Cybersecurity and risk professionals have long understood the weaknesses of security questionnaires that prevent them from being an accurate barometer of third-party risk. They're difficult to validate, and they take a lot of time for both the vendor and the organization to process. Plus, even assuming the answers to security questionnaires are accurate or truthful, they are pinned to a single point in time.
This is what has driven many companies to seek out continuous monitoring to bolster their third-party risk management (TPRM) programs. But organizations can't simply swap out security questionnaires for continuous monitoring. While there's often a lot of overlap, they're not 1-to-1 replacements for one another.
Each form of assessment offers a slightly different view of the risk status of a vendor. Self-attestation provides a more thorough inside-out look at the vendor's environment, while continuous monitoring provides an accurate and timely outside-in view.
The real power for TPRM programs comes from an approach that integrates both means of assessment. A good analogy here is accounting practice: self-attestation brings more of a balance-sheet mindset to assessment, while continuous monitoring provides the ongoing cash-flow statement.
When well-integrated, the combined power of continuous monitoring with self-assessment questionnaires can help TPRM improve on five important fronts.
More Holistic, Validated View of Third-Party Risk
Pairing continuous monitoring with self-assessment allows companies to thoroughly dig into the holistic risk posture of vendors—particularly the riskiest vendors—while validating the accuracy of their answers. This is crucial considering that a recent research report from RiskRecon and Cyentia Institute found that 85% of security professionals don't believe the responses they receive from vendor questionnaires.
While continuous monitoring may not delve into the state of a vendor's architecture to the depth of a questionnaire, it can offer a quick litmus test that at least warns when bare-minimum best practices aren't in place. If a self-attestation paints a rosy picture but the monitoring finds that the vendor has a very poor score with many critical vulnerabilities on internet-facing assets, that is a clue that the organization needs to have a discussion with the vendor and potentially review the full scope of the questionnaire.
Frequent Updates on Changes in Risk Posture
Similarly, continuous monitoring paired with self-assessment can provide an early warning system for when risk postures change from where they were when vendors initially answered their questionnaires. One of the biggest lessons the cybersecurity risk community learned from SolarWinds was how important it is to have an up-to-date, accurate vendor inventory.
Effectively integrating monitoring with questionnaires makes it easier to build a TPRM program in which an organization understands the strength of a third party's control environment not just at a single point in time, but on a continuous basis. This makes it possible to identify issues in third-party environments before incidents occur rather than chasing problems after the damage has been done.
Requires Less Frequent Self-Assessment
The administrative burden of running self-assessment questionnaires can be heavy on TPRM programs with only a handful of staffers charged with a large portfolio of vendors to manage. Processing self-assessment results and acting on the information is notoriously difficult to scale.
Adding continuous monitoring to the mix makes it possible to take several different strategies to reduce the frequency of self-assessment without losing sight of risk around the highest value shared data or most exposed vendor environments.
Reduces Burden on Vendors When They Answer Questionnaires
Reducing administrative burden cuts both ways, and TPRM programs that strategically employ continuous monitoring can similarly lighten the load for their vendors. They do this not only by cutting down on the need for frequent self-assessment but also by reducing the number of questions they must ask each time they engage vendors with questionnaires.
The scanning done by a continuous monitoring solution can obviate the need for certain types of technical questions—especially after a vendor has completed an initial questionnaire.
Makes It Easier to Tier Vendors in More Sophisticated Ways
One of the big mistakes that many less mature TPRM programs make is that they group vendors by how much the organization spends with them, rather than based on risk. The combination of continuous monitoring and security questionnaires makes it possible to tier and assess vendors based on risk in a much more sophisticated fashion.
Organizations can group by risk using not only factors such as the type of data vendors handle or the environments they run, but also the configuration or patch status of those systems. The results of continuous monitoring could then trigger an escalation to a fuller self-attestation, or even to more rigorous in-person audits, depending on other related variables.
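The two rules described above, cross-checking questionnaire answers against outside-in findings and letting monitoring results escalate a vendor's tier and assessment depth, as an added Python example (not code from the original post, RiskRecon or Privva). The questionnaire fields, the 0-to-10 monitoring score and the escalation thresholds are constructed for illustration.

```python
from dataclasses import dataclass

TIERS = ["low", "moderate", "high", "critical"]  # ordered by risk


@dataclass
class Vendor:
    name: str
    data_class: str            # questionnaire: public | internal | confidential | regulated
    attests_patch_sla: bool    # questionnaire: "critical patches applied within 30 days"
    attests_no_eol: bool       # questionnaire: "no end-of-life software in production"
    crit_vulns_external: int   # monitoring: critical vulns on internet-facing assets
    eol_hosts_external: int    # monitoring: internet-facing hosts on end-of-life software
    score: float               # monitoring: outside-in rating, 0 (worst) to 10 (best), constructed scale


def inherent_tier(v: Vendor) -> str:
    """Tier from the data the vendor handles, as self-reported in the questionnaire."""
    return {"public": "low", "internal": "moderate",
            "confidential": "high", "regulated": "critical"}[v.data_class]


def attestation_conflicts(v: Vendor) -> list[str]:
    """Questionnaire answers that the outside-in evidence contradicts."""
    conflicts = []
    if v.attests_patch_sla and v.crit_vulns_external > 0:
        conflicts.append(f"claims 30-day patch SLA but {v.crit_vulns_external} "
                         "critical vulns are internet-facing")
    if v.attests_no_eol and v.eol_hosts_external > 0:
        conflicts.append(f"claims no EOL software but {v.eol_hosts_external} EOL hosts are exposed")
    return conflicts


def assessment_plan(v: Vendor) -> dict:
    """Combine both views into a residual tier and the next assessment action."""
    idx = TIERS.index(inherent_tier(v))
    conflicts = attestation_conflicts(v)
    if v.score < 5.0 or conflicts:          # poor rating or contradicted answers: bump one tier
        idx = min(idx + 1, len(TIERS) - 1)
    tier = TIERS[idx]
    if conflicts and tier == "critical":
        action = "escalate: on-site audit and full questionnaire re-review"
    elif conflicts:
        action = "discuss findings with vendor; re-review full questionnaire"
    elif tier in ("low", "moderate") and v.score >= 7.0:
        action = "reduced questionnaire; rely on monitoring until next cycle"
    else:
        action = "standard annual questionnaire"
    return {"vendor": v.name, "tier": tier, "conflicts": conflicts, "action": action}
```

Each plan carries the specific contradictions, so the follow-up conversation with the vendor can point at evidence rather than at a score alone.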
Ultimately, organizations can reap great benefits if they're able to successfully merge the results of security questionnaires and TPRM continuous monitoring. But that's often easier said than done.
The good news is that many in the industry are working on methods to make this integration easier. Most recently, one of RiskRecon's valued partners, Privva, has been developing a way to bridge the gap between questionnaires and monitoring by feeding RiskRecon results directly into its third-party risk management platform. To hear more about how the industry is working on this problem, and to see how Privva's platform gives organizations a better way to start mapping continuous monitoring to security questionnaires, check out our recent joint webinar on the topic: Bridging the Gap Between Continuous Monitoring Data and Security Questionnaires.