Study Reveals Top Business Concerns about Supply Chain Relationships

IT decision makers have significant interest in tracking third-party security, yet few organizations do so with the necessary frequency.

Date: March 3, 2015

BitSight Technologies, the standard in Security Ratings, today announced results from a commissioned study, conducted by Forrester Consulting on behalf of BitSight, that reveals third-party security as a top business concern for enterprises. The findings suggest a significant appetite for monitoring third-party security but a steep disconnect in the resources available to manage it adequately and objectively.

The study, “Continuous Third-Party Security Monitoring Powers Business Objectives and Vendor Accountability,” is based on surveys of IT security and risk-management decision makers in the U.S., U.K., France and Germany.

Forrester found that when it comes to tracking third-party risk, critical data loss or exposure (63 percent) and the threat of cyber attacks (62 percent) ranked as the top concerns, above standard business issues such as whether the supplier could deliver quality, timely service as contracted (55 percent). Despite the desire for more robust insight into third-party security practices, only 37 percent of survey respondents reported tracking any of these metrics on a monthly basis.

[Chart: Third Party Monitoring Beneficial to Critical Metrics. Base: 422 IT decision-makers at enterprises in the US, UK, France, and Germany. Source: Forrester Forrsights Services Survey, Q3 2013]

The research further reveals that a vast majority of IT decision makers believe that continuous third-party monitoring would yield a major improvement in their security effectiveness in key areas, such as event identification time (76 percent), event remediation time (72 percent) and response times to high-profile events (71 percent).

“Across the nine types of third-party information we surveyed IT security decision-makers on, an average of 59% indicated a desire to track and monitor. Yet across those same nine information types, an average of only 22% were tracking with monthly or greater frequency,” according to Forrester Consulting. “Enterprises overwhelmingly anticipate major or moderate improvement to many metrics around third-party evaluation, such as the ability to compare security postures, screen vendors based on risk, and evaluate infrastructure configurations. Additionally, enterprises anticipate reductions in times required for security event identification and remediation times and responses to high-profile events.”

“The supply chain has become a cyber security minefield for companies, as we’ve seen with breaches caused by third-party vendors at Target, Neiman Marcus, Goodwill, Home Depot and many more,” said Stephen Boyer, CTO and co-founder of BitSight Technologies. “Continuous, data-driven monitoring of third-party security vulnerabilities and threats has become essential for effective vendor risk management.”


Other Key Findings:

  • Forrester estimates that enterprises allocated 21 percent of their overall IT budget to third parties.
  • 63 percent of respondents believe continuous third-party monitoring would improve their ability to screen vendors based on risk.
  • 79 percent of respondents reported that ensuring business partners and third parties comply with their security requirements is a top IT security priority over the next 12 months.
  • 82 percent of respondents said that ensuring regulatory compliance is a “critical” or “high” priority, but only 29 percent were fully compliant, on average, across eighteen regulations or best practice guidelines.

In addition to releasing the new Forrester study, BitSight is announcing significant enhancements to its innovative Security Ratings product line, strengthening the data breadth, quality and innovation for benchmarking comparative data and third-party risk management.


About BitSight Technologies

BitSight Technologies is transforming how companies manage information security risk with objective, evidence-based security ratings. The company's Security Rating Platform continuously analyzes vast amounts of external data on security behaviors in order to help organizations manage third-party risk, benchmark performance, and assess and negotiate cyber insurance premiums. Based in Cambridge, MA, BitSight is backed by the National Science Foundation, Commonwealth Capital Ventures, Flybridge Capital Partners, Globespan Capital Partners, and Menlo Ventures. For more information, please visit or follow @BitSight on Twitter.