Assessing vendor risk with real-time data

Nikolay Filipets

GRC Product Manager (VRM), Galvanize

Identifying high-risk vendors can be challenging, but it helps to have a solution that integrates with security assessment tools like BitSight Security Ratings.

Picture this: you want a nice hotel for an upcoming family vacation, so you go online to research a property that meets your exact needs. A few clicks later you find yourself with hundreds of options to choose from. Filtering by four-star ratings narrows the results, but any savvy traveler knows that before you book, it’s important to read a good number of the user reviews. You just might find that your perfect hotel is undergoing renovations and that construction starts at 7am every morning. No, thank you!

It’s a similar situation when you’re assessing vendor risk. If you don’t marry control assessments (your hotel search results) with real-time data (customer reviews), it’s possible that you’ll miss some seriously important insights.

Let’s consider a common scenario in vendor risk management (VRM). You’re working with a very large number of vendors, but have limited resources to assess their potential risk. The good news is, many of your vendors are probably fine. The bad news is, it only takes one issue to open up your organization to regulatory penalties, fines, financial losses, and reputational damage.

Pre-qualify vendors

They say an ounce of prevention is worth a pound of cure, and that’s true with your third-party VRM approach, too. This is why Galvanize has integrated BitSight Security Ratings into ThirdPartyBond. This integration with BitSight means you can check a potential vendor’s security performance before working with them. (It’s like your mortgage lender checking your credit score to pre-qualify you for a home mortgage.)

Classify and monitor high-risk vendors

If you’re managing VRM for a large organization, you may have a thousand or more vendors to assess. This is where you would run an assessment to develop a risk classification for each vendor. Of those thousand or so vendors, it’s possible that only 20% are high risk, perhaps because they touch part of your organization’s infrastructure, or share and manage some of your data. Of course, 200 vendors is still a lot to monitor and track on an ongoing basis.

But you can get a better feel for the vendors that require monitoring. BitSight works seamlessly with ThirdPartyBond to help you identify, prioritize, and mitigate the risks of sharing sensitive data with third parties. So, of those 200 high-risk vendors, 30% (60) might have great BitSight ratings. This leaves you with a more manageable group of 140.

Make better VRM decisions with data

More data equals better decisions, right? That’s true only if the data is normalized, analyzed, and actionable. When it comes to the nightmares that CISOs and risk management teams face, too much data without a meaningful way to present it can be worse than no data.

ThirdPartyBond plus BitSight Security Ratings is the combination that gives you a 360-degree view of VRM. You get the macro-level view of the security posture across your vendor ecosystem. And then at the micro-level, your organization gets a more comprehensive picture of each vendor that includes both their risk posture based on your questionnaires, as well as their BitSight score.

You also get a side-by-side comparison of all of their risk factors.

If you’re dealing with more than your organization can handle when it comes to VRM, then it’s time to consider a new approach. See how our vendor risk management solution can help you.

Vendor risk management solution checklist

Choosing a VRM solution can be tricky. This solution checklist outlines key features you should look for, including:

  • Vendor risk assessment workflows
  • Vendor engagement
  • Risk reporting requirements
  • Architecture and infrastructure
