Posted on Jul 7, 2015
Harry’s, an online retailer, was looking to solve the paradoxical challenge of obtaining accurate, precise security information about partners, vendors, and suppliers whose networks it cannot access. Organizations such as Harry’s cannot log in to a partner’s network to view the security posture of that third party’s systems directly, nor is Harry’s permitted any continuous view of partner risks as they change.
● How often does a third-party vendor patch vulnerabilities?
● What is the DNS health of a given partner?
● How susceptible is a random supplier to a dangerous SQL injection?
These questions are very difficult to answer today.
Traditional methods for gathering this kind of security information include questionnaires, on-site visits, and penetration tests. Each requires permission, time, and patience, and each can be expensive. These methods also may not reveal enough about a security posture, because most organizations are reluctant to give away much information about their internal systems, infrastructure, networks, or other technology, lest it end up in the wrong hands. In short, meticulous, rigorous security information gathering is a game of faith.
“All too often these [vendor questionnaire] surveys would dribble back weeks after we’d hoped to see them and, more often than not, they were not done thoroughly,” said Daniel Schwartz, Director of Engineering at Harry’s.
“Along with that was the element of faith that the responses are wholly factual… The notion of running a pen test on a vendor is interesting but problematic as they have been known to take down a system. To do so without permission and then contend with a system failure would be disastrous.”
Read how Harry’s uses SecurityScorecard’s risk benchmarking platform to resolve these time, cost, and information gathering challenges.