
The Pros and Cons of Vendor Risk Management Tools

Nick Gagalis | March 12, 2015

Earlier this month, it was discovered that Anthem had denied a government auditor's request to perform vulnerability scans on Anthem's IT systems in 2013, and had again declined a scan planned for this coming summer. This Data Breach Today piece details both why the enterprise could be seen as justified in its refusal and why it was a poor choice.

Regardless of whether it was the right call, the situation illustrates the challenge an enterprise faces whenever it wants to evaluate the information security performance of a vendor, partner or other third party. Vendors may not agree to intrusive vulnerability scans, penetration tests or other assessment methods, which makes it difficult to verify a third party's security posture. With vendor risk management models moving towards a "trust but verify" approach, we take a look at the tools organizations have for assessing third parties in this challenging environment.

Vulnerability Scans

Vulnerability scans are a broad way to discover potential weaknesses in a network. When a third party allows you to scan its network, you get a detailed look at the cyber risk it is exposing to your company. Keep in mind that a scan is a point-in-time snapshot of the hosts and services it can reach, so its results go stale as the vendor's environment changes. It is also not out of the ordinary for a large company to have thousands of vendors in its extended ecosystem, and given the cost of vulnerability scans, it is not practical to scan every one of them.

Penetration Tests

If you want to evaluate a network's information security performance, a penetration test is a method you can use to your advantage. Where a scan stops at discovery, a pen test goes further: after finding a vulnerability, the tester attempts to exploit it to show how far an attacker could get through that weakness. Unfortunately, like vulnerability scans, pen tests are expensive, and they require explicit, written permission from the third party before they can be carried out.

Questionnaires & Audits

It can be helpful to get a qualitative view of an enterprise's security performance, and a questionnaire accomplishes that goal. Questionnaires ask what information security controls are in place. The issue with this type of assessment is that it is self-reported: there is often a gap between what a vendor believes (or is willing to state) and what is actually the case. You can also get very different results from different assessors, because audits are not always conducted the same way.

Continuous Monitoring & Security Ratings

Continuous monitoring solutions, like BitSight Security Ratings, offer an evidence-based assessment that draws on data sources from across the internet to see what activity is coming from a given network. Because they rely only on externally observable data, they require no time investment or permission from the organization being observed. They are most effective when combined with other assessment tools, and today many organizations use Security Ratings to add ongoing monitoring to their vendor risk programs.

While no single tool shows the whole picture, using them in combination with each other can augment your visibility into third parties’ information security and help you trust AND verify vendor security performance.
