Navigating cyber
risk monitoring
and vendor

Author: Gary Hilson

Robust cyber risk monitoring and reliable threat intelligence are critical for large organizations to quickly deploy technology that keeps them competitive in industries with razor-thin margins.

Just as efforts like adopting cloud and edge computing and supporting remote workers are driven by business needs as much as technology evolution, cyber risk monitoring is a business decision, too. Large organizations with distributed but connected facilities and remote workers are constantly evaluating new technologies to enable their businesses, all of which can present new risks. Once implemented, there continues to be a need for dynamic threat intelligence around their ongoing use.

Almost every technology implementation involves a third-party vendor, and you'll need a quick and reliable way to evaluate the risks associated with adding vendors to your daily operations.

Threat intelligence must be gathered faster

If your organization is like most large companies, you likely have a whole host of departments and business users all looking to build new applications and data services so they can be more productive, efficient and competitive. Businesses in industries like marketing, finance or human resources may spin up a new cloud-based application without involving the IT department.

But each time a new vendor comes on board, so does the need for additional cyber risk monitoring. Though your organization can't completely avoid risk, it can quantify it to make an informed decision each time it considers adding a new vendor.

Whether you are a security leader or a stakeholder, it’s important to recognize that collecting the right information on each potential vendor is no simple feat. The process of evaluating third-party vendors can take weeks, and even then it may still overlook critical variables. A cyber risk monitoring tool can help accelerate decision-making by tapping into current threat intelligence so you can weigh all the security pros and cons.

The cyber security landscape has changed because the nature of large organizations has changed. You likely have geographically distributed facilities with many connection points, routers, switches and workstations. There's no longer a corporate-owned data center storing all data in a single, secure area surrounded by fences and doors requiring key cards. Data and applications reside all over the world, and a lot of security has moved up the application stack and into the cloud environment with controls.

This landscape means your organization is likely more reliant on the capabilities and facilities of third-party providers. Connecting two diverse networks creates opportunities for bad actors to interfere with that connection. Typical threats can include malware, botnet infections, spam propagation and unsolicited communications. Every external technology vendor that connects to your organization is an ongoing risk vector, further raising its risk of data loss, exposed credentials and breaches. It's not just your organization's security hygiene that matters; every vendor must go through an initial vetting process and be continually monitored and managed.

Evaluating third-party vendor risk

The initial evaluation and ongoing re-evaluation of a third-party vendor is often about weighing how much risk is worth taking on against the value the vendor can provide to your company. Threat intelligence is just one of many factors that might impact the decision to adopt a technology. You will also need potential vendors to answer many other questions to effectively evaluate them.

Find out who at the vendor is responsible for overseeing security strategy, and learn about the IT security team's experience and expertise.

A third-party vendor's processes and practices also matter, so you will want to get answers to these questions:

  • How does it protect customer information?
  • How does it report cyber security incidents?
  • Does it outsource any IT or IT security functions to third-party service providers?
  • What processes does it have in place to respond to a security incident?

You will also need to understand the capabilities of the tools and technology the third-party vendor has in place. Be sure to ask the following questions:

  • Does the technology have automated monitoring tools that ensure malicious software isn't deployed?
  • What does it use to monitor wireless networks?
  • How does it analyze security logs?

Cyber risk monitoring means asking these questions regularly and assigning each vendor a score, bearing in mind that a vendor's security hygiene can ebb and flow over the lifespan of the relationship. You should also mix in threat intelligence from other sources—including surface web and dark web hunting, site visits, and information from commercial services that monitor companies for a wide variety of risk factors—and not just rely on the vendor's answers.

Leveraging cyber risk monitoring services

The cyber risk monitoring process can be automated by tapping into the capabilities of a managed services partner. The right partner can provide the visibility necessary to make critical security investments and manage risk. The right tools combined with threat intelligence can help you make smart decisions more quickly, and better manage vendor relationships over the long term.

With new vendors, you can apply automated cyber risk monitoring to score them based on quantitative risk data, which can be more objective than qualitative data pulled from a manual questionnaire. The right tool should also pull information from public sources, identify exposure on the dark web and correlate findings with proprietary data from your tool provider. Cyber risk monitoring can then be used on an ongoing basis to measure and benchmark the organization's security posture.

All this is done in the context of business risk and growth so that the risks and recommendations to manage those risks can be presented to internal stakeholders. If the preferred solution presents a higher risk, there can be a conversation about how to mitigate those risks and the vendor can be provided with feedback to improve their score.

Automated cyber risk monitoring can help enable business users to adopt the tools they want while enabling IT teams the oversight they need to evaluate security risks to the organization. The right tool backed by the right partner allows for confidence in the organization's vendor risk assessment and management and frees up resources for other security functions.

Learn more about how Verizon can help support risk management against cyber threats.