Posted on May 22, 2018
The vendor risk management (VRM) process is broken.
Vendor security risk management continuously evaluates and monitors third parties to ensure they align with an organization’s security requirements, and holds them accountable for remediating weaknesses. Most companies don’t have a comprehensive risk and compliance review process in place, and for those that do, it doesn’t keep up with the current rate at which threats and exploits are discovered. A Deloitte study found that 20.6% of respondents have experienced a breach of sensitive customer data caused by third-party actions.
Seventy-eight percent of respondents to a Ponemon Institute study on third-party risk say that cyber attacks will have a significant impact on a third party’s risk profile, and 76% say that IoT will also have a significant impact. Because of these new technologies, current vendor security risk management processes are not equipped to handle the growing demand for security risk assessments of new and existing vendors.
The same Deloitte study reports that 45% of respondents identify flexibility and scalability as the strongest value driver for VRM. A due diligence process is essential for mitigating third-party cyber risk and ensures you’re not exposed to unknown risks through your vendors.
However, one of the major challenges in vendor security risk management is differentiating the levels of risk among vendors when delegating assessments. In the Shared Assessments 2015 Vendor Risk Management Benchmark Study, the Vendor Risk Identification and Analysis maturity measure showed no improvement from 2014 to 2015: the grade remained the same, 2.7 on a 5.0 scale.
In this 3-part series, we’ll show you how to improve your VRM process, starting with identifying the level of risk for each vendor and accurately prioritizing vendor/supplier verification audits such as continuous monitoring and penetration tests, as well as establishing insight into fourth-party risk.
A PwC viewpoint report on Third Party Risk Management recommends understanding “which vendors and services are within scope from an active risk management perspective” so that risk assessment methods can be assigned by necessity and more efficiently.
Not all risks are critical to your company. Depending on your industry, you need to first identify potential risks specific to your company and then tier them into low, medium, or critical risk buckets. This will help you prioritize vital security risks, ensuring you assess vendors based on the most important criteria to your organization.
A good starting framework is to ask: if a third-party breach occurs, what compromised information would cause the most harm?
These risk factors need to be specific to the kinds of interactions and dependencies your vendors have. In order to properly tier these risks, think of potential consequences. Will there be:
This risk identification and analysis will give you a comprehensive look into your own risk factors.
Now you can move onto vendors.
In the same way that you defined risks specific to your company, you should define vendor service risks in terms of the type of relationship between your organization and the vendor.
After defining your business associate’s service risks, rank those risks by criticality. The Deloitte study we mentioned earlier provides a 5-factor scale – minor, low, moderate, high, and critical. Having tiers gives you a standardized method for assessing existing vendors and any incoming vendors in the future.
Understanding how vendor service risks align with your pre-defined risk factors is a major step in improving and updating your vendor risk management process. By distinguishing the risks critical to your company from your vendors’ risks, you’re now able to confidently define your high-, medium-, and low-risk vendors. This lets you make the most impact with your supplier verification budget by delegating assessments to the most critical vendors first.
First take your assessment methods and segment them by the amount of resources necessary to perform the assessment. The three most important resources to consider are:
High-resource methods such as onsite assessments are costly, need multiple employees to be onsite, and take time to produce results. You should only reserve these methods for high-risk vendors. For other vendors, you can delegate assessments that require fewer resources, such as questionnaires or vendor self-assessments.
After you’ve tiered your vendors and critical risks, you can begin managing vendor risk by mapping assessments to your vendors. This ensures you’re paying the right amount of attention to the vendors that are most relevant and most likely to impact you negatively should a breach occur.
This flexible and scalable framework can be applied to all existing and incoming vendors, optimizing your resources while mitigating your vendor risk.
Tip for SecurityScorecard customers: To help prioritize assessments and dedicate resources to high-risk and critical vendors in your ecosystem, sort your vendor portfolio by security rating to see vendors with an F, D, or C grade.
In this 3-part series, we’ll show you how to improve your vendor risk management process. We’ll cover:
Let’s define our terms. VRM, also called vendor security risk management, is an ongoing process of ensuring that information technology service providers don’t create an unacceptable risk of disrupting the business. Now let’s break it down:
The risk assessment starts with identifying the level of cyber security risk for each vendor and accurately prioritizing them. This should include vendor/supplier verification audits such as on-site assessments and penetration tests.
A PwC viewpoint report on Third Party Risk Management recommends understanding “which vendors and services are within scope from an active risk management perspective” so that risk assessment methods can be assigned by necessity and more efficiently.
Not all cyber security risks are critical to your company. Depending on your industry, you need to first identify potential security risks specific to your company and then tier them into low, medium, or critical risk buckets. This will help you prioritize vital cyber security risks, ensuring you assess vendors based on the most important criteria to your organization. (This also helps keep you from falling into the trap of focusing on what’s easy to measure instead of what’s actually important.)
If a third party security breach occurs, what discovered information can cause the most harm? For example:
These cyber security risk factors need to be specific to the kinds of interactions and dependencies your vendors have. In order to properly tier these risks, think of potential consequences. Will there be:
This risk identification and analysis will give you a comprehensive look into your own risk factors. Now you can move onto managing vendors.
In the same way that you defined risks specific to your company, you should do your due diligence by performing a vendor risk assessment. Here are some vendor management questions you can review:
After defining your vendor’s service risks, rank those security risks by criticality. The Deloitte study we mentioned earlier provides a 5-factor scale – minor, low, moderate, high, and critical. Having tiers gives you a standardized method for assessing and prioritizing current vendors and any new vendors in the future.
Understanding how vendor service security risks align with your pre-defined risk factors is a major step in improving and updating your vendor risk management process.
By distinguishing the risks critical to your company from your vendors’ risks, you’re now able to confidently define your high-, medium-, and low-risk vendors. This lets you make the most impact with your supplier verification budget by delegating assessments to the most critical vendors first.
First take your assessment methods and segment them by the amount of resources necessary to perform the assessment. The three most important resources to consider are:
High-resource methods such as on-site assessments are costly, need multiple employees to be onsite, and take time to produce results. You should reserve these methods for high-risk vendors only. For other vendors, you can use assessments that require fewer resources, such as questionnaires or vendor self-assessments.
After you’ve tiered your vendors and critical risks, you can begin mapping risk assessments to your vendors. This ensures you’re paying the right amount of attention to the vendors that are most relevant and most likely to impact you negatively should a cyber security breach occur.
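The tiering and mapping procedure described above (identify consequence factors, rank each vendor on the 5-factor scale, collapse that into high/medium/low vendor tiers, then hand out assessment methods most-critical-first within a fixed budget) can be made concrete in a short script. The example below is added here and is not code from the original post or from SecurityScorecard. The factor names, the 0–4 scoring of each factor, the weights, the assessor-day costs per method, the tier-to-method mapping and the sample vendor portfolio are all assumptions constructed for illustration; only the criticality labels and the rule that high-resource methods go to high-risk vendors come from the post.

```python
from dataclasses import dataclass

# The post's 5-factor criticality scale (minor .. critical).
CRITICALITY = ("minor", "low", "moderate", "high", "critical")

# Assessment methods segmented by resource cost, in assessor-days.
# These cost figures are constructed for this example, not taken from the post.
ASSESSMENT_COST_DAYS = {
    "on-site assessment": 10,
    "penetration test": 5,
    "questionnaire": 1,
    "vendor self-assessment": 0,
}

# Vendor tier -> assessment methods, following the post's rule that high-resource
# methods are reserved for high-risk vendors (the exact mapping is our assumption).
TIER_METHODS = {
    "high": ["on-site assessment", "penetration test"],
    "medium": ["questionnaire"],
    "low": ["vendor self-assessment"],
}


@dataclass(frozen=True)
class Vendor:
    """Consequence factors for one vendor relationship, each scored 0 (none) to 4 (worst).
    The factor names and the 0-4 scale are assumptions made for this example."""
    name: str
    data_sensitivity: int       # 4 = holds regulated customer data
    access_level: int           # 4 = privileged access to production systems
    business_dependency: int    # 4 = operations stop without this vendor
    fourth_party_exposure: int  # 4 = critical work is subcontracted onward

    def factors(self) -> tuple:
        return (self.data_sensitivity, self.access_level,
                self.business_dependency, self.fourth_party_exposure)


def criticality_index(v: Vendor) -> int:
    """Index into CRITICALITY. A single high/critical consequence dominates (a breach
    of regulated data is critical even if the vendor is replaceable); otherwise a
    weighted average of the factors decides. Weights are an assumption."""
    factors = v.factors()
    if any(not 0 <= f <= 4 for f in factors):
        raise ValueError(f"{v.name}: every factor must be in 0..4, got {factors}")
    worst = max(factors)
    if worst >= 3:
        return worst
    weights = (35, 30, 20, 15)  # percent; integer arithmetic avoids float ties
    return round(sum(w * f for w, f in zip(weights, factors)) / 100)


def criticality(v: Vendor) -> str:
    return CRITICALITY[criticality_index(v)]


def tier(v: Vendor) -> str:
    """Collapse the 5-factor scale into the post's high/medium/low vendor tiers."""
    idx = criticality_index(v)
    return "high" if idx >= 3 else "medium" if idx == 2 else "low"


def plan_assessments(vendors, budget_days: int):
    """Assign assessment methods most-critical-first until the budget runs out.
    Returns ({vendor name: plan entry}, remaining budget days)."""
    remaining = budget_days
    plan = {}
    for v in sorted(vendors, key=lambda x: (-criticality_index(x), x.name)):
        wanted = TIER_METHODS[tier(v)]
        funded = []
        for method in wanted:
            if ASSESSMENT_COST_DAYS[method] <= remaining:
                funded.append(method)
                remaining -= ASSESSMENT_COST_DAYS[method]
        # Anything the budget cannot cover falls back to a zero-cost self-assessment
        # and is flagged (fully_funded=False) so it is picked up first next cycle.
        if not funded:
            funded = ["vendor self-assessment"]
        plan[v.name] = {
            "criticality": criticality(v),
            "tier": tier(v),
            "methods": funded,
            "fully_funded": funded == wanted,
        }
    return plan, remaining


# Constructed sample portfolio (not real vendors).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", 4, 2, 3, 2),
    Vendor("managed-hosting", 3, 4, 4, 1),
    Vendor("code-signing-service", 1, 3, 2, 0),
    Vendor("marketing-analytics", 2, 2, 1, 1),
    Vendor("office-catering", 0, 0, 1, 0),
]

if __name__ == "__main__":
    plan, left = plan_assessments(SAMPLE_VENDORS, budget_days=20)
    for name, entry in plan.items():
        flag = "" if entry["fully_funded"] else "  (deferred)"
        print(f"{name:22} {entry['criticality']:9} {entry['tier']:7} "
              f"{', '.join(entry['methods'])}{flag}")
    print(f"unallocated assessor-days: {left}")
```

With a 20-day budget the two critical vendors consume everything: managed-hosting gets both high-resource methods, payroll-saas only the penetration test, and the remaining high-tier vendor is deferred to a self-assessment with a flag. That deferred flag is the point of the exercise: the script tells you which high-risk vendor your budget failed to cover, rather than quietly assessing the cheap-to-measure vendors first.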
This flexible and scalable framework can be applied to all existing and incoming vendors, optimizing your resources while mitigating your vendor risk. And it lets you tailor your security requirements to the actual threat level of each risk.
Tip for SecurityScorecard customers: To help prioritize assessments and dedicate resources to high-risk and critical vendors in your ecosystem, sort your vendor portfolio by security rating to see vendors with an F, D, or C grade.