Why Cyber Risk Prioritization is Essential to a Solid TPRM Program
Brian Thomas | July 13, 2020
Today’s businesses can’t succeed on their own, which is why they turn to third parties to grow and stay competitive. However, these partnerships can introduce unwanted cyber risk.
To mitigate that risk, companies must undertake a vigorous and extensive vendor onboarding process. Too often, however, security managers turn to a “one-size-fits-all” approach, where each third party is assessed in the same manner.
Yet this process is not scalable, creates significant overhead, and fails to take into consideration the variances between different vendors. This has a trickle-down effect. When security teams spend unnecessary time and resources doing extended, full-blown assessments on each vendor — regardless of how critical they are to the business — they undermine their organizations' efforts at agility, which is one of the primary reasons they're hiring third parties to begin with. This conflicts with the business goals of the organization and can impede growth.
For a third-party risk management (TPRM) program to be as effective and efficient as possible, security managers must find ways to prioritize which vendors receive the greatest scrutiny based on criticality to the business and risk. Let’s take a look at how they can achieve this.
1. Tier vendors based on perceived risk
A simple way to prioritize vendors is to group or tier them based on how critical they are to the organization. A critical vendor is one that has access to the company’s sensitive data or one that provides an important service, like a payroll provider. These represent a much higher level of cyber risk than a third party that doesn’t have direct access to the network, like an office supplies company.
With tiering, security teams can better determine whether a vendor needs a more in-depth assessment. Tiering also helps scale the assessment process, enabling organizations to allocate resources to vendors that may require more due diligence.
2. Use data insights to prioritize vendors that need the most attention
Tiering vendors can help streamline the security assessment process, but data can help take it one step further to measure the effectiveness of a potential vendor’s security program.
Calculated using externally observable and verifiable data, BitSight Security Ratings provide an instantaneous snapshot of each third party’s overall security posture. These ratings, which range from 250 to 900, empower security teams to compare vendors’ security profiles side-by-side and prioritize them according to risk — with a higher score suggesting a stronger security posture. The BitSight platform also gives insights into specific risk vectors, such as malware or unpatched systems, to help security teams understand the severity of the risk present in a vendor.
With this data, companies can go beyond their initial tiering and further prioritize which vendors need the most attention. They can also study that data over time. If a vendor’s score drops — for example, from 750 to 630 — those vendors can be prioritized for additional due diligence and reassessment.
The security rating can also be used to optimize and prioritize risk assessment strategies. Organizations may decide, for instance, that the assessment process for vendors with high security ratings may not need to be as rigorous, while the process for vendors with lower ratings could be more thorough.
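The tiering from step 1 and the rating-based rules from step 2 can be encoded as a single prioritization policy. The following is an added example, not BitSight's code or API: the 250–900 scale and the 750-to-630 drop come from the post, while the threshold values, tier numbers and sample vendors are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Rating scale as stated in the post. The three thresholds are assumed policy
# values chosen for this example, not BitSight guidance.
RATING_MIN, RATING_MAX = 250, 900
LOW_RATING = 640        # assumed: at or below this, the rating alone warrants a full review
HIGH_RATING = 740       # assumed: above this, a non-critical vendor gets a light review
DROP_THRESHOLD = 100    # assumed: a fall this large since the last snapshot forces reassessment

@dataclass
class Vendor:
    name: str
    tier: int        # 1 = critical (sensitive data or key service), 2 = moderate, 3 = low
    ratings: list    # rating snapshots over time, oldest first

def check_rating(value):
    """Reject values outside the 250-900 scale before they drive a decision."""
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"rating {value} outside {RATING_MIN}-{RATING_MAX}")
    return value

def rating_drop(ratings):
    """Points lost between the previous and the latest snapshot (0 if none, or rising)."""
    if len(ratings) < 2:
        return 0
    return max(0, ratings[-2] - ratings[-1])

def assessment_depth(vendor):
    """Return (depth, reason), where depth is 'full', 'standard' or 'light'."""
    latest = check_rating(vendor.ratings[-1])
    drop = rating_drop(vendor.ratings)
    if drop >= DROP_THRESHOLD:
        return "full", f"rating fell {drop} points to {latest}; reassess"
    if vendor.tier == 1:
        return "full", "critical vendor (sensitive data or key service)"
    if latest <= LOW_RATING:
        return "full", f"low rating {latest}"
    if latest > HIGH_RATING:
        return "light", f"non-critical vendor with strong rating {latest}"
    return "standard", f"tier {vendor.tier}, rating {latest}"

DEPTH_ORDER = {"full": 0, "standard": 1, "light": 2}

def prioritize(vendors):
    """Order the review queue: deepest reviews first, lowest current rating first within a depth."""
    rows = [(v, *assessment_depth(v)) for v in vendors]
    rows.sort(key=lambda r: (DEPTH_ORDER[r[1]], r[0].ratings[-1]))
    return [(v.name, depth, reason) for v, depth, reason in rows]

# Constructed sample portfolio (not real vendors or real ratings).
SAMPLE_VENDORS = [
    Vendor("payroll-provider", 1, [770, 760]),
    Vendor("analytics-saas", 2, [750, 630]),   # the 750 -> 630 drop from the post
    Vendor("office-supplies", 3, [810]),
    Vendor("print-shop", 3, [700]),
]
```

Running `prioritize(SAMPLE_VENDORS)` puts the vendor whose rating fell 120 points at the head of the queue ahead of the critical-tier payroll provider, and leaves the office supplies company for a light review.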
3. Understand where cyber risk is concentrated
BitSight Security Ratings also help organizations prioritize the cyber risk of their vendors by providing granular insight into the effectiveness of a vendor’s security controls and policies against specific risk vectors. These could include compromised systems, open ports, user behavior, and publicly disclosed breaches.
This information allows security teams to align resources where risk is concentrated. For example, if a potential vendor receives a medium to low security rating, the BitSight platform can provide visibility into the reason behind that score, such as the presence of hard-to-detect malware or an inconsistent patching cadence. These findings can then be shared with those third parties to ensure security issues are remediated.
Achieve significant risk reduction, even with limited resources
Third-party cyber risk prioritization is an essential best practice for proactive risk mitigation. With the measures outlined here, security teams can cut down the time and resources needed to onboard partners from months to weeks or even days, better manage third-party risk at scale, and accelerate time to value.
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third parties integrating with their business, and ...