Vendor Risk Management

Fact or Fiction (Part 3): How Security Ratings Play a Role in Third-Party Risk Management

Alex Campanelli | September 17, 2018

Over the course of this blog series, we’ve addressed some of the major concepts surrounding third-party risk, as well as addressed some misconceptions. In this final post, we’ll continue to examine the last three of the top notions surrounding third-party risk management programs and weed out fact from fiction.

It’s impossible to always have an up-to-date view of a third party’s cybersecurity posture.

Fiction.

BitSight Security Ratings are updated daily, allowing third-party risk teams to continuously monitor every third party’s cybersecurity posture from the outside in. This can make a big difference compared to traditional point-in-time risk assessment techniques. For example, during the outbreak of the WannaCry ransomware attack, one BitSight customer was able to identify every affected third party in just one day. With the ability to drill down into the security details used to generate an organization’s rating, companies can lead intelligent, data-driven conversations with third-party vendors about their current security posture.

Security ratings do not reflect real-world security risks.

Fiction.

BitSight continuously updates its rating algorithm to reflect real-world security risk. It has been independently verified that a company that has a BitSight Security Rating of 500 or lower is nearly 5x more likely to experience a data breach than a company with a rating of 700 or higher. BitSight also leverages real-time data on compromised systems from our proprietary sinkholing infrastructure — regarded as the largest in the world. Our high-quality data helps organizations proactively mitigate risk both internally and in their supply chain in real time.

All security ratings are the same.

Fiction.

Different security ratings measure different risk vectors, have different levels of consistency, have not all been independently reviewed, and are delivered through different platforms. BitSight takes 23 risk vectors into account when computing security ratings, while alternative security ratings services factor in 10 or fewer. In addition, BitSight has more than 1,200 customers actively monitoring over 100,000 organizations. This level of engagement and the valuable ecosystem created by and for our customers enables BitSight to provide more accurate and refined security ratings.

With new threats emerging daily and companies outsourcing more of their operations, managing vendor risk is becoming increasingly critical to protecting a company’s most important assets. The third-party risk gap is growing, and it’s more critical than ever to enable your organization to proactively mitigate risk while continuously monitoring the security performance of vendors.

Read our new ebook to learn more about common misconceptions surrounding third-party risk management.


Read part 1 of the Fact or Fiction series: Things You Should Know About Third-Party Risk Management.

Read part 2 of the Fact or Fiction series: More Misconceptions About Third-Party Risk Management
