors based on their individual rating and history. For instance, the data may show a pattern of evidence that a particular security control is absent or ineffective at the third party you are preparing to visit. Focusing on these areas first when onsite helps you understand how the vendor approaches its control framework and process implementation in that specific area, and why that might explain what you observed externally. It also gives you better context on the team you are engaging with and their environment when you evaluate the remaining areas of their controls.
When: When should I be engaging with these companies?
You can use BitSight Security Ratings to drive the cadence of interaction with your vendors. Instead of defaulting to a standard annual schedule, make the timing of engagements event-driven. When you are alerted to a change in a vendor’s BitSight rating, use it as the trigger to touch base with them. Environments are dynamic, and timing your visit around a significant change lets you see how the vendor is addressing that change while it is still fresh. This adds valuable context to how you think about the organization and its handling of such risks.
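As an added illustration of the who, what and when questions above, the following Python models a triage step that sits on top of an existing questionnaire program. It is example code written for this page, not BitSight's software or API. The vendor records, the risk vector names and letter grades, the questionnaire-section mapping, the 50-point drop threshold and the scoring weights are all constructed assumptions; the only thing taken from BitSight is the 250 to 900 rating scale. It ranks vendors by inherent risk (criticality, regulated data) combined with current rating and 12-month trend, picks which questionnaire sections to lead with from the weakest risk vectors, and decides whether a review is due because of a rating drop rather than because a year has passed.

```python
"""Vendor triage on top of an existing questionnaire programme (example code).

Who  - rank vendors by inherent risk x externally observed exposure, with a
       declining 12-month trend raising the score;
What - choose questionnaire sections to lead with from the weakest risk vectors;
When - trigger an out-of-cycle review on a rating drop, otherwise fall back to
       the annual schedule.
All vendor data, vector names, grades and thresholds below are constructed
for the example; nothing is fetched from any rating provider's API.
"""
from dataclasses import dataclass
from datetime import date

RATING_MIN, RATING_MAX = 250, 900          # BitSight's published scale
TODAY = date(2017, 6, 5)                   # fixed so the example is reproducible

# Assumed mapping: weak externally observed vector -> questionnaire domain to
# open with onsite. Vector names are illustrative, not a provider's taxonomy.
VECTOR_TO_SECTION = {
    "patching_cadence": "Vulnerability & patch management",
    "open_ports": "Network perimeter & change control",
    "tls_config": "Cryptography & certificate management",
    "botnet_infections": "Endpoint protection & incident response",
}


@dataclass
class Vendor:
    name: str
    criticality: int                 # 1 (low) .. 3 (high) business criticality
    regulated_data: bool             # exchanges PII / PHI / PCI or similar
    ratings: list                    # (date, rating) oldest..newest, 12-month window
    vectors: dict                    # risk vector -> letter grade "A".."F"
    last_assessed: date
    rating_at_last_assessment: int


def inherent_weight(v: Vendor) -> float:
    """1.0..4.0 from criticality plus a point for regulated data."""
    return v.criticality + (1.0 if v.regulated_data else 0.0)


def normalized_exposure(rating: int) -> float:
    """0.0 at the best rating (900) .. 1.0 at the worst (250)."""
    r = max(RATING_MIN, min(RATING_MAX, rating))
    return (RATING_MAX - r) / (RATING_MAX - RATING_MIN)


def trend(v: Vendor) -> int:
    """Newest minus oldest rating in the window; negative means declining."""
    return v.ratings[-1][1] - v.ratings[0][1]


def priority_score(v: Vendor) -> float:
    """Who: higher scores are assessed first. A decline of up to 100 points
    adds up to 25% on top of inherent risk x current exposure."""
    base = inherent_weight(v) * normalized_exposure(v.ratings[-1][1])
    decline = min(max(0, -trend(v)), 100)
    return round(base * (1 + decline / 400), 3)


def rank_vendors(vendors):
    return sorted(vendors, key=priority_score, reverse=True)


def focus_sections(v: Vendor, weak_grades=("D", "F")):
    """What: questionnaire sections to lead with, from the weakest vectors."""
    return [VECTOR_TO_SECTION.get(vec, f"Review: {vec}")
            for vec, grade in sorted(v.vectors.items()) if grade in weak_grades]


def review_trigger(v: Vendor, drop_threshold=50, annual_days=365, today=TODAY):
    """When: event-driven review on a rating drop, else the annual fallback."""
    drop = v.rating_at_last_assessment - v.ratings[-1][1]
    if drop >= drop_threshold:
        return f"event: rating fell {drop} points since {v.last_assessed}"
    if (today - v.last_assessed).days >= annual_days:
        return "scheduled: annual review due"
    return None


# Constructed sample portfolio (three vendors, ratings sampled from the window).
VENDORS = [
    Vendor("payroll-saas", 3, True,
           [(date(2016, 6, 1), 740), (date(2016, 12, 1), 700), (date(2017, 5, 1), 640)],
           {"patching_cadence": "D", "tls_config": "B", "open_ports": "F"},
           date(2016, 9, 15), 730),
    Vendor("office-cleaning", 1, False,
           [(date(2016, 6, 1), 600), (date(2017, 5, 1), 610)],
           {"patching_cadence": "F"}, date(2016, 5, 1), 600),
    Vendor("cdn-provider", 3, False,
           [(date(2016, 6, 1), 800), (date(2017, 5, 1), 810)],
           {"tls_config": "A"}, date(2017, 2, 1), 800),
]

if __name__ == "__main__":
    for v in rank_vendors(VENDORS):
        print(f"{v.name:16} score={priority_score(v):5} "
              f"focus={focus_sections(v)} trigger={review_trigger(v)}")
```

Note what the ranking shows: the low-criticality cleaning vendor outscores the well-rated CDN because exposure dominates when inherent weights are close, while the payroll provider's 90-point drop since its last assessment fires an event-driven review long before its annual date. The weights and thresholds are starting points to tune against your own portfolio.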
Using BitSight Ratings can both complement and supplement the assessment process you already have in place, enabling you to truly scale your third-party risk management program. As a company or advisor, you should be asking better, more directed questions based on elevated risk in a targeted environment; doing so will have a positive impact on the bottom line of your business. BitSight can help you do this. To learn more, download our ebook, Creating Efficiencies in Vendor Risk Management, for insights on how to make the VRM process simpler and more effective.
See BitSight Security Ratings in action.
Request a free, personalized demo to learn how you can simplify your third-party vendor risk management and take charge of your cybersecurity with these intuitive and powerful solutions.