[Case Study] How To Operationalize Third Party Risk Management

By Imarc

Posted on Jul 7, 2015

Harry's Automates Vendor Risk Management

Harry’s, an online retailer, was looking to solve the paradoxical challenge of having accurate, precise security information about partners, vendors, and suppliers whose networks they cannot access. Organization’s such as Harry’s cannot directly log in and access a partner’s network to readily view the security posture of that third party’s systems, nor is Harry’s allowed to have any continuous view of partner risks as they change.

● How often does a third party vendor patch vulnerabilities?

● What is the DNS health of a given partner?

● How susceptible is a random supplier to a dangerous SQL injection?

These questions are very difficult to answer today.

Traditional methods for gathering this kind of security information include questionnaires, on-site visits, and penetration tests that require permissions, require time and patience, and can be expensive. These methods also may not reveal enough about a security posture because most organizations are not interested in giving away too much information about internal systems infrastructure, networks,  or other technology-related information lest it end up in the wrong hands. In short, meticulous, rigorous information security gathering is a game of faith.

“All too often these [vendor questionnaire] surveys would dribble back weeks after we’d hope to see them and, more often than not, they were not done thoroughly,” said Daniel Schwartz, Director of Engineering, at Harry’s.

“Along with that was the element of faith that the responses are wholly factual… The notion of running a pen test on a vendor is interesting but problematic as they have been known to take down a system. To do so without permission and then contend with a system failure would be disastrous.”

Download Case Study Now

Read how Harry’s uses SecurityScorecard’s risk benchmarking platform to resolve these time, cost, and information gathering challenges.

Harry’s recently raised $75.6 million in Series D funding.

Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!