In today’s world, organizations must be extremely conscientious about their vendors. It is just as important to be aware of the security of third-party networks as it is to be aware of their own. In April 2017, Netflix’s new season of the hit show “Orange is the New Black” was stolen and leaked after the company ignored several ransom requests from a hacker. The attacker was able to breach Larson Studios, a third-party postproduction company for Netflix. It’s critical that organizations have a vendor risk management (VRM) program in place to address the risk posed by third parties. As outsourcing and the use of cloud services continue to grow, it’s even more crucial that the strategy can scale to meet the rising demand to take on more vendors. This is where many companies are falling short today.
So, why can’t existing VRM programs efficiently scale to meet the current demand that organizations are facing? Typically, companies are only scaling, or adjusting, their security programs in one of these areas: volume of vendors, volume of risk vectors, or currency of diligence information. In reality, they need to be scaling on all of them.
First, organizations need to scale in terms of volume. Qualitative, episodic risk assessments are the first step in establishing a strong VRM program, but this process is costly and time intensive. Organizations can have hundreds or thousands of vendors that they do business with, and that number only increases each year. Volume is a linear problem: executives need to ask themselves whether they have the capacity, or staff, to handle assessments for their growing number of vendors, and whether those vendors are receptive to this time-consuming collaboration. Handling security assessments for a large number of vendors is time intensive, so it’s important to make sure there is a willingness on the vendor side to schedule on-site visits or receive any information organizations may choose to send over. And, as the number of risk vectors grows, each vendor requires an increasing amount of work to assess the risk of these potential attack points.
Second, with the increasing frequency of changes to technology and their implications for the vendors’ IT environment and the controls they have in place, it is important that an organization’s security assessments are current. Most assessments take place annually, but security environments are extremely dynamic and change daily. Point-in-time assessments might have passed as sufficient ten years ago when environments were more static, but not today.
So, how do security teams handle both their existing number of vendors and those they want to take on? Without any change to their approach, the best they can do (given their team’s bandwidth) is to assess their vendors more frequently. The likelihood of the vendors being open to this will depend on the reasoning presented; most likely, vendors will be highly resistant to increasing the assessment frequency. Even with this approach, the cost is high, and it grows linearly with the scale and frequency of the assessments and the volume of vendors. Instead, vendors should update the questionnaire; this will help give context to their security posture and provide visibility into areas where remediation is necessary. The increased frequency of the assessments or check-ins will give the first-party organization comfort knowing that their vendor is putting people and processes in place to make their VRM program more accurate.
However, what this process needs is the addition of a more continuous, non-intrusive collection of information to help inform organizations of their vendors’ changing risk posture. Since our founding in 2011, BitSight has been designed to address this problem.
In addition to using security assessments, security executives can use BitSight and continuous monitoring to make decisions based on Security Ratings. For example, when looking at a “Tier 2” vendor with a high BitSight Security Rating, security teams have the ability to put them on “Alerts Only” and simply receive notifications when their rating changes. In contrast, security executives and their teams can continuously monitor their “Tier 1” vendors whose networks might need more serious, constant attention.
From a volume standpoint, this provides greater coverage and helps develop a set of vendors with a low risk level, positive questionnaire, and strong BitSight rating that organizations can feel comfortable about. These vendors will continue to have “Ratings only” monitoring. If any of these vendors’ ratings changes drastically and there is a security event, organizations will know to become involved with the vendor remediation process. The vendor assessment should help companies pinpoint the weaker areas that may have allowed the event to occur.
It’s simple: creating a vendor risk management program and processes that are dynamic allows organizations to have a current, updated view of both qualitative and quantitative assessments. In the end, the scale and efficacy of the program save organizations time and put their minds at ease.