Before we dig in, let’s clarify “Vendor Risk Management”. The title of this article isn’t entirely accurate. The term “vendor risk management” and “vendor information security risk management” are two different things, but our industry often uses them interchangeably.
Vendor risk management (or “VRM” for short) rolls off the tongue better, ranks better in search results, and sells more products, but vendor information security risk management (or “VISRM” for short) is more accurate when discussing information security risk versus business risk. You might not be aware of the differences:
- Vendor risk management deals with business risk. Business risk includes financial risk, reputational risk, business process risk, legal risk, information security risk, and every other risk that a business deals with related to a vendor relationship.
- Vendor information security risk management deals with information security risk related to the vendor relationship. Information security risk is part of business risk, but it is not business risk.
The words “vendor”, “third-party”, and “supplier” are essentially the same, or close enough. Our preference is third-party because it accounts for vendors (people who sell things), suppliers (people who supply things), and all others third parties we might share data with.
Clarity in knowing that VISRM is part of a greater VRM program is important as you design and mature your approach to these things.
What is Vendor information security risk management?
It helps to break things down. A vendor is any person or organization who provides goods and/or services for a fee. Information security risk management (the “ISRM” part of the equation) requires more clarification. To “manage” information security risk, we simply ensure these three steps are followed:
- Assess – use a simple, objective, and measurable information security risk assessment. Information security must account for risks related to:
- Physical (controls)
- Technical (controls)
- Decide – Only four choices; accept (as-is), mitigate, transfer, or avoid.
- Implement – implement or do what the risk decision is/was.
Now that we’re on the same page about what vendor information security risk management is, here are the nine things we must do if we want to do it right!
#1 – Define why.
It’s common for people and organizations to rush into something without a clear understanding of why they’re doing it. Even if someone within an organization knows why, do the others? Don’t assume that everyone knows, especially the business stakeholders who will ultimately determine whether we’re successful or not. Questions we must have good answers for:
- Why are we doing Vendor Information Risk Management?
- What’s the purpose of our VISRM program?
- What will determine success in our Vendor information security risk management program?
Aimless VISRM programs are a waste of money and are frustrating to manage. Vendors who pose significant risk to the organization will be allowed to operate as-is if we don’t have the support of business leaders, and we only get support with a well-defined “why?”
Try this, “We are doing VISRM because:
- we need to meet our (insert regulation here) compliance requirements.”
- (insert competitor name here) is doing it.”
- we don’t want to be found liable for a vendor-related data breach.”
- we want to be defensible by demonstrating proper due diligence in managing vendor risk.”
- vendor relationships pose a significant risk, and we must account for the risk in our overall information security risk management program.”
Pick your reason, document it (maybe in a policy or charter) and stick to it in every VISRM thing you do.
#2 – Get buy-in.
Without business buy-in, we’ll be going through the motions at best and getting fired at worst. The best VISRM programs are championed from the top. Take the documented reason for VISRM (from above) and get executive management’s opinion. Refine statements and documentation if necessary and seek their support (not just approval). Without their support, we’re fighting an uphill battle, and it won’t turn out well.
When the business is bought in, good risk decisions can be made, and vendors can be held accountable for remediation (or face termination of the relationship). We won’t be able to push back on vendors without management/business support, and our vendors know it.
#3 – Sooner is better.
VISRM processes must be integrated early into procurement processes while information security risk decisions can still be made. If VISRM is the last or a late step in the procurement process, it may be too late to do anything about risk. If the business has already made necessary accommodations and adjustments for the purchase of the vendor’s goods and/or services, we’ll find it more difficult to conduct a proper risk assessment, and nearly impossible to get the vendor to perform any significant risk remediation.
We’re certain to accept more risk than originally intended and have more vendor relationship risk exceptions when we insert VISRM late into procurement processes.
#4 – Share the work.
VISRM is not a single person’s or team’s responsibility. VISRM is a shared responsibility between the business and information security (or risk) personnel.
Roles and responsibilities for VISRM must be defined, documented, and communicated. It’s common for an organization to assign all VISRM responsibilities to a single person, and this is a poor practice. A single person will not know how every vendor is used or who every vendor contact is.
Applying the concept of relationship manager and risk manager is a good approach. The person, or team within the organization who uses the vendor’s goods or services is the relationship manager and should be the person who completes the classification of the vendor relationship (see #5 below). The person, or team, within the organization who handles the VISRM process is the risk manager.
