It’s easy to be on the other side of a breach and point fingers. When we understand how a breach happened, the solutions seem like they should have been simple. These simple solutions (and preventative measures) are not always common sense though. In fact, as a whole, we don’t do a great job using these breaches to teach us the lessons they should.

We can use the 2013 Target breach as an example. Target wasn’t breached due to a lack of their own network security. Instead, an attacker was able to access their system through a vendor. This vendor (an HVAC vendor, not even one that regularly interacts with Target’s network) was required by Target to access Target’s vendor portal. Attackers were able to retrieve log-in credentials from someone at the vendor to access Target’s portal. That was enough.

What’s not enough are the improvements that have been made across all organizations in vendor risk management since this incident occurred.

But we can still use it as a teachable moment now.


Where Target Went Wrong

When determining the vendor risk, there are two initial steps every organization should begin with.

First, organizations need to know who all of their vendors are. If you don’t have an inventory of every company you work with, how can you possibly know all the risks that your organization faces because of the vendors? Many organizations fail even this first step.

The second step (and where Target missed the mark) is classifying your vendors. It’s not enough to just know who your vendors are. Organizations also need to know the amount of risk the vendors pose to you. You can do this a number of ways, but the key is to categorize your vendors based on the types of information they touch (very sensitive or not sensitive) and how much data they have access to.

This is where Target went wrong.

How This May Have Been Avoided

It’s likely that Target (and many organizations, frankly) would look at an HVAC provider like Fazio Mechanical and immediately write them off as a low-risk vendor. In actuality, and because of the vendor’s access to Target’s online portal, Fazio Mechanical probably should have been classified as a medium-risk vendor.

Classifying a vendor as low risk is often treated as sufficient due diligence: the vendor is set aside and its status reevaluated in another year. However, in strong vendor risk management programs, medium-risk vendors are required to go through a vendor risk assessment process, in which the organization gets an understanding of how much risk exists before allowing that vendor to continue to access its critical information.

It’s likely that Target did just that: brushed off their HVAC provider as a low-risk vendor and pushed them off to the side for reevaluation down the road.

Had they gone through an assessment with the vendor as if it were medium risk, they likely would have caught the lack of protection that was the reason behind the breach.

Vendor Risk Management is About Logic

Making assumptions in information security is detrimental. Making assumptions provides a vehicle for avoiding issues that may be hyper-pertinent to your business. You may think that a vendor is low risk when it actually belongs in a more sensitive category.

When organizations bring objectivity into the classification step of vendor risk management, they take out the assumptions and guesses. Assumptions and guesses erode your credibility.

If Target had gone through proper and objective steps to classify Fazio Mechanical (even if they had classified them incorrectly), at least they would have been able to prove that they did their due diligence and that the breach was not caused by their negligence.


How You Can Prevent This

Vendor risk management is all about simplifying, standardizing and making yourself defensible.

Build a list of your vendors first.

Then, work through standardized criteria to determine how much risk they pose to your organization. Get an understanding of exactly how they work with your organization and what kinds of data they touch. Doing that gives you an immediate grasp of how important it is that they handle their own information security practices well. It will also make sure you are defensible if something does go wrong, and will likely help limit the number of vendor-caused incidents you experience.

You can simplify this process by implementing a vendor risk management tool like VENDEFENSE to help you automate your vendor identification and classification. With VENDEFENSE, it’s likely that Fazio Mechanical would have been flagged as a medium-risk vendor, and steps would then have been taken to improve their security once the risk assessment was completed.

For more information on vendor risk management and for a live look at the tool that can help make your organization’s vendor risk management program simplified, standardized and defensible, visit

Information security demands are increasing at a dramatic rate. Security services are expected to grow to more than $100 billion by the year 2020 and nearly 40% of all contracts will be bundled with other security services and broader IT outsourcing projects. Becoming a managed security service provider (MSSP) and partnering with a security firm allows you to get ahead of this curve, and allows you to provide security services and enhancements to those customers that need and ask for them.

The Right Tools

Security tools are a key benefit of partnering with an information security company. By offering a broad range of products and offerings, you not only improve your customers’ security postures, but you’re also providing your organization the opportunity for strong monthly recurring revenue (MRR) and professional services revenue. This all starts with the assessment. Your customers won’t know how to improve their information security posture without first knowing what needs to be improved.

SecurityStudio offers the most robust and comprehensive risk assessment tool on the market. Information security is a complex discipline with many moving parts. To simplify this complexity, we needed a common language around security that anyone could understand. From this need came the FISASCORE. FISASCORE is a numeric scoring system that measures risk by evaluating the Administrative, Physical and Technical Controls of an organization. It’s built on the same scale as a credit score and translates to any organization, which makes it a simple and comprehensive way for anyone to speak to security.

Often, when a breach or information security incident occurs, it originates with a vendor of the company impacted rather than the company itself. Not only do organizations struggle to manage the risk their vendors can bring to their information security; many of them aren’t even aware of who all their vendors are. Vendefense allows you to find, list, categorize and assess your third parties. Utilizing FISASCORE as the risk assessment metric, your customers can easily manage the risk of their vendors.

Understanding Requirements

Your customers may simply want to be more secure. However, there are many lines of business that have security requirements that they need to comply with. An additional benefit of becoming an MSSP by partnering with an information security organization is the knowledge base around audits, compliance and regulatory requirements. Working with security experts gives you training and assistance on these requirements so that you can ensure both you and your customers comply with regulatory requirements for your industry. In turn, you’ll also dramatically improve your customers’ security postures.

Set Up to Succeed

Even with great products, a partnership will not succeed without solid relationships and mutual engagement. When you choose a security expert to partner with, it’s important to choose one that will continue to work in conjunction with your organization to help you succeed. Good security expert partners give you sales and analyst training, sales and lead generation tools, marketing content and more through a channel partner program. Not only does this put your organization in a position to satisfy all its customers’ needs and wants, but it also allows you to continue to expand your client and customer base. By leveraging the techniques, practices and materials of expert partners, your organization quickly becomes a trusted security organization that your customers will continuously lean on and build from.

Information security demands are increasing at a dramatic rate. By becoming a partner of a security expert, you can provide your customers and clients with the right products and services to increase their information security, while driving a profit for your own organization simultaneously.

To learn more about how you can become an MSSP for your clients, visit our become a partner page.