
[Case Study] How To Operationalize Third Party Risk Management

Harry’s Automates Vendor Risk Management

Harry’s, an online retailer, was looking to solve a paradoxical challenge: obtaining accurate, precise security information about partners, vendors, and suppliers whose networks it cannot access. Organizations such as Harry’s cannot log in to a partner’s network to view the security posture of that third party’s systems directly, nor are they given any continuous view of partner risks as those risks change.

● How often does a third party vendor patch vulnerabilities?

● What is the DNS health of a given partner?

● How susceptible is a given supplier to SQL injection?

These questions are very difficult to answer today.

Traditional methods for gathering this kind of security information include questionnaires, on-site visits, and penetration tests. All of them require the vendor’s permission, take time and patience, and can be expensive. They also may not reveal enough about a security posture, because most organizations are reluctant to share details of their internal systems, infrastructure, networks, or other technology lest that information end up in the wrong hands. In short, even meticulous, rigorous security information gathering ends up being a matter of faith.

“All too often these [vendor questionnaire] surveys would dribble back weeks after we’d hoped to see them and, more often than not, they were not done thoroughly,” said Daniel Schwartz, Director of Engineering at Harry’s.

“Along with that was the element of faith that the responses are wholly factual… The notion of running a pen test on a vendor is interesting but problematic as they have been known to take down a system. To do so without permission and then contend with a system failure would be disastrous.”

Read how Harry’s uses SecurityScorecard’s risk benchmarking platform to resolve these time, cost, and information gathering challenges.

Harry’s recently raised $75.6 million in Series D funding.
