Business requires trust, but knowing whether your vendors merit that trust is difficult. With the rise of information technology, the ways in which trust can be broken, intentionally or unintentionally, have multiplied and become more complex. Vendor risk assessment questionnaires are one method for verifying that third parties follow good information security practices so your business can weigh the risk of entrusting them with your data.
Vendor risk scoring is a practice that has emerged to address the complexity of vendor management by assigning vendors a single score– typically a number or letter grade– to facilitate comparison between vendors and portfolios. The past decades of digital transformation have provided both the need for innovative IT security hygiene assessment techniques and the technological capabilities to gather and analyze the data necessary to give those risk scores predictive power. Now the vendor solutions have reached a level of maturity that they are valuable for businesses of all sizes and sectors.
In managing cyber risk, it’s not enough to ensure that your business’s systems and enterprise web presence are secure. You must look beyond your perimeter properly vet the third and fourth-party vendors who will have access to your data without being subject to your governance. If an organization outsources technological functions to third parties, or uses them in its supply chain or data handling, the risk is compounded by these parties’ weaknesses. The 2013 Target data breach, which began at an air conditioning subcontractor, is a well known example, but the danger of third-party vendor risk has only increased. More third party breaches are being discovered than ever before.
Introduction Utilities in the Enterprise Modern enterprise data centers are a complex mix of different technologies geared towards accomplishing business goals. Some of these technologies are pricy, big-name business solutions, but some are simple tools and utilities, facilitating processes. Linux sysadmins have been using rsync (remote synchronization) to move and mirror files for two decades, though versions of it now run on nearly every platform. Its lightweight build, small footprint, and usability make it a good choice for simple file copy operations. But this same asset is also a liability for many utilities: designed purely for functionality, they may not automatically account for potential risks to enterprise data. To successfully use rsync in the enterprise means protecting the data being transferred through it from accidental exposure.
It is increasingly hard to trust your technology as it scales along with your business. New servers, network appliances or applications are constantly added to your IT environment in costly efforts to optimize your business needs. With increasingly strict regulatory rules in place, this leaves many of us worried about IT backlash.
Most engineering teams we connect with tell us they do not have any runbook repositories of documentation for logging their processes.
Information technology has changed the way people do business. For better, it has brought speed, scale, and functionality to all aspects of commerce and communication. For worse, it has brought the risks of data exposure, breach, and outage. The damage that can be done to a business through its technology is known as cyber risk, and with the increasing consequences of such incidents, managing cyber risk, especially among third parties, is fast becoming a critical aspect of any organization. The specialized nature of cyber risk requires the translation of technical details into business terms. Security ratings and cyber risk assessments serve this purpose, much like a credit score does for assessing the risk of a loan. But the methodologies employed by solutions in this space vary greatly, as do their results.
It's been a while since we last covered these two leading IT automation solutions—suffice to say, both SaltStack and Ansible have evolved significantly since then. Let's take a fresh look at how they compare when it comes to enterprise-grade IT automation and orchestration.
The emergence of the cyber risk assessment space marks a strategic shift in how enterprises handle digital threats, from traditional, ineffective security-centric approaches to blended frameworks that combine layered security and risk management. Let's see how Cavirin and RiskRecon stack up when it comes to measuring enterprise cyber risk.
According to the Forbes Insights/BMC second annual IT Security and Operations Survey, 43 percent of enterprises plan on redoubling their patching and remediation efforts in 2017, citing patch automation investments as having the best ROI among security technology purchases in 2016. It's not hard to understand why: the same survey reveals that known security vulnerabilities continue to cause the majority of data breaches and security compromises. Rapid7 and Qualys are two leading cybersecurity vendors in the vulnerability management space—let's see how they stack up in this comparison.
Penetration testing (pen testing) is crucial for developing and maintaining hardened, attack-resilient systems—these can be applications, nodes, or entire networks/environments. Specialized tools are readily available for discovering vulnerabilities and security gaps in these systems; in this comparison, we'll compare Arachni and OWASP Zed Attack Proxy (ZAP), two popular security suites for application-level pen testing.
Unless you've been hiding under a rock in a datacenter from the last century, chances are you've heard of Docker, the leading software container solution on the market. And if so, you've likely heard of its chief competitor CoreOS as well. Let's see how the two stack up in this comparison.
As pure play digital businesses, SaaS vendors live and die by their uptime and availability; fortunately, a plethora of tools are available these days for monitoring and troubleshooting the entire stack. AppDynamics and New Relic are two leading application performance management (APM) tools for tuning and diagnosing modern software applications—let's see how they hold up in this head-to-head comparison.
We've covered more than a handful of IT monitoring solutions, but few dominate their categories like SolarWinds and Microsoft SCOM, the two contenders in this match-up. From the network to the servers and applications, SolarWinds' suite of solutions ensure that the whole stack is performing optimally; similarly, SCOM/Systems Center 2016 provides monitoring across applications, workloads, and infrastructures. Let's see how they stack up in this head-to-head comparison.
IT admins managing expansive infrastructures require specialized tools for discovering IT assets living in their environments—no trivial task, considering the myriad of nodes connected at any given time: guest laptops, mobile devices, dev/test servers, virtual machines, old desktops, and more. Cybersecurity suites such as ForeScout and Tanium have made infrastructure discovery and visibility their bread-and-butter; let's see how they stack up in this comparison.
In a recent report by Forbes and BMC, known vulnerabilities were cited as the leading cause of data breaches, accounting for 44 percent of security incidents. These statistics underscore the importance of proper vulnerability management; judging by the continued failure of organizations to properly patch/update their software and systems, the practice is easy in theory but hard in practice. Tripwire and Qualys are two cybersecurity vendors with a keen focus on keeping vulnerabilities in check—let's see how they stack up in this comparison.
The enterprise's infrastructure monitoring needs have evolved drastically over the years; more often, firms need operational intelligence regarding the health and performance of a myriad of IT assets: physical/virtual servers, applications/services, security devices, and more. System Center Operations Manager (SCOM) and Splunk are two leading solutions on the market for monitoring datacenter health and performance; let's see how they compare for keeping the enterprise IT ship afloat.
You may have heard that perimeter security is dead, but rest assured, IT folks aren't about to do way with their corporate firewalls just yet. The perimeter is just one—albeit critical—dimension of your organization's digital attack surface, and endpoint security is no less important, especially with the continued enterprise adoption of cloud and mobile technologies. Tanium and IBM BigFix are competing solutions in this space that were, interestingly, born from the same progeny.
Data analytics continue to play an integral function in cybersecurity—from SIEM to advanced network-based intrusion detection (NID), today's leading solutions are heavily reliant on data science-backed, actionable threat intelligence to detect and mitigate cyber attacks. Varonis is one such vendor whose platform revolves around cybersecurity data analytics; let's see how it holds up against leading security vendor Tripwire.
Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe. But reality tells a different story.