The increasing number of third-party breaches has made it more important than ever to ensure the vendors you partner with are secure. In today’s business environment, protecting only your data and systems from cyberattacks is not enough.
While there are many benefits to outsourcing, there are also inherent security risks as third-party networks are rapidly growing and becoming increasingly complex. As your third-party network expands, so does the attack surface available to hackers. Any third party that has access to your sensitive data or systems poses a potential security risk.
Call it third-party risk management (TPRM) or vendor risk management (VRM); either way, you need processes in place to ensure that the use of external service providers and vendors does not create vulnerabilities, cause business disruptions, or degrade business performance.
Purpose of VRM Software
Vendor Risk Management Software collects vendor risk data, helping organizations align risk tolerances and prevent data breaches, compliance issues, and supply chain vulnerabilities. VRM software also automates risk management procedures, helping to secure and manage vendor relationships for their duration, not just during onboarding. Using VRM software can protect your organization from security risks within your vendor network and provide automated processes for third-party risk management.
How VRM Software Can Benefit You
- Establish security posture of your organization and for new or existing vendors
- Automate risk monitoring
- Centralize storage of risk data
- Increase vendor visibility
- Help align risk tolerance and create a standard of comparison among all your vendors
- Help track security controls and compliance
- Provide baselines and documentation for tracking remediations and improvements to security posture
- Monitor ongoing changes to vendors’ security posture
- Reduce errors
Choosing VRM Software
The right VRM software for your organization will meet your current risk management needs with flexibility to scale with your business in the future. Risk management is an ongoing process that can be made more efficient and accurate with the appropriate VRM software. Ideal vendor risk management software must have features like built-in questionnaires, remediation tracking, audit logs, and reports and dashboards.
myCYPR for Vendor Risk Management
myCYPR offers customizable risk management with increased visibility into third-party risk for you and your vendors. Easily identify vulnerabilities and security gaps and track progress in an interactive dashboard with views for first- and third-party risk.
Considering Vendor Risk Management (VRM) software but want to learn more? Contact us with more questions or request a demo to see how myCYPR can improve your vendor risk management.
Security questionnaires can be frustrating and daunting. With no single standard that companies are required to follow, most are left to create their own vendor onboarding and assessment procedures. The result is different questionnaires from different companies, with little consistency among them. Not only is this frustrating for organizations trying to manage their vendors and align risk tolerances, it is also chaotic for vendors on the receiving end of a different questionnaire from each company they work with.
Improving security questionnaires eases the burden on first- and third-party security teams alike. Below are six ways to improve questionnaire implementation and establish consistency among vendors to aid your vendor risk management processes.
Improve Your Security Questionnaire
1. Organize by control categories– Questionnaire categories should be built around control frameworks, industry standards and regulations, and common areas of cybersecurity evaluation, so that each answer maps back to a control you actually care about.
2. Integrate standardized responses– Multiple-choice responses create easy-to-score questions that highlight problem areas and can streamline remediation efforts. Standardized responses also prevent lengthy free-text answers that are time-consuming to read and make it difficult to compare vendors accurately.
3. Create flexible options– While it is important to create consistency with standardized responses, it is also necessary to acknowledge that implemented security practices don’t always fit within a range of multiple-choice options. Sometimes more explanation or supporting material is needed. Provide a way to elaborate on a standardized response, such as options for noting remediation plans, acknowledging accepted risk, and uploading evidence for review, as appropriate.
4. Assign to multiple respondents– To ensure the highest level of accuracy, a questionnaire must be answered and reviewed by subject matter experts. Assigning multiple respondents to attest to the responses keeps them accurate, prevents the questionnaire from having to be redone, and raises awareness of areas in need of improvement.
5. Track improvements– Questionnaires can be a useful tool for showing leadership areas in need of improvement, progress, and ROI. A questionnaire can serve as a baseline for the current state of security posture. As remediations are made, improvements can be documented and tracked against that baseline.
6. Ditch the spreadsheet– Spreadsheets can quickly grow disorganized and out of control as your vendor network changes or expands. A risk management tool or streamlined dashboard eliminates the need for your security team to hunt for answers in a spreadsheet, and makes it easier to update the questionnaire with remediations and track progress. Already have an existing spreadsheet? A questionnaire dashboard within an effective risk management tool will cover core frameworks and key areas of cybersecurity, matching or surpassing the effectiveness of any previously used spreadsheet.
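The six steps above describe a data model as much as a process: questions grouped by control category, fixed answer choices that score, an escape hatch for remediation plans and evidence, more than one attester per answer, and a baseline to track against. The following Python is an added example written for this article, not myCYPR code. The question identifiers, the 0-3 answer scale, the two-attester rule and the 60% per-category tolerance are assumptions, and the two vendors' responses are constructed. It validates a submission, scores each vendor by category, flags categories below tolerance, ranks vendors on one consistent basis, and reports the per-category change between a baseline and a reassessment.

```python
"""Standardized security questionnaire with per-category scoring.

Added example for this article, not myCYPR code. The questions, the 0-3
answer scale, the two-attester rule and the tolerance are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standardized answer choices with fixed scores (assumed 0-3 maturity scale).
ANSWER_SCORES = {
    "not implemented": 0,
    "partially implemented": 1,
    "implemented": 2,
    "implemented and audited": 3,
}
MAX_ANSWER = max(ANSWER_SCORES.values())
MIN_ATTESTERS = 2  # each answer must be reviewed by at least two respondents

# Questions grouped by control category (hypothetical identifiers).
QUESTIONNAIRE: Dict[str, List[str]] = {
    "Access Control": ["AC-1", "AC-2"],            # MFA enforced; privileged accounts reviewed
    "Vulnerability Management": ["VM-1", "VM-2"],  # critical patches in 30 days; monthly scans
    "Incident Response": ["IR-1"],                 # IR plan exists and is tested yearly
}


@dataclass
class Response:
    question: str
    answer: str
    attested_by: Tuple[str, ...] = ()
    evidence: Optional[str] = None          # reference to uploaded evidence
    remediation_plan: Optional[str] = None  # free text is allowed only here
    risk_accepted: bool = False


def validate(responses: List[Response]) -> List[str]:
    """Problems that send the questionnaire back before it is scored."""
    issues = []
    expected = {q for qs in QUESTIONNAIRE.values() for q in qs}
    for q in sorted(expected - {r.question for r in responses}):
        issues.append(f"{q}: unanswered")
    for r in responses:
        if r.answer not in ANSWER_SCORES:
            issues.append(f"{r.question}: non-standard answer {r.answer!r}")
        elif ANSWER_SCORES[r.answer] < 2 and not (r.remediation_plan or r.risk_accepted):
            issues.append(f"{r.question}: weak answer needs a remediation plan or accepted risk")
        elif ANSWER_SCORES[r.answer] == MAX_ANSWER and not r.evidence:
            issues.append(f"{r.question}: audited claim needs uploaded evidence")
        if len(r.attested_by) < MIN_ATTESTERS:
            issues.append(f"{r.question}: attested by fewer than {MIN_ATTESTERS} respondents")
    return issues


def category_scores(responses: List[Response]) -> Dict[str, float]:
    """Percent of the available points earned in each control category."""
    points = {r.question: ANSWER_SCORES[r.answer] for r in responses}
    return {
        cat: round(100 * sum(points.get(q, 0) for q in qs) / (MAX_ANSWER * len(qs)), 1)
        for cat, qs in QUESTIONNAIRE.items()
    }


def overall_score(responses: List[Response]) -> float:
    total = MAX_ANSWER * sum(len(qs) for qs in QUESTIONNAIRE.values())
    return round(100 * sum(ANSWER_SCORES[r.answer] for r in responses) / total, 1)


def evaluate(responses: List[Response], tolerance: float) -> dict:
    """Score a validated questionnaire against a per-category tolerance."""
    cats = category_scores(responses)
    failing = sorted(c for c, s in cats.items() if s < tolerance)
    return {"categories": cats, "overall": overall_score(responses),
            "failing": failing, "meets_tolerance": not failing}


def compare_vendors(vendors: Dict[str, List[Response]], tolerance: float):
    """Rank vendors: those within tolerance first, then by overall score."""
    ranked = [(name, evaluate(resp, tolerance)) for name, resp in vendors.items()]
    ranked.sort(key=lambda nr: (not nr[1]["meets_tolerance"], -nr[1]["overall"], nr[0]))
    return ranked


def track_improvement(baseline: List[Response], current: List[Response]) -> Dict[str, float]:
    """Per-category change in percentage points since the baseline questionnaire."""
    before, after = category_scores(baseline), category_scores(current)
    return {cat: round(after[cat] - before[cat], 1) for cat in QUESTIONNAIRE}


# Constructed sample responses for two vendors.
ATTESTERS = ("vendor CISO", "vendor IT lead")
VENDOR_A = [
    Response("AC-1", "implemented and audited", ATTESTERS, evidence="soc2-type2.pdf"),
    Response("AC-2", "implemented", ATTESTERS),
    Response("VM-1", "implemented", ATTESTERS),
    Response("VM-2", "partially implemented", ATTESTERS, remediation_plan="monthly external scans from Q3"),
    Response("IR-1", "implemented", ATTESTERS),
]
VENDOR_B = [
    Response("AC-1", "partially implemented", ATTESTERS, remediation_plan="MFA rollout in progress"),
    Response("AC-2", "not implemented", ATTESTERS, risk_accepted=True),
    Response("VM-1", "implemented and audited", ATTESTERS, evidence="pentest-report.pdf"),
    Response("VM-2", "implemented and audited", ATTESTERS, evidence="scan-reports.zip"),
    Response("IR-1", "not implemented", ATTESTERS, remediation_plan="IR plan drafted, tabletop due Q4"),
]
# Vendor A after remediating VM-2: the same questionnaire, updated rather than redone.
VENDOR_A_REASSESSED = [
    Response("VM-2", "implemented", ATTESTERS) if r.question == "VM-2" else r for r in VENDOR_A
]

if __name__ == "__main__":
    for name, result in compare_vendors({"Vendor A": VENDOR_A, "Vendor B": VENDOR_B}, tolerance=60):
        print(name, result["overall"], "below tolerance in:", result["failing"])
    print("Vendor A improvement:", track_improvement(VENDOR_A, VENDOR_A_REASSESSED))
```

The validation step is where steps 3 and 4 are enforced: a weak answer without a remediation plan or accepted risk, an "audited" claim without evidence, or an answer reviewed by a single person is sent back before scoring, so free text never reaches the comparison. Both constructed vendors miss the 60% tolerance in at least one category, which is exactly the per-category view a reviewer needs; the overall score alone would hide that Vendor B's vulnerability management is strong while its access control is not.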
Benefits of Improved Security Questionnaires
What are the benefits of improved security questionnaires? For starters, consistency across questionnaires for all vendors makes it easier to identify which vendors align with the primary organization’s risk tolerance and which do not. This insight helps organizations make better decisions to protect their data and assets from third-party compromise when onboarding new vendors and managing existing ones. Consistent, standardized questionnaires also scale easily as your third-party network grows. The benefits extend to vendors too. With increased standardization, vendors no longer have to fill out a different questionnaire for each customer; one questionnaire can be shared with any organization requesting it, with responses updated and shared as remediations are made.
myCYPR provides a standardized first-and third-party risk management solution with an interactive dashboard built to improve the questionnaire response process for organizations and their vendors. Request a demo today to learn more.
COLUMBIA, Md., Jan. 19, 2022 / — Anchor Technologies, Inc., experts in cybersecurity consulting, today announced the launch of revolutionary risk management tool, myCYPR. The interactive platform manages compliance, internal and third-party risk, and delivers next generation security assessments in a single tool. Next generation security assessments and professional service engagements are currently not available from any other risk management solution on the market. CISOs, IT leaders, and security teams across industries will gain real-time, interactive insight into risk management and the ability to self-track remediation from the only solution backed by the power of a security services team.
The risk presented by third parties has continued to escalate despite the emerging solutions of the past five years, with 51% of organizations having experienced a data breach caused by a third party. Current solutions have failed to effectively solve the problem, primarily due to the exclusion of in-depth security assessments. Where many other tools provide a risk score as the result, the myCYPR score is used as a starting point to better understand current levels of risk and facilitate remediation. The tool evolves the concept of risk scoring into a complete risk management solution.
myCYPR manages compliance, internal & third-party risk, and delivers next generation security assessments with one tool.
Peter Dietrich, President and CEO, said, “Current tools are acting as audits simply looking to find problems with third parties rather than providing a tool to solve the problem. myCYPR helps third party vendors solve the problem, not just report on their faults.”
myCYPR allows both principal organizations and third-party vendors to interact with risk data and self-track remediation. By providing an interactive risk management solution, myCYPR ensures third-party risk management can easily be integrated into daily operations and risk can be tracked over the course of a business relationship. The goal is to strengthen relations between principal organizations and vendors, for the duration of the relationship, rather than simply reporting on point-in-time faults. Interested parties can visit www.mycypr.com for more information.
Anchor Technologies, Inc. was founded in 2002 with a total focus on cybersecurity. Established experts in their field, Anchor Technologies boasts a seasoned advisory services team powering the myCYPR platform. With experience serving a breadth of industries and performing engagements in breach response, penetration testing, and cyber maturity analysis, the company is uniquely equipped to develop a complete risk management solution. To learn more about Anchor Technologies, Inc., visit www.anchortechnologies.com.
Media Contact: Meagan Huebner, (410) 295-7601, firstname.lastname@example.org
SOURCE Anchor Technologies, Inc.
What is Third-Party Risk Management (TPRM)?
Third-party data breaches are a growing threat to organizations. In fact, 51% of organizations have experienced a data breach caused by a third-party. With the consequences of such a breach including financial loss, investigations & lawsuits, damaged reputation, and loss of sensitive company information, effective third-party risk management (TPRM) is critical to the continued success of any organization.
Third-party risk management is often used interchangeably with other industry terminology, such as supplier risk management, supply chain risk management, vendor management, or vendor risk management (VRM). While definitions vary slightly, “third-party risk management” and like terms describe the process of identifying and mitigating risk associated with the use of third parties. Third parties include vendors, suppliers, partners, contractors, and service providers that provide products and services to customers on behalf of an organization and, as a result, have access to sensitive company and customer data.
Why is TPRM Important?
TPRM is a rapidly growing practice, mainly due to the increased reliance on outsourcing. Utilizing third-party services can stretch budgets and speed up the business, but giving third parties access to sensitive company data makes it crucial to consider their cybersecurity posture so that the relationship does not become a vulnerability. Partnering with a vendor with weak cybersecurity practices may leave your organization more exposed to a supply-chain attack, where your systems are breached through a third party that has access to your systems and data. Attackers are drawn to supply-chain attacks because compromising widely used software, or a widely used provider, can give them access to every organization that depends on it, multiplying the scale and impact of a single intrusion.
Organizations are also becoming increasingly intertwined with a growing number of third-party vendors. Not only do today’s third parties require more access to the primary organization’s data assets, they are also increasingly working with their own third parties. This has greatly increased the size and complexity of third-party networks, making it a critical challenge for organizational leaders to manage the associated risks without hindrance to the efficiency, speed, and productivity of the business. This growth has only made supply-chain attacks more attractive to attackers and further increases the risk associated with third parties.
Considering what is at stake, can an organization afford to take their vendors’ word when they self-report they are secure?
What TPRM Does:
Effective TPRM manages who is part of your third-party network, verifies that they are an active vendor, assesses their level of access, and confirms it is the appropriate level of access. A risk profile should be created for each vendor to make vetting vendors more consistent and increase the understanding of your third-party network. Once the risk each vendor presents is understood, proper controls must be in place to manage that risk. TPRM should also examine what would happen if the third party’s networks and data are compromised and how it might impact the principal organization should their confidential information be leaked.
TPRM should begin the moment a new vendor or supplier is onboarded and continue over the course of the business relationship, only ending when the relationship is completely dissolved. Effective TPRM also utilizes standardized processes and automation to maximize time and resources.
Benefits of TPRM Software:
Effective use of third-party risk software enables organizations to implement a successful TPRM program. TPRM software provides consistency and allows for the automation of risk management activities, which maximizes ROI, productivity, and results. Using such software often leads to:
- Increased data visibility and reporting capabilities through risk management dashboards.
- Simpler assessments and audits.
- Time and cost savings.
- Improved vendor performance.
- Decreased risk.
Learn how myCYPR can help your organization manage third-party risk by requesting a demo today.
If you’re familiar with a credit score, you already have a better understanding of cybersecurity risk ratings than you think. A credit score is a quick and easy way to tell lenders about your creditworthiness, providing a prediction of how likely you are to pay back a loan on time.
Similarly, cybersecurity risk ratings, or security ratings, provide a quick and easy way to communicate an organization’s cybersecurity posture to internal teams, executives, and existing or potential third-party vendors.
Why Cybersecurity Risk Ratings
In our increasingly digital world, Gartner, a global research and advisory firm, expects that security ratings will reach the status a credit score holds today when assessing the risk of existing and new business relationships. Soon, you may be as familiar with your organization’s security rating as you are with your own credit score; the future of your business may depend on it. Cybersecurity ratings are a useful tool to better understand or improve the cybersecurity posture of any organization, and to initiate risk-based discussions with company leadership or with third parties when establishing new business relationships.
Security Ratings Help Manage Internal Security and Third-Party Risk
Cybersecurity risk ratings are data-driven, quantifiable measurements of an organization’s overall cybersecurity performance, based on a cybersecurity risk assessment. The scores are intended to provide organizations of all industries with an independent view into the security practices of the organization itself, as well as those of their third-party vendors. Third-party vendors provide products and services to customers on behalf of an organization and as a result have access to sensitive company and customer data. When giving third parties access to sensitive data, it becomes crucial to consider their cybersecurity ratings so that the relationship does not become a vulnerability.
Organizations are increasingly intertwined with a growing number of third-party vendors. Not only do today’s third parties require more access to the primary organization’s data assets, they are also increasingly working with their own third parties. According to Gartner, this has multiplied the size and complexity of third-party networks. It is a critical challenge for organizational leaders to manage the risks associated with third-party networks while remaining efficient and productive, with no hindrance to the speed of business. Obtaining security ratings for your organization and your third parties helps to secure your internal environment, as well as mitigate the growing risk associated with third parties.
Where Security Ratings are Falling Short
As with credit scores, there are several security rating providers on the market. Despite the benefits of cybersecurity ratings, the businesses and third-party vendors who use them are sometimes left with ratings that fail to capture the true picture of their cybersecurity posture. There is currently no universal scoring method for cyber risk ratings, so different providers can deliver different scores for the same organization depending on the data they choose to assess. If a company believes its score is not valid, the existing dispute processes are tedious and ratings are difficult to overturn. Current providers rely on open-source intelligence (OSINT), that is, data gathered from publicly available sources. That information is valuable, but assessing only public data means a company’s score is limited by the narrow scope of what is visible from outside, or by information that is not updated regularly.
Current cybersecurity ratings providers also fail to utilize input from the companies and vendors that are being rated. When positioned as a benefit, this makes the ratings sound convenient and easy, as little input or resources are required from the company being scored. Unfortunately, this also prevents the company being rated from being able to provide verifiable and valid data that could strengthen their score, furthering the potential for ratings that fail to depict the true organizational security posture.
The Data Makes the Score
Given the shortcomings in the current cybersecurity risk ratings market, myCYPR aims to help organizations accurately identify and manage risk internally and for their third-party vendors. While current security rating providers score organizations on a single data set, myCYPR offers organizations the choice of up to three data sets. These range from open-source intelligence to a highly detailed next generation security assessment, backed by the expertise of a cybersecurity consulting team. The range of options allows organizations to customize a program to match their budget, organization size, and risk profile, or to cover multiple third-party vendors. The cybersecurity consulting power behind myCYPR also allows organizations to be involved in their own score by providing data for consultants to consider in the scoring process through an interactive web dashboard. Combined, myCYPR’s features allow organizations to be more involved in the risk rating process and deliver the most accurate risk score possible.
As cybersecurity ratings become increasingly vital to business operations, it will be equally important to choose the right risk rating provider. See, score, and secure your organization with myCYPR.
Anchor Technologies will participate in the RSA Conference this year! We will be in the expo at booth 5355. This booth and conference will serve as the official launch for the myCYPR™ cybersecurity ratings platform.
myCYPR™ is the COMPLETE cybersecurity ratings platform. It combines multiple perspectives on risk data to manage your cybersecurity posture or run a customized risk program for your vendors.
Also stay tuned, as we will be announcing product details and several offers to get FREE conference expo passes over the next several weeks. If you will be at the conference, drop a comment below and let everyone know and make sure to come by the booth to say hello and get more details on the solution.
A cybersecurity ratings platform provides a quick and easily communicated perspective on an organization’s cybersecurity risk profile. A cybersecurity rating alone isn’t terribly new or revolutionary; several security assessment vendors have offered a score as a way of communicating an overall risk profile. Adding a web-based dashboard and interactive platform evolves the concept of a risk score into a risk management solution, allowing a much more advanced way to interact with the findings data and remediation requirements. The largest challenge of the traditional security assessment exercise is effectively remediating ALL of its findings. It can be a daunting task, and often a percentage of the findings are never addressed because of poorly communicated recommendations or remediation fatigue. A primary goal of the Cybersecurity Ratings Platform is to provide a solution that evolves the cyber risk management process, improving effectiveness and driving complete remediation.
Many breaches today are the results of hackers exploiting weaknesses that had actually been identified previously in a security assessment. Well-known examples of this were the Home Depot 56 million credit card breach of 2014 and the crippling City of Baltimore ransomware compromise of 2019. In both cases evidence was made public that prior security assessments had identified the weaknesses exploited.
The cybersecurity ratings platform will provide multiple levels of perspective into the risk data through an easy to consume web-based dashboard. This platform will solve five significant issues with the current market ratings and assessment solutions.
Problem #1 Solved: Risk data is difficult to consume and remediate.
The web-based dashboard will allow the organization to see risk data first at a high “10,000 foot” perspective, with an overall summary rating or score on a FICO™-like and relatable scale from 250 to 900. The dashboard will also break the data down into digestible categories of risk, such as technical vulnerabilities, operational maturity and application risk. The drill-down methodology will enable the user to drill into as much specific finding and remediation data as they are ready to consume. It will also provide a way to track progress and dynamically update the score based on the progress of remediation. At various points along the way a downloadable report is available.
Problem #2 Solved: Risk data used in legacy ratings solutions is unreliable.
Some vendors have decided that cheap is good enough in security and have built ratings systems based solely on free, publicly available historical data, also known as open source intelligence (OSINT), to score an organization’s risk posture; others have added self-assessment as a means to improve reliability. Both data collection methods have value, but they should be implemented within a complete program in which the accuracy and reliability of each level of risk data are matched to the organization’s data security requirements. Evaluating a vendor on historical public data that the vendor cannot control very often fails to reflect the actual risk posture of the targeted organization. A reliable solution should include risk data from multiple sources: internally audited operational security (OPSEC) data as well as OSINT.
Problem #3 Solved: Risk planning, prioritization and budgeting is difficult and time-consuming.
Many organizations today have some sort of budget for cybersecurity risk remediation, yet successful breaches have grown to epidemic proportions. One key issue is a misalignment between security spend and the actual risk present in the organization: products get implemented as the primary answer to cyber risk while other areas of the risk landscape are prioritized lower in the budget and may never be addressed. Three questions need to be answered together: what to address first, how much it will cost, and what will improve the score the most. The best cybersecurity ratings platform will include a way to visualize the highest-risk findings alongside their estimated remediation cost, so that remediation can be prioritized by the largest risk reduction and managed within the budget.
Problem #4 Solved: Defining risk posture between audits is unreliable.
Many organizations perform security assessments annually or at least every two years. Typically, remediation efforts extend past the deliverable presentation by a few months to even the next budget cycle. Often it quickly becomes very difficult to clearly define how much these efforts have improved the security posture without rerunning the assessment. A cybersecurity ratings platform provides a method of remediation tracking and dynamically updates an “unaudited” security posture rating so that the organization can understand its current risk state and communicate progress. The platform can also offer scenario based risk remediation planning so that remediation scenarios can be run prior to spending actual budget to determine how the risk posture would be impacted.
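To make the drill-down of Problem #1, the cost-aware prioritization of Problem #3 and the scenario planning of Problem #4 concrete, here is an added Python example. It is not myCYPR’s scoring, whose weights this post does not publish. It assumes a rating of 900 minus one point per open risk point, floored at 250; severity weights of 40/20/8/2; the three categories named above; and constructed findings with invented remediation cost estimates. It produces the overall and per-category view, runs a what-if simulation for a chosen set of findings, and builds a budget-constrained plan ranked by rating gain per dollar.

```python
"""Hypothetical 250-900 cyber risk rating with what-if remediation planning.

Added example; the weights and the linear score mapping are assumptions, not
myCYPR's published formula. Findings and cost estimates are constructed.
"""
from dataclasses import dataclass, replace
from fractions import Fraction
from typing import Dict, Iterable, List, Optional, Set

SCORE_MIN, SCORE_MAX = 250, 900
SEVERITY_POINTS = {"critical": 40, "high": 20, "medium": 8, "low": 2}  # assumed weights
CATEGORIES = ("technical vulnerabilities", "operational maturity", "application risk")


@dataclass(frozen=True)
class Finding:
    id: str
    category: str
    severity: str
    cost: int          # estimated remediation cost in dollars (assumption)
    open: bool = True


def risk_points(findings: Iterable[Finding], category: Optional[str] = None) -> int:
    """Open risk points, optionally restricted to one category."""
    return sum(SEVERITY_POINTS[f.severity] for f in findings
               if f.open and (category is None or f.category == category))


def rating(findings: Iterable[Finding]) -> int:
    """Assumed mapping: 900 minus one point per open risk point, floored at 250."""
    return max(SCORE_MIN, SCORE_MAX - risk_points(findings))


def category_breakdown(findings: Iterable[Finding]) -> Dict[str, int]:
    """Drill-down view: open risk points per category."""
    findings = list(findings)
    return {c: risk_points(findings, c) for c in CATEGORIES}


def simulate(findings: Iterable[Finding], remediate_ids: Set[str]) -> int:
    """What-if: the rating after closing the given findings; the register is untouched."""
    return rating([replace(f, open=False) if f.id in remediate_ids else f for f in findings])


def prioritize(findings: List[Finding], budget: int) -> dict:
    """Greedy plan: close findings with the most rating gain per dollar within budget.

    Ties go to the larger finding. This is a heuristic, not an exact knapsack solution.
    """
    order = sorted(
        (f for f in findings if f.open),
        key=lambda f: (-Fraction(SEVERITY_POINTS[f.severity], f.cost),
                       -SEVERITY_POINTS[f.severity], f.id),
    )
    chosen, spent = [], 0
    for f in order:
        if spent + f.cost <= budget:
            chosen.append(f.id)
            spent += f.cost
    return {"remediate": chosen, "cost": spent,
            "current_rating": rating(findings),
            "projected_rating": simulate(findings, set(chosen))}


# Constructed findings with invented cost estimates.
FINDINGS = [
    Finding("F1", "technical vulnerabilities", "critical", 5000),  # unpatched internet-facing host
    Finding("F2", "technical vulnerabilities", "high", 2000),      # no MFA on VPN
    Finding("F3", "application risk", "high", 15000),              # legacy app needs rewrite
    Finding("F4", "operational maturity", "medium", 1000),         # no documented IR plan
    Finding("F5", "application risk", "medium", 4000),             # no dependency scanning
    Finding("F6", "operational maturity", "low", 500),             # incomplete asset inventory
]

if __name__ == "__main__":
    print("rating:", rating(FINDINGS), category_breakdown(FINDINGS))
    print("if F3 were fixed:", simulate(FINDINGS, {"F3"}))
    print("plan for $8,000:", prioritize(FINDINGS, budget=8000))
```

With the constructed register the rating is 802; fixing the expensive application finding F3 alone would move it only to 822, whereas the greedy $8,000 plan closes F2, F1 and F4 for a projected 870. That gap between “biggest finding” and “biggest gain per dollar” is the alignment Problem #3 asks for, and the simulation lets it be shown before any budget is spent. The cost estimates are the input most worth challenging, since the plan is only as good as they are.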
Problem #5 Solved: Regulatory and compliance goals are often a separate unconnected effort from the security assessment.
Cybersecurity standards and regulations are part of almost every CIO’s playbook. Most organizations are required, or have voluntarily chosen, to comply with a cybersecurity standard or regulation such as the NIST Cybersecurity Framework (NIST CSF), the Center for Internet Security’s Critical Security Controls (CIS CSC), the Payment Card Industry Data Security Standard (PCI DSS), or ISO/IEC 27001. Publicly traded companies have SOX, healthcare has HIPAA, banking has FFIEC, GLBA and many others, education has FERPA, the entire European Union has GDPR, and federal contractors and subcontractors have NIST SP 800-171, FISMA, CMMC, FedRAMP and more. Many organizations must comply with several of these at once, and still more are required to answer a prime vendor’s questionnaire, an AICPA SOC 2 or agreed-upon procedures (AUP) report, or the Shared Assessments SIG. Wouldn’t it be nice to bind all of these into one effort, on one platform? Most of these standards and regulations overlap in their security requirements by at least 80%, and the cybersecurity rating and assessment effort already gathers data on most of those control implementations. The cybersecurity rating platform should therefore map the risk data to the applicable standards and regulatory requirements, and from that mapping produce a compliance gap analysis and remediation plan.
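The mapping step described above can be demonstrated with a small crosswalk. The Python below is an added example, not myCYPR’s control library: the control identifiers, their assessed status, and the mapping to CIS Controls v8, NIST CSF 1.1 and PCI DSS 3.2.1 requirement numbers are illustrative assumptions and should be checked against the published framework text before reuse. From a single set of assessment results it computes per-framework coverage and the open requirements, measures how many controls serve more than one framework, and orders remediation by how many requirements each fix closes.

```python
"""Crosswalk from one set of assessed controls to several frameworks.

Added example, not myCYPR code. Control names, statuses and the requirement
identifiers in the crosswalk are illustrative and must be verified against the
published frameworks before use.
"""
from typing import Dict, List

STATUS_RANK = {"missing": 0, "partial": 1, "implemented": 2}

# Assessment results for the organization's own controls (constructed data).
CONTROL_STATUS = {
    "C-MFA": "partial",              # MFA for remote and administrative access
    "C-ACCT-REVIEW": "implemented",  # quarterly review of accounts and privileges
    "C-VULN-SCAN": "implemented",    # monthly vulnerability scanning
    "C-PATCH": "missing",            # critical patches applied within 30 days
    "C-IR-PLAN": "missing",          # documented and tested incident response plan
    "C-CDE-SEG": "implemented",      # cardholder data environment segmented from the Internet
}

# Hypothetical crosswalk: control -> framework -> requirement identifiers it supports.
CROSSWALK = {
    "C-MFA": {"CIS Controls v8": ["6.3", "6.5"], "NIST CSF 1.1": ["PR.AC-7"], "PCI DSS 3.2.1": ["8.3"]},
    "C-ACCT-REVIEW": {"CIS Controls v8": ["5.1"], "NIST CSF 1.1": ["PR.AC-1"], "PCI DSS 3.2.1": ["8.1"]},
    "C-VULN-SCAN": {"CIS Controls v8": ["7.5"], "NIST CSF 1.1": ["ID.RA-1"], "PCI DSS 3.2.1": ["11.2"]},
    "C-PATCH": {"CIS Controls v8": ["7.3"], "NIST CSF 1.1": ["PR.IP-12"], "PCI DSS 3.2.1": ["6.2"]},
    "C-IR-PLAN": {"CIS Controls v8": ["17.4"], "NIST CSF 1.1": ["PR.IP-9", "RS.RP-1"], "PCI DSS 3.2.1": ["12.10"]},
    "C-CDE-SEG": {"PCI DSS 3.2.1": ["1.3"]},
}


def requirements_by_framework(crosswalk: dict) -> Dict[str, Dict[str, List[str]]]:
    """Invert the crosswalk: framework -> requirement -> controls that satisfy it."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for control, frameworks in crosswalk.items():
        for fw, reqs in frameworks.items():
            for req in reqs:
                out.setdefault(fw, {}).setdefault(req, []).append(control)
    return out


def gap_analysis(status: Dict[str, str], crosswalk: dict) -> Dict[str, dict]:
    """Per framework: coverage percent and the requirements still open.

    A requirement counts as satisfied only when every control mapped to it is implemented.
    """
    report = {}
    for fw, reqs in requirements_by_framework(crosswalk).items():
        gaps = {}
        for req, controls in reqs.items():
            weak = [c for c in controls if status[c] != "implemented"]
            if weak:
                gaps[req] = weak
        satisfied = len(reqs) - len(gaps)
        report[fw] = {"requirements": len(reqs), "satisfied": satisfied,
                      "coverage": round(100 * satisfied / len(reqs), 1), "gaps": gaps}
    return report


def remediation_priority(status: Dict[str, str], crosswalk: dict) -> List[str]:
    """Controls to fix first: those that close the most requirements across all frameworks.

    Ties are broken by the worse current status, then by identifier.
    """
    def unblocked(control: str) -> int:
        return sum(len(reqs) for reqs in crosswalk[control].values())

    open_controls = [c for c, s in status.items() if s != "implemented"]
    return sorted(open_controls, key=lambda c: (-unblocked(c), STATUS_RANK[status[c]], c))


def shared_control_fraction(crosswalk: dict) -> float:
    """Percent of controls whose single assessment serves two or more frameworks."""
    shared = sum(1 for frameworks in crosswalk.values() if len(frameworks) >= 2)
    return round(100 * shared / len(crosswalk), 1)


if __name__ == "__main__":
    for fw, result in gap_analysis(CONTROL_STATUS, CROSSWALK).items():
        print(f"{fw}: {result['coverage']}% covered, open: {sorted(result['gaps'])}")
    print("shared controls:", shared_control_fraction(CROSSWALK), "%")
    print("fix first:", remediation_priority(CONTROL_STATUS, CROSSWALK))
```

Because each control’s status is recorded once, adding a fourth framework is a matter of extending the crosswalk, not re-assessing, and the gap report for it falls out of the same data. The priority list also shows why the single-effort approach pays: in the constructed data the incident response plan and MFA gaps each close four requirements across three frameworks, so they outrank the patching gap even though all three are serious on their own.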
Just like a FICO™ credit score, data is collected, an analysis performed and a score produced. Cybersecurity risk ratings are exactly the same with different data. Key differences in solutions present themselves when you look at the data used to develop the rating. To date, solutions in the market have focused their data set on one or two of three groupings of data: Operational Security (OPSEC), Open Source Intelligence (OSINT), and Governance, Risk and Compliance (GRC).
OPSEC data is time consuming and detailed in its collection. It requires cooperation with the rated target organization to allow data collection access and provide key pieces of business related data. This is also historically similar to what is commonly called a Security Assessment, although market definitions of the standard security assessment vary widely in scope and cost. OPSEC data is the most accurate data available when evaluating an organization’s risk posture.
OSINT data is free and can be collected completely independently of the rated target. It is gathered from the public Internet and generally grouped into three categories: IT hygiene, user behavior and public disclosures. Organized collection of this data is newer to the market than the other two types. Collection is also highly automated, which reduces cost but also reduces accuracy and reliability.
GRC data is collected typically as part of compliance management program or Gap Analysis. This data is also typically laborious to collect and document requiring the organization’s cooperation. Most data is organized in groupings of “controls” aligning to a published standard from CIS, NIST or ISO or a regulation such as HIPAA, FISMA, GDPR, CMMC or PCI.
Data of these three types is acquired in one of three ways. Collection can be automated, which is typical for OSINT data. It can be gathered through a self-attestation or self-assessment questionnaire, a method used for portions of GRC and OPSEC data. Lastly, and most commonly, data is collected through a facilitated exercise with a security practitioner or auditor. The last method is the most accurate and generally more expensive than the others.
The myCYPR solution is a complete cybersecurity ratings platform. It supports all three data types, provides multi-layered reporting and visibility and most importantly provides detailed findings and actionable recommendations for remediation.