The idea of telling a vendor or potential vendor that you've rated their security performance can be a little daunting. If someone has never heard of a BitSight Security Rating, being told that another company has been monitoring their security effectiveness, without them knowing, can sound a little "big brother-ish" and raise lots of questions about privacy and legality. Though our methods are unobtrusive and based on the same outside-in model of credit ratings, we provide many materials to our customers to help them deal with these types of situations.
However, many vendors are happy to get their first Security Rating. Below are three ways your vendors can benefit from knowing their Security Rating, and they just might thank you for bringing it to their attention!
- Increased oversight from boards and regulators means we're all looking for better ways to communicate effectiveness to people outside of traditional security roles. Security Ratings provide companies with an easy-to-understand, objective way to assess their own security performance. The additional reports and metrics accompanying Security Ratings let people dig in on specific risk vectors to see how performance is being impacted now and over time. We can also provide private access to forensic details that will allow your third parties to fix their security issues and have an immediate impact on their performance. This information can be invaluable for demonstrating how specific strategic decisions are affecting security posture, and for determining whether additional resources or investments are needed.
- In many cases, when companies see how their rating compares to their peers and competitors, it can lead to conversations about improving their performance or acknowledging good behaviors. Companies with advanced ratings have called their ratings a "metric of pride" and have been excited to share these details with other businesses in their ecosystem.
  In a recent RSA talk entitled The 50 Minute MBA for Information Security Professionals, Branden Williams and James Adamson referred to using security performance as a market differentiator. Being able to highlight their security posture as a competitive advantage can be a great bonus for your vendors and third parties.
- As you know firsthand, third-party risk management is a laborious process, and your vendors are likely to have third parties of their own whom they need to assess. Knowing how easy it can be to get a continuous, automated rating on your vendors means they too can save time by working with BitSight to augment their current vendor risk management practices. We have rated tens of thousands of organizations worldwide and are adding more organizations to our inventory on a daily basis, making it easy to onboard new customers and provide them with the high-quality, accurate ratings they need. In fact, a recent Gartner report said that BitSight "has rapidly emerged as the 'standard' in vendor security ratings", a distinction we are honored to carry.
Vendor management is a crucial part of any enterprise risk management strategy and BitSight is committed to helping our customers add efficiency and transparency to this practice area. If you've received any feedback after sharing a Security Rating report with your vendors, we'd love to hear from you!