This is an interesting dilemma, and a question I hear regularly. It goes like this:
“We have a lot of vendors that don’t want to fill questionnaires out at all. What do vendors think of
My answer to this is always the same…
Three or four years ago, when vendor risk management programs were largely nonexistent, vendors would push back on security questionnaires. They would dodge, avoid, argue irrelevance, hide, ignore, answer cryptically, lie (in some cases, yes they do), get answers wrong, etc. Basically everyone was trying to avoid having to fill out any information about security programs.
Now that we’re a few years down the road, vendors are used to this, especially in any regulated industry or anyone that works with healthcare orgs, finance, etc. We’re a vendor, and we expect our customers to ask us about our security.
So at this point, if I have a vendor that doesn’t want to give up information about their security, that’s a GIANT red flag for me.
There are only a few reasons for not being forthcoming with a customer or prospect:
What the vendor does is highly sensitive, and they have to protect that information from everyone, including customers.
The vendor is a big enough company that they don’t need to respond to prospective customers.
A security program isn’t in place or the vendor doesn’t know how to answer the questions.
Each scenario is bad for me as a risk manager:
Even if you say you’re highly secure, it’s my responsibility to make sure. So in scenario one, they would still have to have something they can provide me as evidence they know what they’re doing. From my side, I can’t just take their word for it. So give me something.
Although they’re a huge company (e.g. AWS, Microsoft, Google), they still pose a risk to us.
If they avoid/resist, give excuses, or want to argue about why they don’t need to provide us any information, I assume they don’t have a security program.
When deciding if you should “fire” a vendor, there are many things to consider:
Someone in your organization likely wants to do business with this vendor.
It could be a significant deal for your organization. That adds pressure to push them through.
How significant is the risk and what could happen to you if they
There are many more factors obviously, but the point is that it is usually extremely hard to fire a vendor that the business wants to work with. If you have the authority to pull that trigger, then I would advise using it sparingly.
We enlist the business to help us get the assessment results back if needed, and we prefer to push them into remediation rather than firing them. SecurityStudio makes remediation really easy, so we prefer to just build remediation plans they can work on. That way everyone is winning!
I would only fire a vendor if all these questions get answered “yes”:
They simply won’t give us information.
They argue and avoid enough that they give me the sense that they don’t have a security program.
The business has alternative vendors that they can use, and they are OK with the firing.
Short of that, we opt for remediation, or if the vendor won’t cooperate at all, then we opt to have the business waive the vendor. That way, as a risk manager, I can show that I did my due diligence but that the business decided to pursue the relationship anyway. This is more than just CYA; it’s an important part of the partnership between security and the business. We don’t want to shut them down, we just want to manage our risk. They have the right to accept the risk of a vendor that won’t cooperate. (Document, document, document.)
The feedback we get regarding vendor willingness to use SecurityStudio has been really good. Yes, we have definitely seen the same types of patterns (avoidance, arguing, ignoring) but that’s what SecurityStudio is built to overcome. Automated reminders, questions written in common language, an appealing interface, etc. all contribute to a positive experience for vendors too. So yes, they have to do something, but the feedback we’re getting is that vendors like the way SecurityStudio works for them. Make it easier for yourself and company, and schedule your demo for SecurityStudio today!
SecurityStudio, 2019-03-11 (updated 2021-09-01): How To Know If You Should “Fire” a Vendor
Within a busy organization, vendor risk management (VRM) can feel like an ideal concept, but can also seem far out of reach. Armed with a vendor risk management checklist and VRM software like SecurityStudio, establishing a vendor risk management program is well within grasp and can take less time, energy, and resources than expected. The first step to creating a VRM program is to develop a plan.
1. Develop a Plan
The first step in creating a VRM program is to create a plan. Simple enough, especially with VRM software like SecurityStudio. The great thing about using a program like SecurityStudio is that the vendor risk management workflow is already built in, along with most of the communication. Everything is centrally located in the program, and vendors move from one phase to the next with everything in plain view. Most quality VRM programs include a classification phase; vendors are then typically assessed, followed by a treatment plan. Then there are steps to repeat the process. With a plan like this, the risk manager (administrator) will need to surround themselves with a quality team to execute the plan.
2. Assemble your Team
As with any vendor risk management program, the risk manager will want a group of professionals to help with inventorying vendors and classifying them. Talking to your team members and making sure that everyone is on board will help with participation, and, most importantly, ensures they are given context as to how important information security and this particular vendor risk management checklist are to the organization. Team members can lose focus as to how important their role is, partly due to the tedious nature of tracking down information. Putting a date on tasks also helps motivate people to complete them.
