Cyber Risk Leaders Magazine - Issue 6, 2021

Page 14

CYBER SECURITY

the security posture of your vendors, you can avoid all of these issues, receiving a notification whenever a vendor falls out of compliance and scanning for problems the vendor might not know about, such as a misconfigured Amazon Web Services bucket, chatter on the dark web about breached assets, or other assets that have been left unsecured.

Tip: Increasingly, regulatory bodies are mandating continuous monitoring of third parties and vendors. Make sure you’re up to date with your industry's mandates (NYDFS, CMMC, Executive Order on Improving the Nation’s Cybersecurity) and stay ahead of any potential changes that will require continuous monitoring of suppliers.

4. Automate the process

When it comes to reducing third-party risk, due diligence can be both tedious and labor-intensive. Large organizations often work with hundreds or even thousands of third parties, ranging from cloud vendors that serve an entire company to contractors that work for just one department. It’s a lot to keep track of — especially since many companies are still using spreadsheets and other manual tools to track TPRM. Estimates vary, but research from Ponemon suggests that 40% of organizations use spreadsheets to track third-party risk issues. This is a manual process that takes a lot of time and — as with any other manual data-entry project — is prone to human error. Automated tools reduce the paperwork and the strain on staff by offering a way to monitor third parties without having to manually create questionnaires or update spreadsheets.

It’s worth mentioning that vendors often have questionnaire fatigue — they have to fill out many security questionnaires for their clients and may simply be copying and pasting answers to save time. Automated tools can cut down on the administrative work on their end as well.

Tip: Automating third-party risk management processes will save you not only time but money. Need help justifying the need for tools that will automate your TPRM process? We’ve seen that organizations reduced the vendor questionnaire effort by 83% and received an ROI of 198% through automation.

5. Collect consistent data

Automated tools can also solve another questionnaire-related problem. Often, when presented with a questionnaire, third parties answer the same question in different ways. Some may take a narrative approach, some may answer yes/no, some may attach a screenshot. Those different kinds of data are difficult to store or interpret, because in many cases you won’t be comparing apples to apples. Nor can a tool automatically process all those different kinds of data — instead, someone will have to review it manually. An intelligent security tool can collect the data itself, gathering only the structured data you need to automatically assess risk. It will also save people on both sides of the client/vendor relationship time and effort on questionnaires and surveys.

How can SecurityScorecard help?

You can never eliminate risk, but you can manage it, and that’s important when you need to trust your third parties. To reduce the amount of administrative time and effort spent managing third-party relationships, consider an intelligent tool that automates parts of the third-party management process. SecurityScorecard enables organizations to run scalable, automated third-party risk management and build a trusted third-party risk management program. SecurityScorecard is the only omni-directional security ratings provider offering cyber risk ratings, questionnaires, a marketplace of integrations, and attack surface intelligence.