Posted on Oct 15, 2018
Protecting cyber assets is a daunting task, even for the most seasoned cyber security team. Moreover, many companies outsource day-to-day business functions to third-party companies, who in turn often outsource to other third-party companies, creating a vast digital footprint that requires cyber protection and monitoring. Managing cyber security risks in the supply chain or vendor network requires relationship management more than ever.
The Software as a Service (SaaS) model has seen a dramatic rise, which has introduced new cyber security challenges for businesses. According to the Harvey Nash/KPMG 2018 CIO Survey, almost 75% of respondents reported a moderate or significant investment in cloud infrastructure. Many businesses already outsource critical business services such as human resources, billing, finance, customer relationship management (CRM), and enterprise resource planning (ERP). Although these services may be convenient to businesses, they complicate the vendor risk management process by introducing networks not owned by the business. As you add more vendors, you also add their vendors. To manage your vendor supply chain, you need to establish a vendor risk management program that incorporates metrics for vendor performance.
The depth and breadth of information security controls required by a business often require a significant team of qualified cyber security staff. Unfortunately, the supply of qualified people has not kept up with demand. In May 2018, the National Institute of Standards and Technology (NIST) released a report detailing the limited supply of cyber security professionals compared to the demand for them. Additionally, the lack of cyber security educators indicates that the current skills gap will likely widen. The cyber security skills gap, in conjunction with the increasing complexities third-party partner companies bring to your ecosystem, makes vendor management a continually evolving process.
Each vendor provides a different service that enables your business. Starting by categorizing vendors allows you to determine which ones pose the highest risk based on the information and systems they access. However, since vendors bring their third parties with them, you need to assess individual vendors based on the risk their supply chain poses.
If you’re planning to engage in a long-term relationship with a vendor, you need to make sure that you define key performance indicators (KPIs) that govern the relationship. Your vendor’s IT is important to you, since their risks become your risks. While defining KPIs for product delivery is easy, defining them for cyber security is more complicated.
Your contracts need to clearly define your risk tolerance. Using the KPIs you establish, you can define metrics for terminating the relationship. If your vendor doesn’t secure their environment and ecosystem after the contract is signed, you need to have a way out that protects you.
With your vendors bringing their vendors along with them, you also need to establish a clear line of communication down your supply chain. One fourth-party data breach can ruin your business by leaving you responsible for your customers’ information being stolen.
Managing one’s cyber security posture is hard enough. Ensuring that effective security measures are in place across an ecosystem of vendors or supply chains was nearly impossible until the recent emergence of automated and intelligent cyber security VRM solutions.
SecurityScorecard helps businesses understand vendor or supply chain cyber security risk across ten important risk factor areas. The solution helps businesses establish categories of risk and vendor performance KPIs. Additionally, they can review the risk of individual vendors in their ecosystem, as well as individual members of the supply chain, using a common and consistent cyber security rating system. The easy-to-navigate platform and easy-to-understand cyber security ratings help manage the cyber security skills gap in a vendor management program while also enabling a company to engage in independent oversight should the line of communication fail.