
Page 1: Continuous Third-Party Security Monitoring Powers Business ... · Adoption Profile Commissioned By BitSight Technologies January 2015 Continuous Third-Party Security Monitoring Powers

A Custom Technology Adoption Profile Commissioned By BitSight Technologies

January 2015

Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability

Introduction

As concerns around data guardianship, targeted attacks, and advanced security threats have risen, so too have the number and significance of various types of third-party relationships, such as those with suppliers and partners. Therefore, more potential vulnerabilities are being exposed at the same time that regulator, customer, and business scrutiny of such is reaching an apex. In October 2014, BitSight Technologies commissioned Forrester Consulting to examine the current practices of IT decision-makers as they relate to monitoring and managing third-party risk, along with their perceptions of the potential impacts of objective and reliable continuous monitoring that aren’t apparent from manual efforts like qualitative questionnaires.

Enterprises are experiencing increased pressure from regulators, frameworks, and other sources to expand third-party oversight while also incorporating more line-of-business objectives and input when sourcing vendors and evaluating their worthiness. As such, there is significant appetite for monitoring various elements of third-party security, yet few firms have the resources to do so with adequate frequency or objectivity. To rectify this gap, the majority of survey respondents see benefit from a continuous third-party monitoring capability. This includes significant improvement in metrics, ranging from the vendor sourcing process to incident identification and remediation.

This BitSight-commissioned profile of enterprise IT security decision-makers in the US, UK, France, and Germany evaluates attitudes and capabilities regarding third-party security compliance, based on Forrester’s own market data and a custom study of the same audience.


Regulations And Frameworks Are Driving Increased Third-Party Security Scrutiny

Today’s IT security professionals certainly have no shortage of concerns and priorities on their plates. Forrester’s Business Technographics Global Security Survey, 2014, however, shows that among those in US and European enterprises, ensuring regulatory compliance is of particular importance, with 82% ranking it as a “critical” or “high” priority (see Figure 1). Seventy-nine percent reported that another top priority is ensuring business partners and third parties — which are increasingly in the mix due to modern business objectives and resources, and whose policies and practices may be opaque — comply with their security requirements.

The importance of such concerns is underscored by dismally low levels of compliance, including on the part of third parties with whom so many firms do business today. Forrester data shows that across 18 regulations, professional frameworks, and best practice guidance documents, an average of only 29% of firms are fully compliant (see Figure 2). But these firms will likely soon have even more onus for protecting their data, as the level of regulatory oversight is only increasing. As of September 2014, the US Congress is considering 112 pieces of legislation addressing privacy and data breaches, and the EU Commission is preparing to significantly tighten data regulations in an update to its 1995 Data Protection Directive.1 Federal contractors, in particular, are currently in the unenviable position of navigating the intentionally vague guidelines set forth in the massively overhauled National Institute of Standards and Technology (NIST) framework.2 They will need to conduct thorough reviews of their partners to ensure compliance.

Third Parties Are Being Held Accountable For Increasingly Security-Minded Business Goals

Forrester estimates that in 2014, IT departments among enterprises in the US, UK, France, and Germany allocated 21% of their overall IT spending to third parties.3 That equates to over $270 billion annually in the US alone.4 With such a large portion of spend going to service providers, it follows logically that IT decision-makers are expecting a lot from these relationships. And indeed, they are taking steps to ensure they get maximum value. Fifty-six percent of our survey respondents said they are better coordinating with their business counterparts to define outcomes, 51% are directly involving them in defining metrics, and 50% are writing business outcomes and performance metrics directly into their contracts (see Figure 3). In other words, thanks to greater appreciation of the legal, IT, public relations, and insurance costs (among others) that follow breaches often made possible by the new anytime, anywhere technologies customers demand, ensuring these capabilities and services follow policies and best practices is now directly tied to the bottom line.5

FIGURE 1: Regulatory Compliance And Third-Party Security Concerns Are Top IT Priorities

Base: 375 IT decision-makers at enterprises in the US, UK, France, and Germany
Source: Business Technographics Global Security Survey, 2014, Forrester Research, Inc.

FIGURE 2: Full Regulatory Compliance Is Rare

Base: 1,039 IT decision-makers at enterprises in the US, UK, France, and Germany
Source: Business Technographics Global Security Survey, 2014, Forrester Research, Inc.

FIGURE 3: IT Has Increased Coordination With Lines Of Business To Ensure Third-Party Relationships Are Valuable

Base: 106 IT security decision-makers at enterprises in the US, UK, France, and Germany
Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014

Ironically, though hardly a surprise, the move toward outsourcing has not bypassed the security organization. In fact, as far back as 2012, an average of 62% of security decision-makers had implemented, were planning to implement, or were interested in implementing as-a-service approaches across 13 security categories, with the highest number (71%) for vulnerability assessments.6 Two years later, that shift has only accelerated, with 70% of respondents to our custom survey indicating that leveraging cloud-based or managed security services is a high or critical priority at their organizations.

IT Seeks Third-Party Security Tracking And Management Capabilities But Relies On Sporadic Intelligence

IT decision-makers aren’t just looking at the strategic value of their third-party relationships. In fact, they’re very interested in getting down to brass tacks. According to Forrester’s Forrsights Security Survey, Q3 2013, respondents from enterprises in the US, UK, France, and Germany show significant interest in tracking hard metrics from their suppliers around risk of critical data loss or exposure (63%), general security risks such as cyberattacks (62%), and risk of intellectual property theft (52%), among others (see Figure 4). In our custom survey, we asked respondents from the same population about more specific pieces of third-party security information they would see value in monitoring and uncovered significant appetite for insight into those firms’ own security practices. Roughly two-thirds of respondents, for example, indicated a desire to know third-party threat and vulnerability management practices (68%), encryption policies and procedures (67%), security incident response processes (66%), and threat intelligence practices (64%).

