How to Build a Vendor Risk Management Program
Time to update your vendor risk management program? In this article, Graeme Payne, Kudelski Security’s practice leader for strategy, risk, and compliance, covers the four essential areas for consideration in building a robust VRM program.
Table of contents
- Objectives of a Vendor Risk Management Program
- Identifying Risks within Your Vendor Landscape
- Evaluating and Monitoring Vendors for Risk
- Integrating Vendor Risk Management into Incident Response
- Measuring and Reporting on Vendor Risk to the Board
Objectives of a Vendor Risk Management Program
You may have a grasp on your own organization’s security with good data and threat visibility, but beyond your environment, you are blind.
You have limited control over the security measures taken by external service providers, IT vendors, and related third parties. Their vulnerabilities become your vulnerabilities. Any breach they experience becomes a potential breach of your environment, too.
In short, their risk is yours.
If it’s just a question of a few vendors, you may be able to surface, assess, and mitigate their risks. But most businesses have a vendor list that can reach thousands — from parts suppliers, cloud solutions providers, and law firms to call centers, consultants, and human resource benefit providers. The list of data they potentially have access to is equally long — from trade secrets and IP to personal data and company policies.
All this is at risk if your vendors do not have adequate security and privacy protections in place.
So, how should you, as a security leader, design, establish, and maintain a vendor risk management program that will help you sleep better at night? You start with the following objectives:
- Identify the cybersecurity risks within the supply chain and business vendor landscape.
- Continuously evaluate and monitor the effectiveness of vendors in managing cybersecurity risk to an acceptable level.
- Provide a mechanism to respond to a vendor’s security failures that impact your business.
- Provide awareness to senior management and the board regarding vendor risks.
As you consider these objectives, build out your vendor risk management program based on industry best practices. The following best practices should be considered as you design your program.
Identifying Risks within Your Vendor Landscape
Identifying risks within your supply chain and business vendor landscape starts with building an inventory of vendors and placing them into risk tiers. A good place to start is your vendor master within the organization’s accounts payable system. This will identify all the vendors that you are paying for goods and services.
Once you have the inventory, you can place them in risk tiers. Your risk modeling approach should consider:
- the type of data accessed by the vendor,
- the criticality of the vendor to your business process,
- the connectivity of the vendor to your data, systems, and networks,
- and any recently observed experiences with the vendor.
Creating risk tiers will allow you to build a program that is responsive to the risk in each tier and to focus your limited resources on the areas of greatest risk.
As you build your vendor risk program, you should work closely with procurement, legal, and other functions. Your cybersecurity vendor risk program should integrate with your organization’s vendor lifecycle processes as follows:
- Identification of new vendors. Security requirements should be defined and utilized in new vendor identification.
- Selection, negotiation, and contracting should include security and privacy protections in contracts.
- Onboarding and implementation should include appropriate security review, and termination processes should ensure destruction or removal of sensitive data.
With strong collaboration across functions, a more unified vendor risk program can be implemented that addresses all key risk areas, including financial viability, safety, and legal compliance.
Evaluating and Monitoring Vendors for Risk
There are many approaches to evaluating and monitoring vendors. Popular techniques to evaluate how vendors are addressing their cybersecurity risk include:
- surveys and questionnaires
- review of third-party audits and certifications
- onsite visits
- technical testing
- continuous monitoring
As you design your program, include flexibility in your approach to evaluating and monitoring vendors. A risk-based approach should be used to determine the extent and frequency of evaluation. Higher risk vendors will need higher levels of assurance such as completion of security questionnaires, onsite visits or audits, security certification, or ongoing intelligence monitoring. Lower risk vendors might need to complete a simplified questionnaire or be subject to less frequent review.
| Evaluating High-Risk Vendors | Evaluating Low-Risk Vendors |
|---|---|
| Security questionnaires, onsite visits or audits, security certification, ongoing intelligence monitoring | Simplified questionnaire, less frequent review |
Also be reasonable in what you expect from vendors. Don’t ask for information that you are not using to evaluate risk. Far too many vendor questionnaires request data that is never used in the risk management process.
Your vendor risk program should use automation to help efficiently manage many of the vendor risk processes. Over the last several years there has been a significant growth in the number of tools that can help automate aspects of your vendor risk management program. Gartner now tracks this as a separate category of software.
Many of the integrated risk management or governance, risk, and compliance tools provide third-party risk management modules. There are also many solutions that just focus on vendor risk. Most of these solutions now run on a software-as-a-service model.
Many include the ingestion of intelligence about a vendor’s cybersecurity profiles, financial condition, and business conduct to complement other frequently used evaluation methods (such as security questionnaires and onsite visits). Integration with procurement, ERP, and service management tools is also becoming commonplace.
Vendor risk management is still a relatively new field and continues to evolve. VRM-as-a-service offerings are emerging to help offload some of the “heavy lifting” in managing a vendor risk program. Several exchanges and shared assessment programs are now in place to reduce the burden on vendors completing literally hundreds of questionnaires. Security certification programs are gaining more prominence as vendors seek to provide assurance that their security programs meet acceptable industry standards.
Integrating Vendor Risk Management into Incident Response
When a vendor suffers a data breach or significant security incident, your business may also be impacted. Your program design should integrate vendor risk management into your incident response process.
Studies indicate that 60% of data breaches involve a third party. Your vendor cybersecurity requirements should stipulate how soon you should be notified of a potential security breach or incident. Your incident response playbooks should address the actions your incident response team should take when a vendor incident occurs. Critical vendors should be included in your incident response tabletops and simulations.
Measuring and Reporting on Vendor Risk to the Board
Boards of directors are increasingly asking security leaders about third-party risks. Your program should include dashboards and metrics that measure and report on third-party risk.
Senior leaders and governance boards want to know how third-party risk is being addressed. Your program should capture and report on key metrics such as:
- percentage of vendors included in the program
- percentage of higher risk vendors evaluated or under continuous monitoring
- exception rates
- reduction of risk achieved
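The tiering model described under "Identifying Risks within Your Vendor Landscape" and the four board metrics listed above can be exercised together on a small inventory. The following is an added example written for this article, not Kudelski Security's tooling or any product's API: it scores each vendor on the four factors the article names (data accessed, criticality, connectivity, recent experience), assigns a tier, maps the tier to the assurance level the article describes, and computes the four reporting metrics. The ordinal scales, weights, tier thresholds, review cadence, and the vendors themselves are constructed assumptions.

```python
"""Vendor risk tiering and board-level metrics over a constructed inventory.

Added illustration for the article; not Kudelski Security's tooling. The factor
scales, weights, tier thresholds, review cadence and sample vendors are all
assumptions made for this example.
"""
from dataclasses import dataclass

# Ordinal scales for the four factors the article names (assumed values).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "personal": 2, "trade_secret": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2}
CONNECTIVITY = {"none": 0, "sftp_exchange": 1, "api": 2, "network_access": 3}
RECENT_ISSUES = {"none": 0, "minor": 1, "incident": 2}


@dataclass
class Vendor:
    name: str
    data: str            # most sensitive data class the vendor handles
    criticality: str     # importance to the business process it supports
    connectivity: str    # how the vendor reaches your data/systems/network
    recent_issues: str   # recently observed experience with the vendor
    in_program: bool = False   # enrolled in the VRM program at all
    evaluated: bool = False    # questionnaire/audit completed this cycle
    monitored: bool = False    # under continuous intelligence monitoring
    exception: bool = False    # operating under an approved risk exception


def risk_score(v: Vendor) -> int:
    """Weighted sum of the four factors; data sensitivity weighs most.
    Maximum is 3*3 + 2*2 + 2*3 + 1*2 = 21 (weights are assumptions)."""
    return (3 * DATA_SENSITIVITY[v.data]
            + 2 * CRITICALITY[v.criticality]
            + 2 * CONNECTIVITY[v.connectivity]
            + 1 * RECENT_ISSUES[v.recent_issues])


def risk_tier(v: Vendor) -> str:
    """Map the score onto three tiers (thresholds are assumptions)."""
    s = risk_score(v)
    if s >= 12:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


# Assurance expected per tier, following the article's high/low split;
# the review cadence in months is an assumption.
ASSURANCE = {
    "high": (["full questionnaire", "onsite visit or audit",
              "security certification", "continuous monitoring"], 12),
    "medium": (["full questionnaire", "certification review"], 24),
    "low": (["simplified questionnaire"], 36),
}


def required_assurance(v: Vendor) -> tuple[list[str], int]:
    """Evaluation methods and review interval (months) for the vendor's tier."""
    return ASSURANCE[risk_tier(v)]


def board_metrics(vendors: list[Vendor], prior_scores: dict[str, int]) -> dict[str, float]:
    """The four metrics the article asks security leaders to report.
    prior_scores holds last cycle's score per vendor name; vendors absent
    from it are treated as unchanged."""
    total = len(vendors)
    high = [v for v in vendors if risk_tier(v) == "high"]
    high_covered = sum(1 for v in high if v.evaluated or v.monitored)
    current_total = sum(risk_score(v) for v in vendors)
    prior_total = sum(prior_scores.get(v.name, risk_score(v)) for v in vendors)
    return {
        "pct_vendors_in_program": round(100 * sum(v.in_program for v in vendors) / total, 1),
        "pct_high_risk_covered": round(100 * high_covered / len(high), 1) if high else 0.0,
        "exception_rate_pct": round(100 * sum(v.exception for v in vendors) / total, 1),
        "risk_reduction_pct": (round(100 * (prior_total - current_total) / prior_total, 1)
                               if prior_total else 0.0),
    }


# Constructed sample inventory, as if pulled from the accounts payable vendor master.
INVENTORY = [
    Vendor("cloud-iam-provider", "trade_secret", "high", "network_access", "none",
           in_program=True, evaluated=True, monitored=True),
    Vendor("outside-counsel", "trade_secret", "medium", "sftp_exchange", "none",
           in_program=True, evaluated=True),
    Vendor("hr-benefits-portal", "personal", "medium", "api", "minor",
           in_program=True, monitored=True, exception=True),
    Vendor("call-center", "personal", "high", "network_access", "incident",
           in_program=True),
    Vendor("marketing-agency", "internal", "medium", "api", "none",
           in_program=True, evaluated=True),
    Vendor("parts-supplier", "internal", "medium", "none", "none"),
    Vendor("it-consultant", "internal", "low", "sftp_exchange", "none", in_program=True),
    Vendor("office-catering", "public", "low", "none", "none"),
]

# Constructed scores from the previous review cycle for vendors whose risk changed.
PRIOR_SCORES = {"call-center": 20, "hr-benefits-portal": 15, "marketing-agency": 11}

if __name__ == "__main__":
    for v in INVENTORY:
        methods, months = required_assurance(v)
        print(f"{v.name:20} score={risk_score(v):2} tier={risk_tier(v):6} "
              f"every {months} months: {', '.join(methods)}")
    print(board_metrics(INVENTORY, PRIOR_SCORES))
```

The point of the example is that the tier, not the vendor's size or spend, drives how much assurance you ask for: the call center, which holds personal data, has network access and a recent incident, lands in the high tier with no evaluation or monitoring yet, and that gap shows up directly in the "high-risk vendors covered" metric a board would see.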
As a security leader, you need to develop and continuously evolve your vendor risk management program. Just like most things in cybersecurity, this is not a “one and done effort”.
- Continue to find ways to build in more continuous monitoring and alerting to augment your periodic reviews.
- Monitor your coverage and third-party risk profile over time, and periodically refer to your objectives and validate your program is appropriately focused and resourced.
- Keep senior management and the board updated on vendor risk. Ask yourself: “Do I know who my high-risk vendors are, and am I comfortable with the cyber risk we are accepting?” If the answer is “no”, it is time to update your vendor risk program.
To hear Graeme discuss more vendor risk management questions, register for our on-demand webinar.