About Jacob Olcott

Jacob Olcott is vice president of business development at BitSight Technologies. He previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to that he served as legal advisor to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee.

Why You Need a Vendor Management Policy Right Now

In recent years, more and more cybersecurity incidents have taken place as a result of insecure third-party vendors, business associates and contractors. For example, the repercussions of the notorious Target breach from a vulnerable HVAC vendor continue to plague the company today. With sensitive data, trade secrets and intellectual property at risk, hackers can easily leverage a third party’s direct access into a company’s network to break in.

While such incidents may cause significant financial and reputational harm to the first-party business, there is hope. Regulators are instating a growing number of legal requirements that an organization must meet with respect to third-party vendor riskcybersecurity management. As liability and regulations take shape, it is important to assess whether your company currently employs a vendor risk management policy, and, if not, understand how a lack of due diligence poses significant risk on your organization’s overall cybersecurity preparedness.

A vendor management policy is put in place so an organization can tier its vendors based on risk. A policy like this identifies which vendors put the organization most at risk and then expresses which controls the company will implement to lessen this risk. These controls might include rewriting all contracts to ensure vendors meet a certain level of security or implementing an annual inspection.

All this probably sounds pretty good, but you may still be wondering why you really need a vendor management policy—and why it’s urgent.

Here are four explanations to give you a better idea:

  1. Legal Liability

There are a growing number of legal requirements in a variety of sectors—from finance, to retail, to health care, to energy—on how companies should manage their third-party risk. Regulators have recognized that data breaches through third parties can present significant and sometimes catastrophic consequences to an organization. To deal with this risk, they have created various legal requirements in an effort to have organizations manage their third-party cyber risks more carefully. If you are in a regulated industry and do not currently have a vendor management policy, you could be out of compliance (and in a lot of trouble).

  1. Well-Known Risks

An organization should be concerned about third parties that have either access to their most sensitive data or direct access into their corporate network. So if you work with a lot of third parties, you are naturally creating more targets that hackers and criminals can exploit. This is becoming more common, as organizations are outsourcing to vendors more frequently in an effort to either save costs or capitalize on vendor expertise. While that is all well and good, the more vendors you have, the larger risk landscape you create. This is a well-known risk—but all too many companies don’t give it enough thought.

  1. Unknown Risks

Not all risks are easily understandable. Many organizations today have entered into business relationships with third parties, not fully understanding the risk to their data. What’s more, the first party may not have set requirements for how their vendors should secure their data. A number of organizations struggle to even know who has access to their sensitive data, how much access they have, where it resides, and more. These unknowns give plenty of companies a valid reason for concern.

  1. Significant Consequences

To see how very real the consequences of not managing vendor policy are, simply read some of the latest cybersecurity headlines. An example that demonstrates the significant impact of a third-party breach is the recent Experian breach, which exposed the personally identifiable information of over 15 million consumers. In this case, Experian was holding loads of sensitive T-Mobile customer data, which hackers were able to access. The T-Mobile CEO John Legere expressed how furious he was at Experian for being the source of this compromise. Nothing has been stated yet, but we’re certain that this business partnership will be reevaluated after this experience.

The truth is that if you don’t have a vendor management policy in place today, your company is falling behind the times. Unfortunately, not having such a policy in place also means there is a good chance that your organization’s sensitive data is being handled by someone who shouldn’t have access to it. This puts the health of your entire company on the line.

Vendor Risk Management: The Full Definition

cyber partners

Vendor risk management (VRM) is the practice of evaluating business partners, associates, or third-party vendors both before a business relationship is established and during the duration of your business contract. This is an important concept and practice to put in place during the evaluation of your vendors and the procurement process.

A key feature of VRM is understanding your vendor’s cybersecurity program. This allows you to understand how well they’re going to be able to secure your data, both from a physical and cyber perspective. VRM helps ensure that your vendors have a contractual obligation for specific requirements and standards, therefore mitigating your organization’s risk.

There are a number of risks vendors can bring to your enterprise, including:


There are many legal risks associated with sharing sensitive information with third parties. For instance, if your vendor is breached and you lose your customers’ personally identifiable information (PII) like social security numbers or health care records, the law clearly states that you are responsible—not your vendor. Or, if you fail to spell out security expectations in your vendor contract, you may have no legal recourse whatsoever if your vendor compromises your data.


So much of vendor risk management is based on reputation. You are able to ask a lot of questions at the beginning of the vendor procurement process that may help you weed out the businesses you’d rather not work with, but you should also be monitoring news feeds during the procurement process. You, of course, would want to know if a business associate has been hit with a lawsuit during the time you were engaged with them and how that could affect the performance of their contract with you. And don’t forget about the reputational harm that could affect your company if your customers’ sensitive information is stolen due to an unsecure vendor.


