Time to update your vendor risk management program? In this article, Graeme Payne, Kudelski Security’s practice leader for strategy, risk, and compliance, covers the four essential areas for consideration in building a robust VRM.
You may have a grasp on your own organization’s security and have good data and threat visibility, but beyond your environment, you are blind. You have limited control over the security measures taken by external service providers, IT vendors, and related third parties. Their vulnerabilities become your vulnerabilities. Any breach they experience becomes a potential breach of your environment, too.
In short, their risk is yours.
You may be able to surface, assess, and mitigate their risks, if it’s just a question of a few vendors, but most businesses have a vendor list that can reach thousands — from parts suppliers, cloud solutions providers, law firms, to call centers, consultants, and human resource benefit providers. The list of data they potentially have access to is equally long — from trade secrets and IP, to personal data and company policies. All this is at risk if your vendors do not have adequate security and privacy protections in place.
So, how, as a security leader, should you design, establish, and maintain a vendor risk management program that will help you sleep better at night? You start with the following objectives:
- Identify the cybersecurity risks within the supply chain and business vendor landscape
- Continuously evaluate and monitor the effectiveness of vendors in managing cybersecurity risk to an acceptable level
- Provide a mechanism to respond to a vendor’s security failures that impact your business
- Provide awareness to senior management and Board regarding vendor risks
As you consider these objectives, build out your vendor risk management program based on industry best practices. The following best practices should be considered as you design your program:
Identifying risks within your supply chain and business vendor landscape starts with building an inventory of vendors and placing them into risk tiers. A good place to start is your vendor master within the organization’s accounts payable system. This will identify all the vendors that you are paying for goods and services. Once you have the inventory, you can place them in risk tiers. Your risk modeling approach should consider the type of data accessed by the vendor, the criticality of the vendor to your business process, the connectivity of the vendor to your data, systems and networks, and any recently observed experiences with the vendor. Creating risk tiers will allow you to build a program that is responsive to the risk in each tier and to focus your limited resources on the areas of greatest risk.
As you build your vendor risk program, you should work closely with procurement, legal, and other functions. Your cybersecurity vendor risk program should integrate with your organization’s vendor life cycle processes. Security requirements should be defined and utilized in new vendor identification. Selection, negotiation and contracting should include security and privacy protections in contracts- Onboarding and implementation should include appropriate security review, and termination processes should ensure destruction or removal of sensitive data. With strong collaboration across functions a more unified vendor risk program can be implemented that addresses all key risk areas including financial viability, safety, and legal compliance.
There are many approaches to evaluating and monitoring vendors. Popular techniques to evaluate how vendors are addressing their cybersecurity risk include: surveys and questionnaires; review of third-party audits and certifications; onsite visits; technical testing; and continuous monitoring. As you design your program include flexibility in your approach to evaluating and monitoring vendors. A risk-based approach should be used to determine the extent and frequency of evaluation. Higher risk vendors will need higher levels of assurance such as completion of security questionnaires, onsite visits or audits, security certification, or ongoing intelligence monitoring. Lower risk vendors might need to complete a simplified questionnaire or be subject to less frequent review. Also be reasonable in what you expect from vendors; don’t ask for information that you are not using to evaluate risk. Far too many vendor questionnaires request data that is never used in the risk management process.
Your vendor risk program should use automation to help efficiently manage many of the vendor risk processes. Over the last several years there has been a significant growth in the number of tools that can help automate aspects of your vendor risk management program. Gartner now tracks this as a separate category of software. Many of the integrated risk management or governance risk and compliance tools provide third party risk management modules. There are also many solutions that just focus on vendor risk. Most of these solutions now run in a software-as-a-service mode. Many include the ingestion of intelligence about a vendor’s cybersecurity profiles, financial condition, and business conduct to complement other frequently used evaluation methods (such as security questionnaires and onsite visits). Integration with procurement, ERP and service management tools is also becoming common place.
Vendor risk management is still a relatively new field and continues to evolve. VRM-as-a-service offerings are emerging to help offload some of the “heavy lifting” in managing a vendor risk program. Several exchanges and shared assessment programs are now in place to reduce the burden on vendors completing literally hundreds of questionnaires. Security certification programs are gaining more prominence as vendors seeks to provide assurance that their security programs meet acceptable industry standards.
When a vendor suffers a data breach or significant security incident, your business may also be impacted. Your program design should integrate vendor risk management into your incident response process. Studies indicate that 60% of data breaches involve a third party. Your vendor cybersecurity requirements should stipulate how soon you should be notified of a potential security breach or incident. Your incident response playbooks should address the actions your incident response team should take when a vendor incident occurs. Critical vendors should be included in your incident response tabletops and simulations.
Boards of Directors are increasingly asking security leaders about third party risks. Your program should include dashboards and metrics that measure and report on third party risk. Senior leaders and governance boards want to know how third-party risk is being addressed. Your program should capture and report on key metrics such as the percentage of vendors included in the program, the percentage of higher risk vendors evaluated or under continuous monitoring, exception rates, and the reduction of risk achieved.
As a security leader you need to develop and continuously evolve your vendor risk management program. Just like most things on cybersecurity this is not a “one and done effort”. Continue to find ways to build in more continuous monitoring and alerting to augment your periodic reviews. Monitor your coverage and risk profile over time and periodically refer to your objectives and validate your program is appropriately focused and resourced. Keep senior management and the Board updated on vendor risk. Ask yourself: “Do I know who my high-risk vendors are and am I comfortable about the cyber risk we are accepting”? If the answer is “no”, it is time to update your vendor risk program.
Join our webinar on the 21st to hear Graeme discuss your vendor risk management questions. Click here to register.