62% of employed Americans are working from home during the COVID-19 pandemic, a number that has doubled since mid-March. The sudden shift to remote work and the accompanying demand for digital capabilities, as well as other supply chain disruptions created by the pandemic, has Chief Information Security Officers (CISOs) pivoting from more long-term goals to immediately secure new cloud environments and support virtual third-party relationships.
Embracing remote operating models comes with new challenges for IT and security teams, such as:
- Securing a more complex attack surface due to cloud adoption and remote access from personal devices
- Supporting rapid vendor onboarding without taking on risk as organizations rebuild supply chains
- Increasing workload under budgetary constraints
These challenges have brought third-party risk management (TPRM) and cyber resilience programs into focus. By following the three processes below, security and IT teams can gain the agility needed to support their organizations as they respond to and recover from the disruption caused by the pandemic.
1. Third-party risk management at scale
Prior to the pandemic, many organizations were already accustomed to working with a large number of third-party suppliers. Few were truly prepared, however, to handle the accelerated pace of engagement with new suppliers. Here is how cyber resilient companies are managing third-party risk at scale.
Streamlined vendor onboarding
Firms are utilizing security ratings to streamline the vendor onboarding process. With security data curated by these platforms, teams gain an immediate understanding of prospective vendors’ security posture and have the ability to prioritize due diligence by risk and criticality. Security teams that are able to engage with new vendors quickly can better support their organizations’ business continuity plans.
Efficient security assessments
With social distancing guidelines in place, vendor security assessments are moving off-premises. Firms are now conducting efficient remote assessments using technology that allows them to identify high-risk vendors that require assessments, customize questionnaires to meet their needs, and automatically exchange and validate cybersecurity questionnaires at scale. This technology enables teams to identify and remediate security issues within their supply chain more efficiently than those still relying on the manual exchange of emails and spreadsheets.
2. Resilience through automation
We recommend that companies re-examine the cyber health of their vendors, many of which have incurred fiscal damage, and whose client-facing networks are overburdened due to the recent uptick in e-commerce. Here are some of the ways in which automation is helping organizations.
Continuous cybersecurity monitoring for vendors
Tracking third-party security issues on an ongoing basis can prevent costly visibility gaps from arising. Security ratings and automated questionnaire solutions enhance TPRM workflows with the ability to continuously monitor the cyber health of third-party vendors and provide automatic alerts when a change in a vendor’s security posture takes place, so you know if they are no longer compliant with the terms of your service level agreement (SLA) or risk tolerance.
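As an added illustration (not SecurityScorecard code), the check below evaluates vendor rating snapshots against per-tier SLA floors and flags a breach or a sharp drop, while staying quiet for a vendor that is already known to be out of tolerance. Vendor names, tiers, scores and thresholds are all constructed for the example.

```python
"""Added example: alert on vendor security-posture changes against SLA thresholds."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum acceptable score per vendor criticality tier (constructed values,
# not any real organization's risk tolerance).
SLA_FLOOR: Dict[str, int] = {"critical": 80, "high": 70, "standard": 60}
DROP_ALERT_POINTS = 10  # also alert on a drop of this size even if still above floor


@dataclass
class Snapshot:
    vendor: str
    tier: str
    score: int  # 0-100 rating-style score from a monitoring feed


def evaluate(previous: Optional[Snapshot], current: Snapshot) -> List[str]:
    """Return alert messages for one vendor given its previous and current snapshot."""
    alerts: List[str] = []
    floor = SLA_FLOOR[current.tier]
    # Only alert on a breach when the vendor was previously compliant (or is new),
    # so an already-known breach is not re-raised on every polling cycle.
    previously_ok = previous is None or previous.score >= floor
    if current.score < floor and previously_ok:
        alerts.append(f"{current.vendor}: SLA breach, score {current.score} "
                      f"below floor {floor} for tier {current.tier}")
    if previous is not None and previous.score - current.score >= DROP_ALERT_POINTS:
        alerts.append(f"{current.vendor}: score dropped {previous.score - current.score} "
                      f"points ({previous.score} -> {current.score})")
    return alerts


def run_monitoring(history: Dict[str, Snapshot], batch: List[Snapshot]) -> List[str]:
    """Process one polling cycle: compare each snapshot to history and update it."""
    alerts: List[str] = []
    for snap in batch:
        alerts.extend(evaluate(history.get(snap.vendor), snap))
        history[snap.vendor] = snap
    return alerts


def demo() -> List[str]:
    """Two constructed polling cycles; the first sets the baseline, the second alerts."""
    history: Dict[str, Snapshot] = {}
    day1 = [Snapshot("AcmePay", "critical", 85), Snapshot("BoxShip", "standard", 65),
            Snapshot("DataCo", "high", 72)]
    day2 = [Snapshot("AcmePay", "critical", 78), Snapshot("BoxShip", "standard", 52),
            Snapshot("DataCo", "high", 72)]
    alerts = run_monitoring(history, day1)
    alerts += run_monitoring(history, day2)
    return alerts
```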
Simplified operations
Whether it’s securing new digital collaboration platforms, onboarding new vendors, or training remote workers on cybersecurity best practices, CISOs have their hands full. Automating time-consuming tasks—such as identifying unpatched systems and open access ports—minimizes human error and frees time and resources for higher-level efforts. Firms can further optimize their security operations by choosing a solution that integrates with the tools they’re already using—such as GRC, SIEM, and ITSM solutions—in order to get the most out of their technology stack.
3. Leveraging existing tools
Many CISOs had to put projects on hold to meet the cost of addressing new security issues created by the pandemic, because their budgets had already been set. Fiscal challenges aren’t expected to go away any time soon, with more than 70% of security executives expecting their budgets for the fiscal year 2021 to contract. Let’s take a look at how successful security teams are optimizing costs in the current environment.
Security reporting
Security leaders are creating a common language and reporting framework to communicate risk to executives who may not be cyber experts. By utilizing objective data and key performance indicators (KPIs), CISOs can demonstrate the value of cybersecurity initiatives, even under a tight budget.
Measured ROI on security investments
Taking a risk-based approach that prioritizes internal and third-party security issues allows security executives to support business functionality while demonstrating cost savings. Leveraging the right technology enhances existing workflows, increases the value of security investments, and provides organizations with comprehensive threat intelligence that informs effective cybersecurity strategy and spending.
How SecurityScorecard can help
SecurityScorecard solutions enable organizations to remain flexible and ensure business resilience and continuity in an unpredictable environment. Security professionals can use SecurityScorecard to minimize cybersecurity risk through a comprehensive platform that unifies security ratings with the questionnaire exchange process.
To learn more about how to remain agile during these unprecedented times, read our ebook, “How Security and IT Teams Can Manage the Shift to the New Normal,” and download our tip sheet, “The Golden Rules of TPRM in The New Normal.”