While the technical posture requires a technical background to evaluate in full, there’s a more “managerially understood” aspect of cybersecurity monitoring: being able to determine vendor compliance with industry-standard requirements and accepted certifications. This is an important secondary capability for you to possess.
For example, consider the General Data Protection Regulation (GDPR), the European Union law defining the controls EU citizens have over their personal data. It’s been the source of litigation and major fines for violators, so it’s a risk area to be avoided.
Via cybersecurity monitoring using the aforementioned VRM solution, you can receive validation that the required GDPR facilities operate within a proposed vendor’s public-facing web presence, giving you confidence about their conformance to GDPR requirements. Suggestions for improvement can be made, and that input included in the evaluation.
This same procedure can be applied to other certifications and regulatory mandates, like the CCPA, the Shared Assessment SIF, ISO 27001, NIST and others. They’re just a few of a dozen (and growing) industry-defined standards. In the case of VendorInsight, our resident Vendor Evaluations Information Security Questionnaire is based on NIST standards and is certified as a vendor certification input into Normshield.
Steering clear of the Outer Limits of vendor cyber risk
Sorry, I couldn’t help myself. But rather than lose control, as in the intro to that old show, you can now gain more control over vendor cyber risk. Knowledge (and data), after all, is power, and the right VRM solution gives it to you.
Having insight into a provider’s cybersecurity shortcomings (and the corresponding undue risk to your organization) provides exceptional leverage in negotiating a contract, or in calling a vendor on the carpet for corrective actions and financial adjustments. It also allows you to determine the financial exposure that exists, based on the data that’s resident within the relationship. This is extremely powerful insight, obtainable using the FAIR™ Institute Value at Risk (VaR) framework.
In the hypothetical example we started out with, being able to analyze our would-be vendor’s third-party cybersecurity posture may be the absolute best way to ensure that their proposed widget is acceptable. Being able to maintain ongoing monitoring of a third party’s cybersecurity posture, and of the reciprocal risk to your organization, is both empowering and essential. With the right VRM provider and solution on hand, you’ll avoid unwanted drama. Especially of the Rod Serling kind.