3. Determine a Timeline
Putting a timeline on tasks for both the team members and vendors helps with moving the process along. If there’s not a timeline, then it’s easy for the vendor risk management program to be put to the side. Software programs, such as SecurityStudio, have built-in timelines, but the due dates and timelines can be customized if needed.
4. Inventory of Vendors
Taking inventory of the organization’s vendors is a key step in becoming defensible. Whether the organization is using a software program or a spreadsheet, there needs to be a list of vendors that can pose a possible risk in order to be defensible. This would seem like common sense, but in a lot of situations where organizations don’t utilize vendor risk management software, there are incomplete, inaccurate, or outdated spreadsheets floating around in employees’ inboxes. This alone could make a case for a software program like SecurityStudio, where all vendors are located in one centralized location.
5. Designating a Relationship Owner
The security analyst, risk manager, administrator of the program, or whoever is assigned these responsibilities (usually the same person) is not necessarily the right person who would have access to contact information or would have direct vendor information to accurately answer classification questions. Generally, the person who works directly with the vendor will be able to answer the questions most accurately. Of course, this can vary
6. Categorizing/Classifying Vendors
Classifying and categorizing vendors is arguably the most important stage of any VRM program. VRM programs will measure the risk of each vendor, and with software programs like SecurityStudio, this is done efficiently and objectively. The decisions made at this stage will set the tone and precedent for all future stages. In short, if you’re going to get one stage right, this is the one. An assessment is sent based on this classification.
7. Assess your Vendors
After the classification stage, an assessment is sent based on the results. This is especially true for vendor software programs like SecurityStudio. Assessments vary in length and scope based on classification, but it’s best practice to have binary answers to assessment questions of either true, false, or N/A. If a vendor does have a conditional answer, they will be able to explain the answer in another stage (usually during remediation). Having binary answers to assessments will create a stronger, more objective,
8. Establish your Threshold
As vendors start completing assessments, it becomes time to establish best practices if the organization hasn’t already done so. For whatever method your organization chooses to assess vendors, there should be a minimum threshold as to how much risk the organization wants to take on. In SecurityStudio, where the scoring is based on a scale similar to a credit score, the program has a recommended threshold, but organizations are able to set their own threshold based on objective results. Whichever method is chosen, it’s best practice to apply the same standards for all vendors, or for all vendors within a set industry.
9. Choosing a Treatment Plan
Once the assessment results come back, then it’s up to the organization to determine what to do with the results. At times it’s a matter of just approving the results, but if the results are not as favorable as expected, then an organization should have a plan in place. This is another example of a situation where best practices should be established. If a vendor is far too risky to work with, or if the organization wants to give the vendor a chance to improve their results, there should be a clear plan. In programs such as SecurityStudio, it’s relatively easy to look back on assessment results, and then choose a plan based on them.
10. Objectively Repeat the Process
Risk management is a never-ending process, and the VRM program needs to be repeatable in order to be effective at all. Business relationships change and morph over time, so it would only make sense that the VRM program should adjust to these changes. Not only will business relationships change over time, but VRM practices will update with time. Updating the VRM program as new threats present themselves is just as important. With programs like SecurityStudio, the changes in security practices and updates will be automatic and seamless.
This is what happened in the infamous 2013 Target data breach, and a vendor risk management checklist is something that might have prevented it.
If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
Part of any vendor risk management program involves putting together a list of vendors. Sometimes this information can be scattered across an organization, and it takes some real wrangling to collect it all. This is why software programs like SecurityStudio are convenient: they help create a centralized list of vendors that is easy to update as necessary. Here are key places to look for your full list of vendors:
1. Accounts Payable Specialist
The Accounts Payable Specialist is the first place that most people look for vendors. This is probably the most practical place to look, primarily because most companies have to stay on top of their bills. The Accounts Payable Specialist will have all the company invoices, and in most instances have the most comprehensive list of
2. Internal Bookkeeping Software
Sometimes, if the company is small enough, all the company debits and credits are collected in a software program and updated by either an accountant or someone who assumes this role. Usually, this type of program is managed by an Accounts Payable Specialist, but this isn’t always the case.
