Addressing Security Gaps

As if improving a company's own security weren't hard enough, businesses also have to evaluate the risk posed by third-party vendors and suppliers. Some of the most notable breaches of the past five years, including Target, occurred because attackers compromised a less-protected third-party vendor and then used that foothold to breach a larger target. According to a study by the Ponemon Institute, 73 percent of businesses said they see the cybersecurity risk from vendor partners increasing, and 65 percent said that risk is difficult to manage. For partners, that means a huge opportunity, executives from security ratings company BitSight said in interviews with CRN. Here are seven areas where partners can use third-party risk assessment tools to help their clients address security gaps.

Third-Party Supplier Risk

The most obvious opportunity for third-party risk assessment offerings is assessing the cybersecurity risk posed by a client's vendors and suppliers. The shift in the market around third-party risk scoring, CTO Stephen Boyer said, is that it is now possible to rate third-party companies using publicly observable information, rather than having to ask them to share information that might be slow to gather or that they might not be inclined to share. That matters, Boyer said, because the vast majority of breaches, upwards of 70 percent, still stem from some sort of third-party attack.

Board-Level Benchmarking

Boards of directors are often interested in third-party risk assessment services as a way to benchmark their own company's security posture against its competitors, President and COO Tom Turner said. Turner said that allows boards of directors to have more strategic conversations about cybersecurity from a business risk perspective, a conversation he said they are increasingly looking to have.

"Like all security topics, discussions about this are in the board room right now," Turner said. "My belief is third-party risk is much more consumable [for those executives]."

Cyber Insurance

Boyer said there is also a significant opportunity for third-party risk services in the growing cyber insurance industry, as insurers look for a way to calculate risk scores for prospective and current policyholders. Boyer said the company's six years of historical data show a strong correlation between a company's investment in certain areas of security and its likelihood of being breached. Those metrics will become even more important as cyber insurance becomes mainstream, he said, adding that he expects it will ultimately become something every company needs.

Security Prioritization

While BitSight and other security ratings companies don't advise on which security technologies a company should buy, they can point to the areas where investment would most improve its risk rating, Turner said. He said assessment services like this can pinpoint the areas that present the greatest security risk to an organization, such as patching. For partners, Turner said, that can be a conversation starter for selling and implementing new security technologies that reduce a client's risk.

Meet Regulation

Boyer said cybersecurity regulations have also "gone up substantially" around supplier due diligence, driven by high-profile attacks on Target, OPM and others that centered on third-party suppliers. For solution providers, he said, that is important because customers often look to their partners for help meeting regulatory requirements.

"We see the regulators really zeroing in on these entities and making sure they're testing third parties because they see the risk ultimately flows back upstream," Boyer said.

Supplier Due Diligence

Companies are increasingly using third-party risk services to perform due diligence on suppliers, Boyer said. He said he has seen multiple examples of large companies rejecting a supplier for a contract because of a poor cybersecurity rating, a trend he said differs from years past. While not every company will go so far as to terminate or decline a contract over a rating, he said he increasingly sees companies adding clauses to purchase agreements that assign liability, or require the supplier to carry cyber insurance, in the event of a breach.

Managed Vendor Risk Offering

For partners that already provide a managed security service, Turner said third-party risk assessment presents an interesting opportunity to add ongoing risk assessment to the offering. That can take the form of regular assessments of the client's own cybersecurity standing, or managed third-party risk assessments of the client's suppliers and other associated vendors, he said.