Posts

Historical Use of Vendors Over Time

Before we address the purpose of vendor risk management we need to spend a few moments to understand how we got here. Looking back 20 years ago third-party vendors were used differently and not used as much.  We did not perform any sort of vendor risk management.  Considerations to use a vendor would be primarily based on cost.  Today is a much different picture.  We can easily create an entirely new business with a laptop, internet connection and a credit card.  Software solutions can be purchased and used within organizations without getting IT involved; therefore, skipping the chance to properly evaluate the potential risk.  The threat landscape has changed vastly and continues to evolve seemingly faster all the time.

Shift Control from Internal to Third Party

I reminisce about my first job coming out of college.  The large company I worked for didn’t have internet access, we didn’t have email and we didn’t exchange data or allow others to access our data.  All the control was in our hands.  If we suffered some sort of incident it was up to us to fix it and get back on track.  Today we outsource to third-party vendors for strategic reasons (increased efficiencies, new services, focus on core business objectives, etc.). Risky vendors will then increase our risk if not properly evaluated and managed.  The control is shifted from us to the vendor.  How much data are we giving to the vendor?  Does a disruption in the vendor’s ability to provide services create an unaccepted situation?  Does the vendor have a formal approach to securing your data?  Do they have a risk management program that’s formally mandated and supported by their executive management?  Do they treat your data with the same standards as you do?

Purpose of Vendor Risk Management

A lack of a complete and effective vendor risk management puts organizations at risk.  Regulated industries like Finance, Healthcare and Public Utilities all require ongoing risk assessments.  The use of third-party vendors needs to be incorporated into the risk assessment.  A thorough and efficient vendor risk management program can make a difficult process run more smoothly. 

Another reason you should consider a formal vendor risk management approach is to address the business impact risk that’s introduced by utilizing third party vendors.  Your reputation could be tarnished by the actions of a vendor you use.  Your organization could suffer unacceptable downtime or lack of service due to a vendor’s internal (or lack of) business practices.  You could also be affected by a third-party vendor’s financial situation.  If a vendor provides a critical or unique service that is not easily replaced, it’s in your best interest that their finances are in good order.  Can they keep their lights on and provide you with the critical services you pay them for?

In a simple form, the purpose of vendor risk management is ensuring the use of third-party vendors and making sure they do not introduce a negative impact, business disruption or damage your reputation. It also puts you in a defensible position by showing you’re practicing proper due care and due diligence regarding information security and vendor risk management. 

Vendor Risk Management Process

The vendor risk management process comprises of four steps.  Once the initial process is started, new vendor and annual vendor reviews will be much faster and simpler to manage.

  1. Identify your vendors – Any individual or company who provides you paid services.  Working with Accounts Payable will cast the biggest net.  Don’t forget about services purchased on a credit card – so check those statements!
  2. Classify your vendors – Now you have the master vendor list you need to classify the vendor into high, medium and low risk categories.  Department managers are typically the best to determine this since they have an idea of the types and amount of data the vendor has access to as well as how the vendor is used and what impact the vendor has on the business.  This can sometimes be difficult at first because some managers might not understand their role in the vendor risk management process.
  3. Assess vendor risk – A risk assessment should be performed on all high and medium risk vendors.  The risk assessment should be the same criteria for all classes of vendors.  Higher risk vendors will be under the microscope a bit more than the medium risk vendors.  Low-risk vendors simply need to be evaluated for risk and documented.  It’s important to show you’ve evaluated and classified ALL vendors, not just the ones you feel are important. 
  4. Risk treatment – Once risks are identified you need to determine if the risk is acceptable or if you will ask\require the vendor to mitigate identified risks.  Remediation efforts by the vendor should be monitored and assurance made to you by the vendor that they did indeed address the risks identified.  This might come in the form of policy developed, audit results or verified risk assessment performed certified information security expert.

The entire process is repeated on a regular basis, preferably annually.  The initial startup of a vendor risk management program can be daunting but with the correct tools, it doesn’t have to be.

Who Do We Work For?

We all work for someone.  Our industries might be vastly different but the common item we all have is we work for people.  People entrust us with their finances, healthcare data, personal data, retirement funds, school grades, etc., the list goes on and on.  Behind all that data are mothers, fathers, grandparents, aunts, uncles, nieces, nephews, sons, daughters, friends and neighbors.  We owe it to them to do everything we can to protect their data as if it were our own.  This is the REAL purpose of vendor risk management.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

free information security risk assessment tool

Information security programs are around to protect the data of the businesses they are a part of. Understanding risk is an important part of that, but ultimately it’s the business’s job to make decisions on what types of risks they are willing to accept. It’s the information security program’s job to make informed recommendations about those risks. Sometimes, though,  those recommendations are ignored.

While it’s important to make decisions that are best for the business, deviating from security recommendations can pose challenges. It’s important that you maintain a simple, standardized, and defensible information security program (and vendor risk management specifically). Certain business decisions detract from that.

Simplify

We fully understand that a business’s first goal is to make money. That’s why businesses exist. Security programs are meant to create efficiencies that align with your business objectives to be a driving force for profit— not the other way around. However, if you chose to make decisions independent of our security teams’ recommendations, you can actually do the opposite.

Information security programs (and their vendor risk management initiatives in particular) can have a monumental impact on the efficiencies of an organization— especially as it pertains to employee time.

