Posted on Jul 10, 2018
Nearly every business that interacts online should have a solid cybersecurity program, but measuring that solidity can be difficult. Despite increased spending, many organizations struggle to find ways of measuring the effectiveness of their vendor management programs. The last Protiviti Vendor Risk Management Benchmark Study, released in November 2017, noted that while cybersecurity monitoring had increased over the previous year, a majority of companies planned to “de-risk,” or terminate, third-party relationships. The main reason given was reducing fourth-party risk, followed by the cost of vendor assessments and too little internal support and skill to test vendors sufficiently. Finding the appropriate key performance indicators (KPIs) can help measure vendor performance.
Establishing a KPI for vendor management is the same as establishing one for yourself. However, while you control your own data environment and controls, you don’t control your vendors. No matter how sophisticated your questionnaires are, they only represent a point in time.
All compliance programs begin with risk analysis and review. The first step in measuring vendor performance is to categorize the risk vendors pose to your data environment. Starting with your organizational goals, you need to determine which vendors enable critical business operations. Once you categorize your vendors, you can align risk priorities with the potential business impact should a malicious actor exploit a weakness in the vendor’s environment.
To categorize your vendors, you need to ask:
What information do they access?
What systems do they access?
How important are they to my continued business operations?
If the vendor accesses private information or a critical system, then they are a high risk. If you need them to maintain business operations, they are also a high risk.
Vendor relationships begin and end with contractual obligations. Therefore, your service level agreements (SLAs) act as the primary starting point for measuring vendor performance. If you include specific metrics as part of your SLAs, you can measure how effective your vendor is at maintaining a secure environment. Some questions to consider include:
How quickly do they resolve operational and administrative failures?
How often is the system unavailable?
How many times have they been breached?
How often do they update their product?
Do they incorporate continuous monitoring of their own environment and ecosystem?
SecurityScorecard reviews a variety of controls that help you create key performance indicators. As part of your vendor management program, you can align KPI categories to match SecurityScorecard’s ten factors (network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering).
Once you categorize the risks, you can use the security ratings to establish metrics for measuring vendor performance. Since lower scores indicate a higher risk of breach, you can set a minimum security rating required to contract with a vendor, as well as a tolerance below which the contract can be terminated.
Finally, SecurityScorecard helps break the “fourth” wall. Since we scan public data across the internet, you can see the current state of a vendor’s own third-party risk. A higher security rating can be used as one independent evaluation proving a robust cybersecurity program.