Read about the latest cybersecurity news and get advice on third-party vendor risk management, reporting cybersecurity to the Board, managing cyber risks, benchmarking security performance, and more.
Insights blog.
Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
Bitsight TRACE explores several critical vulnerabilities discovered in ATG systems and their inherent risk when exposed to the Internet.
Most organizations are accustomed to benchmarking certain business areas like sales, profits, and resource allocation. These areas all have one thing in common — they are easily measured with simple, quantifiable metrics.
The implementation of many strict cybersecurity regulations and requirements (including GDPR, NYDFS, and more) continues to increase on a global scale. 2018 has also brought about the continuation of strict cybersecurity regulations in the Asia Pacific region, most notably in Singapore, Australia, and Hong Kong. This year, one new requirement from 2017, the Securities & Futures Commission’s Guidelines, goes into effect.
Effective cybersecurity involves regularly assessing the effectiveness of your organization’s policies, tools, and processes to ensure you’re staying ahead of the curve. In order to gain insight into your cybersecurity performance, you need clear, continuous, actionable metrics that you can track over time and compare to peers, competitors, and across business units.
In today’s evolving cyber risk landscape, Boards of Directors are becoming increasingly concerned about their company’s security performance. In fact, the NACD has found that 89% of public companies and 72% of private companies regularly discuss security at Board meetings. While they are asking for updates on enterprise cybersecurity posture more often, they do not necessarily have the expertise or experience to know what to ask for — or how to interpret the technical information presented to them.
Quantifying and tracking your cybersecurity performance so you can compare your organization to others, also known as benchmarking, is necessary for improving the effectiveness of your security programs.
As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, 89 percent of public-company directors say cybersecurity is discussed regularly in board meetings, and 72 percent of private-company directors say the same. Most companies are clearly moving in the right direction.
Recently, Verizon announced the Verizon Risk Report (VRR), a new managed service offering that provides a security assessment framework to enable customers to gain a comprehensive view of their cyber risk. By combining external cybersecurity ratings, internal analysis, and culture and process assessments, Verizon is able to provide customers with a holistic profile of security performance and current posture, enabling customers to prioritize security investment and mitigate risks.
The launch
As the Bitsight front-end team grows, we are investing in our design infrastructure to enable faster development, better collaboration, and a more unified look and feel in our product.
As advances in cloud computing and managed services have made IT operations more streamlined, the focus of IT leaders has shifted to improving efficiency, agility, and risk management. Managing risk, in particular, has become an even more central concern.
Last week, Bitsight released our new Security Rating Snapshot report.
An effective third party cyber risk management program both identifies potential threats and finds ways to mitigate them. Organizations should aspire to the highest possible standards when it comes to their security posture. To do so, they must leverage the best technology, efficiently allocate resources, and strive for continual improvement.
Mitigating risk is an essential business function that should cover obvious domains — like financial risk — but also include reputational, strategic, and operational risks.
With outsourcing continuing to rise, third party cyber risk management has become a pressing issue for organizations worldwide. Yet, many firms across the globe are approaching this challenge differently.
At a recent Bitsight Roadshow, a customer with an advanced third party risk management program declared “assessments are not risk reduction.” The statement was not meant to convey that assessments are useless for third party risk; rather, that assessments themselves don’t inherently drive risk down.
Since third party vendors are not under direct supervision, they are typically the weakest link of an enterprise’s IT security landscape. The largest organizations have tens of thousands of vendors, which makes managing this type of risk particularly challenging. For many organizations, it’s simply impossible to communicate with every vendor on a frequent basis about their security posture. At the same time, outsourcing to vendors is critical for business success, and delaying engagement with vendors while their security is reviewed could adversely affect an enterprise’s operations. Faced with such challenges, how do you go about developing a cybersecurity plan that effectively and efficiently manages third party vendor risk?