Research Brief: Critical Infrastructure Organizations Continue to Minimize IT Vendor Security Audits

ESG surveyed security professionals working in the 18 public and private industry sectors designated as “critical infrastructure” by the U.S. Department of Homeland Security. This brief looks at how these organizations are auditing the security processes and procedures of their IT vendors and the extent to which vendor audit results factor in actual procurement decisions. Alarmingly, IT vendor audits frequently remain random, informal, “check-box” activities.