3. Department Heads
Occasionally, not all vendors will provide an invoice. What about that free software that employees install on their computers? This is still considered a vendor and poses a risk. The department head would know the day-to-day tasks of their employees and would have a better idea as to what’s installed on their computers and what other contact they have with vendors.
4. Tax Forms
Maintaining a current list of vendors is imperative to any vendor risk management program, but keeping a historical list of vendors is ideal. Even though the company may not have business transactions with a previous vendor, there’s a good chance that information is kept on file with the vendor and still poses a risk. Chances are good that this information will be stored on tax forms, so this is an ideal place to look for historical vendor information.
5. Bank Statements
Bank statements are a snapshot of invoices paid and are an excellent source to look up vendors. The information may not be complete, but it’s still a way to locate vendors that may be flying under the radar.
6. Credit Card Statements
While not all vendors are going to be included on a credit card statement or even be paid via credit card, it’s still a good place to look for one of those one-off vendors that aren’t necessarily used very often, but still pose a risk.
If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
SecurityStudio, 2019-02-19 (updated 2021-09-01): 6 Places You Can Get Your Full Vendor List
First, let’s start with the question, “why do I need to manage all vendors?”
We get asked this question all the time. If you have a vendor risk management program, then it’s likely you aren’t managing all your vendors (just the high-risk ones, or even a subset of those). The logic of focusing on the vendors that really matter seems rational, but here are some potential issues that arise with it:
How are you deciding which ones to manage?
Are you accounting for all the ways your vendors can impact you?
Are you just managing the handful of vendors that you directly share confidential data with?
Is there a specific trigger you use to pick vendors to manage? (sharing PHI for example)
From both a vendor risk and a defensibility standpoint, all those methods fall short. If you are using a manual process to manage VRM, this may be all you can accomplish given resource constraints and other priorities.
But, what happens if a breach happens within a different vendor that has access to information but hasn’t hit your radar? Or, what happens if the relationship with a vendor changes but you don’t know it changed?
There are many reasons to manage all vendors consistently. Here are a few:
You are accounting for more risk.
You can catch relationship changes and act accordingly.
You can show that you have a consistent process.
All the above reasons make you more defensible should something bad happen. And let’s be honest, you have hundreds of vendors; some of them have been breached, and some of them may be actively breached right now.
SecurityStudio makes it really easy to manage all vendors, as any good software should. Something that is basically impossible to do with a manual/spreadsheet process can be made very simple with a decent software solution.
Let’s make sure we clarify that I’m NOT saying all vendors go through the same end-to-end process. I’m saying account for them all, and once they are classified let their classification bucket (low, medium, or high risk) determine their path.
So where do you get the full list? Finance is the best place. You should be able to request a list of every vendor you have paid in the last 6 or 12 months from finance. This can be a large list. In our experience, 75% of those vendors will be low risk, which is OK. With SecurityStudio, each low-risk vendor can be processed in 2 minutes per year.
So enlist finance to help. They can export a CSV or XLS file. Any good software, including SecurityStudio, should be able to import your vendor list. In this way, you can go from your current process to a mature VRM program basically overnight.
To get your easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
SecurityStudio, 2019-02-13 (updated 2021-09-01): How to Get Your Full Vendor List
Got a vendor risk management strategy defined? Need help?
You’re not alone.
People are not inherently good at defining strategies. This is a problem. The problem is worse when considering information security strategy, and worse still when considering vendor (and third-party) security risk management strategy. These assertions come from observations made over more than 25 years, working with a wide variety of organizations.
If you engage in vendor risk management activities, you should have a strategy defined. If you don’t have a strategy, then you’re going to be less effective in achieving anything meaningful to the organization.
This article is dedicated to helping you define an effective vendor security risk management strategy. An effective strategy will help you achieve your organization’s goals with measurable results.
Rule of Thumb: The larger the effort, the more important the strategy. In terms of vendor risk
More vendors = more important.
More people involved in vendor management = more
Now, let’s define a basic strategy together.
Start with why.
Strategies start with why.
If yours doesn’t, it’s probably not a good strategy.
Another word for why is purpose. I prefer why because it seems that people can relate to it better. I think this is because they can keep asking themselves why for every piece, part, and process in whatever it is we’re trying to accomplish.
Simple question. Why are you doing, or thinking about doing, vendor security risk management?
If you don’t know the answer to this, then you have no “why”. If you struggle with your “why”, look at some of these common ones, and consider them when developing yours:
We want to manage vendor security risk well.
We have to do it because our regulator told us we had to.
