Vendor security risk management is not easy. It’s often a monotonous combination of spreadsheets, questionnaires, following up with people, and uncertainty. It’s often frustratingly tedious, and it can actually cause otherwise strong information security programs to falter. The best relief is to take a three-step approach to vendor risk management. Simplify. Standardize. Defend.
Managing information security risk amongst a population of vendors and third-parties is a complex problem for most organizations, and therefore most organizations either don’t manage vendor information security risk management at all, or they don’t do it well.
Don’t Manage Vendor Information Security Risk at All
There are five common reasons why organizations don’t manage vendor information security risk:
- They don’t have enough confidence in their own information security program.
- They don’t have experience managing vendor information security risk; where to start or what it’s supposed to look like.
- They don’t know what questions or things that they should inquire about.
- They don’t know who all their vendors are.
- They have other priorities, and don’t get the time to tackle vendor information security risk management.
Question: Why don’t you do vendor information security risk management?
Don’t Manage Vendor Information Security Well
There are five common reasons why organizations don’t manage vendor information security well:
- Their vendor information security risk management program is incomplete; missing vendors, missing parts of information security, incomplete questionnaires, no scoring/comparison, shortcut inherent risk and/or residual risk, etc.
- The vendor information security risk management program is painful to manage.
- The vendor information security risk management is program is disorganized.
- The vendor information security risk management program relies too much on subjectivity or opinion.
- They’re just doing something for the sake of doing something. There’s no commitment to doing it right.
Question: What pains do you experience, or what concerns do you have about your vendor information security risk management approach?
A vendor information security risk management program must be repeatable and standardized. Standardization enables the other two important features (Simplify and Defend). You need to be doing vendor information security risk management first to truly appreciate the value in standardization. A lack of standardization leads to run-away complexity and a program that is not defensible (against litigation, inquiry from regulators, etc.).
Defense comes in two forms:
- Defense against the breach risk posed by your vendors
- Defense against the lawyers, regulators, and angry customers if or when a breach occurs.
Defense from Vendors
We know that no matter what we do, we cannot possibly prevent all breaches from occurring. So, where are breaches most likely to occur? According to a recent study conducted by Soha Systems, 63% of all breaches are attributed to a vendor, directly or indirectly. * It’s hard to deny the fact that a breach occurring through a vendor is one of the most likely breach events. There’s no excuse for ignoring the risks posed by vendors or taking a half-hearted approach to vendor risk.
There are five common mistakes organizations make in assessing risk related to vendors:
- Vendor information security risk management is primarily done to meet a regulatory requirement or to “check the box.”
- Shortcut solutions are implemented to assess and manage information security vendor risk.
- The logic behind the vendor information security risk decisions is not tied to how risk works (inherent risk or residual risk).
- Vendor information security risks are accepted without a clear understanding of the risks or the most effective methods of remediation.
- High (inherent) risk vendor responses are not adequately validated.
Question: Where are there gaps in your vendor information security risk management program?
Defense from the Crowd
We already know that the most likely source of a breach is through a vendor. Even if we do everything that we can to reduce this risk, some risk will remain. When a breach inevitably happens, we need a defense against a whole new breed of attackers. Lawyers, regulators, public opinion, and our own customers become our attackers. They want answers and they want retribution.
Our defense becomes something called due care. Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.
Nobody expects perfection, but everyone should expect due care. Due care is where defensibility lives, and it’s imperative in our vendor information security risk management program. The question becomes, what would an ordinarily prudent or reasonable party do if they knew a vendor breach was eventual? Not accounting for vendor information security risk is indefensible.
For organizations with vendor information security risk management programs, here are some of the most common reasons why they could be less defensible:
- Vendor information security risk decisions are subjective— or opinion-based.
- Seemingly obvious information security risks are not adequately considered.
- The personnel making risk decisions are not qualified to do so.
- Roles and responsibilities for vendor information security risk management are not shared amongst qualified groups or are not formally defined at all.
- The methodology used for vendor information security risk management is not shared by a group outside of your organization, or it is shared by a small group or organizations.
Question: Where is your vendor information security risk management program defensible, and where is it not?
SecurityStudio is the most comprehensive solution to simplify, standardize, and defend. It’s a vendor information security management solution that was built by former vendor risk managers who have walked the walk.
To learn more about how a solution like SecurityStudio can help your vendor information security risk management processes, schedule a demo.