Third-Party Risk Management

Put your cyber risk expertise to the test! Take the quiz on third-party risk management and see what's fact or fiction.

"Many companies have a false sense of security when it comes to cyber risk stemming from third parties", according to a recent BitSight commissioned Forrester Study.

Among the many initiatives that make up a modern enterprise cybersecurity program, third-party vendor risk management (VRM or TPRM) might be the most complex and misunderstood. The evolving threat landscape requires risk leaders to prioritize a TPRM strategy built on speed, scale, and collaboration.

How much do you really know about the purpose — and practice — of third-party risk management?

01

Third-party risk management is only necessary for companies with hundreds or thousands of third-party relationships.

Fiction

The more third parties an organization has, the greater the chance that one of them causes a data breach, but it only takes one: a single vendor with access to sensitive data is enough.

Even if your immediate third parties don’t pose a direct risk, their third parties (your fourth parties) might. Security leaders must gain visibility into the flow of sensitive data among all third and fourth parties, and closely monitor every organization that comes in contact with it.

02

Third-party risk management should be a Board-level initiative.

Fact

TPRM is no longer just an IT department project.

A successful third-party risk management program has sponsorship from multiple departments, as well as support and involvement from the Board. In fact, Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a Board-level initiative.

03

Compliance should be the primary goal of any good third-party risk program.

Fiction

Compliance should be one goal of your third-party risk management program, but not the primary goal.

Many industries and governments regulate third-party risk management, but maintaining compliance alone does not ensure the safety of your company's data. Regulatory standards set a floor of minimum acceptable security, not a target; truly effective TPRM requires going beyond them.

Essentials of Third-Party Risk Management

Take Control Of Vendor Risk Management Through Continuous Monitoring
How Automation is Transforming Third-Party Risk Management
Protecting Against Third-Party Breaches Requires Continuous Monitoring

04

All cybersecurity resources should be allocated toward defending one’s own network.

Fiction

Your own network could be locked down completely, but without effective third-party risk management, the sensitive data you share with vendors remains exposed.

Surveys indicate that many data breaches are caused by third parties. Deloitte reports that 1 in 5 organizations has experienced a third-party breach, and 1 in 10 has lost revenue as a result.

05

A typical third-party security questionnaire could be 50% shorter and be just as effective.

Fact

Third-party security questionnaires are often time-consuming and resource-intensive. As a result, many organizations are moving towards shared, streamlined questionnaires.

By supplementing these questionnaires with continuous monitoring data like BitSight Security Ratings, customers have been able to drastically reduce the number of questions they need to ask their third parties and decrease turnaround times.

06

Organizations can't really influence their third parties' cybersecurity practices.

Fiction

Security leaders have many techniques at their disposal to improve the cybersecurity of their third parties.

Writing security obligations into contracts is the strongest of these techniques, but having frequent data-driven conversations using security ratings and assessment results can also improve third-party performance. In fact, one BitSight customer was able to improve the security posture of more than half of their vendors in just 6 months by granting them access to the BitSight platform.

Third-Party Risk Management in Action

Case Study: How Fannie Mae Uses BitSight to Assess & Monitor Third-Party Cyber Risk
Video: Enabling Vendor Access in BitSight
Case Study: Cabela's Uses BitSight Security Ratings to Reduce Cybersecurity Risks

07

It’s possible to always have an up-to-date view of a third-party’s cybersecurity posture.

Fact

BitSight Security Ratings are updated daily, allowing third-party risk teams to continuously monitor every third party's cybersecurity posture. A daily rating is still a snapshot rather than a real-time view, but it is a big improvement over traditional point-in-time risk assessment techniques.

For example, during the outbreak of the WannaCry ransomware attack, one BitSight customer was able to identify every affected third party within a single day.

08

Security ratings do not reflect real-world security risks.

Fiction

BitSight continuously updates its rating algorithm to reflect real-world security risk.

A company that has a BitSight Security Rating of 500 or lower is nearly 5x more likely to experience a data breach than a company with a rating of 700 or higher.

09

All security ratings are the same.

Fiction

Different security ratings measure different risk vectors, have different levels of consistency, and are delivered through different platforms.

For example, BitSight takes 23 risk vectors into account when computing security ratings, while other providers factor in 10 or fewer. In addition, BitSight has more than 1,200 customers monitoring and sharing ratings with 100,000 organizations. This level of engagement enables BitSight to provide more accurate and refined security ratings.

Making the Case for Security Ratings

The Proven Business Value of Security Ratings
Video: How TransUnion's CISO uses BitSight
The Only Rating that Indicates Risk of Data Breach

Fortify your third-party risk management program with BitSight Security Ratings.

Request a Demo