[Case Study] How To Operationalize Third Party Risk Management
Harry’s Automates Vendor Risk Management
Harry’s, an online retailer, was looking to solve a paradoxical challenge: obtaining accurate, precise security information about partners, vendors, and suppliers whose networks it cannot access. Organizations such as Harry’s cannot log in to a partner’s network to view the security posture of that third party’s systems, nor is Harry’s permitted any continuous view of partner risks as they change.
● How often does a third-party vendor patch vulnerabilities?
● What is the DNS health of a given partner?
● How susceptible is a random supplier to a dangerous SQL injection?
These questions are very difficult to answer today.
Traditional methods for gathering this kind of security information include questionnaires, on-site visits, and penetration tests; these require permission, time, and patience, and can be expensive. They also may not reveal enough about a security posture, because most organizations are reluctant to give away too much information about internal systems, infrastructure, networks, or other technology lest it end up in the wrong hands. In short, even meticulous, rigorous security information gathering becomes a game of faith.
“All too often these [vendor questionnaire] surveys would dribble back weeks after we’d hope to see them and, more often than not, they were not done thoroughly,” said Daniel Schwartz, Director of Engineering, at Harry’s.
“Along with that was the element of faith that the responses are wholly factual… The notion of running a pen test on a vendor is interesting but problematic as they have been known to take down a system. To do so without permission and then contend with a system failure would be disastrous.”
Read how Harry’s uses SecurityScorecard’s risk benchmarking platform to resolve these time, cost, and information gathering challenges.