Vendor Risk Management Best Practices


Vendor Risk Management (VRM) best practices conjure up all manner of interpretation. As a business leader, I’m concerned with all aspects:

  1. Are my vendors financially stable enough to fulfill our agreements?
  2. Are my vendors operationally capable of fulfilling our SLAs and contractual requirements?
  3. Are my vendors doing enough to protect the data I’m sharing with them?

Numbers one and two are easy to measure and offer a mathematically sound position by which vendors may be held accountable. Number three scares me.

What are we to do in the face of daily news, very public and embarrassing news, of vendors’ indiscretions leading to the breach of sensitive information? More questions lead to more questions and on and on it goes.

For a company on the rise, with an ever-growing number of vendors and third parties in its ecosystem, the need to do due diligence on data protection is ever increasing. Here’s the thing – it doesn’t have to be technical or out of reach if you’re not a technically-minded person. Understanding risk is the lynchpin to the process.

Defensible Position

Defensible position is the mantra of VRM. Say it with me – “Defensible Position.”

Start here – put ALL of your vendors through the same wringer. When doomsday (a breach) happens, the only defense you have is that a process was followed and that exceptions to that process were minimal and for a VERY good reason.

Example:

  • Jerry’s lawn service handles landscaping services for your business. Jerry and his team never set foot in your office; they just mow the lawn and keep the flowers alive. Still, Jerry should be able to withstand a brief questioning of the nature of your relationship, be filed under the “low risk” designation, and be put into a queue to review in a year. If, by next year, Jerry is also providing maintenance services INSIDE your building, you should ask more questions because Jerry and his team may have physical access to information they didn’t have before. Make sense?

Jerry’s likely not a risk if he’s outside your doors. He’s a potential HUGE risk once he has access to the office. Keep an eye on that with a standard process to reevaluate all vendors like Jerry on (at least) an annual basis.

Assess

Once you’ve put your vendors through the “smell test” of risk (officially called ‘classification’), move on to assessing whether or not they are doing the right things with their access to your information. There are a number of ways to do this, but in the interest of being in a DEFENSIBLE POSITION, make sure all vendors of a particular classification (high, medium, critical, etc.) get the same assessment.

Lawyers love words like “assume, thought, maybe, about, approximately, etc.” so eliminate that possibility. By measuring your vendors with the same ruler, you take subjectivity out of the equation. Starting to see the advantage, here?

  1. You cannot protect yourself from the breach. There, I said it. The skill and nature of the “bad guys” are such that total immunity is impossible. Accept that and move on to managing the risk of the situation. What is the likelihood of a breach? How bad would it be if you were breached? If you don’t have the math to lean on for answers to those questions, your VRM (and overall security strategy) is inadequate. Period.

Five years ago, achieving a well-measured VRM program was incredibly expensive and often reliant on specialized expertise that was in increasingly short supply. Times have changed and there are options out there that have real effectiveness, such as SecurityStudio, which automates the process and puts you in a defensible position.

So, now you’re in a defensible position and at least feel good that you’re doing what’s expected and being responsible. But, there’s a greater responsibility…

  2. Help your vendors practice better security. You’re in a position to help the organizations who wouldn’t naturally care about security. Help them put the basics in place to better protect themselves and you. VRM is a GREAT way to lead your suppliers to best practices while also protecting yourself in a more effective way. It costs you nothing and has (potentially) enormous benefits.

The soapbox is officially unattended. To recap…

  1. Get all of your vendors in a common process.
  2. Rank your vendors according to the same criteria.
  3. Assess your vendors’ security and get some math around their risk to you.
  4. Help your vendors get better – don’t just point out problems and wish them luck.

Please get in touch with me, John Harmon, if you have any questions. There’s a lot of uncertainty and lip-service out there trying to profit from your uncertainty. Lean on people who have the experience and the propensity to serve to help you with VRM, or any other security concerns you have. The good guys are within reach and ready to help.

For an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!
