Spend Wisely On Your Vendor Security Risk Management Resources (Part 1 of the VRM Series)

Posted on May 22, 2018

The vendor risk management (VRM) process is broken. 

Vendor security risk management continuously evaluates and monitors third parties to ensure they align with an organization’s security requirements, while holding them accountable for remediating weaknesses. Most companies don’t have a comprehensive risk and compliance review process in place, and for those that do, it doesn’t keep pace with the rate at which new threats and exploits are being discovered. A Deloitte study found that 20.6% of respondents have experienced a breach of sensitive customer data resulting from third-party actions.

Seventy-eight percent of respondents to a Ponemon Institute study on third-party risk say that cyber attacks will have a significant impact on a third party’s risk profile, and 76% say that IoT will also have a significant impact. Because of these new technologies, current vendor security risk management processes are not equipped to handle the growing demand for security risk assessments of new and existing vendors.

The same Deloitte study referenced earlier reports that 45% of respondents identify flexibility and scalability as the strongest value-driver for VRM. Having a due diligence process is essential for mitigating third party cyber risk and ensures you’re not exposed to unknown risks through your vendors.

However, one of the major challenges in vendor security risk management is differentiating the levels of risk among vendors when delegating assessments. In the Shared Assessments 2015 Vendor Risk Management Benchmark Study, the Vendor Risk Identification and Analysis maturity category showed no improvement from 2014 to 2015: the grade remained the same, 2.7 on a 5.0 scale.

In this 3-part series, we’ll show you how to improve your VRM process, starting with identifying the level of risk for each vendor and accurately prioritizing vendor/supplier verification audits (such as continuous monitoring and penetration tests), and finishing with how to establish insight into fourth-party risk.

Vendor Security Risk Management doesn’t have to be broken – here’s what you can do

In this 3-part series, we’ll show you how to improve your vendor risk management process. We’ll cover:

  1. How to Improve Your Vendor Risk Management: Start with an audit of known risks and vendors
  2. Replace Point-In-Time Third Party Vendor Risk Assessments with Continuous Monitoring
  3. How to Establish Fourth Party Insight to Know Your Vendor's Real Risk

PART 1: How to Improve Your Vendor Risk Management: Start with an audit

Let’s define our terms. VRM, also called vendor security risk management, is an ongoing process of ensuring that information technology service providers don’t create an unacceptable risk of disrupting the business. Breaking that down:

  • Ongoing – VRM isn’t a one-time task you cross off the list
  • Process – You develop and use a structured approach, not a series of inconsistent, ad hoc assessments
  • Unacceptable Risk – Risk is expensive to eliminate completely; VRM should enable you to determine how much damage a risk may pose, then invest in prevention proportionately to the threat

The risk assessment starts with identifying the level of cyber security risk for each vendor and accurately prioritizing them. This should include vendor/supplier verification audits such as on-site assessments and penetration tests.

Step 1: Identify and Analyze your Specific Security Risk Factors

In a PwC viewpoint report on Third Party Risk Management, it’s recommended to understand “which vendors and services are within scope from an active risk management perspective” to more efficiently assign risk assessment methods by necessity.

Not all cyber security risks are critical to your company. Depending on your industry, you need to first identify potential risks specific to your company and then tier them into low, medium, or critical risk buckets. This will help you prioritize vital cyber security risks, ensuring you assess vendors based on the most important criteria to your organization. (This also helps keep you from falling into the trap of focusing on what’s easy to measure instead of what’s actually important.)

A good risk management framework is to consider the following:

If a third party security breach occurs, what discovered information can cause the most harm? For example:

  • Proprietary information
  • Customer’s financial information
  • Employee’s PII
  • Other third party data
  • Financially and strategically relevant information

These cyber security risk factors need to be specific to the kinds of interactions and dependencies your vendors have. In order to properly tier these risks, think of potential consequences. Will there be:

  • Reputational damages?
  • Financial penalties or costs?
  • Litigation possibilities?
  • Negative shareholder reactions?

This risk identification and analysis will give you a comprehensive look into your own risk factors. Now you can move onto managing vendors.

Step 2: Assign Tiered Cyber Security Risk Factors to Your Vendors

In the same way that you defined risks specific to your company, you should do your due diligence by performing a vendor risk assessment. Here are some vendor management questions you can review:

  • Do they have access to your employee or customer data?
  • Will they implement systems within your networks?
  • Will their third parties or subcontractors interact with your information?
  • Do they handle credit card transactions? If so, PCI compliance is necessary.

After defining your vendor’s service risks, rank those security risks by criticality. The Deloitte study we mentioned earlier provides a 5-factor scale – minor, low, moderate, high, and critical. Having tiers gives you a standardized method for assessing and prioritizing current vendors and any new vendors in the future.

Understanding how vendor service security risks align with your pre-defined risk factors is a major step in improving and updating your vendor risk management process.

By differentiating the risks critical to your company and your vendor’s risks, you’re now able to confidently define your high, medium, and low-risk vendors. This will allow you to make the most impact with your supplier verification budget by delegating assessments to the most critical vendors first.

Step 3: Map Assessments to Your High Risk Vendors

First take your assessment methods and segment them by the amount of resources necessary to perform the assessment. The three most important resources to consider are:

  1. Financial cost
  2. Time invested
  3. Employees needed

High-resource methods such as on-site assessments are costly, need multiple employees to be on site, and take time to produce results. You should reserve these methods for high-risk vendors only. For other vendors, you can use assessments that require fewer resources, such as questionnaires or vendor self-assessments.

After you’ve tiered your vendors and critical risks, you can begin mapping risk assessments to your vendors. This ensures you’re paying the right amount of attention to the vendors that are most relevant and most likely to impact you negatively should a cyber security breach occur.

This flexible and scalable framework can be applied to all existing and incoming vendors, optimizing your resources while mitigating your vendor risk. And it lets you tailor your security requirements to the actual threat level of each risk.

Tip for SecurityScorecard customers: To help prioritize assessments and dedicate resources to high risk and critical vendors in your ecosystem, sort your vendor portfolio by security rating to see vendors with an F, D, or C grade.

Now, read Part 2 in the VRM series: Moving Past Point-in-Time Assessments
