Managing Vendor Security Risk Between Annual Assessments

In the majority of organizations, vendor risk management is still a highly manual process, making risk assessments a labor intensive exercise for all parties that are involved. This is why, at best, most vendor management programs only assess third parties on an annual basis or during contract negotiation. However, risk managers know from securing their own networks that annual assessments tell us little about how effectively they are responding to emerging threats or addressing new vulnerabilities. So, how are annual vendor risk assessments making us more secure?

To get a more comprehensive view of vendor security risk, organizations still need audits and assessments, but these methods can be supplemented with ongoing views into the security performance of vendors' networks over time. Complementing vendor questionnaires with automated, outside-in assessments allows us to shift from focusing on point-in-time results and instead, move towards verifying the effectiveness of controls on a daily basis.

While this level of oversight may seem to complicate an already complex and resource heavy process, there are several ways that security performance monitoring with BitSight Security Ratings can actually simplify your vendor risk management program and make it more effective.

security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow

1) Identify and prioritize your highest risk vendors for deeper analysis


According to the Information Security Forum (ISF), its member organizations have approximately 2,030 external supplier relationships. Whether you have 10, 100, or 1000+ vendors, identifying who is the highest risk can take a lot work. Especially since security posture can change at the drop of a hat (or a change in configuration). That said, BitSight Security Ratings can be immensely helpful by allowing you to quickly and easily assess a large number of vendors and determine who presents the most risk to your organization. Furthermore, because Security Ratings are generated on a daily basis, your vendor risk assessments can happen much more frequently. With this information, your risk management team is able to focus resources where they are most needed and address vendor risk more efficiently.

2) Verify that identified issues have been remediated

What if, during an assessment, you identify security risks in your vendor's network? Until now, the only way to verify that the issue has been resolved is to either take their word for it, or go check it out yourself. Verification can take time and resources that you simply don't have, but with BitSight Security Ratings, you can confirm that security events have been remediated and configuration errors have been updated just by logging into our SaaS platform and reviewing the performance of your vendor. BitSight provides grades on 13 risk vectors and tracks more than 600 risk indicators (which are subsets of risk vectors -- read this blog post to learn more about what goes into a Security Rating). Ratings are updated on a daily basis, meaning you can trust and verify your vendor's security performance.

3) Be alerted when new events and vulnerabilities affect network security performance

We've already established that security risk is an ever-evolving landscape and that annual assessments can't provide you with the ongoing visibility you need. Since BitSight collects vast amounts of security data in order to continuously update our ratings, you can gain some relief knowing that when your vendor's security rating changes, BitSight will be there to tell you. Our automatic alerts and detailed analytics give you the ability to rapidly address concerning issues with your vendors. We'll even provide your vendors with secure, private access to their rating and event forensics to assist in remediating these issues.

Managing vendor security risk can be a tricky and time consuming practice, but luckily, BitSight Security Ratings are an easy and affordable way to augment the insight you gain from audits and assessments. Today, more than 100 organizations are using BitSight Security Ratings to manage third party risk, benchmark performance, and assess and negotiate cyber insurance premiums. To learn how easy it is to get started with BitSight, register now for a personalized demo with one of our reps.