1 A Custom Technology Adoption Profile Commissioned By BitSight Technologies Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability Introduction As concerns around data guardianship, targeted attacks, and advanced security threats have risen, so too have the number and significance of various types of third-party relationships, such as those with suppliers and partners. Therefore, more potential vulnerabilities are being exposed at the same time that regulator, customer, and business scrutiny of such is reaching an apex. In October 2014, BitSight Technologies commissioned Forrester Consulting to examine the current practices of IT decision-makers as they relate to monitoring and managing third-party risk, along with their perceptions of the potential impacts of objective and reliable continuous monitoring that aren t apparent from manual efforts like qualitative questionnaires. Enterprises are experiencing increased pressure from regulators, frameworks, and other sources to expand third-party oversight while also incorporating more line-of-business objectives and input when sourcing vendors and evaluating their worthiness. As such, there is significant appetite for monitoring various elements of third-party security, yet few firms have the resources to do so with adequate frequency or objectivity. To rectify this gap, the majority of survey respondents see benefit from a continuous third-party monitoring capability. This includes significant improvement in metrics, ranging from the vendor sourcing process to incident identification and remediation. This BitSight-commissioned profile of enterprise IT security decision-makers in the US, UK, France, and Germany evaluates attitudes and capabilities regarding third-party security compliance, based on Forrester s own market data and a custom study of the same audience. January 2015
2 1 Regulations And Frameworks Are Driving Increased Third-Party Security Scrutiny Today s IT security professionals certainly have no shortage of concerns and priorities on their plates. Forrester s Business Technographics Global Security Survey, 2014, however, shows that among those in US and European enterprises, ensuring regulatory compliance is of particular importance, with 82% ranking it as a critical or high priority (see Figure 1). Seventy-nine percent reported that another top priority is ensuring business partners and third parties which are increasingly in the mix due to modern business objectives and resources, and whose policies and practices may be opaque comply with their security requirements. The importance of such concerns is underscored by dismally low levels of compliance, including on the part of third parties with whom so many firms do business today. Forrester data shows that across 18 regulations, professional frameworks, and best practice guidance documents, an average of only 29% of firms are fully compliant (see Figure 2). But these firms will likely soon have even more onus for protecting their data, as the level of regulatory oversight is only increasing. As of September 2014, the US Congress is considering 112 pieces of legislation addressing privacy and data breaches, and the EU Commission is preparing to significantly tighten data regulations in an update to its 1995 Data Protection 1 Directive. Federal contractors, in particular, are currently in the unenviable position of navigating the intentionally vague guidelines set forth in the massively overhauled National 2 Institute of Standards and Technology (NIST) framework. They will need to conduct thorough reviews of their partners to ensure compliance. Third Parties Are Being Held Accountable For Increasingly Security-Minded Business Goals Forrester estimates that in 2014, IT departments among enterprises in the US, UK, France, and Germany allocated 3 21% of their overall IT spending to third parties. That 4 equates to over $270 billion annually in the US alone. With FIGURE 1 Regulatory Compliance And Third-Party Security Concerns Are Top IT Priorities Base: 375 IT decision-makers at enterprises in the US, UK, France, and Germany Source: Business Technographics Global Security Survey, 2014, Forrester Research, Inc.
3 2 FIGURE 2 Full Regulatory Compliance Is Rare Base: 1,039 IT decision-makers at enterprises in the US, UK, France, and Germany Source: Business Technographics Global Security Survey, 2014, Forrester Research, Inc. FIGURE 3 IT Has Increased Coordination With Lines Of Business To Ensure Third-Party Relationships Are Valuable Base: 106 IT security decision-makers at enterprises in the US, UK, France, and Germany Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014 such a large portion of spend going to service providers, it follows logically that IT decision-makers are expecting a lot from these relationships. And indeed, they are taking steps to ensure they get maximum value. Fifty-six percent of our survey respondents said they are better coordinating with their business counterparts to define outcomes, 51% are directly involving them in defining metrics, and 50% are writing business outcomes and performance metrics directly
4 3 into their contracts (see Figure 3). In other words, thanks to greater appreciation of the legal, IT, public relations, and insurance costs (among others) that follow breaches often made possible by the new anytime, anywhere technologies customers demand, ensuring these capabilities and services follow policies and best practices is now directly 5 tied to the bottom line. FIGURE 4 IT Seeks The Ability To Track Supplier Risk Metrics Ironically, though hardly a surprise, the move toward outsourcing has not bypassed the security organization. In fact, as far back as 2012, an average of 62% of security decision-makers had implemented, were planning to implement, or were interested in implementing as-a-service approaches across 13 security categories, with the highest 6 number (71%) for vulnerability assessments. Two years later, that shift has only accelerated, with 70% of respondents to our custom survey indicating that leveraging cloud-based or managed security services is a high or critical priority at their organizations. IT Seeks Third-Party Security Tracking And Management Capabilities But Relies On Sporadic Intelligence IT decision-makers aren t just looking at the strategic value of their third-party relationships. In fact, they re very interested in getting down to brass tacks. According to Forrester s Forrsights Security Survey, Q3 2013, respondents from enterprises in the US, UK, France, and Germany show significant interest in tracking hard metrics from their suppliers around risk of critical data loss or exposure (63%), general security risks such as cyberattacks (62%), and risk of intellectual property theft (52%), among others (see Figure 4). In our custom survey, we asked respondents from the same population about more specific pieces of third-party security information they would see value in monitoring and uncovered significant appetite for insight into those firms own security practices. Roughly twothirds of respondents, for example, indicated a desire to know third-party threat and vulnerability management practices (68%), encryption policies and procedures (67%), security incidence response processes (66%), and threat intelligence practices (64%). Despite their enthusiasm for third-party security insights, respondents to our custom survey reported only sporadic updates to their knowledge of such information. In fact, no more than 37% reported formally tracking any one of these metrics on at least a monthly basis, thereby leaving them Base: 422 IT decision-makers at enterprises in the US, UK, France, and Germany Source: Forrester Forrsights Services Survey, Q vulnerable in the event of a breach or change in policy. On average, 59% of respondents claimed to glean valuable insight from these metrics, but fewer than half of that number (22%) have the opportunity to do so monthly (see Figure 5). What s more, firms that rely on disconnected governance, risk, and compliance (GRC) efforts, including overly manual processes such as surveys (which introduce human error and time lag considerations), provide cloudy insights at best and simply do not keep up with the pace demanded by the 7 business today. Continuous Third-Party Monitoring Improves IT And Business Performance Given that most firms today fail to formally track third-party security information with prudent frequency, continuous monitoring may seem like a pie-in-the-sky notion. Yet, when asked to consider such a capability, respondents to our custom survey showed a clear awareness of the shortcomings of their current approaches. A clear majority anticipate a major or moderate benefit resulting from continuous third-party monitoring for any one of the seven metrics we asked about.
