Why Historical Security Data Matters in Vendor Risk Management


In today’s cyber threat landscape, organizations must know how secure they are at any given time. One of the most important questions that security professionals and risk managers can ask is “how secure am I right now?”

However, there is an equally important question: “how has my security posture changed over the past year?” Organizations must first ensure they have controls in place to reduce the likelihood of cyberattacks; however, security resources and spend may not be efficiently allocated if they aren’t looking back in time to measure the effectiveness of their efforts. This cannot be done without historical security metrics.

This concept also applies to vendor risk management. A vendor or supplier may be secure today, but have they had security incidents in the past? How has their performance changed over time? Have specific incidents caused changes in their performance? How are they responding to those issues now? Without historical data that spans a year or more, organizations may be entrusting third parties that carry unseen vulnerabilities, exposing themselves to significant cyber risk.

Historical security data is not unlike historical stock prices. Most people would not invest in a company if they could only see today’s stock price. As any researcher or analyst knows, context is everything. Savvy investors look at stock indexes that span back at least one year. And while many investors know not to overreact to small fluctuations in stock prices, they know that price history is an important baseline for decision making.

The same is true for vendor risk management. With historical context about an organization’s security posture, security and risk teams can make critical business decisions with utmost confidence. Without it, organizations may be flying blind.

Ignoring a vendor's security posture over time is just one way you can be left in the dark. Download this guide to learn what else may be putting your organization at risk.