New Report Finds Vendor & Supplier Security Is a Gaping Hole

Nov 05, 2015, 16:17 ET from SecurityScorecard and Enterprise Strategy Group (ESG)

NEW YORK, Nov. 5, 2015 /PRNewswire/ -- How does an organization receive continuous and actionable visibility into the security risk posture of third-party vendors and suppliers? A study conducted by Enterprise Strategy Group (ESG), an IT research and strategy firm, looks at this issue in depth.

"CISOs are reacting to a complex vendor ecosystem and risk landscape by increasing their security budgets, recruiting staff, and purchasing the latest cybersecurity defenses," wrote Jon Oltsik, Senior Principal Analyst at ESG, in the report. "These tactics, however, often miss risks that are under the surface since they reside in partner and supplier systems."

Increases in the number of third parties and data breaches originating from suppliers are widening the attack surface. ESG's survey of 303 IT security professionals found the following, and much more, in the report:

  • 34% of organizations have experienced an increase in the number of external third parties with access to internal assets.
  • Similarly, 31% reported that one or more of their IT suppliers have reported security breaches over the last few years.

Traditional vendor audits are based upon point-in-time technical information, often collected on a quarterly or annual basis. While regulations require due diligence, assessing third-party risk only once a year cannot keep pace with how quickly that risk changes and is not making companies more secure.

"Security risk today is incredibly dynamic and fast moving... It cannot be isolated to a single point-in-time answer given on a vendor questionnaire or one-time audit," stated Dr. Aleksandr Yampolskiy, CEO & Co-founder of SecurityScorecard. "Forward-looking organizations need a continuous and metrics-based view of security risk with real information depth in a context executives and board members can understand and easily digest, such as benchmark."

SecurityScorecard, the leading security risk benchmarking service, provides objective, non-intrusive security risk metrics for any type of vendor, giving CISOs and vendor risk managers the data they need to make intelligent vendor decisions without requiring permission.

"To understand where an organization should prioritize its security risk, it needs to have information depth that is instant and on demand, gives comparable business context and metrics, and maps to the predominant security and risk standards," wrote Oltsik. "To be truly actionable, enterprises need a multi-dimensional assessment approach across all key security risk factors like SecurityScorecard provides rather than a single-dimensional security rating."

Download the full report - "Intelligence-driven Vendor and Supplier Security Risk Management".

To read the ESG study, "Cyber Supply Chain Security Revisited", go here.

About Enterprise Strategy Group
Enterprise Strategy Group (ESG) is an integrated IT research, analysis, and strategy firm that is world-renowned for providing actionable insight and intelligence to the global IT community. Recognized for its unique blend of capabilities -- including market research, hands-on technical product validation, and expert consulting methodologies such as the ESG Strategy Lifecycle -- ESG is relied upon by IT professionals, technology vendors, investors, and the media to clarify the complex. For more information visit:

About SecurityScorecard's Benchmarking Service
SecurityScorecard allows organizations to benchmark the security of any partner, competitor, supplier, vendor, or other third party or company, without requiring permission. Compare any company's security performance against other organizations within the same industry in real time. The platform is completely self-service, making it the most business-ready and technically sound security risk benchmarking platform in existence today. The proprietary foundation of the platform is the ThreatMarket™ data engine, which collects over 30 million daily security risk signals from the entire Internet.

About SecurityScorecard
SecurityScorecard was founded in 2013 by two former Chief Information Security Officers, Dr. Aleksandr Yampolskiy and Sam Kassoumeh. SecurityScorecard is made up of veteran security researchers, cryptographers, data scientists, and software engineers. The company is privately held with headquarters in New York City. Security Scorecard investors include Sequoia Capital, Evolution Equity Partners, Boldstart Ventures, and others.
For further information, please visit, email or call +1 800-682-1707. SecurityScorecard and the SecurityScorecard logo are trademarks of SecurityScorecard, Inc. Other marks belong to their respective owners.

SOURCE SecurityScorecard; Enterprise Strategy Group (ESG)