Posted on Apr 1, 2020
Protecting cyber assets is a daunting task, even for the most seasoned cybersecurity team. Moreover, many companies outsource day-to-day business functions to third-party companies who in turn often outsource to other third-party companies creating a vast digital footprint that requires cyber protection and monitoring. Managing cybersecurity risks in the supply chain or vendor network requires relationship management more than ever.
The Software as a Service (SaaS) model has seen a dramatic rise which has introduced new cybersecurity challenges for businesses. According to the Harvey Nash/KPMG 2018 CIO Survey, almost 75% of respondents reported a moderate or significant investment in cloud infrastructure. Many businesses already outsource critical business services such as human resources, billing, finance, customer relationship management (CRM), and enterprise resource planning (ERP). Although these services may be convenient to businesses, they complicate the vendor risk management process by introducing networks not owned by the business. As you add more vendors, you also add their vendors. To manage your vendor supply chain, you need to establish a vendor risk management program that incorporates metrics for vendor performance.
The depth and breadth of information security controls required by a business often require a significant team of qualified cybersecurity staff. Unfortunately, the supply of qualified people has not kept up with demand. In May 2018, the National Institute of Standards and Technologies (NIST) released a report detailing the limited supply of cybersecurity professionals compared to the demand for them. Additionally, the lack of cybersecurity educators indicates that the current skills gap will likely widen. The cybersecurity skills gap in conjunction with the increasing complexities third-party partner companies bring to your ecosystem makes vendor management a continually evolving process.
Vendor risk assessments give you an in-depth understanding of any potential risks posed by each of your vendor relationships. Here are some vendor risk assessment best practices to implement:
Each vendor provides a different service that enables your business. Starting by categorizing vendors allows you to determine which ones pose the highest risk based on the information and systems they access. However, since vendors bring their third parties with them, you need to assess individual vendors based on the risk their supply chain poses. To thoroughly understand all risks posed, it’s vital to also complete risk assessments on each product and/or service, as well as the entire vendor relationship.
If you’re planning to engage in a long-term relationship with a vendor, you need to make sure that you define key performance indicators (KPIs) that govern the relationship. Your vendor IT’s important to you since their risks become your risks. While defining KPIs for product delivery is easy, defining them for cybersecurity is more complicated.
Your contracts need to clearly define your risk tolerance. Using the KPIs you establish, you can define metrics for terminating the relationship. If your vendor doesn’t secure their environment and ecosystem after the contract is signed, you need to have a way out that protects you.
With your vendors bringing their vendors along with them, you also need to establish a clear line of communication down your supply chain. One fourth-party data breach can ruin your business by leaving you responsible for your customers’ information being stolen. For that reason, it’s important to maintain communication with your vendors to reduce misunderstandings. This allows you to proactively address potential issues before they become full-blown security breaches.
In addition, it’s important to notify the Board and senior management team when you change or add vendors to your supplier mix and when you encounter any critical risk as a result of a third-party relationship. Communicating with the Board and senior management team can be daunting, but it is vital for organizations to ensure that the appropriate people are involved in the vendor management process. Keeping the appropriate people informed helps when it comes to allocating resources and protecting the organization at large from any future vulnerabilities.
To gain an in-depth understanding of all risks posed by a third party, you must complete a risk assessment on each individual product or service used, in addition to your overall vendor risk assessment. A vendor risk management questionnaire provides you with the questions you need to ask to properly understand each aspect of your vendor’s cybersecurity environment.
It’s important to know what kinds of data your vendors have access to and whether each vendor has direct access to your network. If your vendors have direct access to your network, or a higher level of access than is appropriate, you must be able to manage and control that access. Vendors should only have access to the information that they need to perform their job duties.
Cybersecurity due diligence refers to the process of identifying and mitigating cyber risks across your network ecosystem. Cyber due diligence allows organizations to effectively monitor the security posture of their vendors, collecting insights into potential gaps in their network security systems. In doing so, organizations can better manage their third-party relationships, as well as determine and enforce the due diligence requirements for your vendors. If the vendor is high risk or more critical, you may want to increase the requirements to ensure you and your vendors are protected.
A crucial part of successful vendor risk assessments and management is deciding exactly what to do once you detect a risk. Here are four risk response options to consider:
Managing one’s cybersecurity posture is hard enough. Ensuring that effective security measures are in place across an ecosystem of vendors or supply chains was near impossible until the recent emergence of automated and intelligent cybersecurity VRM solutions.
SecurityScorecard helps businesses understand vendor or supply chain cybersecurity risk across ten important risk factor areas. The solution helps businesses establish categories of risk and vendor performance KPIs. Additionally, they can review individual vendors in their ecosystem as well as individual members of the supply using a common and consistent cybersecurity rating system. The easy-to-navigate platform and easy-to-understand cybersecurity ratings help manage the cybersecurity skills gap in a vendor management program while also enabling a company to engage in independent oversight should the line of communication fail.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.