
The “Swap” Model: Is Your Goal to Mitigate Risk...Or Just Move it Around?

Alex Campanelli | July 26, 2017

In today’s security ratings services market, a few companies describe their offerings in terms of “swaps” or “slots”: an organization buys a fixed number of monitoring slots and can “trade out” which vendors occupy them whenever it sees fit. But does this kind of intermittent monitoring actually mitigate third-party risk proactively (which is the reason to use a security ratings service in the first place), or does it simply shift the risk around and hide it from view? The approach poses several problems.

As data breaches originating on third party networks occur more and more frequently, businesses have increasingly built out Vendor Risk Management (VRM) programs. Developing these programs to account for cyber risk is no easy feat: Bomgar’s 2017 Secure Access Threat Report found that the average number of vendors accessing a company’s network has doubled in just one year to 181 per week, with 67 percent of companies experiencing a data breach because of unsecured vendor access. With supply chains expanding and businesses increasingly sharing data, organizations need continuous visibility into the third parties they work with to safeguard their own data. With hundreds or thousands of vendors introducing new risks, security teams need to be able to continuously monitor the networks of their vendors.

As mentioned above, some security ratings firms provide a fixed number of vendor slots whose occupants can be changed at any moment. The issue is that continuous visibility into a vendor ends the moment that vendor is swapped out. Under this “swapping” model, an organization loses sight of significant changes in the security performance of the vendors it has rotated out while its attention is on another subset of its supply chain, and a vendor that degrades during that gap is no less of a risk for being unmonitored.

Point-in-time assessments such as penetration tests, security audits, and questionnaires describe a vendor’s posture only as of the day they were performed; they don’t provide continuous visibility, and neither does rotating vendors through a fixed set of slots in a security ratings portal. Continuous visibility into vendor networks is the key to proactively mitigating cyber risk. Moreover, managing these “swapping” exercises across the supply chain is both costly and resource-intensive: someone has to decide, on an ongoing basis, which vendors deserve a slot this month and which can be dropped. That is not a sustainable model. Eventually the number of vendors may grow so large that your team cannot keep up with deciding what to swap in and out, and the decision itself becomes a source of blind spots.

Organizations are increasingly adopting BitSight Security Ratings to continuously monitor the security risk of their third parties and vendors. At the same time, as many organizations have learned after building out their VRM programs and tiering their vendors, not every vendor requires the same level of scrutiny. Many businesses actively review the members of their supply chain that pose the most immediate or largest risk, and rely on alerting to flag significant changes among the lower-tier vendors they check in on less frequently. The key difference from the “swap” model is that every vendor remains monitored throughout; tiering changes how much attention each one gets, not whether it is watched at all.

When considering vendor risk management strategies, you need to find the approach that best fits your organization. By continuously monitoring every vendor, surfacing major changes in third-party networks through alerts, and acting on those changes before they become incidents, BitSight Security Ratings provide what it takes to scale an effective vendor risk management program.
