Vendor risk scoring is a practice that has emerged to address the complexity of vendor management by assigning vendors a single score– typically a number or letter grade– to facilitate comparison between vendors and portfolios. The past decades of digital transformation have provided both the need for innovative IT security hygiene assessment techniques and the technological capabilities to gather and analyze the data necessary to give those risk scores predictive power. Now the vendor solutions have reached a level of maturity that they are valuable for businesses of all sizes and sectors.
Extending Vendor Risk Management
Vendor risk scoring grows out of existing vendor risk management practices as a way to automate and simplify the process of identifying risk in third party relationships. The first step of such a process is to categorize the third parties by the types of services those businesses provide and the effects of service or security incidents. A third party that provides a critical manufacturing component that could lead to a stoppage in production deserves closer attention, and possibly redundancy, than one who provides breakroom snacks, for example. The same principle applies to software companies and the technical services they provide. A service failure in a third party that allows users to authenticate into their workstations is more critical than in one that allows them to submit expense reports. This is the essence of third-party vendor risk.
In the digital economy, those relationships also carry a far greater potential for data compromise. A material supply chain failure may bring your production line to a halt, but if data is stored physically it is difficult to be breached en masse. Physically stored information is also far less likely to be useful; the ease of operating on and replicating digitally stored data is one of the key drivers of the digital transformation. Even for vendors that do not supply technical services, digitization has made data breaches a consideration as the exchange of information is the baseline for doing business.
Your vendors have, at a minimum, some kind of payment information. They are also likely to have other data that their service produces, analyzes, or stores: personal information about your employees, your customers’ data, product roadmaps, sales strategies, schematics, email communication, financial statements, legal documents credentials to other systems– depending on the type of service, virtually any data might be shared with them. Consuming a vendor’s service entails the flow of data back to them. In addition to the operational risk of service failure, third party relationships also create the risk of data loss.
These two forces integral to digital transformation– the benefits of using third party technical services and the ubiquity of data digitization– have made IT third-party risk management progressively more important to a business’ overall security posture. That expanding role has in turn led to the need for more innovative approaches and solutions that foster cyber resilience.
The Invention of the Perimeter
As businesses came to rely on digitization and technical services, they developed virtual boundaries differentiating inside from outside, self from other, data that was private from data that was public. In contrast to the early history of the internet and precursors like ARPANET– a time when the challenge was making remote access work at all– the challenge became how to limit remote access. Digital businesses developed perimeters. The first generation of information security practices concerned the establishment and protection of those perimeters. While the perimeter defense philosophy has been heavily amended as the threat landscape has evolved, the fact that is important for the history of vendor risk scoring is that businesses developed a virtual epidermis at all.
The existence of a perimeter provides a surface for assessing. Every business with physical facilities maintains some level of security for their premises, and the susceptibility of a business to physical theft can be assessed by measuring how far one can penetrate the facility without encountering resistance. With the emergence of the digital surface, and of a devoted enterprise web presence, a business's risk posture– the danger it poses to its own interests and to others– can be measured as its ability to establish a border between itself and the world.
The Limits of Vendor Management
The growing reliance on and risk from third parties has raised the importance of the practice of vendor management and exposed areas where new approaches are necessary. Vendor attestations to internal security processes and procedures can detect risks that people are willing and able to disclose, but that leaves out quite a bit of the risk environment. If someone does not password protect their systems, and knows this, and is willing to admit it, a questionnaire will accurately reflect their risk of being compromised. But as technology has become more mature and complex, the limits of such attestations have become more apparent. What was once still within the peripheral vision of vendor risk management has moved more and more to its blindspots as the number of vendor relationships has outpaced the techniques for managing them.
Periodic attestations have several limitations. The first is that they are administered periodically, usually once a year. Due to the rate of technological change– which is, again, one of the benefits driving digital transformation– by the time a new attestation is submitted the old one may be wildly out of date. A technical control in place at the time of attestation can be altered the next day. The second problem is that it relies on the knowledge of the person doing the attestation. Even if a person has good reason to believe that a certain control is in place– they believe all computers are password protected because they set them up that way– the effort needed to check every relevant configuration on every system is unlikely to be done before checking this item off the list. Moreover, there may be additional systems they are not aware of– shadow IT– that other people have plugged in, downloaded, subscribed to, or added to the network. A third problem is simply that it takes time for people to administer these assessments. The labor cost of vendor management limits the scope of assessments to ensure that they are a net positive for the business. Smaller firms may be unable to justify any dedicated resource and simply default to retaining unmeasured risk.
