New Research Calls Out Today’s Vendor Risk Challenges
New ESG Report: “Intelligence-driven Vendor and Supplier Security Risk Management”
A recent study conducted by Enterprise Strategy Group (ESG), an IT research and strategy firm based in Milford, MA, looks in depth at the issue of third-party supplier and partner security. The new report discusses approaches to today’s vendor risk management challenges and emerging technology solutions for improving the discipline. Keeping pace with security risks that originate in the partner ecosystem is a major business challenge for CISOs, vendor risk managers, and IT professionals in large enterprises.
The growing number of third parties is widening the attack surface, as is the volume of data breaches originating from these suppliers and partners. ESG’s 2015 survey of 303 IT security professionals found the following data points, among many others:
- 31% of respondents found that one or more of their IT suppliers have reported security breaches over the last few years.
- 34% of organizations have experienced an increase in the number of external third parties with access to internal assets.
“CISOs are reacting to a complex vendor ecosystem and risk landscape by increasing their security budgets, recruiting staff, and purchasing the latest cybersecurity defenses,” wrote Jon Oltsik, Senior Principal Analyst at ESG, in the report. “These tactics, however, often miss risks that are under the surface since they reside in partner and supplier systems.”
Traditional vendor audits are based upon point-in-time technical information, often collected on a quarterly or annual basis. While regulations require due diligence, assessing third-party risk once a year cannot keep pace with how quickly that risk changes, and it is not helping companies become more secure.
“Security risk today is incredibly dynamic and fast moving… It cannot be isolated to a single point-in-time answer given on a vendor questionnaire or one-time audit,” stated Dr. Aleksandr Yampolskiy, CEO & Co-founder of SecurityScorecard, in a press release about the report. “Forward-looking organizations need a continuous and metrics-based view of security risk with real information depth in a context executives and board members can understand and easily digest, such as a benchmark.”
It is not enough to have a static security rating. SecurityScorecard gives its customers information depth with ten categories and factors, and allows its customers to share Scorecards directly with vendors to speed up the remediation process of known issues.
“To be truly actionable, enterprises need a multi-dimensional assessment approach across all key security risk factors like SecurityScorecard provides rather than a single-dimensional security rating,” stated ESG’s Oltsik in the report.
Learn why vendor risk is increasing, and how to use SecurityScorecard to help scale your vendor risk management.