In The Face of Increased Concern About Vendor Cybersecurity Risk, Company Behind SolarWinds Vulnerability and GoldenTax Discoveries Creates Fully Scalable Solution
SYDNEY, AUSTRALIA – Trustwave, a leading managed security services provider focused on managed detection and response, has launched a first-of-its-kind cyber supply chain risk assessment solution for enterprises and SMBs in the Pacific region. The service, called Managed Vendor Risk Assessment (MVRA), gives organizations access to deep, fully scalable cybersecurity vendor assessments formerly prohibitively expensive.
Demand for this solution has been driven by organizations increasingly reliant on external vendors for the provision of data processing and storage services, as well as a range of other cloud-based or security-sensitive services. Greater outsourcing and deeper integration with vendors means heightened supply chain risk exposure.
In addition, recent supply chain breaches discussed extensively in the media, including the SolarWinds Orion breach, have raised awareness of the need to move away from ad hoc vendor assessments or those built solely on technology which frequently miss vulnerabilities or lead to bad commercial outcomes for both parties.
“Part of the reason we built MVRA is our concern for the cyber resilience of the enterprise space. We are encountering gaps in organizations where vendors are left unassessed because of the perceived cost. MVRA gives organizations the ability to assess a large number of vendors with a consistency of measurement not possible before while still leveraging the expertise of genuine security consultants. For these organizations and the wider community, scalability brings safety,” said Nick Ellsmore, global head of strategy, consulting & professional services at Trustwave.
Ellsmore said that MVRA is a solution informed by decades of real-world consulting experience on the cybersecurity frontlines married to best-in-class risk assessment technology.
This technology has been developed by Findings – whose platform is a global solution of choice in VRM automation for enterprises and vendors of all sizes. By automating the labour-heavy process of vendor assessments, Findings allows for fuller coverage of the organization’s supply chain, and therefore heightened security and lower supply chain risk.
“While conventional methods apply a Pareto cutoff to invest their manual resources in some of their vendors, current attacks have shown this approach’s vulnerabilities and the need for wider coverage,” says Kobi Freedman, co-founder and chief executive officer of Findings. “Security friction is becoming a global challenge on supply chains, whether from regulatory or objective risk.”
Ellsmore added, “MVRA uses Findings’ technology to accelerate and harmonize critical elements of the audit. Riding on top of this is a layer of experience and strategic human cybersecurity thinking specifically applied to deliver the best outcomes.”
“It takes people to assess people. Purely technological solutions to the vendor supply chain risk are sometimes adequate but often come up short because they tend to minimize real risk while amplifying smaller risks. They don’t apply a business thinking lens.”
Ellsmore also said that part of the challenge is what he calls “Go/No Go” decisions about third-party suppliers. These decisions are being made without enough information and consistency. For example, a fully automated supply chain assessment might lead a company to rule out a vendor too quickly without considering the business implications.
“What we’re seeing is unintended cybersecurity consequences,” Ellsmore said. “A marketing department, for instance, gets rid of a very effective customer engagement technology based on a superficial vendor risk assessment, only to find three months later everyone on the team is surreptitiously using a handful of different, unvetted solutions to fill this gap.”
Based on 25 years of cybersecurity services experience and thousands of risk assessments, the service encompasses both an automated and specialist-led assessment, built on a software-as-a-service (SaaS) platform that is easy to use by organizations of all sizes.
The MVRA service provides:
- Streamlined process to onboard vendors and collect essential data, including penetration test reports, audit reports, and technical and organizational data;
- Comprehensive security maturity questionnaire built on the NIST Cybersecurity Framework that is both reasonable and realistic for vendors to complete;
- A further review of each vendor’s responses and data conducted by a skilled Trustwave specialist who understands possible indications and implications of vendor risk. Each answer and security asset is reviewed by our experts for completeness and accuracy;
- For each vendor assessed, a report is delivered within eight days. The report identifies the vendor’s maturity and risk rating on a consistent scale, helping clients understand the potential risk exposure as it pertains to the nature of their business – the type of system, sensitivity and volume of data, and nature of the supply chain link;
- Assessment reports also importantly deliver an impact analysis with recommendations for remediating gaps and issues for each vendor.
For more information about Managed Vendor Risk Assessment (MVRA) from Trustwave, please contact cpspacific@trustwave.com. You can also view our offering overview here.
About Trustwave
As a recognized global cyber defender that stops cyber threats all day, every day – we enable our clients to conduct their business securely.
Trustwave detects threats that others can’t see, enabling us to respond quickly and protect our clients from the devastating impact of cyberattacks. We leverage our world-class team of security consultants, threat hunters and researchers, and our market-leading security operations platform to relentlessly identify and isolate threats with the right telemetry at the right time for the right response.
Trustwave is a leader in managed detection and response (MDR), managed security services (MSS), consulting and professional services, database security, and email security. Our elite Trustwave SpiderLabs team provides award-winning threat research and intelligence, which is infused into Trustwave services and products to fortify cyber resilience in the age of advanced threats.