Posted on Oct 8, 2015
Vendor Risk Management (VRM) is stuck in tradition, leaving it far behind the security risks and challenges of today. While organizations are using more vendors and exposing themselves to higher risk, they are largely still relying on periodic onsite assessments, questionnaires, and point-in-time penetration tests to assess their vendors' risk. While these methods are still useful, new developments in vendor risk management technology can stand up to the modern challenges of the discipline. In this blog post, we'll show you how new technologies can dramatically improve a VRM program.
Over 50% of professionals surveyed in the Ponemon Institute's 'Tone at the Top' study on Third Party Risk Management believe that big data analytics and mobile devices will have a significant impact on third party risk, and over 70% believe the same of the Internet of Things (IoT) and cloud computing. PWC's 2016 Global State of Information Security Survey also noted that attacks have increased on mobile devices, embedded systems, consumer technologies, and operational systems.
With this increase in attack surface, device usage, and new areas of risk to keep track of, vendor risk management has a lot of room left for improvement. In the Ponemon Institute survey mentioned above, only 29% of respondents have a formal program in place, only 21% would rate their ability to mitigate third party risk at 7 or higher on a 10-point scale, and only 17% know what high-value assets are in the hands of third parties.
Attackers are taking advantage of new technologies, but vendor risk managers can also use technology to their own benefit, making vendor risk management more accurate and more reliable.
As time passes, boards of directors and C-level executives will continue to treat cybersecurity as a growing priority and will look to the VRM department for answers. PWC's Global Economic Crime Survey of 2016 reports that 88% of CEOs are concerned about cybersecurity and that 45% of boards participate in the overall security strategy, a number that is increasing year over year. A Deloitte 2016 study on Vendor Risk Management also noted that the finance and healthcare industries were the most likely to consistently and periodically feature third party risk on the board agenda.
The issues with common vendor risk management programs are clear. They aren't very effective at mitigating risk, they don't provide enough of the right kind of information, and stakeholders expect better results from them. Leveraging new technologies and tools is one of the major ways vendor risk managers can improve their programs.
There are a number of technologies aimed at improving a vendor risk program (including ours), and many come with benefits including the following.
Many VRM technologies offer a variety of data points that VRM teams can use to assess potential or incoming vendors. Depending on the data and metrics available, KPIs and KRIs can be set for specific vendors, varied by how risk-critical each vendor is and what specific services it provides.
With new technologies in use for vendor risk management, it becomes possible to hold critical, high-risk, moderate-risk, and low-risk vendors to consistent standards. This benefit pays off in the long run, since any new vendor can be held to the same standards, allowing a stronger, standardized risk assessment process to take place.
Continuous security monitoring that complements regularly scheduled assessment methods is becoming an increasing priority for most security standards, including the OCC. New technologies allow you to monitor and assess your most critical and high-risk vendors, so that you can evaluate a vendor's security at any time and have more information should a vendor suffer a data breach.
While new technologies require an onboarding and training period for new users, the automated processes they provide deliver a large time saving, and potentially a cost saving, in the long run.
VRM teams also gain the ability to operate a 'trust but verify' security model, validating the security posture a vendor reports or states in a returned questionnaire. And if any high-risk issues surface, you can verify the remediation efforts made by your vendor and confirm that its security has actually improved.
The efficiency and cost-saving benefits of these tools and technologies allow VRM teams to extend the reach of their vendor risk assessments. Security assessments no longer have to be limited to critical vendors only, and stronger due diligence can take place when potential vendors first come under discussion. Other departments, such as supply chain managers and the M&A team, can also take advantage of these security assessments.
CEOs and boards of directors interested in the performance and results of a VRM program can receive reports and metrics that clearly communicate how effective the VRM department is.
New technologies should not be ignored when it comes to improving vendor risk management. If you're interested in the other ways technology is changing how vendors are assessed, register for our live webinar co-hosted with Forrester here.