We want to be defensible, meaning to be able to defend ourselves in court when/if a vendor-related breach occurs.
Everybody else is doing it, so we should do it too.
We suffered from a vendor-related security breach in the past, and we don’t want it to happen again.
I’ll tell you our why, where I work. We believe that managing risk is core to the definition of information security. We can’t manage information security without managing risk. Vendors pose a risk to the security of our information, so managing risk must include vendors; therefore, vendor security risk management is core to our
There it is; we do vendor security risk management because we believe that it is core to our
You can have more than one why, and I actually encourage it. The more you have, the more focus it can bring. Now, document your why. Document it so you don’t forget it, so you can share it with others, and so you can make sure other parts of your strategy align with it.
Our goals are set by what we define as success.
Goals must be…
Associated with some function of time (timeline, timeframe, deadline, etc.).
Aligned with our why.
Think of the ways you can set measurable goals on a timeline that enables your why to be adequately supported. Your why may be different than ours, but I’ll use us as an example again. We’ll use SecurityStudio in our example. Not only do we sell SecurityStudio, but we certainly use it too!
We believe that vendor security risk management is core to our security program.
To support our vendor security risk management efforts, we have defined the following goals:
100% of all vendors will be inventoried in a central repository by 3/1/2019.
100% of all vendors will be classified according to inherent risk (sometimes called “impact”) by 6/1/2019.
All high and medium impact vendors will be assessed for residual risk by 1/1/2020.
Every vendor will be re-classified on an annual basis by the 1st of each year.
All high impact vendors will have a S2SCORE of 660 or higher by 6/1/2020; any exceptions must be formally approved by the business unit Vice President.
All medium impact vendors will have a S2SCORE of 660 or higher by 6/1/2020; any exceptions must be formally approved by the business unit Vice President.
At no time will a vendor S2SCORE of 600 or less be accepted by the organization.
Now this is where the rubber meets the road. A strategy is worthless if it can’t be enacted or executed against. How will we accomplish our goals? In order to achieve the goals that we’ve set, we’re probably going to need something, or maybe a lot of somethings.
Obviously, one of the things that we leverage is SecurityStudio. If you don’t use SecurityStudio, you can either choose to use it, or you’ll need to find something else. If you’re unsure of SecurityStudio and/or how to implement it, schedule a demo with us today. Whatever you use, it must allow you to accomplish all of your goals. SecurityStudio is one thing, but you’re going to need more. You’ll also need (at a minimum):
A policy. See our previous article about developing and using a vendor security risk management policy (/blog/vendor-risk-management-policy/). There’s even a free policy template there.
Personnel (or time). Somebody will need to do the work. SecurityStudio takes all of the dirty work out of the way, but there still needs to be some involvement. We have a vendor risk management ROI calculator if you’re interested in how much time and money is saved when you use SecurityStudio versus manual processes.
Training. The people who will be involved with vendor risk management are going to require some training. SecurityStudio is simple to use, but it’s still good to do some brief training anyway.
Procedures. Step-by-step guidance will ensure that the same thing is done every time. This gives us the ability to tweak things and make things more efficient.
Budget. Everything costs money nowadays, hard and soft dollars.
That does it for the how. Now combine the high-level how information into your strategy, and give everything a sanity check. Does everything fit, or do you need to adjust? I’ve gone through this same exercise with large companies, and it’s not uncommon to revisit all or part of the strategy many times before you nail it.
It’s easy for an organization to get caught up in establishing policies, workflows, and procedures for vendor risk management. Without context as to why these policies are important, and without stressing this to your team, many will lose sight of the primary goal of vendor risk management – to put the organization in a defensible position. An organization owes it to their customers. The goal of vendor risk management is to put the organization in a defensible position by taking inventory of all vendors, measuring how much of a risk each vendor poses, assessing each vendor objectively, and then systematically repeating this process. That’s a hefty goal, so let’s break it down.
Inventory – Taking inventory of all vendors
The first step to mitigating risk is to take inventory of all vendors. This list includes everything from the organization’s HVAC technician, cleaning service, and insurance broker to the free online software provider. These are all considered vendors, and while not all of them have the same access to sensitive information, many vendors will have some access to the organization’s information, either physically or otherwise. The goal of taking inventory of your vendors is to make sure that all the vendors within an organization are accounted for. Quite simply, you don’t know what you don’t know.