If a vendor has a poor financial record or past performance, you’ll want to know that information before engaging in a business relationship. That’s why a lot of companies do credit monitoring for their vendors. You’ll also likely want to ask other organizations who have previously done business with the third party in question for references. This way, you’ll be able to clearly evaluate the vendor’s project plan and all the different things they’re planning to do before entering into a contractual relationship.


Of the various risks a vendor poses, there are some things you need periodic updates on, which are relevant only at certain points of a business relationship. If you’ve established a vendor’s credit worthiness at the beginning of the process, for example, you’ll likely feel quite comfortable about their financial standing during the rest of the process. This is a good example of how some elements of vendor risk do not require continuous monitoring. Cyberrisk, however, is not quite as simple.

Cyberrisk is unique in that things can happen on a moment’s notice which could catastrophically damage your organization. You simply cannot rely on periodic or infrequent snapshots and assessments of your vendor’s health to understand cyberrisk. The thing that makes cybersecurity “special” is that it can pose financial, reputational, and legal risks.

It’s important to understand that cyberrisk management doesn’t end when your vendor signs a contract. Managing vendor cyberrisk requires persistent awareness of how the vendor is doing with your security expectations. You have to know at all times whether they are accessing your network in an unauthorized manner, or if your most important data could be jeopardized by their actions. Any slip-up or incident may have a catastrophic impact on your business (and lead to some pretty embarrassing headlines).


Some losses from “traditional risks” can be recuperated easily and quickly. If a food and beverage vendor doesn’t show up one day to cater a meeting, you’re only dealing with a limited amount of loss. Or, if a vendor doesn’t complete a project to your expectations, there are reasonable steps you can take to remedy the situation without dramatically impacting the bottom line.

But if someone hacks into your corporate network through a vendor and steals your most precious data, the outcome could be catastrophic. Your reputation can be damaged irrevocably, financial losses can be huge, and legal liability may be hard to transfer to your vendor. This is why vendor risk management—and especially IT risk management—is not something to be taken lightly. All angles must be examined with every vendor, both large and small.

Lowering the Detection Deficit: What Industries Can Gain from Continuous Monitoring

As cyber threats emerge and evolve each day, they pose challenges for organizations of all sizes, in all industries. Even though most industries are investing heavily in cybersecurity, many companies are still playing catch up, discovering breaches days, months, and even years after they occur. The 2015 Verizon DBIR shows that this “detection deficit” is still increasing: The time taken for attackers to compromise networks is significantly less than the time it takes for organizations to discover breaches.

The risk posed by third parties complicates the issue further. How can an organization allocate time and resources to trust their partners’ security when they are struggling to keep up with their own? Over the years, audits, questionnaires, and penetration tests have helped to assess third party risk. However, in today’s ever-changing cyber landscape, these tools alone do not offer an up-to-date, objective view. While continuous monitoring solutions can improve detection and remediation times for all organizations, the retail, healthcare, and utilities industries can especially benefit from greater adoption.


Some of the most notable data breaches have occurred in the retail sector. Recently, eBay asked its 145 million customers to change passwords after names, e-mail addresses, physical addresses, phone numbers and dates of birth were stolen. Retailers frequently work with new vendors and suppliers over time. Moreover, companies rely on point-of-sale systems (PoS) that are often susceptible to new types of malware. Compounded with the challenge of dealing with a large number of vendors and keeping up with new vulnerabilities, retail often ranks low in detection times. A recent study by Arbor Networks and the Ponemon Institute found that retailers take an average of 197 days to detect advanced threats on their networks.

Retail companies with tight budgets may not be able to commit the same amount of resources towards security as the Finance sector. Yet, implementing a continuous monitoring solution will enable companies to better monitor their own networks and stay on top of threats in their vendor ecosystem in a more cost-effective manner. Furthermore, it will also help retailers reduce detection and remediation times.


Healthcare providers have recently dominated headlines with large data breaches. In January, Premera disclosed that it lost information for roughly 11 million of its customers. A month earlier, Anthem Inc., said information of close to 70 million current and former employees and customers was stolen. Both of these breaches exposed personally identifiable information (PII) including SSNs and birthdays, and possibly medical information as well.

In general, healthcare providers have an immense amount of devices connected to their networks. Following widely known breaches in this sector, many criticized organizations for failing to encrypt files containing sensitive customer information. While stronger encryption would certainly help, these companies must also ensure their networks are secure in the first place. Weeks before the Premera breach, federal auditors told the organization that some of its network security practices were inadequate and vulnerable to attack. If Premera had been monitoring their networks with greater frequency, they may have learned of these vulnerabilities earlier, on their own. Subsequently, they may have had significantly more time to patch and prevent a breach.


