
Why Historical Security Data Matters in Vendor Risk Management

Noah Simon | October 22, 2015

In today’s cyber threat landscape, organizations must know how secure they are at any given time. One of the most important questions that security professionals and risk managers can ask is “how secure am I right now?”

However, there is an equally important question: “how has my security posture changed over the past year?” Organizations must first ensure they have controls in place to reduce the likelihood of cyberattacks; however, security resources and spend may not be efficiently allocated if organizations do not look back in time to measure the effectiveness of their efforts. This cannot be done without historical security metrics.

This concept also applies to vendor risk management. A vendor or supplier may be secure today, but have they had security incidents in the past? How has their performance changed over time? Are there incidents that have caused changes in their performance? How are they responding to those issues now? Without historical data that spans a year or more, organizations may be entrusting third parties that carry potential vulnerabilities, exposing themselves to significant cyber risk.

Historical security data is not unlike historical stock prices. Most people would not invest in a company if they could only see today’s stock price. As any researcher or analyst knows: context is everything. Savvy investors look at stock indexes that span back at least one year. And while many investors know not to overreact to small fluctuations in stock prices, they know that the price history is an important baseline for decision making.


The same is true for vendor risk management. With historical context about an organization’s security posture, security and risk teams can make critical business decisions with the utmost confidence. Without it, organizations may be flying blind.


