Security Risk Management

Risk Universe Explores Vendor Risk Management with Mike Duffy

Melissa Stevens | January 6, 2014

With increased emphasis on third party risk management coming down from regulators and executive boards alike, cyber risk in the extended enterprise is shaping up to be a hot topic in 2014.

BitSight board member Mike Duffy recently contributed an article to Risk Universe on the topic. In the article, "Rating Cyber Risk Vendors," Duffy explains why organizations are looking to cyber risk rating services to help manage their vendor security risk. Citing recent high profile third party breaches, such as the JP Morgan Chase UCard breach, and the growing concern among boards and executives about cyber risk, Duffy argues that now is the time for organizations to invest in new ways to manage this risk.

The article goes on to explain the limitations of current solutions, and why relying on questionnaires and audits alone leaves organizations with blind spots: some issues are simply overlooked, and others only emerge after the assessment as the threat landscape changes:

The challenge is that while necessary, using these methods alone for assessing security risks is not sufficient. A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies – rarely does a questionnaire ask how many compromised servers a provider is currently running on its network. Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can’t measure the dynamic nature of the risks it is meant to assess for the duration of the business partnership. Even if a penetration test or vulnerability scan is included as part of a vendor assessment, it cannot reveal issues that may appear the following week.

Duffy then describes the new solutions that are emerging, such as BitSight Partner SecurityRating, and explains how a model like credit ratings can be applied to cyber security to help businesses better manage and reduce their third party risk.

Read the full article in Risk Universe.
