If you’re running a third-party risk management program, you’re probably no stranger to pressure. Between business owners demanding that vendors be onboarded ever faster and the ever-present threat of a data breach, there is a lot to worry about. One of the biggest concerns in today’s security environment is the constantly evolving threat of a breach, especially one that originates with a vendor.
Traditionally, security teams have tried to understand the ongoing risk posed by their vendors by using annual assessments. However, this method poses several challenges to security teams.
- Assessments only capture a single point in time. This means that in between vendor risk assessments potentially major security incidents or changes to cybersecurity posture may have happened without your knowledge.
- Assessments are only as good as the person filling them out. Let’s face it, security assessments are a chore. What guarantee do you have that the assessment has been filled out accurately, honestly and objectively?
- Assessments are slow and costly. With some questionnaires approaching thousands of questions, and many organizations working with hundreds or thousands of vendors, assessments take a great deal of time and resources to put together, to fill out, and to review and analyze once they are returned.
These issues are not just nuisances; they can have a critical impact on both the business and your security program. Lags in assessments may delay contract renewals, which can hamper critical business operations; the time and cost associated with assessments can be a drain on resources; and the inherent limitations of assessments can raise the risk posed by vendors.
Does that mean that assessments no longer have a place? Hardly. Assessments are still one of the most powerful tools for gaining in-depth insight into a vendor’s security posture.
What’s needed, however, is a way to continuously monitor vendors in near real-time throughout the life of the vendor relationship.
How Continuous Monitoring Changes Third-Party Risk Management
Continuous security monitoring of your vendors helps your program run more efficiently by increasing the scalability of your assessment process and lowering the time and cost to execute it. By giving you indispensable data insights into the activity and security posture of your vendors, it lets you take a much more targeted approach to assessments. Here’s how.
- Enabling a Proactive Approach: As the name suggests, continuous monitoring gives near real-time insight into your vendors. By looking at movement against risk thresholds, such as a Bitsight rating, or changes to risk vectors, you can trigger the need for an assessment based on changes to security posture instead of the calendar date. This ensures that an assessment is triggered by the need to conduct one, and prevents potentially unacceptable risk from being introduced into the third-party ecosystem simply because it isn’t time for reassessment yet.
- Tailored Assessments: No two vendors are the same, so why are they all assessed the same way? Using the same assessment for all vendors is a drain on resources and increases the time and cost of getting an assessment done. Instead, using data like Bitsight ratings and risk vectors, assessments can be tailored to the vendor and focused on specific areas if there has been a significant drop in score or a change to risk vectors. This can save significant time and resources, especially if you work with hundreds or thousands of vendors.
- Timing of Assessment: How often should you assess your vendors? That’s a great question, and one that criticality can help answer. If you tier your vendors (Tier 1/critical through Tier 4/non-critical), continuous monitoring can help you set reassessment policies that significantly save time and money. Some critical vendors may need to be assessed more than once a year if they have a significant change to security posture, even if their last assessment was just a few months ago, while a Tier 3 vendor with no change to their rating or risk vectors may not need to be reassessed at all, or only once every few years. This can significantly reduce the amount of work in the pipeline for your security team, as well as reduce risk to the organization.
- Objective Context: Continuous monitoring of your third-party cybersecurity posture can also give valuable objective context to the assessments you receive back from vendors. Are they really patching regularly? Do they regularly scan for malware? Are their SSL certificates really up to date? Security ratings and risk vector grades give you objective, externally observable information to verify those answers, so you can easily determine the accuracy of an assessment or flag areas for follow-up.
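The trigger, tailoring and timing rules above can be turned into a simple policy check. The following is an added example written for this page, not Bitsight code: the tiers, the rating-drop thresholds, the 250-900 rating scale, the letter-grade risk vectors and the sample vendor records are all assumed or constructed for illustration. Each returned trigger doubles as a focus area for a tailored assessment.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy: maximum days between scheduled assessments, per tier
# (None = no scheduled reassessment; only posture changes trigger one).
TIER_MAX_INTERVAL_DAYS = {1: 365, 2: 365, 3: 3 * 365, 4: None}
# Assumed policy: rating drop (on an assumed 250..900 scale) that forces
# an out-of-cycle assessment; tighter for more critical tiers.
RATING_DROP_THRESHOLD = {1: 30, 2: 50, 3: 80, 4: 100}
GRADE_ORDER = "ABCDF"  # best to worst risk vector grade (assumed)

@dataclass
class Vendor:
    name: str
    tier: int
    last_assessed: date
    rating_at_assessment: int
    current_rating: int
    vectors_at_assessment: dict  # risk vector -> letter grade when assessed
    current_vectors: dict        # risk vector -> letter grade observed now

def grade_dropped(old: str, new: str) -> bool:
    """True when a risk vector grade got worse since the last assessment."""
    return GRADE_ORDER.index(new) > GRADE_ORDER.index(old)

def reassessment_triggers(v: Vendor, today: date) -> list:
    """Return the reasons this vendor needs reassessing (empty = none)."""
    triggers = []
    drop = v.rating_at_assessment - v.current_rating
    if drop >= RATING_DROP_THRESHOLD[v.tier]:
        triggers.append(f"rating dropped {drop} points")
    for vec, old in v.vectors_at_assessment.items():
        new = v.current_vectors.get(vec, old)
        if grade_dropped(old, new):
            triggers.append(f"{vec} grade {old}->{new}")
    max_days = TIER_MAX_INTERVAL_DAYS[v.tier]
    if max_days is not None and (today - v.last_assessed).days > max_days:
        triggers.append("scheduled interval exceeded")
    return triggers

# Constructed sample data: a critical vendor whose posture slipped, and a
# Tier 3 vendor with no meaningful change.
TODAY = date(2021, 3, 1)
SAMPLE = [
    Vendor("acme-payments", 1, date(2020, 12, 1), 760, 700,
           {"patching_cadence": "A", "botnet_infections": "B"},
           {"patching_cadence": "C", "botnet_infections": "B"}),
    Vendor("widget-supply", 3, date(2019, 6, 1), 720, 710,
           {"patching_cadence": "B"}, {"patching_cadence": "B"}),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.name, reassessment_triggers(v, TODAY) or "no reassessment needed")
```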
The world at large and the cybersecurity threats it presents are changing faster than ever. Businesses are working with more vendors than ever, not only to address the changes to the business climate that 2020 presented, but also to become more nimble, adaptable and profitable as digital transformation takes hold. In an ever-expanding third-party ecosystem, relying solely on manual self-assessments that take a one-size-fits-all approach is no longer feasible or realistic. Continuous monitoring is a true game changer for any TPRM program: it increases the operational efficiency of your program, decreases the risk lingering in your ecosystem, and increases the scalability of your program. In other words, you can do more, do it faster and do it cheaper. What does that add up to? A program that enables the larger business, which depends on vendors, to be more efficient and profitable.