Replace Point-In-Time Third Party Vendor Risk Assessments with Continuous Monitoring (Part 2)

Michelle Wu
05/23/2018

Point-in-time assessments are outdated as soon as they’re made. They don’t take into account changes in security posture. If a vendor is breached, you might not know until your vendor decides to alert you—or until the next assessment. By that time, a cyber attacker may already have broken into your network.

This is part 2 of a series in which we show you how to improve your vendor risk management process. In this VRM series, we cover:

  1. How to Improve Your Vendor Risk Management: Start with an audit of known risks and vendors
  2. Replace Point-In-Time Third Party Vendor Risk Assessments with Continuous Monitoring
  3. How to Establish Fourth Party Insight to Know Your Vendor’s Real Risk

In part 1 of our series, we showed you how to identify and tier third party vendor risks that are critical to you, allowing you to optimize assessment methods and properly manage vendor risk. Now, we’re going to show you how to continually assess your vendors to manage risk on an ongoing basis, rather than just through point-in-time assessments.

The problem with point-in-time risk assessments

The information collected through point-in-time assessments quickly becomes outdated and doesn’t take into account changes in a vendor’s security posture between assessments. If the worst-case scenario is realized and a vendor is breached, you might not be aware until your vendor decides to alert you – or until the next assessment. By that time, an attacker may already have entered your network.

With vulnerabilities being exploited faster than ever, being aware of your vendor’s security posture on an ongoing basis gives you the information and opportunity to react faster and mitigate issues. A PWC Third Party Risk Management report on the finance industry notes that 58% of respondents that monitor third parties on an ad hoc basis experienced a third party service disruption or data breach, compared to only 37% of respondents that regularly monitor third parties.

Most companies still have high exposure to risk

Unfortunately, the current state of vendor risk management does not look good when it comes to third party monitoring. 93.5% of respondents in a Deloitte study on Third Party Risk Management expressed moderate to low levels of confidence in their risk management and monitoring mechanisms.

According to PWC’s The Global State of Information Security Survey 2016, only 52% of respondents even have security baselines or standards in place for third parties. Just 27% of respondents from the Ponemon Institute’s Tone at the Top and Third Party Risk study say their assessments of third party controls are effective. Only 12% have a formal process that is applied consistently.

These figures show that the current practice of vendor risk management (VRM) is not good enough. Companies are unnecessarily exposing themselves to higher risk, which can prove to be costly. The Ponemon Institute’s 2016 US Cost of Data Breaches study found that the average organizational cost of a breach was $7.01 million. That figure includes the costs of investigation, incident response, providing free services such as identity theft monitoring, and customer loss and churn.

Continuous risk monitoring is the best practice

Continuous, or ongoing, monitoring is increasingly becoming part of a recommended vendor risk management process. The US Treasury OCC, which provides security frameworks and guidelines for the finance industry, has included third-party continuous monitoring as part of an effective vendor risk management framework.

Here’s how to incorporate continuous third-party monitoring into your vendor risk management program: establish a centralized VRM office, define the controls and processes to monitor, and collaboratively engage with your vendors in tracking, reporting, and remediation.

Step 1: Establish a centralized VRM office

Vendor risk management has an accountability problem. The Ponemon Institute surveyed over 17,000 IT and IT security practitioners and found a lack of consistency in the departments owning the vendor risk management process. The compliance department came first with only 23%, followed by security/information security (17%), legal (15%), and procurement (15%), with more departments rounding out the rest of the responses.

Nor is risk management given a high priority. Only 17% said their Board of Directors has significant involvement in overseeing risk management.

What is a VRM office?

A centralized VRM office allows a unified team (whether cross functional or a single department) to:

  • Communicate with vendors
  • Establish standardized practices
  • Track and report risks with third party service providers
  • Take ownership and responsibility for fixing problems
  • Be a point of contact for business units that have relationships with vendors

The central VRM office will make critical decisions, quickly inform business unit owners, and escalate priorities should critical issues arise.

A VRM office is essential to establish a foundation the business can rely on for all aspects of vendor risk management, from technical to process to financial.

As PWC states, a central VRM office is a “key ingredient to a successful [VRM] program, particularly as firms expand nationally and globally”. McKinsey’s Working Paper on Third Party Risk has deemed it as an essential element in excellent vendor risk management.

Establishing a VRM office begins with hiring an in-house VRM team or transitioning existing employees to move into a VRM position. The VRM office is a highly specialized department that functions beyond information security. Deloitte has an excellent guide and outlines ten pillars an effective VRM office should specialize in:

  1. Contract management
  2. Financial and Commercial Management
  3. Issue and Dispute Management
  4. Service Performance Management
  5. Governance
  6. Multi-Service Provider Integration
  7. Transition and Transformation PMO and Oversight
  8. Document Management
  9. Service Request Management
  10. Risk Management and Third Party Compliance

This will be the most extensive and complicated step to take, but it will reap huge benefits, making all aspects of VRM simpler and more efficient.

After setting up a central office, you can start defining what you will be monitoring.

Step 2: Define controls and processes to monitor and establish vendor reporting methods

Continuous monitoring takes more resources than most VRM processes, so optimizing those resources is crucial. You have to define which aspects of your vendor you will be monitoring – including data, assets, processes, and/or controls. These decisions are based on several criteria, including how critical a risk is, how likely it is to change, and how feasible it is to monitor.

Risk criticality

As we described in part 1 of our VRM series, defining what is most risk-critical to your company will inform your monitoring choices. If your third party is processing or storing sensitive information, then you should monitor the security controls and systems that protect that third party’s network and endpoints.

Likelihood of information/status change

Group your risk-critical vendor services and systems by how often their status changes over time. If a vendor is hiring rapidly, the number of endpoints is increasing, so you should pay more attention to endpoint security. However, a system that is unlikely to change over a long period of time – such as a hosting or CMS provider – won’t need continuous monitoring.

Feasibility of monitoring

When you have a list of the vendor’s risk-critical controls, systems, and processes, assess the resources and time necessary to continuously monitor these elements. Basic security controls such as the use of two-factor authentication are important, but impossible to monitor among all your critical vendors. If a monitoring process takes a long time to yield information, then perhaps that monitoring should be done as part of an annual assessment instead.

Step 3: Establish communication, tracking, and reporting processes collaboratively with vendors

Vendor collaboration and communication are key to successful ongoing monitoring. Your VRM office should clearly communicate to your vendors what will be monitored and tracked. This helps improve the security posture of everyone involved.

For your own security, you should already be using continuous monitoring tools, solutions, and other processes. Often, these same tools and processes can be used to monitor any integrated systems that your vendors use or provide. If the tools you use won’t alert your vendors directly, your VRM office should be ready to reach out to them as soon as an issue arises so that remediation can begin.

To begin the continuous monitoring process, your central VRM office should begin implementing the following:

Metrics

Monitoring and tracking are near-useless without relevant KPIs, or without specifying how changes in the data over time affect security and risk. Designate goals such as lowering the average number of days it takes a vendor to apply a software patch, or increasing the frequency of open port scans. As time passes, you’ll begin to identify vendors who aren’t meeting your standards.
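As an added illustration of the two KPIs named above (this is example code, not part of the original post or of SecurityScorecard’s platform), the following Python computes mean days-to-patch and open-port scan frequency per vendor over a 90-day window from constructed monitoring records, and flags vendors that miss the thresholds you set. The record layout, vendor names, dates, advisory ids and thresholds are all assumptions for the example.

```python
"""Vendor KPI tracking over a rolling window (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean
from typing import Optional


@dataclass
class PatchEvent:
    advisory: str                    # vendor advisory/ticket id (constructed)
    published: date                  # date the fix became available
    applied: Optional[date] = None   # None while the patch is still outstanding


@dataclass
class VendorRecord:
    name: str
    patches: list = field(default_factory=list)      # PatchEvent entries
    scan_dates: list = field(default_factory=list)   # dates of open-port scans


@dataclass
class Kpis:
    vendor: str
    mean_days_to_patch: Optional[float]   # None if nothing was patched in the window
    overdue_patches: int                  # open patches older than the threshold
    scans_per_30_days: float


def compute_kpis(rec, as_of, window_days=90, max_days_to_patch=30):
    """Derive the KPIs for one vendor as of a given date."""
    window_start = as_of - timedelta(days=window_days)
    # Mean time to patch, measured on patches that were applied inside the window.
    closed = [(p.applied - p.published).days for p in rec.patches
              if p.applied is not None and window_start <= p.applied <= as_of]
    # Patches still open and already past the allowed age.
    overdue = sum(1 for p in rec.patches
                  if p.applied is None and (as_of - p.published).days > max_days_to_patch)
    # Scan frequency normalised to a 30-day rate so windows of any length compare.
    scans = sum(1 for d in rec.scan_dates if window_start <= d <= as_of)
    return Kpis(rec.name, mean(closed) if closed else None, overdue,
                scans * 30 / window_days)


def flag_vendors(records, as_of, max_days_to_patch=30, min_scans_per_30_days=1.0):
    """Return {vendor: [reasons]} for every vendor that misses a standard."""
    findings = {}
    for rec in records:
        k = compute_kpis(rec, as_of, max_days_to_patch=max_days_to_patch)
        reasons = []
        if k.mean_days_to_patch is not None and k.mean_days_to_patch > max_days_to_patch:
            reasons.append(f"mean days to patch {k.mean_days_to_patch:.1f} > {max_days_to_patch}")
        if k.overdue_patches:
            reasons.append(f"{k.overdue_patches} patch(es) outstanding > {max_days_to_patch} days")
        if k.scans_per_30_days < min_scans_per_30_days:
            reasons.append(f"{k.scans_per_30_days:.2f} open-port scans per 30 days "
                           f"< {min_scans_per_30_days}")
        if reasons:
            findings[rec.name] = reasons
    return findings


# Constructed sample records (not real vendors or events).
AS_OF = date(2018, 5, 23)
SAMPLE_RECORDS = [
    VendorRecord(
        "Vendor A (payment processor)",
        patches=[PatchEvent("VA-2018-01", date(2018, 3, 1), date(2018, 3, 10)),
                 PatchEvent("VA-2018-02", date(2018, 4, 2), date(2018, 4, 20))],
        scan_dates=[date(2018, 3, 5), date(2018, 4, 5), date(2018, 5, 5)],
    ),
    VendorRecord(
        "Vendor B (hosting provider)",
        patches=[PatchEvent("VB-2018-01", date(2018, 2, 1), date(2018, 3, 20)),
                 PatchEvent("VB-2018-02", date(2018, 3, 15), date(2018, 5, 1)),
                 PatchEvent("VB-2018-03", date(2018, 4, 10))],   # still open
        scan_dates=[date(2018, 3, 1)],
    ),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(compute_kpis(rec, AS_OF))
    for vendor, reasons in flag_vendors(SAMPLE_RECORDS, AS_OF).items():
        print(f"{vendor}: " + "; ".join(reasons))
```

With these records Vendor A averages 13.5 days to patch and is scanned once per 30 days, so it passes; Vendor B averages 47 days, has one patch outstanding for more than 30 days, and is scanned about once per 90 days, so it is flagged on all three counts. The thresholds are the "standards" the post refers to; they belong in the VRM office's documented metrics rather than in code.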

Tracking/Monitoring

Your VRM office should begin monitoring and tracking your vendors using any technologies or tools already in place. Work with your vendors to plan and implement any new processes. Working with your vendor to get information already produced from their own monitoring efforts will save you time and resources.

Reporting

The VRM office should establish reporting methods for vendors and relay them to the respective business unit owners. The VRM office is responsible for alerting both vendors and business unit owners of any potentially critical issues that arise in reports.

Engaging in Remediation

The foundational work you’ve done will help the VRM office identify issues and abnormalities more quickly and clearly. When any vendor security issues pop up, the VRM office should work in tandem with business unit owners in order to remediate issues.

Engaging in vendor continuous monitoring takes some effort but produces compounding results. This improves not only your vendor risk management, but your own total security posture as well.

Tip for SecurityScorecard Customers – Our platform was built with continuous monitoring in mind. Your VRM office can quickly load any number of vendors and begin tracking their security posture across a number of security categories. To communicate issues to vendors, you can share the ‘partnership’ report or invite them to the platform to view their SecurityScorecard.
