Other than in the heavily regulated banking and health care industries, vendor risk management remains cybersecurity’s second-class citizen, getting far less attention than it deserves.
Attacks originating from insecure vendors and other third parties generate more than half of reported breaches, yet most companies under-address that source of vulnerability.
Target’s breach in 2013 via an insecure HVAC vendor popularized the notion that a company is only as secure as its weakest link. The incident was a catalyst for the development of the vendor risk management (VRM) programs in place today. However, other factors also drive the need for VRM.
For one, data privacy regulations require companies to carefully track sensitive data entrusted to vendors and carry huge penalties for non-compliance.
Companies also have a natural motivation to hold their vendors more accountable for maintaining proper security standards. Rationalizing a vendor community can result in lower costs and better terms and conditions.
No two vendor risk management programs are alike. The factors to consider in assessing the maturity of a VRM program include:
Risks covered. Cybersecurity is one risk, but how likely is the vendor to go bankrupt? What safeguards are in place to minimize reputational risk or events that could compromise brand value? Does the vendor comply with sanctions regulations?
Process ownership. Mature programs have clear process ownership, with committee representation from across the organization.
Vendor coverage. Many companies lack a comprehensive inventory of their vendors. The 80/20 rule applies to vendor risk management, so the vendor list should be bucketed into tiers, with greater resources applied to the more sensitive ones.
Coverage persistence. Immature programs reactively investigate vendors. More mature programs schedule periodic assessments. It is now possible to continuously monitor the external risk factors that indicate the potential for a data breach.
Stage of involvement. Immature programs have limited or no influence on the selection of new vendors, and struggle to assert controls on existing vendors. In mature programs, VRM teams establish service levels before the contract is signed.
Why Is It Such a Challenge?
What is it about VRM that makes it more challenging to manage than other sources of cyber vulnerability?
No silver bullets. It’s natural to want a quick fix and technology providers invariably promote ‘plug and play’ solutions. However, doing VRM right is much more about people and process, and much less about technology.
It takes a village. Information security must work with legal (contracts, privacy), procurement and finance (risk management, internal audit) groups that can operate within silos, limiting cooperation.
Confrontation required. Having identified a vulnerability at the vendor level, the VRM team must get the business owner to confront the vendor and perhaps insist that they switch vendors. Effective VRM often requires uncomfortable confrontation.
Conventional approaches have limitations. Traditional tactics for vetting and monitoring security posture, such as questionnaires, penetration testing and on-site interviews, are periodic and can be incomplete and inaccurate. Both customers and vendors find these approaches to be tedious, time-consuming and expensive.
Limited pool of talent. Cybersecurity professionals are in short supply, affecting companies’ ability to staff VRM programs. VRM professionals must possess the rare combination of technical and diplomatic skills.
Despite these challenges, there are resources to help companies achieve a higher level of VRM program maturity.
Cyber risk ratings services are revolutionizing VRM by offering a scalable, cost-effective means of continuously monitoring the security posture of vendors. These firms measure all the risk factors that are visible from the outside, and can even predict a data breach. These services promote cyber transparency that can influence B2B market share.
ProcessUnity, MetricStream, and others firms automate the paper-intensive VRM process, enabling companies to move beyond spreadsheets to cloud-delivered platforms.
The Shared Assessments Program, managed by the Santa Fe Group, attempts to avoid wheel reinvention by developing and promoting standardized vendor questionnaires to its members. The program, and Santa Fe’s founder, won prestigious awards at the March 2019 RSA conference.
Cloud access security brokers enable companies to scan their log files to identify and risk assess cloud-based vendors that often go overlooked. Data maps based on responses to questionnaires are deficient.
Strong security and privacy compliance programs can represent a competitive advantage, but too many companies still consider them to be burdens to minimize. Emerging technology and other resources, as well as regulations with stiff penalties, are motivating companies to give VRM the support it demands.
Craig Callé is CEO of Source Callé LLC, a consulting firm focused on data security, privacy, and value creation. He is a former CFO of Amazon’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.