The Importance of Vendor Risk Management
A common theme for many organizations is that they don't have time to do third-party information security risk management, or they don't have the time to do it right. There are so many competing initiatives in an information security professional's life; I get it. Do you have a case for not prioritizing third-party information security risk management, or for not prioritizing it higher?
Let’s use logic to figure this out together.
NOTE: Notice that I use the words "third-party information security risk management" in place of "vendor risk management". This is because I think one is a little more accurate than the other. Third-party information security risk management usually fits within the scope of a larger vendor risk management program. For this article we're going to focus on third-party information security risk management.
Three primary questions come to mind when thinking about the importance of third-party information security risk management:
- Is there a problem with NOT doing third-party information security risk management?
- If so, how big is the problem?
- What should you do about it?
Is there a problem?
So, you've got other priorities that prevent you from assessing and managing information security risks related to your vendor/third-party relationships. The fact that you have other priorities isn't a problem; it's reality. The fact that you may not be prioritizing third-party information security risk management, or that you may not be prioritizing it high enough, could be a big problem.
Inherently, I know two things when it comes to third-party information security risk management:
- Nobody cares about the security of my information more than I do.
- Third parties are the cause (directly or indirectly) of most known data breaches.
Nobody cares about the security of my information more than I do.
You know this is true, right? You spend thousands of hours and many dollars trying to implement and manage good security controls within your organization. You've developed sound policies, worked tirelessly to make sure people are trained and aware of good security practices, and spent thousands (maybe millions) on expensive technological controls like firewalls, intrusion prevention, data loss prevention, endpoint protection, and on and on.
You use third parties to provide certain services to your organization. Maybe printing, maybe hosting, maybe IT support, who knows? Do you think the third parties you use have spent the same amount of effort in protecting your information? Is assuming they're protecting your information the same way you are good enough? Play it out. Stay with me on the logic here.
We know that no matter what we do, we cannot possibly prevent all bad things from happening. We cannot eliminate risk, but risk elimination isn’t the goal anyway. Risk management is the goal and it’s the only thing that’s even remotely attainable.
Let's say a vendor loses your information (this is more likely than you know; read the next section). Or, let's say that an attacker gains access to your information through some sort of access that you've granted the vendor. What happens next?
You conduct an investigation. Maybe there are lawyers involved. Maybe there's customer data involved. Maybe you're not sure. One thing is for certain: somebody isn't going to be happy. When the right (or wrong) somebody isn't happy, somebody else needs to pay. The unhappy "somebody" might be a customer or group of customers, a government regulator, or the board of directors. The unhappy "somebody" might be all of the above.
The unhappy somebody is going to want answers. What answers do you think they’re going to want? They’ll want answers to questions like:
- Did you know that your vendor was doing x, y, and z?
- Did you ask how the vendor was protecting our information?
- What sorts of questions did you ask the vendor about protection?
The quality of your answers will often dictate what and how much you'll have to pay. No answers or bad answers will cost you more. Somebody almost always pays when something bad happens; the degree to which they pay will largely depend on what answers they have to defend themselves. This, in a nutshell, is defensibility.
Can ignorance be defensible, claiming you didn't know any better? The short answer is "no". The reason is outlined in the next section.
Third parties are the cause (directly or indirectly) of most known data breaches.
Soha Third-Party Advisory Group conducted a study (Source: http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm) last year that concluded the following: "third parties cause or are implicated in 63 percent of all data breaches." You might be skeptical of this number, but the Soha Third-Party Advisory Group consists of some heavy-hitters in our industry: security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec. I didn't write the study, but I believe that many of the findings represent the truth.
Can you claim you didn’t know better? When you’re tasked with answering the inevitable questions that are coming your way after a breach, do you really think you can claim you didn’t know?
Compounding the problem of using ignorance as a defense are the following facts:
Third-party data breaches are on the rise, at least in the United States. A study by Opus concluded the “percentage of companies that faced a data breach because of a vendor or third party was higher at 61 percent, which is up 5 percent from last year and 12 percent from 2016”. (Source: https://www.pymnts.com/news/security-and-risk/2018/third-party-data-breaches-cybersecurity-risk/)
A study conducted by Kaspersky Lab concluded that the costliest data breaches are those that involve a third party, especially for small to medium-sized businesses (SMBs). (Source: https://mobile.itbusinessedge.com/blogs/data-security/breaches-from-third-parties-are-the-costliest.html)
Do you need more justification for re-prioritizing third-party information security risk management? Maybe you run a security program based on compliance, only doing what you've been told to do. This isn't a good idea, because information security is about risk management, not compliance, but let's say it's the way you do things anyway. Compliance is king. What if I told you that regulators and examiners are aware of the risks, and that they read the same news we do? They are increasing the pressure around third-party information security risk management, and they're losing patience with organizations that haven't taken the risk seriously. It's better to get ahead of this curve now.
Back to our original question: Is there a problem with NOT doing third-party information security risk management? My opinion, using the logic we've outlined together, is "yes". There is definitely a problem with you NOT doing third-party information security risk management.
Are you convinced that you need a third-party information security risk management solution? If so, let’s figure out the right solution. If not, we’ll still be here to help when you become convinced. I promise.
How big of a problem is it?
Our next question was how big of a problem is it, meaning how pervasive is the third-party information security risk management problem in our industry? I promise to provide a short answer.
At a macro level, relying on my unscientific observations from working with (up to 1,000) clients and discussions with other information security professionals, I would estimate that as many as 90% of companies ranging in size from 20 to 30,000 employees do not have a third-party information security risk management program of any substance (or formality).
The problem is big in our industry. However, I would caution against using this as justification for not having your own program. The herd mentality seems to be less and less defensible too.
Our last question: what should you do about it?
What should you do about it?
For your own good, hopefully I've convinced you that doing nothing, or deferring this issue until it becomes a higher priority, is not a good option. If not, as I stated previously, we will be here for you when you change your mind.
A well-designed third-party information security risk management program fits the following characteristics:
- It’s not disruptive to the business. After all, your business is in business to make money (and/or serve a mission). If information security gets in the way, you’ve got problems.
- It’s measurable in a way that you can show progress. Going from nothing, or next to nothing, to a fully implemented third-party information security risk management program is not feasible or encouraged. A solution that allows for gradual adoption over time is the right way to go.
- It doesn't take shortcuts. The definition of information security accounts for administrative, physical, and technical controls. Only accounting for technical controls isn't going to cut it, especially when we consider the fact that your most significant risk is people.
- It's organized, standardized, and repeatable. These things make your program scalable and usable. The way to accomplish this is to automate all parts of the program that can be automated, without taking shortcuts.
- It's intuitive, easy to use, and easy to understand. Third-party information security risk management shouldn't be rocket science. A well-designed third-party information security risk management solution should be logical, so much so that you don't need vast amounts of experience and expertise to run it.
We specifically designed SecurityStudio to fit all the criteria necessary in a best-in-class third-party information security risk management platform. We did so by drawing on more than 100 combined years of information security experience, and at a reasonable price that doesn't unnecessarily take away from your other competing information security priorities.
I invite you to speak to a SecurityStudio representative about how SecurityStudio will work for you. Schedule a demo too while you’re at it!