Vendor Risk Management

The “Swap” Model: Is Your Goal to Mitigate Risk...Or Just Move it Around?

Alex Campanelli | July 26, 2017

In today’s security ratings services market, a few companies have offerings described as “swaps” or “slots.” When considering third party monitoring, this gives organizations the option to “trade out” which vendors they are monitoring when they see fit. But, does this type of disjointed monitoring actually proactively mitigate risk (which is the goal of utilizing a security ratings service) or just shift it around and hide it? This approach poses several problems.

As data breaches originating on third party networks occur more and more frequently, businesses have increasingly built out Vendor Risk Management (VRM) programs. Developing these programs to account for cyber risk is no easy feat: Bomgar’s 2017 Secure Access Threat Report found that the average number of vendors accessing a company’s network has doubled in just one year to 181 per week, with 67 percent of companies experiencing a data breach because of unsecured vendor access. With supply chains expanding and businesses increasingly sharing data, organizations need continuous visibility into the third parties they work with to safeguard their own data. With hundreds or thousands of vendors introducing new risks, security teams need to be able to continuously monitor the networks of their vendors.

As mentioned above, other security ratings firms may provide a number of slots for vendors that can be changed at any moment. The issue? This does not allow users to gain continuous visibility into companies as they constantly swap them out. By adhering to this “swapping” method, organizations lose visibility into significant changes in the security performance of their supply chain as they shift focus on another subset of vendors.

Traditional assessments such as penetration tests, security audits, and questionnaires don’t provide this continuous visibility, and neither does attempting to swap vendors in a security ratings portal. This continuous visibility into vendor networks is the key to proactively mitigating cyber risk. Moreover, conducting these “swapping” exercises across the supply chain is both costly and resource-intensive. “Swapping” out vendors for others is not a sustainable model — eventually your number of vendors may become so great that your team can’t handle swapping some in and some out constantly.

Organizations are increasingly adopting BitSight Security Ratings to continuously monitor the security risk of their third parties and vendors. However, as many organizations have learned after building out their VRM programs and tiering their vendors, not every business requires the same level of scrutiny. Many businesses continuously monitor the members of their supply chain that pose the most immediate or largest risk, while checking in on other business associates less frequently through alerting capabilities. This enables them to never lose the visibility that “swaps” take away.

When considering vendor risk management strategies, you need to find the approach that best fits your organization. By continuously monitoring your vendors, gaining visibility into major changes in third party networks via alerts, and proactively mitigating risk, BitSight Security Ratings provide what it takes to scale an effective vendor risk management program.

REQUEST A DEMO to see bitsight security ratings in action.

Demo Request - Third Party

Suggested Posts

Guide: Fourth-Party Cyber Risk & Management

In today’s interconnected world, supply chains are growing exponentially. As a result, third-party risk has become a big focus for senior management. But what about the vendors that your suppliers rely on and the threat of fourth-party...


4 Ways to Minimize the Risk of a Third-Party Data Breach

Today, 59% of data breaches originate with third-party vendors. And, as globalization brings more interconnected supply chains, that number is anticipated to grow.


How to Develop a Vendor Cyber Risk Management Framework

Third-party vendors are an essential part of today’s business ecosystem. A study by Gartner finds that, in 2019, 60% of organizations work with more than 1,000 third parties and those networks are only expected to grow.


Subscribe to get security news and updates in your inbox.