
Now that you’ve completed your vendor inventory, it’s time to classify your vendors according to the risk they pose to your organization. Third-party classification is about rating your third-party providers according to the amount of inherent risk they present to your organization. The term “inherent risk” isn’t necessarily in everyone’s vocabulary, so let’s explain what it is. Inherent risk is the amount of risk that a vendor poses to your company based strictly on how you intend to use them, before any of the vendor’s own controls are taken into account. Classifying your third-party providers according to inherent risk is a very simple process. The point in doing this is to make sure we only spend your valuable time, and the valuable time belonging to your partners, on the risks that really matter.

Inherent Risk Questionnaire

The classification process starts with the Inherent Risk Questionnaire. This is a simple questionnaire that is completed by the person within your organization who is responsible for the third-party relationship. This is usually the person who relies on the third party to complete certain tasks on behalf of your organization, or it’s the person who arranged for using the third party in the first place.

The questionnaire is very simple and straightforward, consisting of fewer than 10 questions.

VENDFENSE is very flexible and meant for all organizations. We pre-populate the system with default inherent risk questions to include in the Inherent Risk Questionnaire; however, we can also include custom questions.

Classification

Third-party providers are classified according to the inherent risk they pose to your organization. The classification is automatic, based on objective criteria defined and built into the SecurityStudio Classification Scoring System. The responses provided in the Inherent Risk Questionnaire lead to a classification of High, Medium, or Low. You could choose different words or different classifications, depending on your needs. The point is that the classification criteria should be objective, be a representation of inherent risk, and the classification levels you choose should be simple and logical.

A very important reason for classifying vendors according to inherent risk is to support the reasoning that not all vendors should be subjected to the same level of scrutiny because not all vendors pose the same amount of inherent risk.

High and Medium Impact

High and Medium impact (or inherent risk) third parties require additional review. The third parties that were classified as High or Medium impact are moved into processing at Phase 3 – Third-Party Risk Assessment.

Low Impact

Low impact third parties are not a significant concern for most organizations. For Low impact third parties, processing is complete once they have been classified. Low impact third parties are usually not reviewed again until the next cycle (quarterly, semi-annual, annual, etc.).

In some cases, the percentage of third parties that are Low impact is as high as 80%. This is important to note. If an organization works with 1,000 third parties, as many as 800 (or more) of them don’t need any further review beyond the initial inherent risk classification. This also means that there are 800 fewer questionnaires to keep track of and 800 fewer third parties that we need to secure. Also important is the fact that we have demonstrated our due diligence by ensuring that all third parties were classified according to objective criteria.

Once the Classification step is complete, you’re ready to start Phase 3 – Assessment.

In the simplest sense, a good vendor risk management program is made up of four phases: Inventory, Classification, Assessment and Treatment. These four phases make up a well-designed third-party information security risk management program.

Phase 1 – Vendor Inventory


We can’t effectively protect the things we don’t know we have from the threats we don’t know about. Every third party that the organization does business with must be included in the third-party inventory. It’s not that every third party poses a significant risk; it’s that we must show our due diligence regardless.

Everything starts with third-party inventory. The inventory of third-party providers is what feeds the SecurityStudio system. The purpose of the inventory phase is to get all your third parties into the system and ensure that your third-party inventory remains current.

The bulk of the work comes during implementation. After the system is set up and running, you rarely make any significant changes. Occasionally, you may decide to audit the third-party inventory by comparing the list of third parties maintained within SecurityStudio with the list of third parties maintained in other areas of the business. After the initial system setup, the inventory can be easily audited on an ongoing basis.

There are two parts to vendor inventory if you’re just getting started: the initial inventory and the onboarding process. Once you’re up and running, you will mostly focus on third-party onboarding.

Vendor Inventory

Most organizations don’t know who all their third-party providers are, and the place to start building your third-party inventory is through your finance department. The theory is that if you have a third-party provider, you must be paying for them somehow. There are three places to look for third-party providers initially for your inventory:

  • Third-party providers who are sending you invoices
  • Third-party providers who are being paid with a corporate credit card
  • Third-party providers who are paid by an employee who is being reimbursed for the expense.

Vendor Onboarding

Onboarding is focused on ensuring that all new third-party providers are accounted for in the vendor risk management program before they begin providing their product or service. Uploading third parties into the SecurityStudio system is a snap. You can either upload them one at a time or do a mass upload using a spreadsheet. Employees and finance personnel can enter new vendor information directly into SecurityStudio or we can link to an existing intranet site that you already have set up.

Once the Inventory and Onboarding steps are complete, you’re ready to start Phase 2 – Vendor Classification.

Information security programs are around to protect the data of the businesses they are a part of. Understanding risk is an important part of that, but ultimately it’s the business’s job to make decisions on what types of risks they are willing to accept. It’s the information security program’s job to make informed recommendations about those risks. Sometimes, though, those recommendations are ignored.

While it’s important to make decisions that are best for the business, deviating from security recommendations can pose challenges. It’s important that you maintain a simple, standardized, and defensible information security program (and vendor risk management specifically). Certain business decisions detract from that.

Simplify


We fully understand that a business’s first goal is to make money. That’s why businesses exist. Security programs are meant to create efficiencies that align with your business objectives and be a driving force for profit— not the other way around. However, if you choose to make decisions independent of your security team’s recommendations, you can actually achieve the opposite.

Information security programs (and their vendor risk management initiatives in particular) can have a monumental impact on the efficiencies of an organization— especially as it pertains to employee time.

People in information security programs are often required to chase down vendors. You need an inventory of all of your vendors so that you know which ones pose threats to you. To build it, your security team will start at accounts payable, get a list of the current vendors your business works with, and then spend ludicrous amounts of time trying to understand the level of risk each vendor poses.

Because your information security professionals have a limited understanding of what each vendor does, they have to get an idea from the person who works with them most closely how their interactions may pose security threats. You now have two employees taking up their time to get this information figured out.

Once this is finally determined, the information security employee is going to send out a questionnaire or spreadsheet to the vendor in hopes that the person on the other end is the right contact, that they’ll fill it out correctly, and that they won’t have to be chased down every three weeks to see if it’s been completed yet.

Do you see how time-consuming this can be?

A vendor risk management tool automates many of these processes. It eliminates the chasing, the back-and-forth, and the manual entry your information security employees would otherwise go through. Because of this, their time can instead be used on the things that will make the most positive impact on your bottom line. The same is true with the non-security employees that have to assist.

You may decide that you don’t want to spend the money on an automated solution to help you streamline these processes. Doing these things without systems, though, creates unnecessary complexities— and complexity is the enemy of security and business.

Standardize


Standards are crucial when it comes to information security. There are rules, guidelines, principles, and best practices that should help feed your information security decision-making.

Information Security Industry Standards

Certain industries have requirements and regulations they are asked to follow with regards to information security. If your organization fits their threshold, you likely have no choice but to comply. While these standards don’t necessarily provide the perfect example of what security is, they do provide good foundational rules to follow. Deviating from the rules of industry standards can have two effects.

This is actually an example of where deviating from rules and standards can be a good thing. As mentioned before, security standards often provide a good foundational base for your security programs, but they are often just that— a minimum requirement that helps you get started. Businesses can (and should) deviate from industry standards by adding to them. Adding measures on top of what the industry standards suggest you accomplish in your security program is an important step in bolstering your protections.

The opposite side of that coin is choosing to skip or ignore standards that are required by your industry regulations. Doing this can severely damage your business. Payment card industry (PCI) compliance is a good example. Many small businesses choose not to go through the steps of becoming PCI compliant because of the time, effort, and money that goes into complying. However, a breach that exposes your customers’ credit card information often creates irreparable financial and reputational losses that could end up forcing you to close your doors permanently.

When it comes to vendor risk management, the same concern applies. You can choose to deviate from acceptable industry norms here too. Some organizations choose to change the assessment questions that they ask their vendors to complete regarding their risk. Doing so may push you outside the compliance threshold of your industry standards, and it also requires someone to justify the changes. That justification relies on subjectivity rather than objectivity, which makes your decision significantly harder to explain if you ever need to defend it.

Internal Standards

Standards are one way to get everyone within your business on the same page about things like acceptable risk levels, information security spending, incident response measures, and more. Implementing a set of policies and procedures that are standard across your organization, and across organizations similar to yours, ensures that you’re taking the appropriate measures to mitigate risks and protect your business.

Deviating from your internal standards proves that they aren’t the right standards. If you feel that you need to make decisions that go against the standards of your organization, they clearly aren’t working for your business. And you won’t be able to expect others to follow them if you aren’t either.

Your risk increases as you deviate from standards too. Take the FISASCORE® for example. You can use risk assessment metrics like FISASCORE to set a risk threshold you want your organization and vendors to uphold. You might make a decision that everyone needs to be above a 650 in order to continue working with them. Sometimes, though, the business might feel the need to make a decision outside the standards set in place. You may work with an organization whose business is critical to the success of yours. Therefore, you may want to accept them as a vendor despite their FISASCORE being 550 instead. While it’s important you make these kinds of decisions if you feel they’re critical to the business, it’s also important to understand that this increases the likelihood your data is compromised.

Defend


Ultimately, creating standards and sticking to them is all about making your organization more defensible in the event that something does go awry and your data is compromised. Breaches do happen. Often. It’s impossible to prevent all breaches.

Deviating from standards makes your business less defensible when a breach happens.

If your business feels they need to make exceptions to rules for its benefit, that’s fine. If you make a system standard, you just have to defend the standard. Make sure you’re taking a logical and objective approach to all of your exceptions before implementing them. This will help you stay defensible (and help you ensure that your decisions aren’t going to have a negative impact on your security).

If you make decisions that deviate from standards, customize systems too much, etc., it becomes increasingly more difficult to explain your case to those who are asking. Unfortunately, a breach’s impact stretches beyond your boardroom. Customers, news outlets, lawyers, and more will be asking questions about how and why things happened the way they did— and what you plan to do about it.

Particularly on the legal side and the industry regulator side of this, you’re going to have to explain why the incident happened. If you make exceptions to rules, you have to defend the logic behind each exception: why didn’t you go with your standard? This is important to think about as you consider making decisions that extend beyond the scope of the industry and internal standards that have already been implemented.

Conclusion

While it’s important for businesses to take information security recommendations seriously, it’s also important to remember that information security programs are around to support the business’s objectives. For that reason, businesses should be allowed to make decisions outside the scope of industry and internal security regulations. If they do, though, there can and will be consequences. Weighing those consequences can be challenging, and it can be difficult to defend the logic behind any deviations. At the end of the day, if you’re going to make decisions outside the recommendations of information security standards, ensure they still help your business simplify, standardize, and defend.

It’s easy to be on the other side of a breach and point fingers. When we understand how a breach happened, the solutions seem like they should have been simple. These simple solutions (and preventative measures) are not always common sense though. In fact, as a whole, we don’t do a great job using these breaches to teach us the lessons they should.

We can use the 2013 Target breach as an example. Target wasn’t breached due to a lack of its own network security. Instead, an attacker was able to access its systems through a vendor. This vendor (an HVAC vendor, not even one that regularly interacts with Target’s network) was required by Target to access Target’s vendor portal. Attackers were able to retrieve log-in credentials from someone at the vendor to access Target’s portal. That was enough.

What’s not enough are the improvements that have been made across all organizations in vendor risk management since this incident occurred.

But we can still use it as a teachable moment now.


Where Target Went Wrong

When determining the vendor risk, there are two initial steps every organization should begin with.

First, organizations need to know who all of their vendors are. If you don’t have an inventory of every company you work with, how can you possibly know all the risks that your organization faces because of the vendors? Many organizations fail even this first step.

The second step (and where Target missed the mark) is classifying your vendors. It’s not enough to just know who your vendors are. Organizations also need to know the amount of risk each vendor poses to them. You can do this a number of ways, but the key is to categorize your vendors based on the types of information they touch (very sensitive or not sensitive) and how much data they have access to.

This is where Target went wrong.

How This May Have Been Avoided

It’s likely that Target (and many organizations, frankly) would look at an HVAC provider like Fazio Mechanical and immediately write them off as a low-risk vendor. In actuality, and because of the vendor’s access to Target’s online portal, Fazio Mechanical probably should have been classified as a medium-risk vendor.

Doing your due diligence in classifying a vendor as low risk is often enough to brush them off to the side and reevaluate their status in another year. However, in strong vendor risk management programs, medium-risk vendors are required to go through a vendor risk assessment process where the organization can get an understanding of the amount of risk that exists before allowing that vendor to continue to access its critical information.

It’s likely that Target did just that— brushed off their HVAC provider as a low-risk vendor and pushed them off to the side for reevaluation down the road.

Had they gone through an assessment with the vendor as if it were medium risk, they likely would have caught the lack of protection that was the reason behind the breach.
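As an added illustration (not SecurityStudio’s Classification Scoring System, whose criteria are not given on this page), the rule-based classifier below encodes the kind of objective criteria described in the Classification phase above and in this Target discussion: what data a vendor touches, how much of it, and whether the vendor holds credentials to your systems. The questionnaire fields, the 10,000-record threshold and the sample vendors are assumptions constructed for the example; note that an HVAC contractor with nothing but a portal login lands at Medium, not Low, and every result carries the rule that produced it so the decision can be explained later.

```python
from dataclasses import dataclass
from enum import Enum


class Impact(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


@dataclass(frozen=True)
class InherentRiskAnswers:
    # Constructed questionnaire fields (assumption); real questions are set per organization.
    vendor: str
    handles_sensitive_data: bool    # PHI, card data, PII, trade secrets
    record_count: int               # approximate number of records the vendor can reach
    system_access: bool             # any credentialed access to our network or vendor portal
    business_critical: bool         # would the vendor's failure halt a core process?


HIGH_VOLUME = 10_000  # assumed threshold; tune to the organization


def classify(a: InherentRiskAnswers) -> tuple[Impact, str]:
    """Return the inherent-risk level and the rule that produced it.

    The rule text is kept alongside the level so the classification can be
    defended later: every vendor is judged by the same ordered criteria,
    leaving no room for a gut-feel downgrade of a "boring" vendor.
    """
    if a.handles_sensitive_data and a.system_access:
        return Impact.HIGH, "sensitive data plus access to our systems"
    if a.handles_sensitive_data and a.record_count >= HIGH_VOLUME:
        return Impact.HIGH, f"sensitive data on {a.record_count:,} records"
    if a.system_access:
        # A portal login alone is enough to reach Medium, regardless of the service.
        return Impact.MEDIUM, "credentialed access to our network or portal"
    if a.handles_sensitive_data or a.business_critical:
        return Impact.MEDIUM, "sensitive data or business-critical service"
    return Impact.LOW, "no sensitive data, no system access, not critical"


def triage(inventory):
    """Phase 2 output: who goes on to Phase 3 assessment, who waits for the next cycle."""
    to_assess, deferred = [], []
    for answers in inventory:
        level, why = classify(answers)
        entry = (answers.vendor, level.value, why)
        (deferred if level is Impact.LOW else to_assess).append(entry)
    return to_assess, deferred


# Constructed sample inventory; these are not real vendors of any organization.
SAMPLE_INVENTORY = [
    InherentRiskAnswers("Claims clearinghouse", True, 250_000, True, True),
    InherentRiskAnswers("HVAC contractor", False, 0, True, False),   # portal login only
    InherentRiskAnswers("Office catering", False, 0, False, False),
    InherentRiskAnswers("Payroll processor", True, 1_200, False, True),
]

if __name__ == "__main__":
    assess, defer = triage(SAMPLE_INVENTORY)
    for row in assess + defer:
        print("%-22s %-6s %s" % row)
    print(f"{len(defer)}/{len(SAMPLE_INVENTORY)} vendors need no further review this cycle")
```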

Vendor Risk Management is About Logic

Making assumptions in information security is detrimental. Making assumptions provides a vehicle for avoiding issues that may be hyper-pertinent to your business. You may think that a vendor is low risk when it actually belongs in a more sensitive category.

When organizations build objectivity into the classification step of vendor risk management, they take out the assumptions and guesses. Assumptions and guesses erode your credibility.

If Target had gone through proper and objective steps to classify Fazio Mechanical (even if they had classified them incorrectly), at least they would have been able to prove that they did their due diligence and that the breach was not a result of their negligence.


How You Can Prevent This

Vendor risk management is all about simplifying, standardizing and making yourself defensible.

Build a list of your vendors first.

Then, work through standardized criteria to determine how much risk they pose to your organization. Get an understanding of exactly how they work with your organization and what kinds of data they touch. By doing that, you get an immediate grasp on how important it is that they handle their own information security practices well. Doing this will make sure you are defensible if something does go wrong, and will likely help limit the number of vendor-caused incidents you experience.

You can simplify this process by implementing a vendor risk management tool like SecurityStudio to help you automate your vendor identification and classification. With SecurityStudio, it’s likely that Fazio Mechanical would have been flagged as a medium-risk vendor, and then steps would have been taken to improve their security once the risk assessment was completed.

For more information on vendor risk management and for a live look at the tool that can help make your organization’s vendor risk management program simplified, standardized and defensible, visit securitystudio.com.

Vendor security risk management is not easy. It’s often a monotonous combination of spreadsheets, questionnaires, following up with people, and uncertainty. It’s often frustratingly tedious, and it can actually cause otherwise strong information security programs to falter. The best relief is to take a three-step approach to vendor risk management. Simplify. Standardize. Defend.

Simplify

Managing information security risk amongst a population of vendors and third parties is a complex problem for most organizations, and therefore most organizations either don’t manage vendor information security risk at all, or they don’t do it well.

Don’t Manage Vendor Information Security Risk at All

There are five common reasons why organizations don’t manage vendor information security risk:

  • They don’t have enough confidence in their own information security program.
  • They don’t have experience managing vendor information security risk; they don’t know where to start or what it’s supposed to look like.
  • They don’t know what questions to ask or what they should inquire about.
  • They don’t know who all their vendors are.
  • They have other priorities, and don’t get the time to tackle vendor information security risk management.

Question: Why don’t you do vendor information security risk management?

Don’t Manage Vendor Information Security Well

There are five common reasons why organizations don’t manage vendor information security well:

  • Their vendor information security risk management program is incomplete; missing vendors, missing parts of information security, incomplete questionnaires, no scoring/comparison, shortcut inherent risk and/or residual risk, etc.
  • The vendor information security risk management program is painful to manage.
  • The vendor information security risk management program is disorganized.
  • The vendor information security risk management program relies too much on subjectivity or opinion.
  • They’re just doing something for the sake of doing something. There’s no commitment to doing it right.

Question: What pains do you experience, or what concerns do you have about your vendor information security risk management approach?

Standardize

A vendor information security risk management program must be repeatable and standardized. Standardization enables the other two important features (Simplify and Defend). You need to be doing vendor information security risk management first to truly appreciate the value in standardization. A lack of standardization leads to run-away complexity and a program that is not defensible (against litigation, inquiry from regulators, etc.).

Defend

Defense comes in two forms:

  • Defense against the breach risk posed by your vendors
  • Defense against the lawyers, regulators, and angry customers if or when a breach occurs.

Defense from Vendors

We know that no matter what we do, we cannot possibly prevent all breaches from occurring. So, where are breaches most likely to occur? According to a recent study conducted by Soha Systems, 63% of all breaches are attributed to a vendor, directly or indirectly.* It’s hard to deny the fact that a breach occurring through a vendor is one of the most likely breach events. There’s no excuse for ignoring the risks posed by vendors or taking a half-hearted approach to vendor risk.

There are five common mistakes organizations make in assessing risk related to vendors:

  • Vendor information security risk management is primarily done to meet a regulatory requirement or to “check the box.”
  • Shortcut solutions are implemented to assess and manage information security vendor risk.
  • The logic behind the vendor information security risk decisions is not tied to how risk works (inherent risk or residual risk).
  • Vendor information security risks are accepted without a clear understanding of the risks or the most effective methods of remediation.
  • High (inherent) risk vendor responses are not adequately validated.

Question: Where are there gaps in your vendor information security risk management program?

Defense from the Crowd

We already know that the most likely source of a breach is through a vendor. Even if we do everything that we can to reduce this risk, some risk will remain. When a breach inevitably happens, we need a defense against a whole new breed of attackers. Lawyers, regulators, public opinion, and our own customers become our attackers. They want answers and they want retribution.

Our defense becomes something called due care. Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

Nobody expects perfection, but everyone should expect due care. Due care is where defensibility lives, and it’s imperative in our vendor information security risk management program. The question becomes, what would an ordinarily prudent or reasonable party do if they knew a vendor breach was eventual? Not accounting for vendor information security risk is indefensible.

For organizations with vendor information security risk management programs, here are some of the most common reasons why they could be less defensible:

  • Vendor information security risk decisions are subjective— or opinion-based.
  • Seemingly obvious information security risks are not adequately considered.
  • The personnel making risk decisions are not qualified to do so.
  • Roles and responsibilities for vendor information security risk management are not shared amongst qualified groups or are not formally defined at all.
  • The methodology used for vendor information security risk management is not shared by any group outside of your organization, or it is shared by only a small group of organizations.

Question: Where is your vendor information security risk management program defensible, and where is it not?

Conclusion

SecurityStudio is the most comprehensive solution to simplify, standardize, and defend. It’s a vendor information security management solution that was built by former vendor risk managers who have walked the walk.

To learn more about how a solution like SecurityStudio can help your vendor information security risk management processes, schedule a demo.

 

Cyber insurance is a rapidly-growing extension of the insurance industry. Data is now an important possession the same way your car and home are. However, insurance companies are having challenges in determining how much to charge and how much coverage that gets you. Luckily, there’s a metric for that.

Information security is a hot topic, and one that continues to be the concern of businesses all over the world. As more of our data lives online, and black-hat hackers become more sophisticated, the risk of our data being exposed is higher than ever. Unfortunately, there are many organizations who do not have the necessary skill sets or bandwidth to make information security a priority. Because of this, these organizations will often lean on their trusted managed service providers (MSPs) to assist them with their security objectives. Here are some statistics that show how offering information security as part of your service offering can make a big impact on both your clients, and your bottom line.

“Only a third of organizations believe they have adequate resources to manage security effectively.”

Source: Ponemon Institute

“Worldwide security spending is forecast to reach $96B in 2018, up 8% from 2017.”

Source: Gartner

“Gartner predicts that by 2019, total enterprise spending on security outsourcing services will be 75 percent of the spending on security software and hardware products, up from 63 percent in 2016.”

Source: Gartner

“Post data breach response activities include help desk activities, special investigative activities, remediation, legal expenditures, product discounts, identity protection services, etc. In the United States, these costs were $1.56 million per breach on average.”

Source: Ponemon Institute

“Global spending on cybersecurity products and services is expected to exceed $1 trillion cumulatively from 2017-2021, a 12-15% year-over-year increase.”

Source: Cybersecurity Ventures

“Demand for information security jobs is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million employees.”

Source: Forbes

“70% of employers around the world want to increase their cybersecurity staff size by 15% this year.”

Source: Global Information Security Workforce Study (GISWS)

“61 percent of breach victims in 2017 were businesses with under 1,000 employees.”

Source: Verizon

“The U.S. was the most targeted country in the past three years, accounting for 27 percent of all targeted attack activity.”

Source: Symantec

“56% say they have made changes to their strategies and plans to take information security into account, but only 4% are confident they have fully considered their current strategy.”

Source: EY

Most people are relatively aware of the Health Insurance Portability and Accountability Act (HIPAA). It was created to make sure that medical records of patients remain safe, and that the medical providers accessing them are doing their best to ensure that’s the case. When most people think of HIPAA, they often go right to medical providers and hospitals. It’s important to understand that dental providers are also expected to adhere to HIPAA requirements. However, being HIPAA compliant poses challenges for dental providers. Here are some of those challenges, and what dental providers can do to combat them.

Failure to Identify Your Dental Practice as a HIPAA “Covered Entity”

Covered entities are required to follow HIPAA requirements. A dental practice is a covered entity if it electronically transmits health information in connection with a standard transaction, such as a claim, eligibility inquiry or payment, to a dental plan, whether it does so directly or through a clearinghouse or billing service acting on its behalf. Unless your practice bills entirely on paper, it is very likely a covered entity and should be treating HIPAA requirements as its own.

Missing Business Associate Agreements (BAAs)

Outside people and companies often have access to patient records and information: billing services, practice-management software vendors, IT support, cloud backup providers and the like. Any third party that creates, receives, maintains or transmits protected health information (PHI) on your behalf is a business associate and must sign a BAA before it handles that data. Third parties are frequently the root cause of breaches and data exposure, so keep an inventory of them, review it on a regular basis, and be sure every one of them has a BAA in place.

Security Policies and Procedures

Well-thought-out, written plans are needed to keep your practice in compliance. Your HIPAA compliance policy should clearly state the responsibilities of the office and of each staff member in protecting patients’ private health information, and it should clearly outline how the office handles, investigates and remediates the various kinds of security incidents it may face.

Training

Training employees is a critical component of HIPAA compliance, even for dental practices. Once your policies and procedures are in place, it becomes critical that you train your employees on them. If someone’s job is affected by a change to your HIPAA policies or procedures, provide training on the change within a reasonable time after it becomes effective, and keep records of who was trained and when. Trained employees reduce the risk of a breach.

Texting and Email

HIPAA applies to emails and text messages sent to a patient, such as scheduling or appointment reminders. It also applies to emails and texts sent to another provider about a referral, with diagnostic images attached, or to discuss treatment. Here’s the kicker: HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening, because the data has left the systems the practice controls. HIPAA doesn’t prohibit using email or text to communicate patient information, but it must be done the proper way: keep PHI on practice-controlled accounts, send as little of it as the task requires, and use encryption where the content is sensitive.

Social Media

A restaurant is very likely to respond to a Yelp, Facebook or Google review, either to thank the reviewer or to try to make things right. Dental practices must be more careful. It’s easy to respond in a way that violates HIPAA: even confirming that the reviewer is a patient, or mentioning the appointment or treatment they are complaining about, discloses PHI. Make sure you and your employees understand the privacy rules before responding to reviews of your practice.

Other Media

When photos or videos are taken of a patient, other patients may be captured inadvertently in the background. These photos and videos are often shared on social media, which can compromise those patients’ privacy. Staff members caught in the frame raise privacy concerns of their own. Be aware of what is in the background of your images and videos, including screens, charts and sign-in sheets, so you do not expose patient information.

Reporting Breaches

Breaches happen. They can and do happen to anyone, at any time. It’s crucial that you understand what you need to report, and when. Covered dental practices must report breaches of unsecured protected health information to the affected individuals, to the HHS Office for Civil Rights (OCR) and, in some cases, to the media. Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered; a breach affecting 500 or more individuals must also be reported to HHS within that window and announced to prominent media outlets, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. Note the word “unsecured”: PHI that was encrypted in line with HHS guidance does not trigger notification, which is one more reason to encrypt laptops, backups and portable media. The bottom line is to have a plan for what to do when an incident occurs, because one certainly can.

How can you get a better understanding of these challenges, so you know how to avoid and face them? A security assessment is a great tool for that. Security assessments help you identify where your security gaps are. Once the gaps have been identified, you can use the assessment to develop action plans for improvement, meet HIPAA requirements and demonstrate to examiners that you have a strong data protection program. While a dental provider faces many challenges in becoming HIPAA compliant and safeguarding patient information, a security assessment puts you on the fast track to understanding and preventing the compromise of your patients’ data.

Information security demands are increasing at a dramatic rate. Security services are expected to grow to more than $100 billion by the year 2020, and nearly 40% of all contracts will be bundled with other security services and broader IT outsourcing projects. Becoming a managed security service provider (MSSP) by partnering with a security firm lets you get ahead of this curve and provide security services and enhancements to the customers who need and ask for them.

The Right Tools

Security tools are a key benefit of partnering with an information security company. By offering a broad range of products and services, you not only improve your customers’ security postures, but also give your organization the opportunity for strong monthly recurring revenue (MRR) and professional services revenue. It all starts with the assessment: your customers can’t improve their information security posture without first knowing what needs to be improved.


FISASCORE

SecurityStudio offers the most robust and comprehensive risk assessment tool on the market. Information security has many moving parts. To simplify that complexity, we needed a common language for security that anyone could understand, and from that need came the FISASCORE. FISASCORE is a numeric scoring system that measures risk by evaluating an organization’s administrative, physical and technical controls. It uses the same scale as a credit score and applies to any organization, which makes it a simple, comprehensive way for anyone to talk about security.


SecurityStudio

Often, when a breach or information security incident occurs, it originates with a vendor of the affected company rather than the company itself. Not only do organizations struggle to manage the risk their vendors bring to their information security; many of them aren’t even aware of who all their vendors are. Vendefense lets you find, list, categorize and assess your third parties. Using FISASCORE as the risk assessment metric, your customers can easily manage the risk their vendors pose.

Understanding Requirements

Your customers may simply want to be more secure. Many lines of business, however, have security requirements they must comply with. An additional benefit of becoming an MSSP by partnering with an information security organization is access to its knowledge base around audits, compliance and regulatory requirements. Working with security experts gives you training and assistance on these requirements, so that both you and your customers can meet the regulatory requirements of your industry. In turn, you’ll also dramatically improve your customers’ security postures.

Set Up to Succeed

Even with great products, a partnership will not succeed without solid relationships and mutual engagement. When you choose a security expert to partner with, choose one that will keep working alongside your organization to help you succeed. Good security partners provide sales and analyst training, sales and lead-generation tools, marketing content and more through a channel partner program. This not only positions your organization to satisfy all of its customers’ needs and wants, but also allows you to keep expanding your client base. By leveraging the techniques, practices and materials of expert partners, your organization quickly becomes a trusted security organization that customers will continue to lean on and build with.

Information security demands are increasing at a dramatic rate. By partnering with a security expert, you can provide your customers and clients with the right products and services to improve their information security while generating profit for your own organization at the same time.

To learn more about how you can become an MSSP for your clients, visit our become a partner page.