Metrics2Trust Suppliers

Started in December 2020

Almost every organisation uses third parties (suppliers) that provide services and products, ranging from cleaning companies to providers of cloud-based IT services. Dependence on these suppliers has increased in recent years.

The ultimate security level of an organisation and its services depends in part on the security level of the services a supplier provides to them and the security level of that supplier itself. 

That is why it is very important to have a good understanding of the security level of all suppliers. Security ratings are already used to classify suppliers, but there are different methods and no standardisation. The multiplicity of suppliers, each with many different services, makes this a difficult process.

The starting point of this project is research into which metrics are available and how they can be used in a standardised way to understand (changes in) the level of trust in third parties (suppliers), where trust relates both to the security of the services a supplier provides and to the security level of the supplier itself.

Project results

Activities in Explore phase
In this phase the project team explored which internal and external metrics are available in current processes and for different security controls, how the concept of trust can be modelled, and how available metrics can be combined in a standardised (potentially automated) and reusable way to indicate (changes in) the level of trust.

Conclusion at the end of the Explore phase
The key finding is that there are numerous metrics with an abundance of relevant features. The key outcome is that the (conceptual) model of trust already added value during the Explore phase, when incorporated into day-to-day activities. The key result is that the model can 'demystify' the current measuring and processing of metrics, increasing reusability and enabling automation. The results of the Explore phase on the numerous existing metrics and the (conceptual) model will be explained in an article. Updates on publication will follow at the end of this year.

Activities in the Proof of Concept phase
In the Proof of Concept phase, the team aims to build an interactive dashboard where current features of metrics on specific control domains (for instance patch management) can be classified, processed and transformed to indicate (change in) the level of trust related to a supplier. 

End result after the Proof of Concept phase
We have developed a dashboard that provides insight into supply chain risk.


This project is part of the trend (trend 9, opportunity and threat, May 2024):

Growing interdependencies between parties in the (globalized) supply chain

Organizations work together with, and use products from, software and equipment vendors all over the world. This increases dependency on third parties that are sometimes not well known. Vendor lock-in is one possible consequence, and it reduces overall transparency about how data is managed and where it is stored. Furthermore, the overall security of an organization becomes dependent on the quality of security in the products and services of third parties.
PCSI is a collaboration of ABN-AMRO, Achmea, ASML, Belastingdienst, ING and TNO.