Vendor Risk Management Insights

Breaking the Cybersecurity Insanity Cycle

Posted by Yong-Gon Chon on Jun 19, 2018 11:15:36 AM

 

By Yong-Gon Chon | June 19, 2018

I’m joining the Board at RiskRecon because with my 20+ years of experience working in information security, I truly believe their offering solves the failing state that dominates this domain.

To put it bluntly, Einstein defined INSANITY as “doing the same thing over and over again and expecting different results.” Over my long tenure in information security, I have witnessed exactly that: INSANITY. From firewalls to next-gen firewalls to something better than next-gen firewalls; from anti-virus to endpoint protection to endpoint protection with machine learning to AI orchestrated through “frictionless security,” we are doing the same thing over and over again expecting a different result. In some sense things are different—they’re worse. According to the 2011 Verizon Data Breach Investigations Report (DBIR), the cumulative caseload from 2004-2010 spanned over 1,700 breaches. In the 2018 DBIR alone it was 2,200.

Read More

Topics: Vendor Risk Management, 3rd party risk management, Third Party Risk

Security Vulnerabilities Don’t Equal Security Risk – So How Do You Prioritize?

Posted by Kelly White on May 31, 2018 1:53:50 PM

 

By Kelly White | May 31, 2018 

While security vulnerabilities are found in many technologies, their presence doesn’t necessarily equal risk. Borrowing the FAIR Institute’s definition, risk is the probable frequency and magnitude of loss. Knowing what security vulnerabilities are present in your infrastructure can help you understand the probable frequency, but it offers no indication of loss magnitude. Rather, solving risk requires two foundational data points: what security vulnerabilities your technology has, and the value of the assets in which those vulnerabilities exist. Without that context, a given vulnerability is the same as any other.

Read More

Topics: Scalability, Vendor Risk Management, Security Ratings, Vendor Security, Third Party Risk

Why the Security of Your Vendor’s Entire Enterprise Matters

Posted by Kelly White on May 15, 2018 11:34:14 AM

 

By Kelly White | May 14, 2018  

Reliably protecting systems and data over time requires the disciplined execution of a robust security program that spans an entire enterprise. As a former CISO and now advisor to third-party risk management teams, I’ve seen some vendors take the contrary position, arguing that customers need only be concerned with security of the systems that host their data.  

Read More

Topics: Vendor Risk Management, Vendor Security, 3PRM

Meet with RiskRecon at the Financial Services-ISAC Annual Summit

Posted by RiskRecon on May 11, 2018 2:52:01 PM

 

May 20th to 23rd RiskRecon will be a sponsor at the 2018 Financial Services - Information Sharing and Analysis Center Annual Summit in Boca Raton, Florida at the Waldorf Astoria Boca Raton Resort. 

Read More

Topics: Vendor Risk Management, 3rd party risk management, risk measurements, Press Release

What is the True Cost of Administering Your Vendor Security Questionnaire?

Posted by Kelly White on May 8, 2018 7:04:45 PM

 

By Kelly White | May 8, 2018

The more questions you ask in your third party assessments, the higher the cost. But how much does an extra question really cost? And what is its value?

In late 2017, we at RiskRecon explored this issue as part of a detailed study in which we analyzed the third-party cyber risk management practices of thirty firms. Let’s walk through a few of the study data points that led us to the answer.

Read More

Topics: Scalability, Vendor Risk Management, Vendor Security

Public Customer Vendor References – Good Partnership but Risky Business

Posted by Kelly White on May 3, 2018 9:38:32 PM

 

By Kelly White, Founder and CEO, RiskRecon

A public testimonial from a satisfied customer is marketing gold for most any business. Who isn’t proud to display the logos of respected brands on your customer list, or to publish case studies about the great work you did for them? When I was a CISO of a top-30 financial institution, vendors frequently offered us financial incentives for permission to leverage our brand. There’s also a human element – people like helping other people. In the digital age where a negative customer experience can spread like wildfire through social channels, positive testaments are more important than ever.  

Read More

Topics: Vendor Risk Management, Vendor Security

When the media wrongly implicates you in a third-party data breach

Posted by Kelly White on May 1, 2018 6:48:15 PM

Be Prepared: The Media Might Drag you into a Vendor Data Breach Mess Even if Your Data Wasn’t Compromised

Kelly White | May 1, 2018

When your vendor gets breached, you might be dragged into the mess by media even if your data was not compromised. Consider the recent case of [24]7.ai data breach.

On April 4, 2018, online chat application vendor [24]7.ai publicly reported that they had “an incident potentially affecting the online customer payment information of a small number of our client companies…” Shortly afterwards, well-known corporations Delta, Sears, Kmart and Best Buy released statements acknowledging that their customer data was impacted by this breach.

Read More

Topics: Vendor Risk Management, Third Party Risk

You Can’t Outsource Risk - A regulatory guide to third-party cyber security risk management

Posted by Kelly White on Apr 26, 2018 12:44:54 PM

 

 

Kelly White | April 29, 2018

Third parties are integral to the value chain—any given organization can have up to hundreds of vendors, depending on its size. Along with business process, IT bandwidth and application functionality, data also flows through that chain. While you can outsource systems and services, you cannot outsource your risk associated with that data and how it’s managed. Regulators have been consistently and clearly giving that message for years, in writing and in practice.

Read More

Topics: Vendor Risk Management, Whitepaper, Third Party Risk

We Are Proud To Announce Our Exclusive Partnership With the FAIR Institute.

Posted by RiskRecon on Apr 13, 2018 12:17:09 PM

We are proud to announce an exclusive partnership with the FAIR Institute. Factor Analysis of Information Risk (FAIR) has emerged as the standard Value at Risk (VaR) framework for cybersecurity and operational risk. The FAIR Institute is a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk.  

 

Read More

Topics: Vendor Risk Management, 3rd party risk management, Press Release, Third Party Risk

The Playbook for Managing Third-Party Security Risk

Posted by RiskRecon on Mar 21, 2018 12:02:49 PM

Get our All-New Playbook reflecting real life data from executives of 30 companies that offers a window into how organizations are confronting persistent breach risks stemming from third parties.

We are excited to announce the release of our inaugural Third-Party Security Risk Management Playbook. An inside look at how real companies are managing third party cyber risk. To get this important information we have conducted in-depth interviews with security executives from 30 participating organizations across multiple industries. The Playbook reveals how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships.  Our study identified 14 vendor-neutral capability sets comprising 72 common, emerging, and pioneering practices that firms have implemented to manage third-party security risk. As a study of real-world third-party risk management programs, the Playbook is a valuable tool executives can use to benchmark their own programs and gain insight into pioneering practices other firms are adopting.

 

Read More

Topics: risk exposures, risk transparency, Vendor Risk Management, 3rd party risk management, risk measurements, Whitepaper, Vendor Security, 3PRM, Third Party Risk

New Call-to-action

Subscribe to Email Updates

Recent Posts