teresalaw
ServiceNow Employee

Did you know that a data breach involving a third party costs on average 12% more [1] than one that does not, bringing the cost to almost $4 million? And it is not only the breach risk: anyone familiar with the General Data Protection Regulation (GDPR) knows that assessing third-party risk is mandatory for compliance. In other words, managing your vendors' risk has become essential to your business. Companies must be able to manage, report on, and remediate risk wherever it exists within their third- and fourth-party network.

ServiceNow Vendor Risk Management, one of four applications in the ServiceNow GRC portfolio, provides a formalized process to manage your third-party risk, improving productivity, communication, and reporting. The application now includes an integration with BitSight Security Ratings, the leader in the security ratings market, to provide a view into the security performance of your vendors. Security ratings give continuous, daily-updated visibility into your entire supply chain, which is critical to understanding third-party risk in the context of your business. That visibility lets you scale monitoring beyond the vendors you can assess by hand and build a more agile risk management program.

BitSight Security Ratings generate daily, objective, quantitative measurements of a company's security performance from externally observable data on compromised systems, security diligence, user behavior, and public disclosures. The ratings are derived by analyzing observed security incident and event data rather than questionnaire answers, so a rating is an outside-in view: it does not directly measure internal controls, and it should be read alongside assessments rather than in place of them. All companies, customer or not, are rated on the same criteria. The BitSight Security Rating, similar to a credit score, ranges from 250 to 900, with a higher rating correlating with better security posture and vice versa. BitSight ratings are the only security ratings with third-party validation of their correlation to publicly disclosed data breaches.

In ServiceNow, the BitSight rating can be used in integrated reporting, to tailor alerts per vendor, to kick off action plans and remediation activities, to inform adjustments to a vendor's calculated tier score, or to automate response activities. Displaying the BitSight Security Rating alongside other vendor information lets you compare a vendor's security performance with its residual risk for daily monitoring, vendor selection, and contract renewal and negotiation. A contextual link back into the BitSight portal supports targeted investigation and data-driven outreach to vendors.

The integration facilitates a more robust vendor risk management program through the following:

  • Increased, ongoing visibility into the cyber security of third- and fourth-party vendors: pulling in the BitSight Security Rating gives a more well-rounded picture of each vendor's cybersecurity posture.
  • More meaningful, action-oriented conversations with vendors, using the ratings and the more granular data in the BitSight portal together with the vendor data in ServiceNow. Use this data for activities such as vendor onboarding and reporting for contract renewal and negotiation.
  • Prioritized resources and a scalable third-party risk management program: use BitSight Security Ratings together with assessments, on-site visits, and other existing processes to calibrate your program and decide where resources should be allocated to manage vendor risk most efficiently.
  • Automation to speed response, validation, and remediation, through customized alerting on specific changes in the rating and in individual risk-vector grades. ServiceNow's vendor tiering assessment workflow routes assessments to the right person and helps vendor risk managers choose the right assessment for a vendor based on its tier. A change in the security rating can automatically generate a vendor risk assessment so that the change is investigated and the vendor's risk exposure reduced.
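As an added example, not code from the ServiceNow Store application or from BitSight: the decision logic a daily rating-change check could apply before generating a tier-appropriate assessment. The tier names, thresholds, assignment groups, risk-vector labels and the two vendor snapshots are constructed assumptions. In ServiceNow the same logic would sit in a scheduled job or business rule and use GlideRecord to read vendor records and create the assessment; that plumbing is left out so the block runs stand-alone in Node.

```javascript
// Added example (not part of the ServiceNow/BitSight integration): decide,
// from yesterday's and today's rating snapshot, whether a vendor needs an alert
// and which assessment to generate. All names and thresholds are assumptions.

const RATING_MIN = 250; // bounds of the BitSight rating scale
const RATING_MAX = 900;

// Hypothetical per-tier policy: lowest acceptable rating, largest one-day drop
// tolerated without review, the assessment to generate and the group that owns it.
const TIER_POLICY = {
  critical: { floor: 700, maxDrop: 30, assessment: "on-site review", owner: "vrm-leads" },
  high:     { floor: 650, maxDrop: 50, assessment: "detailed questionnaire", owner: "vrm-analysts" },
  standard: { floor: 550, maxDrop: 80, assessment: "basic questionnaire", owner: "vrm-queue" },
};

// Risk-vector letter grades treated as failing (assumption: D and F).
const FAILING_GRADES = new Set(["D", "F"]);

function validateRating(r) {
  if (!Number.isInteger(r) || r < RATING_MIN || r > RATING_MAX) {
    throw new RangeError(`rating ${r} is outside ${RATING_MIN}-${RATING_MAX}`);
  }
  return r;
}

// Compare two snapshots for one vendor. Returns the alert decision, the reasons
// a reviewer will read, and the assessment to create (null when nothing changed).
function evaluateVendor(vendor, previous, current) {
  const policy = TIER_POLICY[vendor.tier];
  if (!policy) throw new Error(`unknown tier '${vendor.tier}' for ${vendor.name}`);
  const prev = validateRating(previous.rating);
  const curr = validateRating(current.rating);
  const reasons = [];

  if (curr < policy.floor) {
    reasons.push(`rating ${curr} is below the ${vendor.tier}-tier floor of ${policy.floor}`);
  }
  if (prev - curr >= policy.maxDrop) {
    reasons.push(`rating dropped ${prev - curr} points in one day (limit ${policy.maxDrop})`);
  }
  // A vector that newly fails is escalated even when the headline rating barely moved.
  for (const [vector, grade] of Object.entries(current.vectors || {})) {
    const before = (previous.vectors || {})[vector];
    if (FAILING_GRADES.has(grade) && !FAILING_GRADES.has(before)) {
      reasons.push(`risk vector '${vector}' fell from ${before || "n/a"} to ${grade}`);
    }
  }

  const alert = reasons.length > 0;
  return {
    vendor: vendor.name,
    tier: vendor.tier,
    rating: curr,
    delta: curr - prev,
    alert,
    reasons,
    assessment: alert ? policy.assessment : null,
    assignTo: alert ? policy.owner : null,
  };
}

// Run the check across all vendors; snapshots are keyed by vendor name.
function evaluateAll(vendors, previousSnapshots, currentSnapshots) {
  return vendors.map((v) => evaluateVendor(v, previousSnapshots[v.name], currentSnapshots[v.name]));
}

// Constructed sample data: three vendors and two daily snapshots. The vector
// labels are illustrative, not the integration's field names.
const SAMPLE_VENDORS = [
  { name: "Acme Cloud", tier: "critical" },
  { name: "Beta Payroll", tier: "high" },
  { name: "Gamma Print", tier: "standard" },
];
const SAMPLE_PREVIOUS = {
  "Acme Cloud":   { rating: 760, vectors: { "tls-config": "A", "botnet": "A" } },
  "Beta Payroll": { rating: 690, vectors: { "tls-config": "B", "botnet": "C" } },
  "Gamma Print":  { rating: 600, vectors: { "tls-config": "B", "botnet": "B" } },
};
const SAMPLE_CURRENT = {
  "Acme Cloud":   { rating: 740, vectors: { "tls-config": "A", "botnet": "A" } }, // small dip, no action
  "Beta Payroll": { rating: 630, vectors: { "tls-config": "B", "botnet": "C" } }, // below floor and big drop
  "Gamma Print":  { rating: 598, vectors: { "tls-config": "F", "botnet": "B" } }, // one vector newly failing
};

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateAll(SAMPLE_VENDORS, SAMPLE_PREVIOUS, SAMPLE_CURRENT)) {
    console.log(r.alert
      ? `ALERT ${r.vendor}: ${r.reasons.join("; ")} -> ${r.assessment} (${r.assignTo})`
      : `ok    ${r.vendor}: rating ${r.rating} (${r.delta >= 0 ? "+" : ""}${r.delta})`);
  }
}
```

The per-tier floor and drop limits are what make the alerting "customized": a 20-point dip at a critical vendor is tolerated here, while the same vendor would be escalated for a 30-point dip that a standard-tier vendor could absorb. Checking individual vector grades separately catches a regression, such as a newly failing TLS configuration, that the aggregate rating can mask.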


The BitSight application is available on the ServiceNow Store for customers with existing ServiceNow licenses.

Watch the Ask the Expert session "How Security Ratings and Continuous Monitoring are Revolutionizing Cyber Risk Manage..." to see the integration between BitSight and ServiceNow Vendor Risk Management in action. Learn more about BitSight at www.bitsighttech.com and about Vendor Risk Management at www.servicenow.com/grc

1. Ponemon Institute, Cost of a Data Breach report, 2017