People in information security programs are often required to chase down vendors. You need to have an inventory of all of our vendors so that we know who poses threats to you. In order to do that, your security team will start at accounts payable, get a list of the current vendors your business works on, and then spend ludicrous amounts of time trying to understand the level of risk that vendor poses.

Because your information security professionals have a limited understanding of what each vendor does, they have to get an idea from the person who works with them most closely how their interactions may pose security threats. You now have two employees taking up their time to get this information figured out.

Once this is finally determined, the information security employee is going to send out a questionnaire or spreadsheet to the vendor in hopes that the person on the other end is the right contact, that they’ll fill it out correctly, and that they won’t have to be chased down every three weeks to see if it’s been completed yet.

Do you see how time-consuming this can be?

A vendor risk management tool automates many of these processes. It eliminates the chasing, the back-and-forth, and the manual entry your information security employees would otherwise go through. Because of this, their time can instead be used on the things that will make the most positive impact on your bottom line. The same is true with the non-security employees that have to assist.

You may decide that you don’t want to spend the money on an automated solution to help you smooth down these processes. Doing these things without systems, though, creates unnecessary complexities— and complexity is the enemy of security and business.

Standardize

Standards are crucial when it comes to information security. There are rules, guidelines, principles, and best practices that should help feed your information security decision-making.

Information Security Industry Standards

Certain industries have requirements and regulations they are asked to follow with regards to information security. If your organization fits their threshold, you likely have no choice but to comply. While these standards don’t necessarily provide the perfect example of what security is, they do provide good foundational rules to follow. Deviating from the rules of industry standards can have two effects.

This is actually an example of where deviating from rules and standards can be a good thing. As mentioned before, security standards often provide a good foundational base for your security programs, but they are often just that— a minimum requirement that helps you get started. Businesses can (and should) deviate from industry standards by adding to them. Adding measures on top of what the industry standards suggest you accomplish in your security program is an important step in bolstering your protections.

The opposite side of that coin is choosing to skip or ignore standards that are required by your industry regulations. Doing this can severely damage your business. Payment card industry (PCI) compliance is a good example of this. Many small businesses choose not to go through the steps of being PCI compliant because of the time, effort, and money that goes into complying. However, a breach that impacts your customers’ credit card information often creates irreprehensible financial and reputational losses that could end up forcing you to close your doors permanently.

When it comes to vendor risk management, the same concern applies. You can choose to deviate from acceptable industry norms, here too. Some organizations choose to change up the assessment questions that they ask their vendors to complete regarding their risk. Doing so may push you outside the compliance threshold within your industry standards and it also requires someone to justify the changes. Justification relies on subjectivity, rather than objectivity, and makes it significantly more challenging to explain if you needed to defend your decision.

Internal Standards

Standards are one way to get everyone within your business on the same page about things like acceptable risk levels, information security spending, incident response measures, and more. Implementing a set of policies and procedures that are standard across your organization, and across organizations similar to yours, ensures that you’re taking the appropriate measures to mitigate risks and protect your business.

Deviating from your internal standards proves that they aren’t the right standards. If you feel that you need to make decisions that go against the standards of your organization, they clearly aren’t working for your business. And you won’t be able to expect others to follow them if you aren’t either.

Your risk increases as you deviate from standards too. Take the S2SCORE for example. You can use risk assessment metrics like S2SCORE to set a risk threshold you want your organization and vendors to uphold. You might make a decision that everyone needs to be above a 650 in order to continue working with them. Sometimes, though, the business might feel the need to make a decision outside the standards set in place. You may work with an organization whose business is critical to the success of yours. Therefore, you may want to accept them as a vendor despite their S2SCORE being 550 instead. While it’s important you make these kinds of decisions if you feel they’re critical to the business, it’s also important to understand that this increases the likelihood your data is compromised.

Defend

Ultimately, creating standards and sticking to them is all about making your organization more defensible in the event that something does go awry and your data is compromised. Breaches do happen. Often. It’s impossible to prevent all breaches.

Deviating from standards makes your business less defensible when a breach happens.

If your business feels they need to make exceptions to rules for its benefit, that’s fine. If you make a system standard, you just have to defend the standard. Make sure you’re taking a logical and objective approach to all of your exceptions before implementing them. This will help you stay defensible (and help you ensure that your decisions aren’t going to have a negative impact on your security).

If you make decisions that deviate from standards, customize systems too much, etc., it becomes increasingly more difficult to explain your case to those who are asking. Unfortunately, a breach’s impact stretches beyond your boardroom. Customers, news outlets, lawyers, and more will be asking questions about how and why things happened the way they did— and what you plan to do about it.

Particularly on the legal side and the industry regulator side of this, you’re going to have to explain why this incident happened. If you make exceptions to rules, you have to defend the logic behind the exception. Why you didn’t go with your standard? This is important to think about as we consider making decisions that extend beyond the scope of industry and internal standards that have already been implemented.

Conclusion

While it’s important for businesses to take information security recommendations seriously, it’s also important to remember that information security programs are around to supplement the business’s objectives. For that reason, businesses should be allowed to make decisions outside the scope of industry and internal security regulations. If they do though, there can and will be consequences. Weighing those consequences can be challenging, and it can be difficult to defend the logic behind any deviations. At the end of the day, make if you’re going to make decisions outside the recommendations of information security standards, ensure they still help your business simplify, standardize, and defend.

free information security risk assessment tool