Ideas For Incorporating Continuous Risk Assessment Software Into New Vendor Selection

Onboarding third-party vendors that will have access to your network and data can have dire consequences if you don’t have the ability to gauge vendor risk.
In a recent joint survey by Bitsight and IDG Research Services of more than 260 IT managers and professionals, nearly 70% said they were “extremely concerned” or “very concerned” about the security risks posed by third-party vendors and suppliers. Another study found that nearly two-thirds of breaches involve a third party.

One way to gauge that risk is a continuous monitoring and risk assessment tool, which gives you ongoing awareness of the security weaknesses, vulnerabilities and threats a vendor may expose you to. The key is being able to monitor vendors in real time rather than at a single moment.

If you are not continuously monitoring vendor risk, you are probably performing point-in-time assessments, which are only snapshots of an organization's security posture. For example, when onboarding a vendor you can have them complete a risk assessment questionnaire, a penetration test or a vulnerability scan, all at considerable cost. More cost is added if the vendor later experiences a security event: the organization is back at the start, going through another point-in-time assessment. This approach is no longer sufficient, because cyber criminals create new malware at an alarming rate and new vulnerabilities keep appearing in the risk landscape. Bottom line: an organization that does not look at a vendor's security before, during and after onboarding is likely to miss a negative security event.

In a white paper called “Don’t Let ‘Trusted’ Vendors Become Cyber-Breach Enablers,” Bitsight and IDG found that only 10% of respondents use a dynamic, automated system that monitors security posture continuously, reports results back to vendors and suppliers so that security gaps can be demonstrated and addressed, and analyzes fourth-party (subcontractor) IT risk.

1. Validating Security Performance

Continuous monitoring is not a check-the-box activity like the traditional risk assessments described above. In the past, an organization performing a risk assessment would simply check the box and say, ‘yes, we have a firewall,’ and ‘yes, we have antivirus software.’ Continuous monitoring takes the self-reporting bias out of that exercise and gives the organization evidence, gathered from outside the vendor's network, of whether those controls are actually in place and working. It is a proof point. A vendor could state on its risk assessment that there are no infections on its network as of today; a continuous monitoring tool can show that statement to be right or wrong. With continuous monitoring, companies get validation of the claimed security posture rather than taking it on trust.

2. Keeping Up With the Security Landscape

It's no longer enough to track every aspect of your vendors' security in a spreadsheet. Things change too quickly, and most security professionals agree that a static or point-in-time assessment doesn't truly capture a company's security risk. Continuous monitoring lets you measure security trends and get a more granular view of a vendor's performance, which you can compare to yesterday, to three months ago, or even to last year. You can see whether a security program at an organization is maturing or not.

3. Continuous Monitoring via Alerting and Rating

When you assess vendors annually you may be able to compare the current assessment report with last year's report. You may also be able to calculate a risk rating and the amount of change over time. This information can help derive a vendor's security maturity, but it is limited by the expanse of time between each assessment. Bitsight Security Ratings provide real-time alerts that update you as soon as an issue occurs. This allows you to respond immediately to a potential vulnerability, or to be proactive when an incident is unfolding.
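The trend comparison in section 2 and the change alerting in section 3 are both just computations over a vendor's rating history, and it helps to see them spelled out. The following is an added example, not Bitsight's code or a description of how its platform computes ratings: it takes a per-vendor history of (date, score) observations, reports the percent change against the score of one day, 90 days and 365 days earlier, and flags any vendor whose score moved by 5% or more over a trailing week. The vendor names, dates and scores are constructed sample data, and the 5% weekly threshold and the 250-900 score range are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not real vendor ratings). Scores are placed on the
# 250-900 range that Bitsight ratings use; the values themselves are invented.
SAMPLE_HISTORY = {
    "acme-hosting": [
        (date(2019, 1, 6), 740),
        (date(2019, 6, 3), 745),
        (date(2019, 9, 30), 720),
        (date(2019, 12, 30), 718),
        (date(2020, 1, 6), 680),   # sharp drop in the final week
    ],
    "globex-payroll": [
        (date(2019, 1, 6), 600),
        (date(2019, 6, 3), 640),
        (date(2019, 9, 30), 660),
        (date(2019, 12, 30), 690),
        (date(2020, 1, 6), 700),   # steady improvement all year
    ],
}

# The "Monday" on which the report is produced (assumed, matches the sample data).
AS_OF = date(2020, 1, 6)

# Assumed alert threshold: a 5% move in either direction over a trailing week.
ALERT_THRESHOLD_PCT = 5.0


def score_on(history, day):
    """Most recent score observed on or before `day`, or None if nothing that old.

    Observations are not necessarily daily, so we carry the last known score
    forward instead of requiring an exact date match.
    """
    best = None
    for observed, score in sorted(history):
        if observed <= day:
            best = score
        else:
            break
    return best


def pct_change(old, new):
    """Percent change from `old` to `new` (negative when the score fell)."""
    return (new - old) / old * 100.0


def trend_report(histories, as_of, lookbacks=None):
    """Percent change of each vendor's current score versus N days before `as_of`.

    A window is reported as None when the history does not reach back that far,
    which is the honest answer for a vendor you only started monitoring recently.
    """
    if lookbacks is None:
        lookbacks = {"yesterday": 1, "three_months": 90, "last_year": 365}
    report = {}
    for vendor, history in histories.items():
        current = score_on(history, as_of)
        report[vendor] = {}
        for label, days in lookbacks.items():
            past = score_on(history, as_of - timedelta(days=days))
            if current is None or past is None:
                report[vendor][label] = None
            else:
                report[vendor][label] = round(pct_change(past, current), 1)
    return report


def weekly_alerts(histories, as_of, threshold_pct=ALERT_THRESHOLD_PCT, window_days=7):
    """Vendors whose score moved at least `threshold_pct` over the trailing window.

    Both directions are reported: a sudden improvement is worth a conversation
    too, and the biggest drops are listed first so they get looked at first.
    """
    alerts = []
    for vendor, history in histories.items():
        current = score_on(history, as_of)
        previous = score_on(history, as_of - timedelta(days=window_days))
        if current is None or previous is None:
            continue
        change = pct_change(previous, current)
        if abs(change) >= threshold_pct:
            alerts.append({"vendor": vendor, "previous": previous,
                           "current": current, "change_pct": round(change, 1)})
    return sorted(alerts, key=lambda a: a["change_pct"])


if __name__ == "__main__":
    for vendor, windows in trend_report(SAMPLE_HISTORY, AS_OF).items():
        print(vendor, windows)
    for alert in weekly_alerts(SAMPLE_HISTORY, AS_OF):
        print("ALERT:", alert)
```

On the sample data the weekly alert fires only for acme-hosting (718 to 680, a 5.3% drop), while the trend report shows that the same vendor was already 8.1% below where it stood a year earlier; the weekly rule alone would have missed that slow erosion, which is why both views are worth keeping. Note that a rating vendor's own alerting is a black box from the customer's side; a check like this over your exported history lets you confirm that the alerts you receive match the thresholds you think are configured.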

4. Continuous Visibility Through Pre-Assessments

With Bitsight Security Ratings, you can pre-assess a vendor prior to selection without any interaction with the vendor. An organization looking to onboard a vendor can start the monitoring process and remain anonymous, without engaging with them in any way. You can’t do this with a risk assessment questionnaire or a penetration test, both of which typically require the vendor's prior consent. Even a one-time Bitsight report can provide a year of security history for a vendor, detailing any security events or configuration changes over the course of that year. This allows the organization to make informed decisions during an RFI, or just prior to completing the vendor selection process.

5. Costs Less Than Traditional Security Measurement Methods

Bitsight Security Ratings are a more cost-effective and efficient way of monitoring security risk and onboarding vendors than traditional assessments, such as vulnerability scans, audits and penetration tests.

To summarize, here’s a real-world example of how continuous monitoring works and how it can help the onboarding process. Christopher Porter, CISO at Fannie Mae, discussed his experience with his company's continuous monitoring service:

“One of the nicest features around the tool set is, each week, Bitsight sends an email that shows when your vendor’s score deviates by 5 percent, whether it’s positive or negative. If I have a vendor that may have had some sort of compromise or some type of incident – malware is showing up in a cyber intelligence threat feed list – then their score may drop. Every Monday, I get an email that states which vendors’ scores have dropped or have gone up by X percentage. At that point, we can begin our process of trying to identify what the specific issue was that caused the score to go down. Once we’ve identified what that is, we can then reach out to the third party and let them know that there may have been a potential incident, and give them some information, see if they need any help and start a conversation. What I want to be able to do with our vendors is have that security conversation, making sure that they know that they’re part of our ecosystem and we can help them along in whatever way we can.”

For more information about security ratings, download the guide: A Security Manager’s Guide to Vendor Risk Management.