Classify – Measuring how much of a risk each vendor poses
Not all vendors will have access to the same amount of information, but it’s important to sort your vendors into buckets. Using the same classification method puts all your vendors into perspective, and puts the organization in a defensible position. The HVAC technician won’t necessarily have the same impact as an insurance broker that has access to sensitive information. However, both vendors pose a risk – SecurityStudio has three impact levels – high, medium, and low. By classifying vendors objectively, the right course of action can be taken to assess them appropriately.
Assess – Assess each vendor so that the appropriate action can be taken
The goal of the assessment process is to make sure that the right questions are being asked, and that the same questions are being asked of all vendors within the same bucket. This again will put the organization in a more defensible position. The goal of the assessment process is to be as objective as possible and to complete due diligence. It’s important to ask these questions now, so that in the case of an adverse event, the organization is still defensible. Tools like SecurityStudio make it easy. SecurityStudio offers a comprehensive list of questions, and the program tags who answers the questions and timestamps when the questions are answered.
The ultimate goal of the assessment is to have an objective overview of the vendor’s security posture so that the organization is able to make an informed decision to either go into business or continue doing business with the vendor. Once the results of the assessment are given, then it’s a matter of replicating the process on a regular, timely basis, or as the business relationship changes.
Now that the goal is broken down, it puts things in perspective. Yes, organizations are pressured to develop a vendor risk management program by regulatory laws, but it’s more than that. It’s just the right thing to do. Organizations owe it to customers to make sure that the information they provide is secure by mitigating risk the best they can and putting themselves in a defensible position. This is the primary goal of vendor risk management.
To put your goals to action and get an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
For most organizations, measuring vendor risk management is extremely difficult, if not impossible. That’s because they’re either doing nothing to manage vendor security risk or they are using a method that isn’t conducive to measurement.
Here are a few helpful statistics to measure in any VRM
Overall risk exposure
Trending of overall risk
Riskiest vendors, both from an operational risk standpoint as well as impact
Individual vendor trending
Number of total vendors
Number of high risk vendors
Specific areas that are a significant risk across multiple vendors
Your VRM program should be reportable. Most C-suites or boards would like an update at some frequency on both the overall security program and the VRM program. Having these types of statistics easily reportable is a huge plus to the information security program
Use statistics like these to keep leadership informed of the current state of the program as well as to justify the need to continue managing third-party risk.
SecurityStudio leverages S2SCORE in order to be able to give you all the statistics and reports you need to stay on top of your VRM program. Schedule a demo with us today to see how we can help with your VRM program!
“We don’t need another policy that nobody will read! Policies are a waste of time, especially a Vendor Risk Management Policy!”
I get it. People aren’t thrilled by policies. They’re not exciting. They’re not fun either. For some, policies can even be painful.
Policies get a bad rap. Not because they’re evil or anything, but because people rarely use them well. The fact is, information security policies play a very important role in supporting all information security efforts, and a vendor risk management policy plays a very important role in supporting our vendor risk management efforts.
I don’t like wasting people’s time, so I’ll get right to the point. Most policy problems are rooted in confusion about what a policy is, why they need one, and how it should be used. So, let’s address this as simply as possible. After all, complexity is the enemy of good information security (remember this always).
some organizations, vendor risk management and third-party information security risk management have slightly different meanings. Third-party information security risk management is part of a greater vendor risk management effort. For the purposes of this article, we’re using vendor risk management and third-party information security risk management synonymously.
What a Vendor Risk Management Policy is
The “what” for any policy is the rules. Think of this in terms of a game. A policy defines the rules for the game. A vendor risk management policy defines the rules for the vendor risk management game.
If you’ve never played the vendor risk management game before, this could be a difficult policy for you to define. If this is you, ask someone you trust for help. Here are two options for you right now:
You can download our template. Change the rules to fit the game that you’re willing to play and make it yours.
Contact SecurityStudio – The experts at SecurityStudio will make sure you get all the answers you need.
There are some typical structural things that should be found in every policy, including this one. Policies should contain a purpose statement, note the audience for the policy, the policy status (draft, approved, adopted, etc.), version, date, the policy itself (the rules), references (to standards and/or other documentation), enforcement intentions, and version history.
Your game, your policy. Don’t expect someone else’s policy to fit as-is, and don’t include rules that you don’t intend to play by.
