Security Vulnerabilities Don’t Equal Security Risk – So How Do You Prioritize?

Posted by Kelly White on May 31, 2018 1:53:50 PM


While security vulnerabilities are found in many technologies, their presence doesn’t necessarily equal risk. Borrowing the FAIR Institute’s definition, risk is the probable frequency and magnitude of loss. Knowing what security vulnerabilities are present in your infrastructure can help you understand the probable frequency of loss, but it offers no indication of loss magnitude. Quantifying risk therefore requires two foundational data points: which security vulnerabilities your technology has, and the value of the assets in which those vulnerabilities exist. Without that context, a given vulnerability is the same as any other.

Topics: Scalability, Vendor Risk Management, Security Ratings, Vendor Security, Third Party Risk

What is the True Cost of Administering Your Vendor Security Questionnaire?

Posted by Kelly White on May 8, 2018 7:04:45 PM


The more questions you ask in your third party assessments, the higher the cost. But how much does an extra question really cost? And what is its value?

In late 2017, we at RiskRecon explored this issue as part of a detailed study in which we analyzed the third-party cyber risk management practices of thirty firms. Let’s walk through a few of the study data points that led us to the answer.

Topics: Scalability, Vendor Risk Management, Vendor Security

Part 1: Incorporating Continuous Monitoring into Your Third Party Risk Program: Begin with the End State in Mind

Posted by RiskRecon on Jan 20, 2017 1:39:28 PM

Like many organizations today, you have existing processes, tools and people laser-focused on analyzing periodic vendor security questionnaires, documentation, and on-site reviews. Moving to a continuous monitoring program can be daunting. Our advice: don’t focus on where to start; think about where you want to end up. Begin with the end state in mind.

Topics: Scalability, risk control, Continuous Monitoring, Vendor Risk Management, 3rd party risk management, CISO

2017 Outlook: Vendor Risk Continues as a Top Challenge Faced by CISOs

Posted by RiskRecon on Dec 23, 2016 6:38:25 PM

CISOs know that security risks abound. But objectively measuring risk and balancing it against the needs of the business is essential. Third-party risk provides a perfect case in point and spotlights one of the top challenges facing CISOs today.

Take the shift to cloud infrastructure as an example. Reducing your company’s operational footprint makes obvious business sense: it lowers the cost of deploying, maintaining and supporting critical IT functions. Local or decentralized IT and line-of-business teams are now often able to procure SaaS solutions on their own, entirely bypassing the formal IT governance process. From a security perspective, this enlarges your external footprint and leaves your organization exposed to inherent risks, and dependent on controls, that are hard to measure.

Topics: Scalability, risk control, 3rd party risk management, CISO