With increased emphasis on third party risk management coming down from regulators and executive boards alike, cyber risk in the extended enterprise is shaping up to be a hot topic in 2014.
BitSight board member Mike Duffy recently contributed an article to Risk Universe on the topic. In the article, "Rating Cyber Risk Vendors," Duffy explains why organizations are looking to cyber risk rating services to help manage their vendor security risk. Citing examples of recent high profile third party breaches, such as the JP Morgan Chase UCard breach, and increasing concerns amongst boards and executives about cyber risk, Duffy says now is the time for organizations to consider investing in new ways to manage this risk.
The article goes on to explain the limitations of current solutions: relying on questionnaires and audits alone leaves organizations with blind spots, because some issues are overlooked and others only emerge later as the threat landscape changes:
The challenge is that while necessary, using these methods alone for assessing security risks is not sufficient. A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies – rarely does a questionnaire ask how many compromised servers a provider is currently running on its network. Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can't measure the dynamic nature of the risks it is meant to assess for the duration of the business partnership. Even if a penetration test or vulnerability scan is included as part of a vendor assessment, it cannot reveal issues that may appear the following week.
Duffy goes on to explain how new solutions are emerging, such as BitSight Partner Security Rating, and how models like credit ratings can apply to cyber security in order to help businesses better manage and reduce their third party risk.