In a previous blog in this series, we noted how the growing and imminent threats of third-party data breaches have gotten the attention of the highest levels of companies. Our research shows that 71% of respondents report program metrics to internal leadership outside of security business functions.
And what concerns both practitioners and executives most? The accuracy of the data provided to them by vendors as well as third-party validation.
Trust is key to vendor/client relationships
Trust is a major pillar of third-party risk management. Trusting the vendors you do business with is vital. You need to be able to trust their questionnaire responses and other information they provide to you. Research by Whistic and RiskRecon shows that more than half of those surveyed trust the information their vendors provide them.
But just because you trust that your vendors are being truthful, that doesn’t mean you shouldn’t do your due diligence and take the necessary steps to validate that information. In that same report, 61% of respondents validate vendor questionnaire responses with a third-party tool. Additionally, 43% of respondents have started using risk scoring to evaluate vendors within the last five years as a means to validate vendor risk data.
Read The Modernization of Cybersecurity
In this joint research report, discover the key trends in cyber risk management and vendor assessments — using responses from 500 cybersecurity and third-party risk practitioners.
Validation is still necessary
One question that might arise when you begin validating vendor responses is how often should I be doing this? And the simple answer is it depends. According to our survey 40% of respondents are validating responses every six months, 30% are validating once a year, 7% every other year, and 21% it depends on the vendor.
Having confidence in data and insights makes all the difference when you are faced with having to make too many risk decisions. Validation tools that only provide a laundry list of findings, plagued by false-positives create a panicked battleground of misinformation. When organizations can’t quickly decipher between a real threat or a non-threat, either because their validation tool does not prioritize the findings by potential impact if infiltrated or because the findings themselves are inaccurate, data loss events are more likely to occur.
Security ratings tools with high rates of accuracy, like RiskRecon — independently verified at 99.1% accuracy — allow you to create custom risk alerts based on your organization’s priorities, helping your firm to achieve better risk outcomes. RiskRecon’s Issue Risk Matrix provides organizations with instant visibility into the risk distribution of security issues across their entire vendor portfolio enabling them to identify vendors that have issues within their risk priority settings.
To learn more about trends that are impacting cyber risk and vendor security management download our report, The Modernization of Cybersecurity, or if you want to learn how Whistic can streamline your vendor assessment process, request a demo today.