
Why Historical Security Data Matters in Vendor Risk Management

Noah Simon | October 22, 2015

In today’s cyber threat landscape, organizations must know how secure they are at any given time. One of the most important questions that security professionals and risk managers can ask is “how secure am I right now?”

However, there is an equally important question: “how has my security posture changed over the past year?” Organizations must first ensure they have controls in place to reduce the likelihood of cyberattacks; but security resources and spend may be allocated inefficiently if no one looks back in time to measure how effective those controls have been. That measurement cannot be done without historical security metrics.

The same concept applies to vendor risk management. A vendor or supplier may be secure today, but have they had security incidents in the past? How has their performance changed over time? Are there incidents that caused changes in their performance? How are they responding to those issues now? Without historical data spanning a year or more, organizations may be entrusting data and access to third parties whose unaddressed vulnerabilities expose them to significant cyber risk.

Historical security data is not unlike historical stock prices. Most people would not invest in a company if they could only see today’s stock price. As any researcher or analyst knows, context is everything. Savvy investors look at price history going back at least one year. And while experienced investors know not to overreact to small fluctuations, they also know that this history is an important baseline for decision making.


The same is true for vendor risk management. With historical context about an organization’s security posture, security and risk teams can make critical business decisions with utmost confidence. Without it, organizations may be flying blind.

Download Guide: 5 Ways Vendor Risk Management Programs Leave You In The Dark

Ignoring a vendor's security posture over time is just one way you can be left in the dark. Download this guide to learn what else may be putting your organization at risk.
