“You can’t manage what you can’t measure,” Peter Drucker, the father of modern business management, is famously quoted as saying. While there are many areas in business and in life where this quote applies, it is especially pertinent to managing vendor cyber risk.
While the world has more access to data than ever before, it is turning that data into actionable insight that matters. When monitoring vendor cyber risk, it is critical that the relevant stakeholders understand the information being presented so they can make educated decisions going forward.
What Should You Be Evaluating?
When assessing your third parties, it is important to consider the following questions:
- Which vendors pose the highest risk to my organization?
- What issues does the vendor need to address for me to work with them?
- Which vendors are impacted by specific vulnerabilities?
- Should I approve or reject this vendor?
To achieve this, it behooves you to make sure that you are gathering the appropriate data that will yield the greatest insights. The following six reports will provide relevant information and actionable insights into managing vendor cyber risk:
1. Operational and Monitoring Report
What it is:
This report provides you with an overview of all your third parties. It tells you where each vendor stands in the approval process (accepted, rejected, pending). It also tracks vendors whose questionnaires have expired and suppliers whose remediation plans are still open.
Why it’s important:
With this report, you have a clear “to-do list” for managing your vendors’ cyber risk. In addition, it provides data about how many suppliers you are adding on a monthly basis.
2. CVE Investigation Report
What it is:
This report includes a list of companies in your portfolio that were recognized as being affected by CVEs (Common Vulnerabilities and Exposures), including new critical CVEs that potentially impact your vendors.
Why it’s important:
Staying on top of new critical CVEs that may affect your third parties is essential. With this knowledge, you can notify the relevant vendors to remediate the vulnerability, or reduce the risk from your connection to those vendors by implementing compensating security controls.
3. Fourth-Party Investigation Report
What it is:
This report helps you understand your vendors’ vendors, or your fourth parties. While they are not contractually connected to your organization, they are connected to your organization’s third parties.
Why it’s important:
You must have knowledge of your fourth parties because of the additional potential threat they pose to your company. A compromise at a fourth party can reach your company’s data through your third-party vendor. In the case of a specific breach (e.g. SolarWinds), this report also enables you to check whether any of your vendors work with a party that experienced that breach, so you can take precautions if necessary.
4. Board Report
What it is:
This report displays the security posture scores of all third parties in your organization as well as statistics of accepted, rejected and pending suppliers. This data explains the potential risks posed by doing business with specific vendors by including a complete overview of ratings, questionnaire status, geolocation, business impact and more.
Why it’s important:
This report essentially shows your board that security risk is not just an IT risk, but a business risk. With this in mind, your board can make informed decisions about working with a vendor. This is especially useful when there is a debate about whether or not to use a third party and the risks associated with that selection. In addition, this report provides a high-level status of third-party security risk within your organization and delineates critical information for your board, such as the number of vendors, trends and security incidents.
5. Supplier Comparison Report
What it is:
This report lists comparative security information about suppliers, such as how a vendor rates in different cyber posture categories (web server, mail server, application security), as well as how they rate in questionnaire categories.
Why it’s important:
This enables you to compare similar vendors side by side, which is useful for determining adherence to organizational standards and regulatory requirements (such as GDPR, CCPA and HIPAA) and for selecting vendors for RFPs.
6. Supplier Mapping Report
What it is:
This report helps you understand what type of information you share with your vendors. It also analyzes which departments are adding the most vendors, as well as other relevant mapping information based on your organizational needs.
Why it’s important:
Having easy access to organized data, such as a report showing which vendors receive PII, PHI and other proprietary information, will help you quickly and effortlessly understand which third parties are complying with your organizational standards and regulatory requirements and which are not.
Creating the right reports facilitates greater visibility of vendor risk in a manner that is relevant, concise and understandable. When security risk information is presented in this fashion, it becomes easier to manage, mitigate and remediate cyber risk, reduce breaches, ensure vendor compliance and improve your security across the board.
How Panorays Helps
Panorays provides greater visibility for you and your stakeholders into your organization’s third-party cyber risk. With Panorays, you can easily present a comprehensive view of your entire third-party portfolio while pinpointing potential regulatory and security gaps. Our solution provides ready-made reports, as well as the ability to customize reports to address the specific security needs of your organization.