Managing Vendor Security Risk Between Annual Assessments

Melissa Stevens | June 9, 2015

In the majority of organizations, vendor risk management is still a highly manual process, making risk assessments a labor-intensive exercise for all parties involved. This is why, at best, most vendor management programs only assess third parties on an annual basis or during contract negotiation. However, risk managers know from securing their own networks that an annual assessment tells them little about how effectively a vendor is responding to emerging threats or addressing new vulnerabilities. So, how are annual vendor risk assessments making us more secure?

To get a more comprehensive view of vendor security risk, organizations still need audits and assessments, but these methods can be supplemented with ongoing views into the security performance of vendors' networks over time. Complementing vendor questionnaires with automated, outside-in assessments allows us to shift from focusing on point-in-time results and instead, move towards verifying the effectiveness of controls on a daily basis.

While this level of oversight may seem to complicate an already complex and resource-heavy process, there are several ways that security performance monitoring with BitSight Security Ratings can actually simplify your vendor risk management program and make it more effective.

1) Identify and prioritize your highest risk vendors for deeper analysis

According to the Information Security Forum (ISF), its member organizations have approximately 2,030 external supplier relationships. Whether you have 10, 100, or 1000+ vendors, identifying which ones present the highest risk can take a lot of work, especially since a vendor's security posture can change at the drop of a hat (or a change in configuration). BitSight Security Ratings can be immensely helpful here by allowing you to quickly and easily assess a large number of vendors and determine who presents the most risk to your organization. Furthermore, because Security Ratings are generated on a daily basis, your vendor risk assessments can happen much more frequently. With this information, your risk management team is able to focus resources where they are most needed and address vendor risk more efficiently.

2) Verify that identified issues have been remediated

What if, during an assessment, you identify security risks in your vendor's network? Until now, the only ways to verify that the issue has been resolved were to take their word for it or to go check it out yourself. Verification can take time and resources that you simply don't have, but with BitSight Security Ratings you can confirm that security events have been remediated and configuration errors have been corrected just by logging into our SaaS platform and reviewing your vendor's performance. BitSight provides grades on 13 risk vectors and tracks more than 600 risk indicators (which are subsets of risk vectors; read this blog post to learn more about what goes into a Security Rating). Ratings are updated on a daily basis, meaning you can trust and verify your vendor's security performance.

3) Be alerted when new events and vulnerabilities affect network security performance

We've already established that security risk is an ever-evolving landscape and that annual assessments can't provide the ongoing visibility you need. Since BitSight collects vast amounts of security data in order to continuously update our ratings, you can gain some relief knowing that when your vendor's security rating changes, BitSight will be there to tell you. Our automatic alerts and detailed analytics give you the ability to rapidly address concerning issues with your vendors. We'll even provide your vendors with secure, private access to their rating and event forensics to assist in remediating these issues.

Managing vendor security risk can be a tricky and time-consuming practice, but luckily, BitSight Security Ratings are an easy and affordable way to augment the insight you gain from audits and assessments. Today, more than 100 organizations are using BitSight Security Ratings to manage third party risk, benchmark performance, and assess and negotiate cyber insurance premiums. To learn how easy it is to get started with BitSight, register now for a personalized demo with one of our reps.