Why you need a Vendor Risk Management Policy
If the “what” for policy is the rules, the “why” for policy is communication. Policies are used to communicate the rules to others. You don’t need a policy if you don’t have anyone to communicate the rules to. Good news,
Before you rejoice, it’s very unlikely that you have no one else to communicate the rules to. There’s almost certainly someone else who needs (or wants) to know the rules.
Think about who needs to know the rules for your vendor risk management game. The list could include:
Anyone else within your organization that participates in vendor risk management activities.
Anyone who’s interested in your organization’s vendor risk management activities (examiners, regulators, partners, etc.).
Anyone who’s ultimately responsible for your organization’s vendor risk management activities, including executive management and the board of directors (if one exists).
The more people who need to know about your rules, the more important the policy becomes. In a small organization where there is a single person who does all the vendor risk management activities, there’s less importance. Not “no” importance, just less importance.
How to use a Vendor Risk Management Policy
Once you’ve written a policy, it’s time to figure out how to use it. Every policy, including this one, must be approved, communicated, adopted, and adjusted (or revised). This is a policy lifecycle that is well understood by most.
Draft – The policy is drafted (as v1 in new policies, as incremented version in subsequent cycles).
Approve – The policy must be approved by someone with authority (executive management, BoD, etc.).
Communicate – The policy must be communicated to all personnel who are affected by it.
Adopt – Gap analysis (or audit) coupled with plans and projects to ensure compliance.
Policies are reference documents and should be written this
way. Let’s go back to our game comparison.
When you sit down with friends to play a new board game, how
many people read the rules? Just one, and this is the de-facto person who
oversees the game. How many people should read your policies (rules)? Just the
person (or group) who oversees the game. As the game is played, the rules are
referenced whenever a question comes up. Same goes for policies.
That’s it. Simple. Define the rules for vendor risk
management, communicate the rules, and manage the rules. Vendor risk management
policy in a nutshell.
Having a policy in place is great, but also having a workflow that evaluates all third-party vendors and brings your weakest links to the surface is even better. Schedule a demo with us today to get your easy-to-use vendor risk management program.
A common theme for many organizations is that they don’t
have time to do third-party information security risk management, or they don’t
have the time to do it right. There are so many competing initiatives in an
information security professional’s life, I get it. Do you have a case for not
prioritizing third-party information security risk management, or not
prioritizing it higher?
Let’s use logic to figure this out together.
NOTE: Notice I use the words “third-party information
security risk management” in place of “vendor risk management”. This is because
I think one is a little more accurate than the other. Third-party information
security risk management usually fits within the scope of a larger vendor risk
management program. For this article we’re going to focus on third-party
information security risk management.
Three primary questions come to mind when thinking about the
importance of third-party information security risk management:
Is there a problem with NOT doing third-party
information security risk management?
If so, how big is the problem?
What should you do about it?
Is there a problem?
So, you’ve got other priorities that prevent you from
assessing and managing information security risks related to your
vendor/third-party relationships. The fact that you have other priorities isn’t
a problem, it’s reality. The fact that you may not be prioritizing third-party
information security risk management, or that you may not be prioritizing high
enough, could be a big problem.
Inherently, I know two things when it comes to third-party
information security risk management:
Nobody cares about the security of my
information more than I do.
Third-parties are the cause (directly or
indirectly) of most known data breaches.
Nobody cares about
the security of my information more than I do.
You know this is true, right? You spend thousands of hours,
and many dollars trying to implement and manage good security controls within
your organization. You’ve developed sound policies, worked tirelessly to make
sure people are trained and aware of good security practices, you’ve spent
thousands (maybe millions) on expensive technological controls like firewalls,
intrusion prevention, data loss prevention, endpoint protection, and on and on.
You use third-parties to provide certain services to your
organization. Maybe printing, maybe hosting, maybe IT support, who knows? Do
you think the third-parties
you use have spent the same amount of effort in protecting your information? Is
thinking they’re protecting your information the same way you are, good enough?
Play it out. Stay with me on the logic here.
We know that no matter what we do, we cannot possibly
prevent all bad things from happening. We cannot eliminate risk, but risk
elimination isn’t the goal anyway. Risk management is the goal and it’s the
only thing that’s even remotely attainable.
Let’s say a vendor loses your information (this is more
likely than you know, read the next section). Or, let’s say that an attacker
gains access to your information through some sort of access that we’ve granted
them. What happens next?
You conduct an investigation. Maybe there are lawyers
involved. Maybe there’s customer data involved. Maybe you’re not sure. One
thing is for certain, somebody isn’t going to be happy. When the right (or wrong)
somebody isn’t happy, somebody else needs to pay. The unhappy “somebody” might
be a customer or group of customers, a government regulator, or the board of directors.
