SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

Trustwave Managed Vendor Risk Assessment GA

August 10, 2021

Trustwave has launched a first-of-its-kind cyber supply chain risk assessment solution for enterprises and SMBs in the Pacific region. The service, called Managed Vendor Risk Assessment (MVRA), gives organisations access to deep, fully scalable cybersecurity vendor assessments formerly prohibitively expensive.

Demand for this solution has been driven by organisations increasingly reliant on external vendors for the provision of data processing and storage services, as well as a range of other cloud-based or security-sensitive services. Greater outsourcing and deeper integration with vendors means heightened supply chain risk exposure.

In addition, recent supply chain breaches discussed extensively in the media, including the SolarWinds Orion breach, have raised awareness of the need to move away from ad hoc vendor assessments or those built solely on technology which frequently miss vulnerabilities or lead to bad commercial outcomes for both parties.

“Part of the reason we built MVRA is our concern for the cyber resilience of the enterprise space. We are encountering gaps in organisations where vendors are left unassessed because of the perceived cost. MVRA gives organisations the ability to assess a large number of vendors with a consistency of measurement not possible before while still leveraging the expertise of genuine security consultants. For these organisations and the wider community, scalability brings safety,” said Nick Ellsmore, global head of strategy, consulting & professional services at Trustwave.

Ellsmore said that MVRA is a solution informed by decades of real-world consulting experience on the cybersecurity frontlines married to best-in-class risk assessment technology.

This technology has been developed by Findings — whose platform is a global solution of choice in VRM automation for enterprises and vendors of all sizes. By automating the labour-heavy process of vendor assessments, Findings allows for fuller coverage of the organisation’s supply chain, and therefore heightened security and lower supply chain risk.

“While conventional methods apply a Pareto cutoff to invest their manual resources in some of their vendors, current attacks have shown this approach’s vulnerabilities and the need for wider coverage,” says Kobi Freedman, co-founder and CEO of Findings. “Security friction is becoming a global challenge on supply chains, whether from regulatory or objective risk.”

Ellsmore added, “MVRA uses Findings’ technology to accelerate and harmonise critical elements of the audit. Riding on top of this is a layer of experience and strategic human cybersecurity thinking specifically applied to deliver the best outcomes.”

“It takes people to assess people. Purely technological solutions to the vendor supply chain risk are sometimes adequate but often come up short because they tend to minimise real risk while amplifying smaller risks. They don’t apply a business thinking lens.”

Ellsmore also said that part of the challenge is what he calls “Go/No Go” decisions about third-party suppliers. These decisions are being made without enough information and consistency. For example, a fully automated supply chain assessment might lead a company to rule out a vendor too quickly without considering the business implications.

“What we’re seeing is unintended cybersecurity consequences,” Ellsmore said. “A marketing department, for instance, gets rid of a very effective customer engagement technology based on a superficial vendor risk assessment, only to find three months later everyone on the team is surreptitiously using a handful of different, unvetted solutions to fill this gap.”

Based on 25 years of cybersecurity services experience and thousands of risk assessments, the service encompasses both an automated and specialist-led assessment, built on a software-as-a-service (SaaS) platform that is easy to use by organisations of all sizes.

The MVRA service provides:

Streamlined process to onboard vendors and collect essential data, including penetration test reports, audit reports, and technical and organisational data;

Comprehensive security maturity questionnaire built on the NIST Cybersecurity Framework that is both reasonable and realistic for vendors to complete;

A further review of each vendor’s responses and data conducted by a skilled Trustwave specialist who understands possible indications and implications of vendor risk. Each answer and security asset is reviewed by our experts for completeness and accuracy;

For each vendor assessed, a report is delivered within eight days. The report identifies the vendor’s maturity and risk rating on a consistent scale, helping clients understand the potential risk exposure as it pertains to the nature of their business – the type of system, sensitivity and volume of data, and nature of the supply chain link;

Assessment reports also importantly deliver an impact analysis with recommendations for remediating gaps and issues for each vendor.

Terms of Use | Copyright © 2002 - 2021 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement