The most overlooked aspect of IT Security could be the most important

August 30, 2016

Hint - It’s vendor risk management

Pretty hard to miss it, so why aren’t we doing a better job?

There is a massive array of innovative and exciting new security tools that an IT manager can buy to monitor endpoints, put up firewalls, manage keys and certs, and lock down environments. And with all the sales reps from this legion of providers constantly vying for attention, it is easy to fall into the trap of believing that the right question is “Which one(s) should I choose?”

With increasingly severe, frequent, and public data breaches, it is clear that most IT security strategies aren’t working very well. So how is it that companies spending tens of millions or more on security tools and compliance are still suffering from massive breaches? The answer is simple — the hackers are basically just walking through the door.

This is essentially how it works:

  1. IT builds the corporate equivalent of Fort Knox.
  2. Someone internal comes along and says, “Hey, there’s this really cool vendor that can do X, Y, and Z, but we need to give them access so they can work their magic.”
  3. The business case makes sense, so you punch a hole in the side of your Fort Knox and start pushing bits of data through the hole.
  4. This manual business of pushing data to the vendor gets annoying, so you widen the hole, and turn it into a door.
  5. You repeat this process dozens, hundreds, and sometimes even thousands of times if your company is big enough.
  6. One day, the data gets stolen and your executives start scratching their heads and wondering “how could this have happened?!”

It’s time to ask some new questions

A recent report from Bomgar, a leader in secure access solutions, found that only 35% of companies are confident that they even know how many vendors are accessing their IT systems. It’s no wonder, then, that 80% of vulnerabilities come from third-party vendors (Cybersecurity Market Report, Cybersecurity Ventures). It’s time we started asking some different questions. Here are some ideas to get you started:

  • How many vendors are handling sensitive data for my company?
  • How many vendors have access to my premises?
  • Am I properly limiting access to my vendors?
  • How do vendors access my data?
  • Are my vendors sophisticated enough to protect my data when it resides in their environment?

So what’s the solution?

Whistic is a modern web application that was built to ask those kinds of questions. It replaces the traditional risk assessment spreadsheet with a nice user interface and adds a lot of helpful functionality for companies assessing their vendors.

With Whistic you get the ability to easily assess your vendors against industry standards like PCI DSS, ISO 27001, or the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ for short).

Whistic has also crowdsourced the wisdom of more than 600 IT security professionals to create a special scoring algorithm that provides you with a measure of how much your peers are willing to trust someone with their data, based on a set of security controls.

If you’re on the vendor side, and find yourself filling out a lot of risk assessments in spreadsheets or word documents, Whistic enables you to create a detailed IT security profile and securely share it with your customers. When your environment becomes more secure, you can update your profile and push those changes to all your customers at the same time.

Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit:


About the author

Andrew Watanabe

Chief Product Officer @ Whistic
