Improving and expanding third-party security insights as it relates to the overall risk to the organization
Continuous visibility and actionable insights into evolving supplier risk
Companies invest valuable time and money searching for solutions to solve a variety of organizational challenges. So, what do you do when you are a company that utilizes tools to help manage your third-party security program, but your tools simply don’t deliver? That’s precisely the difficult position Arvest found itself in.
Arvest’s previous vendor security management tool simply wasn’t granular enough to accurately assess whether the security program of the external organization was adequate, explained Arvest’s Third Party Risk Manager Jenny Ditta. It merely provided Arvest with a yes or no answer about potential vendors. This resulting lack of visibility was not sufficient for Arvest. In addition, at the time, Arvest was only able to perform one to two vendor security assessments per month, which really wasn’t scalable with more than 220 potential vendors to prioritize for evaluation.
All third-party due diligence is led by Arvest’s TPRM (third-party risk management) team, under the direction of Tammy Smith. Inherent vendor risk is Arvest’s primary concern and since TPRM professionals are often not InfoSec experts, they rely heavily on the InfoSec team to understand and evaluate vendor technology risks and remediation plans.
Furthermore, explained Arvest’s InfoSec IT Manager, Greg Mathes, the tool Arvest was using at the time didn’t provide the capability to share a remediation plan, leaving the vendor with little information about its security risks and how to strengthen its security posture.
“Our previous tool gave us a report but lacked granular detail, was hard to understand and didn’t provide a remediation plan,” explained Smith.
Lastly, Arvest was frustrated with the lack of service offered by its previous solution provider. While the functionality of the product is integral to getting the job done, knowing that you have the support you need along the way is equally important, and it just wasn’t there.
Simply put, “Panorays was offering more,” explained Smith. With Panorays, Arvest is able to drill down to very specific details about vendors. Additionally, it can monitor a greater number of vendors than previously—for roughly the same price. The ongoing monitoring helps Arvest keep up-to-date on any vendor security changes. Using Panorays’ automated solution, Arvest went from assessing one to two suppliers per month to up to ten vendors per week.
In the past, Arvest would only evaluate specific types of businesses and only critical findings. Arvest now easily enters vendors into the Panorays system to generate their cyber posture ratings. In addition, findings categorized as medium and high are now evaluated alongside critical findings, which just wasn’t possible before Panorays. As non-technical professionals, both Smith and Ditta are pleased with the ease and intuitiveness of Panorays, which allows them to work seamlessly within the platform and maintain a high-level understanding of the security risk of their approximately 220 vendors. On the flip side, the InfoSec team, which is interested in the nitty-gritty details of its vendors’ security posture, now has a tool to do a deep dive into suppliers’ security posture and findings and make recommendations to vendors for mitigating risk.
Mathes applauds Panorays’ ability to give him the important information he needs about potential vendors faster than ever—about five minutes is all it takes to evaluate a vendor, thanks to the insights readily available at his fingertips. And instead of telling a prospective vendor a simple yes or no, Mathes provides a list of items that need to be addressed to improve its security score and proceed with the procurement process. For existing vendors, ongoing monitoring alerts Arvest of a breach or change in security posture so it can keep on top of any potential vendor risks and respond accordingly.
“Supply chain risk is becoming one of the most important areas of security and Panorays will help security teams be able to move to that next step very easily—in a way they wouldn’t have been able to do before,” said Mathes.
At the end of the day, supporting the customer’s third-party security program isn’t just about a product, but also about the customer service. Arvest praises Panorays’ ongoing support and extraordinary service. Arvest experienced that when it needed to quickly reach out to vendors following the SolarWinds breach, as well as in day-to-day interactions with Panorays. Whether it’s the non-stop, super-responsive assistance from its Customer Success Manager or the product and management team’s receptiveness to feedback, Arvest feels that its needs are always being considered and addressed with Panorays’ white glove customer service.
Using Panorays has not only enabled Arvest to add more suppliers in less time, but has also helped vendors bolster their security posture. In fact, Mathes is pleased that suppliers have become interested in learning more about their findings and, as a result, a real dialogue has developed between them. In the event of a breach, Arvest has information about the breach even before the supplier is alerted, allowing it to sever connections to that vendor immediately.
The InfoSec team appreciates having greater visibility into critical vendors that can be accessed independently, rather than having to request that data from the risk team. Arvest has integrated its Fusion Center platform with Panorays so that a significant drop in a vendor’s security posture triggers an alert to check Panorays. When building more practices around business resiliency or threat intelligence monitoring, having that visibility greatly improves Arvest’s security decision-making.
“Panorays is disrupting the space and changing the game for cybersecurity risk management for suppliers,” noted Mathes.
Vendors aren’t the only ones improving their security posture. Arvest performs self-assessments twice weekly on average, just to make sure there are no new findings within the organization that need addressing. Working hard at keeping a high security posture score is a priority for Arvest.
Internally, new discussions have emerged between the risk and InfoSec teams about ways Arvest protects itself based on insights obtained from the platform. Ultimately, these security risk insights impact the contractual relationships with vendors.
While the Arvest team’s intention was to expand knowledge about vendor security risk, in reality, the team ultimately matured its own security posture as well as its entire security risk program across the board.
“Panorays is not a static tool,” said Smith. “It morphs, as we need it to. Whenever there was something that affected our company from an information security perspective, Panorays jumped in as a true strategic partner, helping us every step of the way.” Isn’t that how it should be?