The unhappy “somebody” might be all of the above.
The unhappy somebody is going to want answers. What answers
do you think they’re going to want? They’ll want answers to questions like:
Did you know that your vendor was doing x, y,
Did you ask how the vendor was protecting our
What sorts of questions did you ask the vendor
The quality of your answers will often dictate what and how
much you’ll have to pay. No answers or bad answers will cost you more. Somebody
almost always pays when something bad happens, the degree to which they pay,
will largely be dependent on what answers they’ll have to defend themselves.
This, in a nutshell, is defensibility.
Can ignorance be defensible, claiming you didn’t know any
better? Short answer is “no”. The reason is outlined in the next section.
Third-parties are the cause (directly or indirectly) of most known data breaches.
Soha Third-Party Advisory Group conducted a study (Source: http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm) last year that concluded the following: “third parties cause or are implicated in 63 percent of all data breaches.” You might be skeptical of this number, but the Soha Third-Party Advisory Group consists of some heavy-hitters in our industry, security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec. I didn’t write the study, but I believe that much of the findings represent the truth.
Can you claim you didn’t know better? When you’re tasked
with answering the inevitable questions that are coming your way after a
breach, do you really think you can claim you didn’t know?
To compound our ignorance as a defense problem, are the
Do you need more justification for re-prioritizing
third-party information security risk management? Maybe you run a security
program based on compliance, only doing what you’ve been told to do. This isn’t
a good idea because information security is about risk management, not
compliance, but let’s say it’s the way you do things anyway. Compliance is
king. What if I told you that regulators and examiners are aware of the risks,
and they read the same news we do? They are increasing the pressure around third-party
information security risk management, and they’re losing patience with
organizations that haven’t taken the risk seriously. It’s better to get ahead
of this curve now.
Back to our original question: is there a problem with NOT
doing third-party information security risk management? My opinion, using the
logic we’ve outlined together, is “yes”. There is definitely a problem with you
NOT doing third-party information security risk management.
Are you convinced that you need a third-party information
security risk management solution? If so, let’s figure out the right solution.
If not, we’ll still be here to help when you become convinced. I promise.
How big of a problem is it?
Our next question was how big of a problem is it, meaning
how pervasive is the third-party information security risk management problem
in our industry? I promise to provide a short answer.
At a macro-level, relying on my unscientific observations
from working with (up to 1,000) clients and discussions with other information
security professionals, I would estimate that as many as 90% of the companies
ranging in size from 20 – 30,000 employees do not have a third-party
information security risk management program of any substance (or formality).
The problem is big in our industry. I would caution against
using this as justification for not having your own program, however. The herd
mentality seems to be less and less defensible too.
Our last question: what should you do about it (meaning third-party information security risk management)?
What should you do about it?
For your own good, hopefully I’ve convinced you that not
doing anything or deferring this issue until it becomes a higher priority, is
not a good option. If not, like I stated previously, we will be here for you
when you change your mind.
A well-designed third-party information security risk
management program fits the following characteristics:
It’s not disruptive to the business. After all,
your business is in business to make money (and/or serve a mission). If
information security gets in the way, you’ve got problems.
It’s measurable in a way that you can show progress.
Going from nothing, or next to nothing, to a fully implemented third-party
information security risk management program is not feasible or encouraged. A
solution that allows for gradual adoption over time is the right way to go.
Doesn’t take shortcuts. The definition of
information security accounts for administrative, physical, and technical
controls. Only accounting for technical controls isn’t going to cut it,
especially when we consider the fact that your most significant risk is people.
Organized, standardized, and repeatable. These
things make your program scalable and useable. The way to accomplish this is to
automate all parts of the program that can be automated, without taking
Intuitive, easy to use, and easy to understand.
Third-party information security risk management shouldn’t be rocket science. A
well-designed third-party information security risk management solution should
be logical, so much so, that you don’t need vast amounts of experience and
expertise to run it.
We specifically designed SecurityStudio to fit all the criteria necessary in a best-in-class third-party information security risk management platform. We did so by using more than a combined 100 years of information security experience, and at a reasonable price that doesn’t unnecessarily take away from your other competing information security priorities.
I invite you to speak to a SecurityStudio representative about how SecurityStudio will work for you. Schedule a demo too while you’re at it!