By Nikolay Filipets
Imagine needing a nice hotel for an upcoming family vacation to Maine. Like most of us, you’ll likely go online to do some research to find something that meets your needs: close to the beach, near family you’re visiting, with a pool and a breakfast buffet. Maybe you’d also like a nice 360° view of that impressive Maine coastline. A few clicks later and you may have nearly a hundred options to choose from. Narrowing it down by those with four-star ratings will get you down to a handful, which is much easier to review. But, before you click “book,” don’t forget to check out those real-time user reviews on your selected hotel. You just might find out that they’re in the process of building a new wing at the hotel and construction starts at 7 a.m. every morning. No thanks!
I’ve done this kind of searching for things I need, and it makes me think about the importance of marrying control assessments with real-time data when assessing vendor risk. It’s possible to miss important insights if you’re not using both. You’ll get important information from both data paths that are necessary for making the right choice.
The hotel example is similar to a common scenario in vendor risk management: You’re working with a significant number of vendors, but have limited resources to manage them and assess their potential risk on a consistent basis. The good news is, many of your vendors are probably fine, just like a lot of the hotels. The bad news is, it only takes one issue with one vendor to open up your organization to regulatory penalties, fines, financial losses, and damage to your brand equity with customers and industry partners. It’s that early-morning jackhammer that rips you out of your bed on what should be a relaxing vacation day.
If you’re managing vendor risk for a large organization, you may have a thousand or more vendors to assess on a regular basis. Knowing where to start can be daunting, but there is a solution.
It starts with an assessment to develop a risk classification of your vendors. Of those thousand or so vendors you may need to assess, it’s possible that only 20 percent of them should be considered high risk, often because they either touch part of your organization’s infrastructure or share and manage some of your data. Of course, 200 vendors are still a lot to monitor and track on an ongoing basis.
This is why Rsam has integrated BitSight Technologies Security Ratings into our Vendor Risk Management module. It’s how we help organizations identify, prioritize, and mitigate the risk inherent in sharing sensitive data with third parties. It’s also how you get a better feel for the vendors you really need to monitor. So, for example, if you have 200 vendors who are high risk, BitSight Technologies can tell you that, say, 30 percent have great ratings. This frees you to deprioritize the vendors BitSight rates highly, leaving you with a much more manageable group to focus on.
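To make the classify-then-rate workflow concrete, here is an added sketch of the logic (my own illustration, not Rsam’s or BitSight’s code): vendors are first tiered by whether they touch infrastructure or handle data, and the control-assessment score is then combined with an outside-in rating to set a review cadence. The vendor records, both score scales and the thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed thresholds on a constructed 0-100 scale (not BitSight's actual scale).
GREAT_RATING = 80          # outside-in rating at or above this counts as "great"
QUESTIONNAIRE_PASS = 75    # control-assessment score at or above this is acceptable

@dataclass
class Vendor:
    name: str
    touches_infrastructure: bool    # has access to our systems or network
    handles_our_data: bool          # stores, processes or transmits our data
    questionnaire_score: int        # control assessment result, 0-100 (constructed)
    security_rating: Optional[int]  # real-time rating, 0-100 (constructed); None if not pulled

def inherent_tier(v: Vendor) -> str:
    """Classification step: data or infrastructure access makes a vendor high risk."""
    return "high" if v.touches_infrastructure or v.handles_our_data else "low"

def review_cadence(v: Vendor) -> str:
    """Combine the questionnaire with the rating; a great rating deprioritizes,
    but never removes, a high-risk vendor from the monitored set."""
    if inherent_tier(v) == "low":
        return "annual"
    # A missing rating is unknown, not good, so it cannot deprioritize anyone.
    if v.security_rating is None or v.questionnaire_score < QUESTIONNAIRE_PASS:
        return "monthly"
    if v.security_rating >= GREAT_RATING:
        return "quarterly"   # deprioritized, still on the high-risk list
    return "monthly"

def triage(vendors) -> dict:
    """Group vendor names by cadence, most frequent review first."""
    groups = {"monthly": [], "quarterly": [], "annual": []}
    for v in vendors:
        groups[review_cadence(v)].append(v.name)
    return groups

# Constructed sample vendor population.
SAMPLE = [
    Vendor("payroll-saas", False, True, 90, 85),   # high risk, strong on both signals
    Vendor("msp", True, True, 60, 88),             # great rating but weak questionnaire
    Vendor("cdn", True, False, 85, None),          # rating not yet available
    Vendor("catering", False, False, 40, 30),      # no data or infrastructure access
]

if __name__ == "__main__":
    for cadence, names in triage(SAMPLE).items():
        print(f"{cadence:>9}: {', '.join(names) or '-'}")
```

The point of the `msp` and `cdn` rows is the caveat: an external rating only deprioritizes a vendor when the control assessment is also acceptable and the rating actually exists.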
BitSight Technologies Helps with Vendor Risk Management Prequalification, Too
They say an ounce of prevention is worth a pound of cure, and that’s true of your third-party vendor risk management approach, too. Just as your mortgage lender checks your credit score to pre-qualify you for a home mortgage, BitSight Technologies allows you to check a potential vendor’s security performance before working with them.
Data Makes Vendor Risk Management Decision-Making Easier
The more data to aid your decision-making, the better—right? Well, that’s true if the data is normalized, analyzed and actionable. When it comes to the nightmares that CISOs and risk management teams face, too much data without a meaningful way to present it is almost as bad as no data at all.
Rsam plus BitSight Technologies offers the proverbial one-two punch that gives you a 360° view of vendor risk management. You get the macro-level view of the security posture across your vendor ecosystem. And then at the micro-level, your organization gets a more comprehensive picture of each vendor that includes both their risk posture based on your questionnaires as well as their BitSight score.
You also get a side-by-side comparison of all of their risk factors.
It’s time to stop dealing with the headache of vendor risk management on your own. If you’re dealing with more than your organization can handle when it comes to vendor risk management—and in reality, who isn’t?—it’s time to consider a new approach and enjoy that unobstructed view.