Vendor Risk Management Insights

Extending GRC with Continuous Vendor Security Monitoring

Posted by RiskRecon on Apr 24, 2017 11:25:28 AM


We speak with many clients that already have some form of governance, risk management, and compliance (GRC) program in place to assist with managing their enterprise programs. And some have software solutions to help them manage the process. This is not surprising when the market for GRC solutions is expected to grow to $38 billion by 2021.

Most companies are seeking ways to obtain more value from their GRC system—often by extending their coverage to their third-party risk management programs. Using the new class of continuous vendor security monitoring solutions is one of the best ways to add immediate value to GRC. This pairing offers a number of benefits, such as speed to identify and manage risk, valuable insight for prioritization of response, visibility into an accurate and complete vendor IT footprint, and critical transparency of exposure and actionable information on inherited vulnerabilities.

Fast Response

Risk needs to be identified and managed quickly—and this is possible with RiskRecon’s continuous vendor security monitoring. For example, when the recent Apache Struts2 vulnerability emerged, we took less than 24 hours to help pinpoint which vendors were potentially vulnerable. Clients could then generate follow-up vendor information requests from their GRC solution, track status, and log remediation steps. Read our previous blog on Struts2 here.

Valuable Insight

Information not only needs to be delivered quickly, it needs to be accurate. Many clients today gather vendor security performance primarily through vendor surveys and attestation. That information can be stored within GRC systems and remediation steps identified to resolve known issues. But how confident are you in the accuracy of the information?

After all, your GRC program is only as good as the underlying data it contains. Many clients increasingly question using attestations alone when vendors typically all appear above average in their security performance. This just doesn’t make sense.

Our clients find new insights and better prioritize follow-up inquiries when integrating independently-produced security assessments side-by-side with the vendor attestations. Shining light on the “risk reality” of how vendors actually perform rather than their documented intent to perform is critical.

Visibility

Why are complementary solutions required for GRC in order to meet the new vendor “risk reality”? One key step for any good GRC program is to have an appropriate inventory of processes and metrics. Implicit in having a complete inventory is building “asset maps” of your organization’s and vendors’ IT systems.

But historically, building an “asset map” is difficult, particularly for your third-party suppliers. For example, how confident are you with the following scenarios?

  • We have good visibility into each critical supplier’s IT footprint, including that of the critical providers and fourth parties they use to deliver their service.
  • We can quickly gather detailed risk assessments of each vendor’s exposure to new “celebrity vulnerabilities” as they emerge.

If you can’t answer “yes” to both scenarios, then you are relying on incomplete data provided mainly through the vendor attestation and survey process.

Transparency

As SaaS adoption continues to grow, your organization is exposed to much larger, often unseen fourth-party risks. By using continuous vendor monitoring solutions, clients quickly identify the security gaps not only at their vendors but also at their vendors’ suppliers. For example, wouldn’t it be useful to know in advance which vendors rely on Dyn, Amazon Web Services (AWS), and GoDaddy to provide services to your organization?

With proper integration into your GRC program and systems, continuous vendor monitoring solutions bring the needed level of transparency and granular detail to highlight performance gaps. These solutions enable you to tailor the scope and frequency of each vendor’s assessment program rather than rely on a one-size-fits-all approach. You therefore not only obtain better information but can also better align your scarce human resources to focus on the most pressing items rather than routine questionnaires.

And when those urgent new threats emerge, you can quickly pinpoint where to focus rather than spend days or weeks trying to get every vendor to respond to your initial request.
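The Visibility and Transparency sections describe two lookups that an asset map makes possible: which vendors are exposed to a newly published vulnerability, and which vendors depend on a given fourth party. The following Python is an added example of how those lookups can be computed once the inventory exists; it is not RiskRecon's product code, and the vendor records, host names, provider names, and advisory record (`ADVISORY`, with per-branch fixed versions) are all constructed for illustration.

```python
from collections import defaultdict

# Constructed vendor asset inventory (hypothetical vendors and hosts).
# Each record is one externally visible host, the vendor that owns it,
# the fourth-party providers it depends on, and the software seen on it.
VENDOR_ASSETS = [
    {"vendor": "AcmePayroll", "criticality": "high",
     "host": "portal.acmepayroll.example",
     "providers": ["AWS", "Dyn"], "software": {"apache-struts": "2.3.31"}},
    {"vendor": "AcmePayroll", "criticality": "high",
     "host": "api.acmepayroll.example",
     "providers": ["AWS"], "software": {"nginx": "1.10.3"}},
    {"vendor": "BetaBilling", "criticality": "medium",
     "host": "www.betabilling.example",
     "providers": ["GoDaddy"], "software": {"apache-struts": "2.5.10"}},
    {"vendor": "GammaHR", "criticality": "low",
     "host": "app.gammahr.example",
     "providers": ["AWS", "GoDaddy"], "software": {"apache-struts": "2.3.32"}},
]

# Constructed advisory record: one fixed version per release branch, so a
# 2.3.x install is compared against the 2.3 fix and 2.5.x against the 2.5 fix.
ADVISORY = {"product": "apache-struts", "fixed_in": ["2.3.32", "2.5.10.1"]}

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def version_tuple(version):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version):
    """Release branch is the first two components, e.g. '2.3'."""
    return ".".join(version.split(".")[:2])


def is_affected(installed, advisory):
    """True if the installed version is below the fix for its own branch.
    A branch the advisory does not mention is treated as not affected."""
    for fixed in advisory["fixed_in"]:
        if branch_of(fixed) == branch_of(installed):
            return version_tuple(installed) < version_tuple(fixed)
    return False


def vendors_exposed(assets, advisory):
    """Map each exposed vendor to the hosts running an affected version."""
    exposed = defaultdict(list)
    for asset in assets:
        installed = asset["software"].get(advisory["product"])
        if installed is not None and is_affected(installed, advisory):
            exposed[asset["vendor"]].append(asset["host"])
    return dict(exposed)


def fourth_party_index(assets):
    """Invert the asset map: provider -> sorted list of vendors relying on it."""
    index = defaultdict(set)
    for asset in assets:
        for provider in asset["providers"]:
            index[provider].add(asset["vendor"])
    return {provider: sorted(vendors) for provider, vendors in index.items()}


def prioritized_followups(assets, advisory):
    """Exposed vendors ordered by criticality, ready to become GRC follow-ups."""
    criticality = {asset["vendor"]: asset["criticality"] for asset in assets}
    rows = [(vendor, criticality[vendor], sorted(hosts))
            for vendor, hosts in vendors_exposed(assets, advisory).items()]
    return sorted(rows, key=lambda row: (CRITICALITY_RANK[row[1]], row[0]))


if __name__ == "__main__":
    for vendor, crit, hosts in prioritized_followups(VENDOR_ASSETS, ADVISORY):
        print(f"{crit:6} {vendor}: {', '.join(hosts)}")
    for provider, vendors in sorted(fourth_party_index(VENDOR_ASSETS).items()):
        print(f"{provider}: {', '.join(vendors)}")
```

The branch-aware comparison matters because a single "fixed in" version would either miss installs on a second branch or flag them falsely; the output list is shaped so each row can be logged as one follow-up request in the GRC system, highest-criticality vendor first.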

About RiskRecon's Continuous Vendor Security Monitoring

RiskRecon’s SaaS solution delivers transparent security measurements, analytics, and analyst-level insight directly into your GRC system. This enables you to better pinpoint risks and direct your resources to the most critical threats in your supply chain. Set up a demo today to learn more.