The State of Vendor Risk Scoring
As a method for performing simple comparisons amongst a portfolio of vendors, scoring is not a new practice. At its core, vendor scoring is about processing a large amount of data into a simpler numerical format, and such scores can be part of managing traditional vendor questionnaires. With the evolution of extensive digital surfaces, however, vendor risk scoring can also be done non-invasively without the participation of the entity being assessed. The parallel development of sophisticated web crawlers and specialized data collection services have made it feasible to gather the information about those surfaces, assess them for risks, and generate a score for each of a business's digital properties.
Vendor risk scoring as it has emerged today addresses the key limitations of attestation. Automated assessments of digital surfaces occur far more frequently– daily or hourly instead of annually– than is possible for forms that people need to spend real time filling out. Automated assessments can look at every configuration on every digital property, not just those that the attestor has time to check. A modern enterprise may have hundreds of public facing websites across multiple domains. Technology providers support not only their own websites but API endpoints and customer instances, and behind a given website there may be several load-balanced servers. Regional hospitals are likely to have their public site as well as several login portals for patients, staff, and vendors. Even small firms are likely to have some services that require secure sign pages and storage for sensitive files. Assessing every configuration on every digital surface can easily overwhelm an organization’s resources; vendor risk scoring solutions have automated this work.
Risk scores can also blend other data sources easily. Cross referencing a business’ IP addresses with those on blacklists can point to systems that have already been compromised. Historical breaches at a business or trends in breaches by industry can further enhance the predictive power of a vendor risk score. Financial health data can provide another perspective on the risk of doing business with a vendor. As new capabilities for monitoring the threat environment emerge and larger datasets become available, vendor risk scores will only increase in their depth and predictive power.
Vendor risk scoring has matured to the point that vendors and clients in the space have begun to collaborate on defining the parameters of their market. The “Principles for Fair and Accurate Security Ratings” represent the first agreement on the minimum requirements for risk scoring offerings.
- Transparency: Rating companies shall provide sufficient transparency into the methodologies and types of data used to determine their ratings...Any rated organization shall be allowed access to their individual rating and the data that impacts a change in their rating.
- Dispute, Correction and Appeal: Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data.
- Accuracy and Validation: Ratings should be empirical, data-driven, or notated as expert opinion.
- Model Governance: Prior to making changes to their methodologies and/or data sets, rating companies shall provide reasonable notice to their customers and clearly communicate how announced changes may impact existing ratings.
- Independence: Commercial agreements, or the lack thereof, with rating companies shall not have direct impact on an organization’s rating.
Confidentiality: Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected.
The publication of the security rating principles represent a turning point in the evolution of risk scoring from “can we make it work” to “can we define its boundaries.” As with the evolution of digital business, that inflection point of defining a perimeter is the point at which security ratings have emerged as an entity in their own right, independent of other practices within the broader cyber resilience disciplines of information security and risk management.
Within the scope of the security ratings charter there is still much work to be done. In addition to improvements to the discovery of external surfaces, assessing their security configurations, and diagnostics for the surrounding threat environment, there remains the promise of unifying internal and external risk assessments. For all the benefits of automated external scanning, there is a great deal of information that cannot– or should not– be available via this method. For companies to be able to understand their real risk, and be able to present that to those with whom they do business, they need a complete picture as they appear both within and beyond their borders. That, at least, is the aspiration. For now, adopting vendor risk scoring solutions and getting basic cyber insurance coverage is logical next step and an attainable goal.
Fortunately, the barrier to entry is getting lower every day. As companies use better technology, the cost of automated risk scoring goes down. Today, with UpGuard Cyber Risk, it is possible to start protecting yourself for free. UpGuard adheres to the standards for fair and accurate security ratings. The CSR Chrome and Slack extensions travel with you to inform you of risky websites in real time. To start monitoring your vendors, start a free trial of UpGuard Cyber Risk to see which vendors are increasing your risk of outage or breach.