Risk Universe Explores Vendor Risk Management with Mike Duffy

Melissa Stevens | January 6, 2014 | tag: Security Risk Management

With increased emphasis on third party risk management coming down from regulators and executive boards alike, cyber risk in the extended enterprise is shaping up to be a hot topic in 2014.

BitSight board member Mike Duffy recently contributed an article to Risk Universe on the topic. In the article, "Rating Cyber Risk Vendors," Duffy explains why organizations are looking to cyber risk rating services to help manage their vendor security risk. Citing examples of recent high-profile third party breaches, such as the JP Morgan Chase UCard breach, and increasing concern among boards and executives about cyber risk, Duffy says now is the time for organizations to consider investing in new ways to manage this risk.

The article goes on to explain the limitations of current solutions and how relying on questionnaires and audits alone leaves organizations with blind spots, since certain issues are overlooked or only emerge later in the changing threat landscape:

The challenge is that while necessary, using these methods alone for assessing security risks is not sufficient. A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies – rarely does a questionnaire ask how many compromised servers a provider is currently running on its network. Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can’t measure the dynamic nature of the risks it is meant to assess for the duration of the business partnership. Even if a penetration test or vulnerability scan is included as part of a vendor assessment, it cannot reveal issues that may appear the following week.

Duffy goes on to explain how new solutions are emerging, such as BitSight Partner Security Rating, and how models like credit ratings can apply to cyber security in order to help businesses better manage and reduce their third party risk.

Click here to read the full article in Risk Universe.