Companies in the Utilities sector are challenged with protecting critical infrastructure. These companies also hold a large amount of customer data, making them big targets for hackers looking to destroy or exfiltrate data. In 2014, nearly 70% of companies in the utility sector said they had been breached. Many companies also have reported attempts to have their data completely deleted or destroyed.

Breaches of Utility companies are often not disclosed, so the full scope of vulnerable companies are in this industry is not fully understood. However, a recent study found that 52% of companies in the Utilities industry had significant botnet infections. Greater monitoring will be necessary for companies in this sector to decrease the breadth of infection. Without it, our critical infrastructure and personal information remain vulnerable.

Narrowing the gap

For this “detection deficit” to narrow, companies need to monitor their own networks with greater frequency. As business have increasingly outsourced their operations over the years, they will also need to monitor third parties –and even fourth parties– to manage risk.

A recent survey found that 46% of companies that experienced a data breach took more than four months to detect a problem on their networks. Perhaps even more concerning is that 70% of these breaches were detected by a third party. Continuous monitoring solutions will enable organizations to detect intrusions as they occur. As a result, IT teams can spend more time and resources on fixing and remediating threats rather than detecting them in the first place.

Nobody wants to live the embarrassment of being told over the phone that they’ve been breached, or worse, read about it in the news. But as more organizations adopt continuous monitoring solutions, this experience should become far less frequent.

Measuring Risk: Why We Need Standards for Continuous Monitoring & Assessment

Continuous monitoring on its own is great for the detection and remediation of security events that may lead to breaches. But when it comes to allowing us to measure and compare the effectiveness of our security programs, there are many ways that simply monitoring falls short. Most significantly, it does not allow us to answer the question of whether not we are more or less secure than we were yesterday, last week or last year.

This is a question that we all have grappled with in the security community, and more recently, in the board room. No matter how many new tools you install, settings you adjust, or events you remediate, there are few ways to objectively determine your security posture and that of your vendors and third parties. How do you know if the changes and decisions you have made have positively impacted your security posture if there is no way to measure your effectiveness over time?

In recent years, solutions have emerged in the market which bring to light new potential from continuous monitoring and enable organizations to not only identify and remediate security issues, but also answer questions about security performance and effectiveness. Through the analysis of historical data, performance rating solutions allow organizations to quickly and objectively compare their effectiveness over time as well as to their industry and peers. The ratings are generated through the continuous collection of security data, including events, user behaviors and configurations, and updated on a daily basis. Higher ratings indicate better security performance, and users receive alerts when ratings change significantly. The ease with which these ratings can be accessed means organizations can leverage performance ratings in a number of ways that go far beyond threat detection.

For example, using ratings in vendor selection can help organizations choose and negotiate with secure partners from the beginning of business relationships. They have access to information that can show how performance over time has varied, as well as if there have been prior security incidents or breaches worthy of further investigation. Using ratings for vendor management encourages all parties to be proactive and transparent in their security practices, thus helping to improve overall performance.

There are other third party transactions where continuous security performance ratings can help, such as in underwriting and negotiating cyber insurance premiums as well as making strategic M&A decisions. Performance ratings provide context that is lacking from other assessment methods, as ratings are based on evidence of security outcomes and the criteria for both assessment and rating is congruent between networks.

However, the value in this metric isn’t simply in providing a number; the value is in its potential to become a standard that organizations can objectively benchmark themselves and their third parties against. Many organizations have their own methodologies to assess security risk, relying on auditors, compliance certificates, questionnaires and multiple frameworks for qualitatively, and in some ways quantitatively, measuring their risk. But if we’re all using different frameworks and methodologies, the ability to compare and contrast is lost, and objectivity comes into question. The lack of a standard in this area has lead to ambiguity when it comes to defining what “good security performance” actually looks like.

Of late, legislators and regulators have been pushing organizations to show that they are monitoring security risks across the business ecosystem and taking responsibility for the performance of their vendors as well. There has also been additional pressure placed on board members and executives to demonstrate awareness and oversight of security performance at all times.

HIPAA, PCI and OCC guidelines have all added language around vendor selection and management, requiring more frequent assessments and in some cases, naming liability if a vendor falls out of compliance. One thing these updates don’t include is specific guidelines for how and what to assess in network security ecosystems. This means it is up to the individual to interpret guidance, which may result in inconsistent (and often biased) assessments.

If regulators and lawmakers want to simplify risk management, they could make great strides by adopting and enforcing a set of measurement standards that could span industries and bring transparency to security practices in all organizations. To overcome the lack of awareness and bias in security performance assessments, continuous performance monitoring provides a significant advantage because it is outcome based rather than control based. Because of this, continuous assessment methodologies can answer the age old questions of how am I doing compared to my industry and my peers? Am I safer now than I was before?