Despite their enthusiasm for third-party security insights, respondents to our custom survey reported only sporadic updates to their knowledge of such information. In fact, no more than 37% reported formally tracking any one of these metrics on at least a monthly basis, thereby leaving them vulnerable in the event of a breach or change in policy. On average, 59% of respondents claimed to glean valuable insight from these metrics, but fewer than half of that number (22%) have the opportunity to do so monthly (see Figure 5).

What’s more, firms that rely on disconnected governance, risk, and compliance (GRC) efforts, including overly manual processes such as surveys (which introduce human error and time lag considerations), provide cloudy insights at best and simply do not keep up with the pace demanded by the business today.7

Continuous Third-Party Monitoring Improves IT And Business Performance

Given that most firms today fail to formally track third-party security information with prudent frequency, continuous monitoring may seem like a pie-in-the-sky notion. Yet, when asked to consider such a capability, respondents to our custom survey showed a clear awareness of the shortcomings of their current approaches. A clear majority anticipate a major or moderate benefit resulting from continuous third-party monitoring for any one of the seven metrics we asked about.

FIGURE 4: IT Seeks The Ability To Track Supplier Risk Metrics

Base: 422 IT decision-makers at enterprises in the US, UK, France, and Germany
Source: Forrester Forrsights Services Survey, Q3 2013


The most impressive number of respondents agreed on the tactical benefits in the case of a security event, such as event identification time (76%), event remediation time (72%), and response time to high-profile events such as Heartbleed and POODLE (71%). Respondents also anticipate more strategic benefits of such a monitoring approach. For instance, 65% predicted major or moderate benefits to their ability to compare security postures among third parties, with 63% and 62% reporting the same for their ability to screen vendors based on risk and evaluate infrastructure configuration of third parties, respectively (see Figure 6).

FIGURE 5: IT Sees Value In Third-Party Security Monitoring But Relies On Sporadic Intelligence

Base: 106 IT decision-makers at enterprises in the US, UK, France, and Germany
Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014

FIGURE 6: Continuous Monitoring Is Seen As Beneficial To Critical Metrics

Base: 106 IT decision-makers at enterprises in the US, UK, France, and Germany
Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014


Conclusion

In the midst of high-profile data breaches and an increased awareness by the public and regulators of the importance of good data guardianship, firms today are allocating significant portions of their IT budgets — hundreds of billions of dollars per year in the US alone — to third parties. In addition, IT professionals are making efforts to better align their vendor contracts with business objectives. As a result, there is an appetite among the majority of these professionals to track and monitor important third-party metrics, such as the risk of losing critical company data and event identification and remediation times.

Yet most firms fail to do so with adequate frequency. Across the nine types of third-party information we surveyed IT security decision-makers on, an average of 59% indicated a desire to track and monitor. Yet across those same nine information types, an average of only 22% were tracking with monthly or greater frequency. Enterprises overwhelmingly anticipate major or moderate improvement to many metrics around third-party evaluation, such as the ability to compare security postures, screen vendors based on risk, and evaluate infrastructure configurations. Additionally, enterprises anticipate reductions in the time required for security event identification and remediation and in response times to high-profile events.

Real-time security monitoring can benefit many industries and departments beyond IT. Potential use cases include merger and acquisition due diligence for law and investment firms, federal agencies monitoring the ongoing security practices of the nation’s critical infrastructure, or insurance actuaries determining the appropriate insurance rates for cyberinsurance coverage. What’s more, agencies such as the Office for Civil Rights can use security monitoring tools to triage their HIPAA audit scheduling, and healthcare providers can use the technology to assess the risk posed by their in-network physicians and centers as third parties. It’s fair to say that continuous security monitoring can find an appropriate role in nearly any organization.

Methodology

This Technology Adoption Profile was commissioned by BitSight Technologies. To create this profile, Forrester leveraged its Forrsights Services Survey, Q3 2013 and Business Technographics Global Security Survey, 2014. Forrester Consulting supplemented this data with custom survey questions asked of 106 IT security and risk management decision-makers at firms with over 1,000 employees in the US and over 500 employees in the UK, France, and Germany. Survey respondents included IT security professionals from various industries with manager or above seniority and responsibility for third-party IT service sourcing and management. The auxiliary custom survey was conducted in November 2014. For more information on Forrester’s data panel and Tech Industry Consulting services, visit www.forrester.com.

Endnotes

1 Source: “How Dirty Is Your Data?” Forrester Research, Inc., September 16, 2014.

2 Source: “Brief: New NIST Cybersecurity Guidelines Target Firms With US Federal Agency Customers,” Forrester Research, Inc., July 11, 2014.

3 Source: Forrester’s Business Technographics Global Business and Technology Services Survey, 2014.

4 A recent Forrester study estimates total IT spend by businesses and government in the US at over $1.3 trillion. Source: “US Tech Market Outlook For 2014 And 2015 — Solid, Steady Growth,” Forrester Research, Inc., April 24, 2014.

5 Source: “Build The Business Case For GRC,” Forrester Research, Inc., December 10, 2014.

6 Source: “Security’s Cloud Revolution Is Upon Us,” Forrester Research, Inc., August 2, 2013.

7 Source: “Choose The Right Technologies To Support Your GRC Program,” Forrester Research, Inc., April 28, 2014.

ABOUT FORRESTER CONSULTING

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. 1-S27AU1