Third Party Risk Assessment & Vendor Management: The Good News

May 14, 2019

If you work in InfoSec or cybersecurity, the news cycle can feel like a never-ending stream of breaches and hacks. It is easy to conclude that everyone and their neighbor is falling victim to cybercriminals and to start asking 'when will we be next?'. Doubt is understandable, but there is always reason for optimism in a field that is continuously changing, growing more complex, and innovating.

New strides are made daily to combat and prevent cyber attacks. While this is no reason to drop defenses or stop being vigilant, it is a reason to appreciate the progress industry leaders have already made in evolving and improving the cybersecurity landscape. Here is a quick list of industry 'wins' to keep in mind when it feels as though the attackers are winning:

Advancements in security standards and questionnaires

Security standards, assessments, and questionnaires give corporations a common language for documenting and comparing security controls with clients, partners, and vendors. As security regulations evolve, these standards and questionnaires evolve with them to cover the points that matter. Here are a few of the newest standards, assessments, and questionnaires in the space:

  • NIST CSF: The NIST Cybersecurity Framework is one of the most widely adopted security frameworks and is now in its fifth year of use (version 1.0 was published in February 2014). It is a voluntary framework rather than a regulation, and NIST revises it to reflect changes and advancements in the industry; version 1.1 was published in April 2018.
  • SIG (and SIG Lite): The Shared Assessments program publishes the Standardized Information Gathering (SIG) questionnaire, a comprehensive security assessment intended to work across industries and business needs, and updates it each year (a 2019 release is current at the time of writing). The full SIG is long and in-depth; SIG Lite is a shorter subset of the same question library, limited to the high-level controls that matter most, which makes it suitable for lower-risk vendors or as a first pass. Both are part of the Shared Assessments Third Party Risk Management Toolkit, which offers tools designed to directly address gaps in third party cybersecurity.
  • CAIQ (and CAIQ-Lite): The Cloud Security Alliance's Consensus Assessments Initiative Questionnaire lets cloud service providers document their controls against the CSA Cloud Controls Matrix, and lets customers vet and approve those providers. It is available in a long and a short form: the full CAIQ runs to nearly 300 questions, while CAIQ-Lite trims it to 73 questions and takes far less time to complete. InfoSec leaders can therefore spend less time answering questionnaires and more time protecting company data.

The ongoing growth of the cybersecurity industry

One major story in cybersecurity is the growth of the industry as a whole. Yes, cyber threats are becoming more frequent and more sophisticated, but that also means the resources available to fight them are growing. The industry as a whole is poised for major growth through 2025, and InfoSec teams will be on the front lines. Today there are not nearly enough cybersecurity professionals to combat the growing threats, but that gap is also an opportunity: more professionals will join the industry, bringing new ideas and perspectives to the space.

The evolution of security policy and resources

A few years ago, the InfoSec space was the realm of only a few. Today, the ramifications of cybersecurity reach into the upper echelons of corporations, making it a critical pillar of success for many companies. With cybersecurity a top concern for senior management and even boards, there are more resources available than ever before, and the tools and solutions on the market are more advanced and innovative as well. Information on nearly any problem is just a Google search away.

A deeper understanding of inherent risk

Understanding the inherent, or baseline, risk of a vendor (the risk it poses because of the data and access it will have, before any of its security controls are taken into account) is a critical necessity in today's Information Security world. With so much relevant information and research now available, cybersecurity teams can build comprehensive models of inherent risk. With these models, teams can pinpoint which vendors need the most attention and which are comparatively low risk. Having access to these detailed reports also allows InfoSec teams to construct a risk tiering model for vendors, which assigns each vendor a review workflow and timeline based on its risk tier.
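The following is an added illustration of the inherent-risk scoring and tiering workflow described above, and of how the questionnaires listed earlier (full SIG, SIG Lite, CAIQ, CAIQ-Lite) can be selected by tier. It is not Whistic's model or code: the weights, thresholds, review intervals and sample vendors are assumptions chosen to show the mechanics, and a real program would calibrate them to its own risk appetite.

```python
"""Inherent-risk scoring and tiering for third-party vendors.

Added illustration, not Whistic's scoring model: the weights, thresholds and
vendor records below are assumptions chosen to show the mechanics.
"""
from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3      # regulated data: PII, PHI, cardholder data


@dataclass(frozen=True)
class Vendor:
    name: str
    data_class: DataClass
    record_count: int          # approximate number of records the vendor will hold
    network_access: bool       # VPN, peering or agent into the internal network
    privileged_access: bool    # admin rights on any in-scope system
    business_critical: bool    # an outage halts a revenue-critical process
    cloud_hosted: bool         # SaaS/IaaS delivery (drives questionnaire choice)


@dataclass(frozen=True)
class ReviewPlan:
    tier: int
    score: int
    questionnaire: str
    review_interval_days: int  # how often the review is repeated
    evidence_required: bool    # require SOC 2 / pen-test reports, not just answers


# Assumed weights: data sensitivity dominates, access and criticality add to it.
_DATA_WEIGHT = {DataClass.PUBLIC: 0, DataClass.INTERNAL: 2,
                DataClass.CONFIDENTIAL: 5, DataClass.RESTRICTED: 8}


def inherent_risk_score(v: Vendor) -> int:
    """Score 0..20 from the vendor's intended role alone, before any controls are assessed."""
    score = _DATA_WEIGHT[v.data_class]
    if v.record_count >= 100_000:
        score += 4
    elif v.record_count >= 1_000:
        score += 2
    elif v.record_count > 0:
        score += 1
    score += 3 if v.network_access else 0
    score += 3 if v.privileged_access else 0
    score += 2 if v.business_critical else 0
    return score


def assign_tier(v: Vendor) -> ReviewPlan:
    """Map the inherent score to a tier, questionnaire and cadence (thresholds are assumptions)."""
    score = inherent_risk_score(v)
    if score >= 12:
        q = "Full SIG" + (" + CAIQ" if v.cloud_hosted else "")
        return ReviewPlan(1, score, q, 365, True)
    if score >= 6:
        q = "CAIQ-Lite" if v.cloud_hosted else "SIG Lite"
        return ReviewPlan(2, score, q, 365, False)
    return ReviewPlan(3, score, "Self-attestation and contract security clauses", 730, False)


def review_queue(vendors):
    """Vendor names ordered by attention needed: lowest tier number first, then highest score."""
    ranked = sorted(vendors, key=lambda v: (assign_tier(v).tier, -inherent_risk_score(v)))
    return [v.name for v in ranked]


# Constructed sample vendors (not real companies).
SAMPLE_VENDORS = [
    Vendor("CaterCo", DataClass.PUBLIC, 0, False, False, False, False),
    Vendor("MailBlast", DataClass.CONFIDENTIAL, 200_000, False, False, False, True),
    Vendor("PayrollCo", DataClass.RESTRICTED, 50_000, False, False, True, True),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        p = assign_tier(v)
        print(f"{v.name:10} tier {p.tier} score {p.score:2}  {p.questionnaire}  "
              f"every {p.review_interval_days}d  evidence={p.evidence_required}")
```

The point of separating `inherent_risk_score` from `assign_tier` is that the score is computed from what the vendor will do for you, which is known at onboarding, while the tier decides how much work the review gets: the payroll provider holding regulated data lands in Tier 1 and gets the full SIG plus CAIQ with evidence, the email platform gets CAIQ-Lite, and the caterer gets a self-attestation. Once a questionnaire comes back, the residual risk (inherent risk adjusted for the controls actually in place) is a separate calculation that this example deliberately does not attempt.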

A growth in third party risk management

As third party security continues to grow in importance and as digital tools become more sophisticated, there has been a steady uptick in third party vendor risk management activity. Vendor security assessments conducted on the Whistic Platform, including security profile shares/views in Q1 of 2019, increased by over 100% in the last year. Just from our own data, we’re seeing record numbers of vendors added, documents uploaded, and even questionnaires utilized.

The growth in third party risk management has also opened the door for more targeted solutions, like the Whistic platform. Scoring models like Whistic's CrowdConfidence™ Score give InfoSec teams a top-down, timely view of each vendor's security grade, so they can move to address any flags or threats through an ongoing, automated process. Cybersecurity processes and workflows as a whole are becoming more streamlined and automated as disparate systems and internal teams integrate and work as a cohesive unit. The InfoSec space is evolving, which makes room for crucial information security activities to occur at scale and on a much more efficient timetable.
