The Pros and Cons of Vendor Risk Management Tools

Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on its IT systems, both in 2013 and for a scan planned for this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.

Regardless of whether it was the right call to make, the situation illustrates the challenges an enterprise faces whenever it wants to evaluate the information security performance of a vendor, partner or other third party. Vendors may not agree to intrusive vulnerability scans, penetration tests or other assessment methods, making it difficult for organizations to verify the security postures of third parties. With vendor risk management models moving towards a “trust but verify” approach, we take a look at the vendor risk management tools organizations can use to assess third parties in this challenging environment.

Vulnerability Scans

Vulnerability scans are a broad-reaching way to discover the potential weaknesses that exist within a network. When third parties allow you to scan their networks, you get an in-depth look at the level of cyber risk they are exposing to your company. However, it’s not out of the ordinary for a large company to have thousands of vendors in its extended ecosystem, and given the high cost of vulnerability scans, scanning every one of those networks is not a practical solution.

Penetration Tests

If you want to evaluate a network’s information security performance, a penetration test is a method you can use to your advantage. Where a scan stops at discovering a vulnerability, a pen test goes further and challenges the network’s tolerance for an attack through that weakness, showing what an attacker could actually achieve. Unfortunately, like vulnerability scans, pen tests are expensive and require permission from the third party to carry out.

Questionnaires & Audits

It can be helpful to see a qualitative view of an enterprise’s performance, and a questionnaire accomplishes that goal. Questionnaires assess what information security controls are in place. The issue with this type of assessment is that there is often a gap between what a vendor believes (or reports) about its controls and what is actually the case. You can also get very different results from different assessors, because audits aren’t always conducted the same way.

Continuous Monitoring & Security Ratings

Continuous monitoring solutions, like BitSight Security Ratings, offer an evidence-based assessment that draws on data sources from all over the internet to observe what activity is coming from a given network. These solutions do not require any investment of time, or any permission, from the third party being observed. They are used most effectively when combined with other assessment tools. Today, many organizations are using Security Ratings to augment their vendor risk programs with ongoing monitoring.

While no single tool shows the whole picture, using them in combination with each other can augment your visibility into third parties’ information security and help you trust AND verify vendor security performance.