Businesses are becoming increasingly reliant on outsourced IT services to support day-to-day operations, and three trends stand out:
- Businesses are relying on more individual IT vendors
- IT vendors are becoming more involved in their clients’ success
- IT vendors are increasingly expected to cooperate with one another
As these trends continue, IT vendor monitoring becomes an important piece of a company’s security strategy. Vendor management teams must keep an eye on each of their IT vendors to ensure that they’re delivering the contracted services and, most importantly, not introducing cyber risk into the business.
Effective IT vendor monitoring involves three key activities: (1) tiering and classifying IT vendors by the type of relationship or data they handle with your business, (2) continuously collecting and analyzing security performance data, and (3) leveraging that data to improve vendor collaboration in order to remediate issues quickly when they arise.
Frequent, data-driven conversations with vendors are the most reliable way to turn good vendor management into a routine practice rather than an occasional effort.
What Types of Data Are Most Useful for Vendor Monitoring?
IT vendor monitoring teams should be analyzing a wide variety of data points on the security performance of their third parties. Some of this data will come from vendor cyber risk assessment questionnaires and continuous monitoring tools. For many IT vendors, there will also be operational data (for example, uptime, service-level performance, and incident history) to analyze when assessing potential risks.
Taking every data point into a conversation with a vendor will probably not be very productive. The point of contact at your vendor may not know how to interpret every detail you’ve gleaned from your analysis, and even if they do, having a large dataset thrown at them is likely to cause more confusion than clarity.
For these reasons, it’s best to choose just a few data points that:
- Represent a potential risk, given the relationship with the vendor
- Can be tracked over time
- Are accurate and objective, ideally measured externally rather than self-reported
Security ratings, like those offered by BitSight, are one example of a good data point to bring into a conversation with a vendor. A BitSight Security Rating is an indicator of the vendor’s overall security posture derived from externally observable data, so it does not depend on the vendor’s own answers. These ratings are updated daily, so performance can be tracked in near real-time. And, if the vendor has questions about how the rating was calculated, they can dive deeper into the platform to understand the underlying data. Because the rating reflects what is visible from the outside, it complements rather than replaces questionnaires and assessments of controls that cannot be observed externally.
How Much Information Should You Share with Vendors?
As vendors become more important to a business, information silos become more problematic. Obviously there will always be sensitivities when sharing information outside of the organization. However, vendors who understand why their client is asking more of them are more likely to deliver.
Consider your vendor as an employee. As managers know, a paycheck does not always buy exceptional work. However, if an employee understands why they’ve been assigned a certain task and is invested in the success of the department and the business, they might just go above and beyond.
Using this way of thinking, you might consider these frequent data-driven conversations to be analogous to employee performance reviews. Enough information should be shared to help the employee get invested in the business’s initiatives. In addition, good work should be rewarded, weaknesses should be identified, and cyber risk remediation plans should be put in place.
How Can You Encourage Vendors to Change?
Presenting strong, easy-to-understand data is an important step in improving vendor relationships. Sometimes, just making a vendor aware of how exactly they’re falling short is enough to inspire change.
If you’re using a technology platform to gather vendor monitoring data, check to see if your point of contact at the third party can have access to the platform as well. BitSight allows customers to share access with their vendors, enabling vendors to see their own security posture and which specific areas require remediation. One BitSight customer was able to improve the security posture of over 50% of their vendors in just six months by granting them access to the BitSight platform.
If visibility alone is not enough to solve the issue, IT vendor monitoring teams must incentivize change. These incentives can be either carrots or sticks. For example, you might present an opportunity for increased business on the condition that the vendor’s security performance improves first. Conversely, you may have to choose another vendor if the current one presents an unacceptable risk to your business.
The real challenge of IT vendor monitoring is that “monitoring” is only half the battle. Truly effective teams will become excellent at using the data they gather to improve overall vendor relationships, and data-driven conversations are the mechanism that will drive this improvement.