
Which Vendor Management Metrics & KPIs Should You Track For Cyber Risk?

Melissa Stevens | May 17, 2016

“You can’t manage what you can’t measure.”

This adage may be overused in business, but there’s a reason for it. Simply put, if you want to improve your vendor risk management program or get a better look at your vendor’s security posture, you’ll need to use several important metrics.

These metrics will help you monitor where you stand now and where you’re headed.

KPIs For Evaluating Your Vendor Management Program

1. The frequency with which you review your entire list of suppliers and vendors and designate those that are critical.

The process for identifying security threats begins with understanding two important designations: who your third parties are and who your critical third parties are. If this process is performed frequently, your organization is more likely to find third parties that have a surprising amount of access to your data or network, and thus should be deemed “critical.”

2. Percentage of critical vendors whose contracts have been updated to include certain cybersecurity implementations.

Of course, the best time to include the cybersecurity implementations you require from a vendor is when you onboard them. This makes it far easier to begin the business relationship with a clear understanding of security expectations.

But if you are just beginning your vendor risk management program — or have recently updated it — you may need to reevaluate your contracts. If this happens, you should monitor how many vendors you’ve required to revisit contractual agreements regarding cybersecurity best practices.

Tip: Be sure each of your contracts designates who should be notified in the event of any security breach to the vendor and how quickly this notification should take place.

3. Percentage of critical vendors you’ve required to purchase insurance policies that would cover you during an incident.

Cybersecurity liability insurance is in high demand for several good reasons — not the least of which is the ever-growing threat of sophisticated cyber attacks. Board members and company executives are becoming more aware of the weight targeted cyberattacks can hold.

To ensure your critical vendors purchase an insurance policy that also covers you as the first party isn’t just a good practice — it can be the difference between recovering some or all of a financial loss you may take if your vendor is compromised.

KPIs For Evaluating Each Of Your Vendors

1. Time it takes your vendors to remediate vulnerabilities.

This is also known as “patching cadence” — and it involves determining how many vulnerabilities your vendors have in their systems and how many of the critical vulnerabilities have yet to be patched.

One of your vendors may, for example, purchase and deploy a new piece of software. This software could have a number of vulnerabilities that the software company releases patches for. It is critical for you to monitor how quickly your vendor is able to patch each of these vulnerabilities, because leaving vulnerabilities unpatched can increase the likelihood that the vulnerability will be exploited (potentially exposing your data).

2. Time it takes your vendors to respond to security incidents.

A security incident is an actual exploitation of a system — not just the threat of it. So you will most certainly be concerned with how quickly your vendors are able to identify threats and respond appropriately to them. Unsurprisingly, the longer it takes for these incidents to be shut down, the greater the chance that your data will be compromised as well.
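Both vendor KPIs above can be computed from the same two kinds of records: vulnerability findings (when a fix became available, when it was applied) and incidents (when detected, when contained). The script below is an added example, not BitSight’s code; the vendor names, dates, the 30-day SLA and the scoring rules are constructed assumptions. Open critical findings older than the SLA are counted as misses, while open findings still inside the SLA are left out of the percentage because their outcome is not yet known.

```python
from datetime import date
from statistics import median

# Constructed sample records (not real vendor data). Each vulnerability is
# (severity, date a fix became available, date it was applied or None if open);
# each incident is (date detected, date contained).
VENDORS = {
    "Vendor A": {
        "vulns": [("critical", "2016-03-01", "2016-03-10"),
                  ("critical", "2016-03-15", None),
                  ("high", "2016-02-01", "2016-02-20")],
        "incidents": [("2016-04-01", "2016-04-03")],
    },
    "Vendor B": {
        "vulns": [("critical", "2016-01-05", "2016-03-20"),
                  ("critical", "2016-02-01", "2016-02-05")],
        "incidents": [],
    },
}

def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def patching_cadence(vulns, today, sla_days=30):
    """Patching cadence for critical findings: how many are still open, the
    median days from fix availability to patch, and the share of decided
    findings that were patched within the SLA (assumed 30 days)."""
    crit = [v for v in vulns if v[0] == "critical"]
    open_crit = [v for v in crit if v[2] is None]
    closed_days = [_days(v[1], v[2]) for v in crit if v[2] is not None]
    within = sum(1 for d in closed_days if d <= sla_days)
    missed = sum(1 for d in closed_days if d > sla_days)
    # An open finding already past the SLA is a miss; a younger one is undecided.
    missed += sum(1 for v in open_crit if _days(v[1], today) > sla_days)
    decided = within + missed
    return {
        "open_critical": len(open_crit),
        "median_days_to_patch": median(closed_days) if closed_days else None,
        "pct_within_sla": round(100.0 * within / decided, 1) if decided else None,
    }

def incident_response_time(incidents):
    """Mean days from detection to containment; None when nothing was recorded."""
    if not incidents:
        return None
    return sum(_days(d, c) for d, c in incidents) / len(incidents)

def vendor_kpis(vendors, today, sla_days=30):
    return {name: {"patching": patching_cadence(v["vulns"], today, sla_days),
                   "mean_response_days": incident_response_time(v["incidents"])}
            for name, v in vendors.items()}
```

Run with `vendor_kpis(VENDORS, "2016-05-17")`; a vendor whose only incident record is empty reports `None` rather than a misleading zero.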

The catch here is that virtually no company will want to provide you with these metrics. They may not be tracking this metric themselves, or they could be performing poorly. In fact, when you use traditional vendor monitoring methods, there are a limited number of things you can glean about a third party’s cybersecurity effectiveness. You can view recent audits, conduct assessments, perform on-site interviews, and review documentation, but these methods take time and are completely subjective.

Because of this, having a security rating platform like BitSight that is able to alert you to potential security incidents when they happen is highly useful — not only for your vendors, but in your own organization as well.

