Many Third-Party Risk Management Programs are Missing Continuous Monitoring
Noah Simon | June 19, 2018
If you’ve done your homework as a cybersecurity professional, then you know that third-party vendors with substandard security controls and processes could be putting your organization at risk.
If your organization is like some large enterprises, then you’ve allocated considerable resources toward the development and operation of a third-party risk management (TPRM) or vendor risk management (VRM) program.
TPRM programs are tasked with assessing the cybersecurity of vendors that handle an organization’s sensitive data or have access to internal IT systems. The tools TPRM professionals use include:
However, the unfortunate truth is that many of these programs are completely missing a key component of effective third-party risk management.
That missing piece? Continuous monitoring and oversight.
No amount of point-in-time assessments can give you true confidence in the real-time security status of your critical vendors. Without continuous monitoring, your organization’s sensitive data and critical systems might be at more risk than you realize.
Here are three reasons why you should consider continuous monitoring for your TPRM program:
1. You already understand the value of continuous monitoring.
If your organization has a third-party risk management program, then chances are you take cybersecurity very seriously.
You probably have a security operations center whose responsibilities include the continuous monitoring of your IT systems. It’s likely that your cybersecurity personnel watch these systems with the help of SIEM software and other continuous monitoring tools, and as soon as a cyber threat appears, they take steps to remediate it.
So much care goes into ensuring the safety of sensitive data while it’s in your systems. However, when it leaves the premises and enters the systems of third parties like payroll providers, payment processors, consulting firms, or even HVAC technicians, responsibility for the safety of this data shifts to the third-party risk management team and the vendors themselves.
Bottom line: you already understand the value of continuous monitoring for cybersecurity, so why would you exclude it from your TPRM program?
2. Point-in-time assessments are never enough.
As we discussed, TPRM teams have a variety of tools with which they can assess the security of their vendor network. Between questionnaires, in-person site visits, vulnerability assessments, and penetration tests, it might appear like they have all their bases covered.
However, all of these exercises only reflect a company’s security posture at a single point in time.
Even if your third-party risk management team is able to assess the cybersecurity posture of a given vendor ten times a year (which would be well above average), that still leaves the majority of the calendar marked with blind spots.
What’s changing between assessments? In today’s rapidly evolving cyber risk landscape, new vulnerabilities, malware, and other cyber threats evolve daily. Ensuring that vendors are mitigating risk from newly disclosed threats and vulnerabilities is only possible with continuous monitoring.
All it takes is one weakness in one risk vector for an attacker to slip through and steal sensitive data. One phishing link clicked, one computer infected with malware, one urgent software patch missed — all of a sudden, the vendor’s systems (and whatever information you have stored there) are at risk.
3. It’s becoming an expectation.
There was a time when the addition of continuous monitoring to your TPRM program would have put you ahead of the curve. Today, however, continuous monitoring of vendor risk is quickly becoming an absolute necessity for competitive organizations.
In fact, according to a March 2018 commissioned study conducted by Forrester Consulting on behalf of BitSight, 83% of risk, compliance, and security decision makers think continuous monitoring of vendors would be “very” or “extremely valuable” to their businesses.
In an environment where major breaches are becoming increasingly common, your consumers and the public also expect that you’ll make every effort to protect their data. If your organization was to experience a breach caused by a third party, the fact is that consumers probably won’t care whether their information was accessed via your systems or some vendors’.
Continuous monitoring increases accountability, reduces the likelihood that you’ll experience a data breach, and may reduce liability in the event one does occur.
The Solution: Security Ratings
Over 1,000 customers around the globe use BitSight to continuously monitor security in their business ecosystem. BitSight Security Ratings are updated daily and range from 250 to 900. It has been independently verified that companies with a rating of 500 or below are nearly five times more likely to experience a publicly disclosed breach.
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...
During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...