BitSight has released the results of a commissioned study conducted by Forrester Consulting entitled ‘Take Control of Vendor Risk Management Through Continuous Monitoring’. The findings reveal that current methods for managing third-party risk are inefficient and that companies must adopt continuous monitoring to detect security and risk issues to better understand their vendors’ cybersecurity posture and overall risk posed to their business.
The study surveyed 251 IT, risk, compliance and security decision makers in North America and Europe. Participants included managers, directors, vice presidents and C-level executives from organizations ranging from 1,000 to over 20,000 employees.
Key findings:
- It typically takes between two weeks and two months to adequately assess a vendor’s cybersecurity posture. It took 88 percent of organizations over two weeks to assess vendors’ cybersecurity using manual methods, leaving many organizations exposed to security control and performance gaps.
- Outside vendor analytics are important. 87 percent of firms said a mixture of in-house analytics and analytics from an outside vendor is very to extremely important when assessing third-party cyber risk management.
- Firms recognize the value of continuous monitoring. 83 percent of firms said more frequent or continuous monitoring of their vendors’ cybersecurity posture would be very to extremely valuable.
- Continuous monitoring is more than an annual survey. 49 percent of firms believe a key benefit of better third-party cyber risk management is improved vendor communication.
- Firms are making the connection between continuous monitoring and improved security. 51 percent of firms believe a key benefit of third-party cyber risk management is improving collaboration to remediate security issues.