5 4 FIGURE 5 IT Sees Value In Third-Party Security Monitoring But Relies On Sporadic Intelligence Base: 106 IT decision-makers at enterprises in the US, UK, France, and Germany Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014 The most impressive number of respondents agreed on the tactical benefits in the case of a security event, such as event identification time (76%), event remediation time (72%), and response time to high-profile events such as Heartbleed and POODLE (71%). Respondents also anticipate more strategic benefits of such a monitoring approach. For instance, 65% predicted major or moderate benefits to their ability to compare security postures among third parties, with 63% and 62% reporting the same for their ability to screen vendors based on risk and evaluate infrastructure configuration of third parties, respectively (See Figure 6). FIGURE 6 Continuous Monitoring Is Seen As Beneficial To Critical Metrics Base: 106 IT decision-makers at enterprises in the US, UK, France, and Germany Source: A commissioned study conducted by Forrester Consulting on behalf of BitSight Technologies, November 2014
6 5 Conclusion In the midst of high-profile data breaches and an increased awareness by the public and regulators of the importance of good data guardianship, firms today are allocating significant portions of their IT budgets hundreds of billions of dollars per year in the US alone to third parties. In addition, IT professionals are making efforts to better align their vendor contracts with business objectives. As a result, there is an appetite among the majority of these professionals to track and monitor important third-party metrics, such as the risk of losing critical company data and event identification and remediation times. Yet most firms fail to do so with adequate frequency. Across the nine types of third-party information we surveyed IT security decision-makers on, an average of 59% indicated a desire to track and monitor. Yet across those same nine information types, an average of only 22% were tracking with monthly or greater frequency. Enterprises overwhelmingly anticipate major or moderate improvement to many metrics around third-party evaluation, such as the ability to compare security postures, screen vendors based on risk, and evaluate infrastructure configurations. Additionally, enterprises anticipate reductions in times required for security event identification and remediation times and responses to high-profile events. Real-time security monitoring can benefit many industries and departments beyond IT. Potential use cases include merger and acquisition due diligence for law and investment firms, federal agencies monitoring the ongoing security practices of the nation s critical infrastructure, or insurance actuaries determining the appropriate insurance rates for cyberinsurance coverage. What s more, agencies such as the Office for Civil Rights can use security monitoring tools to triage their HIPAA audit scheduling, and healthcare providers can use the technology to assess their in-network physicians and centers to assess the risk of those third parties. It s fair to say that continuous security monitoring can find an appropriate role in nearly any organization. Methodology This Technology Adoption Profile was commissioned by BitSight Technologies. To create this profile, Forrester leveraged its Forrsights Services Survey, Q and Business Technographics Global Security Survey, Forrester Consulting supplemented this data with custom survey questions asked of 106 IT security and risk management decision-makers at firms with over 1,000 employees in the US and over 500 employees in the UK, France, and Germany. Survey respondents included IT security professionals from various industries with manager or above seniority and responsibility for third-party IT service sourcing and management. The auxiliary custom survey was conducted in November For more information on Forrester s data panel and Tech Industry Consulting services, visit Endnotes 1 Source: How Dirty Is Your Data? Forrester Research, Inc., September 16, Source: Brief: New NIST Cybersecurity Guidelines Target Firms With US Federal Agency Customers, Forrester Research, Inc., July 11, Source: Forrester s Business Technographics Global Business and Technology Services Survey, A recent Forrester study estimates total IT spend by businesses and government in the US at over $1.3 trillion. Source: US Tech Market Outlook For 2014 And 2015 Solid, Steady Growth, Forrester Research, Inc., April 24, Source: Build The Business Case For GRC, Forrester Research, Inc., December 10, Source: Security s Cloud Revolution Is Upon Us, Forrester Research, Inc., August 2, 2013.
7 6 7 Source: Choose The Right Technologies To Support Your GRC Program, Forrester Research, Inc., April 28, ABOUT FORRESTER CONSULTING Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting. 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to 1-S27AU1