Distributing the work between relationship managers and risk managers makes the VISRM a collaborative effort between the business and information security (or risk) personnel. It also makes things more accurate and efficient.
#5 – Relationships are unique.
Two types of risk that are important to remember, inherent risk and residual risk.
- Inherent risk – risk associated with something (a vendor relationship) without accounting for controls to address risk.
- Residual risk – risk associated with something (a vendor relationship) after accounting for controls to address risk.
Inherent risk (called “impact” in some tools) is used to classify the vendor relationship based on how the vendor is used, usually as “High”, “Medium”, or “Low”. A vendor with access to thousands of sensitive or confidential records poses a higher inherent risk than a vendor who has no access to data (a toilet paper supplier for instance).
It’s inefficient and senseless to treat all vendors the same, a waste of time and resources.
#6 – Keep it simple.
Complexity is the worst enemy of information security. Simplify, but don’t oversimplify. There are only four steps, no more and no less:
- Inventory – an accounting of vendor relationships is critical because we can’t possibly secure things we don’t know about. Compiling an inventory for the first time will require some work, and the best place to start is probably the accounting (accounts payable) department. Vendors are paid through invoices, reimbursements, and/or corporate card payments. Once the inventory is compiled, we’ll need to make sure it stays current. This is where we’ll need to insert VISRM into the organization’s procurement processes.
- Classification – Keep this simple. Think of ten or fewer questions we could ask to classify a vendor relationship as “High”, “Medium”, or “Low” based on inherent risk. These should be questions that a vendor relationship manager can answer.
- Assessment – Higher inherent risk relationships need to be assessed for residual risk (see above). Low inherent risk relationships can probably be ignored while we focus on “High” and “Medium” vendors. The most common method of assessment is a questionnaire.
- Decision-Making – When we have a risk, we only have four options:
- Accept – risk is acceptable as-is.
- Mitigate – risk is unacceptable, and the vendor needs to implement a control or change one.
- Transfer – hand risk to someone else, usually through insurance and/or contractual language.
- Avoid – risk is unacceptable, and remediation isn’t an option; therefore, the relationship will be terminated.
If our VISRM program doesn’t include these four steps, or includes more than these four steps, we’re probably not doing it right.
#7 – Manage requires measure.
“You can’t manage what you can’t measure.”
Measurements are important for comparison, context, trending, and objectivity.
For example, let’s say we score vendor relationship risk on a scale of 300 (high risk) to 850 (no risk). If scoring is consistently applied within the assessment and between assessments, we can compare risks with each other, we can track risk over time, and we could set objective thresholds for acceptable versus unacceptable risk.
VISRM without measurement is less effective and less defensible.
#8 – Automate without shortcuts.
Automate everything we can without taking shortcuts. The “IS” in VISRM stands for “information security” and information security must account for administrative, physical, and technical controls (and risks). The most common shortcut is to treat information security as an IT or technical issue rather than a holistic business issue.
Think about it. Isn’t it easier to go through the secretary than the firewall, and who cares about the antivirus software running on a server when someone steals the server?
Information security is NOT an IT issue, it IS a business issue.
#9 – Progress over perfection.
VISRM can seem daunting, and it’s impossible if the pursuit is perfection.
The goal is progress, and progress is defensible. Start with building the initial vendor inventory. Next, implement processes to ensure the inventory stays current, meaning integration with procurement process(es). Getting here could take a year in some organizations. Fine. It’s progress.
Set attainable risk management goals. Let’s say we have 1,000 vendor relationships. Maybe an appropriate goal for a twelve-month period is to classify all vendor relationships and conduct a dozen or so “High” risk assessments (step #3 from above). Again, more progress.
Then continue down the path. This is a maturation process and a journey, not a magic process and a teleportation.
The case for VISRM is indisputable, given the facts and regardless of what motivates.
- Driven by risk – according to some studies as much as 60% of all data breaches come through a vendor relationship, directly or indirectly. The impact ranges from thousands or millions of dollars to bankruptcy.
- Driven by compliance – most industry regulations require VISRM, including HIPAA, GLBA, and others.
- Driven by legal liability – the absence of a VISRM program makes the organization less legally defensible in a civil action (resulting from a data breach).
Ignorance will not protect the organization. The most common risks from vendor relationships are data loss, ransomware (or other malware), and network entry through remote access (VPN, RDP, etc.).
The cost of a good VISRM tool like S2Vendor, provided by SecurityStudio, can be a little as $200/month. You can choose to do VISRM now or be forced to do it later. From experience, I can tell you doing it now is a lot less painful.