The Importance of Actionable Metrics in Managing Vendor Risk

Alex Campanelli | September 5, 2017

In today’s market, an increasing number of security and risk management executives are being asked to present to the Board of Directors on the state of their — and their third parties’ — security and risk programs. Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. BitSight understands that making an organization’s security posture accessible to C-level executives and the Board of Directors is becoming more of a requirement within the business; we’ve added capabilities within BitSight Security Ratings that arm security and risk management executives with actionable metrics that they can share with the Board of Directors.

Most Boards understand that cybersecurity — both for their own organization as well as their supply chain — is a critical issue and as a result, they frequently ask to receive regular briefings on the topic. If your organization has just begun this practice, it’s essential that you establish credibility when you present to your Board of Directors. BitSight’s latest product enhancements allow organizations to take actionable steps to identify, effectively communicate about, and actively manage the risk in their vendor portfolios.

BitSight Security Ratings have helped hundreds of organizations develop their vendor risk management (VRM) strategies and programs. The foundation of this success has been objective, verifiable, and actionable data that empowers executives to make critical business decisions. To continue to do this, organizations need a set of prescriptive features when forming their VRM program. BitSight now provides a prescriptive approach that allows companies using BitSight Security Ratings to increase the actionability and effectiveness of their third-party risk management programs. Using this prescriptive methodology enables BitSight customers to operate their VRM programs at scale, drive faster decision making, and enhance collaboration between first parties and their critical vendors.

A portfolio overview in the BitSight Security Ratings portal, with the vendor action plan and company breakdown indicated on the left.

Additionally, BitSight users can now create a vendor action plan based on their vendors’ tier, or prioritization, and their security rating. If a vendor has a security rating between 250 and 740 and is tiered as either High or Moderate priority, the vendor is labeled as Escalate, meaning that immediate remediation steps should be taken. As the most serious vendor action plan label, “Escalate” indicates that the company should issue an Enable Vendor Access (EVA) request to the vendor and ask them to remediate the issues that BitSight has identified.

Vendors tiered as Moderate or Low with a security rating of over 640 may be labeled as Review or Monitor. If labeled as “Monitor,” no action is needed and users can simply choose to receive a notification if the ratings change. “Review” signifies that the company should investigate the security posture of the third party further to gain a deeper understanding and determine if any remediation steps are necessary.
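As an added illustration (not BitSight’s code), the two labeling rules above applied to a constructed vendor portfolio so the resulting action plan can be summarized for a Board briefing. The post does not say which rule wins for a Moderate-tier vendor rated 641–740, nor what happens to combinations it never mentions, so the Escalate-first precedence and the “Unspecified” bucket are assumptions made here:

```python
# Added example (not BitSight's code): apply the vendor action plan rules quoted in
# the post to a constructed vendor portfolio. Rules stated on the page:
#   - rating 250..740 and tier High or Moderate   -> "Escalate"
#   - rating above 640 and tier Moderate or Low   -> "Review or Monitor"
# Assumptions (not stated on the page): Escalate is checked first where both rules
# match (Moderate tier, rating 641..740); combinations the page does not cover
# return "Unspecified" so the program owner sees the gap instead of a silent default.
from collections import Counter
from dataclasses import dataclass

ESCALATE_TIERS = {"High", "Moderate"}
REVIEW_MONITOR_TIERS = {"Moderate", "Low"}


@dataclass(frozen=True)
class Vendor:
    name: str
    tier: str      # "High", "Moderate" or "Low"
    rating: int    # security rating; the page mentions the 250..740 and >640 bands


def action_label(vendor: Vendor) -> str:
    if vendor.tier not in ESCALATE_TIERS | REVIEW_MONITOR_TIERS:
        raise ValueError(f"unknown tier {vendor.tier!r} for {vendor.name}")
    if 250 <= vendor.rating <= 740 and vendor.tier in ESCALATE_TIERS:
        return "Escalate"            # page: issue an EVA request and ask for remediation
    if vendor.rating > 640 and vendor.tier in REVIEW_MONITOR_TIERS:
        return "Review or Monitor"   # page leaves the choice between the two to the analyst
    return "Unspecified"             # assumption: not covered by the rules on the page


def build_action_plan(portfolio):
    """Return (label per vendor, label counts) for board-level reporting."""
    plan = {v.name: action_label(v) for v in portfolio}
    return plan, Counter(plan.values())


# Constructed sample portfolio (names, tiers and ratings are made up for illustration).
SAMPLE_PORTFOLIO = [
    Vendor("payroll-saas", "High", 610),      # High + in band -> Escalate
    Vendor("cdn-provider", "Moderate", 700),  # both rules match; Escalate wins (assumption)
    Vendor("office-supplies", "Low", 720),    # Low + >640 -> Review or Monitor
    Vendor("analytics-vendor", "High", 790),  # High + >740: the page gives no rule
    Vendor("print-shop", "Low", 500),         # Low + <=640: the page gives no rule
]

if __name__ == "__main__":
    plan, counts = build_action_plan(SAMPLE_PORTFOLIO)
    for name, label in plan.items():
        print(f"{name:18} {label}")
    print(dict(counts))
```

The “Unspecified” rows are the useful output: they show which tier/rating combinations the written policy must still cover before the plan is presented as complete.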

Actionable metrics should be at the heart of every organization’s VRM program, especially as organizations begin to communicate their security posture to their executives. By using BitSight Security Ratings’ prescriptive approach to VRM, companies can convey easy-to-understand metrics to their Board of Directors or executives. This allows for easier collaboration moving forward as security teams continue to develop third party remediation plans and develop ways to proactively mitigate the risk vendors can pose to their organization.
