Got a vendor risk management strategy defined? Need help? You’re not alone.
People are not inherently good at defining strategies. This is a problem. The problem is worse when considering information security strategy, and worse still when considering vendor (and third-party) security risk management strategy. These assertions come from observations made over more than 25 years, working with a wide variety of organizations.
If you engage in vendor risk management activities, you should have a strategy defined. If you don’t have a strategy, then you’re going to be less effective in achieving anything meaningful to the organization.
This article is dedicated to helping you define an effective vendor security risk management strategy. An effective strategy will help you achieve your organization’s goals with measurable results.
Rule of Thumb: The larger the effort, the more important the strategy. In terms of vendor risk management:
- More vendors = more important.
- More people involved in vendor management = more important.
Now, let’s define a basic strategy together.
Start with why.
Strategies start with why. If yours doesn’t, it’s probably not a good strategy.
Another word for why is purpose. I prefer why because it seems that people can relate to it better. I think this is because they can keep asking themselves why for every piece, part, and process in whatever it is we’re trying to accomplish.
Simple question. Why are you doing, or thinking about doing, vendor security risk management? If you don’t know the answer to this, then you have no “why”. If you struggle with your “why”, look at some of these common ones, and consider them when developing yours:
- We want to manage vendor security risk well.
- We have to do it because our regulator told us we had to.
- We want to be defensible, meaning to be able to defend ourselves in court when/if a vendor-related breach occurs.
- Everybody else is doing it, so we should do it too.
- We suffered from a vendor-related security breach in the past, and we don’t want it to happen again.
I’ll tell you our why, where I work. We believe that managing risk is core to the definition of information security. We can’t manage information security without managing risk. Vendors pose a risk to the security of our information, so managing risk must include vendors; therefore, vendor security risk management is core to our security program.
There it is; we do vendor security risk management because we believe that it is core to our security program.
You can have more than one why, and I actually encourage it. The more you have, the more focus it can bring. Now, document your why. Document it so you don’t forget it, so you can share it with others, and so you can make sure other parts of your strategy align with it.
Our goals are set by what we define as success.
Goals must be…
- Associated with some function of time (timeline, timeframe, deadline, etc.).
- Aligned with our why.
Think of the ways you can set measurable goals on a timeline that enables your why to be adequately supported. Your why may be different from ours, but I’ll use us as an example again. We’ll use SecurityStudio in our example. Not only do we sell SecurityStudio, but we certainly use it too!
We believe that vendor security risk management is core to our security program.
To support our vendor security risk management efforts, we have defined the following goals:
- 100% of all vendors will be inventoried in a central repository by 3/1/2019.
- 100% of all vendors will be classified according to inherent risk (sometimes called “impact”) by 6/1/2019.
- All high and medium impact vendors will be assessed for residual risk by 1/1/2020.
- Every vendor will be re-classified on an annual basis by the 1st of each year.
- All high impact vendors will have a FISASCORE® of 660 or higher by 6/1/2020; any exceptions must be formally approved by the business unit Vice President.
- All medium impact vendors will have a FISASCORE® of 660 or higher by 6/1/2020; any exceptions must be formally approved by the business unit Vice President.
- At no time will a vendor FISASCORE® of 600 or less be accepted by the organization.
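Because these goals are measurable, they can be checked mechanically against a vendor inventory. The script below is an added illustration, not SecurityStudio code or anything from the original article; the vendor records, field names and dates are constructed for the example, and it encodes the thresholds exactly as the goals state them (660 target for high and medium impact vendors, VP exception allowed between 600 and 660, nothing at 600 or below ever accepted, re-classification due each calendar year).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TARGET_SCORE = 660   # high/medium impact vendors must reach this (goal 5 and 6)
HARD_FLOOR = 600     # a score of 600 or less is never accepted (goal 7)

@dataclass
class Vendor:
    name: str
    impact: Optional[str]           # "high", "medium", "low", or None if not yet classified
    classified_on: Optional[date]   # date of the last inherent-risk classification
    residual_assessed: bool         # has a residual-risk assessment been completed
    score: Optional[int]            # FISASCORE, None if not assessed
    vp_exception: bool = False      # exception formally approved by the business unit VP

def evaluate(v: Vendor, today: date) -> List[str]:
    """Return the goal violations for one vendor; an empty list means on track."""
    issues = []
    if v.impact is None or v.classified_on is None:
        issues.append("not classified for inherent risk")
    elif v.classified_on.year < today.year:
        issues.append("annual re-classification overdue")
    if v.impact in ("high", "medium"):
        if not v.residual_assessed or v.score is None:
            issues.append("residual risk not assessed")
        elif v.score <= HARD_FLOOR:
            issues.append(f"score {v.score} is at or below hard floor {HARD_FLOOR}")
        elif v.score < TARGET_SCORE and not v.vp_exception:
            issues.append(f"score {v.score} below {TARGET_SCORE} without VP exception")
    return issues

def report(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map each vendor name to its list of violations for the given review date."""
    return {v.name: evaluate(v, today) for v in vendors}

# Constructed sample inventory (hypothetical vendors and scores).
SAMPLE = [
    Vendor("Alpha Hosting", "high", date(2020, 1, 15), True, 702),
    Vendor("Beta Payroll", "medium", date(2020, 1, 3), True, 630),   # needs an exception
    Vendor("Gamma Analytics", "high", date(2020, 1, 3), True, 640, vp_exception=True),
    Vendor("Delta Print", "low", date(2019, 12, 2), False, None),    # stale classification
    Vendor("Epsilon Backup", "high", date(2020, 2, 1), True, 590),   # below the hard floor
    Vendor("Zeta Catering", None, None, False, None),                # never classified
]

if __name__ == "__main__":
    for name, issues in report(SAMPLE, date(2020, 6, 1)).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```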
Now this is where the rubber meets the road. A strategy is worthless if it can’t be enacted or executed against. How will we accomplish our goals? In order to achieve the goals that we’ve set, we’re probably going to need something, or maybe a lot of somethings.
Obviously, one of the things that we leverage is SecurityStudio. If you don’t use SecurityStudio, you can either choose to use it, or you’ll need to find something else. If you’re unsure of SecurityStudio and/or how to implement it, schedule a demo with us today. Whatever you use, it must allow you to accomplish all of your goals. SecurityStudio is one thing, but you’re going to need more. You’ll also need (at a minimum):
- A policy. See our previous article about developing and using a vendor security risk management policy (/blog/vendor-risk-management-policy/). There’s even a free policy template there.
- Personnel (or time). Somebody will need to do the work. SecurityStudio takes all of the dirty work out of the way, but there still needs to be some involvement. We have a vendor risk management ROI calculator (/roi/) if you’re interested in how much time and money is saved when you use SecurityStudio versus manual processes.
- Training. The people who will be involved with vendor risk management are going to require some training. SecurityStudio is simple to use, but it’s still good to do some brief training anyway.
- Procedures. Step-by-step guidance will ensure that the same thing is done every time. This gives us the ability to tweak things and make things more efficient.
- Budget. Everything costs money nowadays, hard and soft dollars.
That does it for the how. Now combine the high-level how information into your strategy, and give everything a sanity check. Does everything fit, or do you need to adjust? I’ve gone through this same exercise with large companies, and it’s not uncommon to revisit all, or part, of the strategy many times before you nail it.
Good luck! If you need help, contact us (/contact/)!