Vendor Risk Management

The Pros and Cons of Vendor Risk Management Tools

Nick Gagalis | March 12, 2015

Earlier this month, it was discovered that Anthem denied a government auditor’s request to perform vulnerability scans on Anthem’s IT systems, both in 2013 and again for a scan planned for this coming summer. This Data Breach Today piece details both why the enterprise was justified in its refusal and why it was a poor choice.

Regardless of whether it was the right call to make, the situation displays the challenges an enterprise faces whenever it wants to evaluate the information security performance of a vendor, partner or other third party. Vendors may not agree to intrusive vulnerability scans, penetration tests or other assessment methods, making it difficult for organizations to verify the security postures of third parties. With vendor risk management models moving towards a “trust but verify” approach, we take a look at the vendor risk management tools organizations have to assess third parties in this challenging environment.

Vulnerability Scans

Vulnerability scans are a broad-reaching way to discover the potential weaknesses that exist within a network. When third parties allow you to scan their networks, you get an in-depth look at the level of cyber risk they are exposing to your company. However, it’s not out of the ordinary for a large company to have thousands of vendors in its extended ecosystem, and due to the high cost of vulnerability scans, scanning every vendor network would not be an effective solution.

Penetration Tests

If you want to evaluate a network’s information security performance, a penetration test is a method you can use to your advantage. After discovering a vulnerability, a pen test will challenge the network’s tolerance for an attack through that weakness. Unfortunately, like vulnerability scans, pen tests are expensive and require permission from the third party to carry out.

Questionnaires & Audits

It can be helpful to see a qualitative view of an enterprise’s performance, and a questionnaire accomplishes that goal. Questionnaires assess what information security controls are in place. The issue with this type of assessment is that a vendor’s self-reported answers are often biased and differ from the actual state of its controls. You can also get very different results from different assessors, because the audits aren’t always conducted the same way.

Continuous Monitoring & Security Ratings

Continuous monitoring solutions, like BitSight Security Ratings, offer an evidence-based assessment using data sources from all over the internet to see what activity is coming from a given network. These solutions do not require any investment of time or permission from the network being observed. They are used most effectively when combined with other assessment tools. Today, many organizations are using Security Ratings to augment their vendor risk programs with ongoing monitoring.

While no single tool shows the whole picture, using them in combination with each other can augment your visibility into third parties’ information security and help you trust AND verify vendor security performance.
