Protecting cyber assets is a daunting task, even for the most seasoned cybersecurity team. Moreover, many companies outsource day-to-day business functions to third-party companies who in turn often outsource to other third-party companies creating a vast digital footprint that requires cyber protection and monitoring. Managing cybersecurity risks in the supply chain or vendor network requires relationship management more than ever.
Why is vendor risk management necessary?
The Software as a Service (SaaS) model has seen a dramatic rise which has introduced new cybersecurity challenges for businesses. According to the Harvey Nash/KPMG 2018 CIO Survey, almost 75% of respondents reported a moderate or significant investment in cloud infrastructure. Many businesses already outsource critical business services such as human resources, billing, finance, customer relationship management (CRM), and enterprise resource planning (ERP). Although these services may be convenient to businesses, they complicate the vendor risk management process by introducing networks not owned by the business. As you add more vendors, you also add their vendors. To manage your vendor supply chain, you need to establish a vendor risk management program that incorporates metrics for vendor performance.
Lack of experienced cybersecurity staff poses an increased business risk
The depth and breadth of information security controls required by a business often require a significant team of qualified cybersecurity staff. Unfortunately, the supply of qualified people has not kept up with demand. In May 2018, the National Institute of Standards and Technologies (NIST) released a report detailing the limited supply of cybersecurity professionals compared to the demand for them. Additionally, the lack of cybersecurity educators indicates that the current skills gap will likely widen. The cybersecurity skills gap in conjunction with the increasing complexities third-party partner companies bring to your ecosystem makes vendor management a continually evolving process.
8 best practices for successful vendor risk assessments
Vendor risk assessments give you an in-depth understanding of any potential risks posed by each of your vendor relationships. Here are some vendor risk assessment best practices to implement:
1. Risk assess individual vendor relationships at the product and/or service level
Each vendor provides a different service that enables your business. Starting by categorizing vendors allows you to determine which ones pose the highest risk based on the information and systems they access. However, since vendors bring their third parties with them, you need to assess individual vendors based on the risk their supply chain poses. To thoroughly understand all risks posed, it’s vital to also complete risk assessments on each product and/or service, as well as the entire vendor relationship.
2. Define vendor performance metrics
If you’re planning to engage in a long-term relationship with a vendor, you need to make sure that you define key performance indicators (KPIs) that govern the relationship. Your vendor IT’s important to you since their risks become your risks. While defining KPIs for product delivery is easy, defining them for cybersecurity is more complicated.
3. Create robust vendor contracts
Your contracts need to clearly define your risk tolerance. Using the KPIs you establish, you can define metrics for terminating the relationship. If your vendor doesn’t secure their environment and ecosystem after the contract is signed, you need to have a way out that protects you.
4. Establish a clear line of communication for vendors and the Board
With your vendors bringing their vendors along with them, you also need to establish a clear line of communication down your supply chain. One fourth-party data breach can ruin your business by leaving you responsible for your customers’ information being stolen. For that reason, it’s important to maintain communication with your vendors to reduce misunderstandings. This allows you to proactively address potential issues before they become full-blown security breaches.
In addition, it’s important to notify the Board and senior management team when you change or add vendors to your supplier mix and when you encounter any critical risk as a result of a third-party relationship. Communicating with the Board and senior management team can be daunting, but it is vital for organizations to ensure that the appropriate people are involved in the vendor management process. Keeping the appropriate people informed helps when it comes to allocating resources and protecting the organization at large from any future vulnerabilities.
5. Assess vendor relationships at the product or service level
To gain an in-depth understanding of all risks posed by a third party, you must complete a risk assessment on each individual product or service used, in addition to your overall vendor risk assessment. A vendor risk management questionnaire provides you with the questions you need to ask to properly understand each aspect of your vendor’s cybersecurity environment.
6. Know if your vendors have direct network access
It’s important to know what kinds of data your vendors have access to and whether each vendor has direct access to your network. If your vendors have direct access to your network, or a higher level of access than is appropriate, you must be able to manage and control that access. Vendors should only have access to the information that they need to perform their job duties.
7. Determine due diligence requirements
Cybersecurity due diligence refers to the process of identifying and mitigating cyber risks across your network ecosystem. Cyber due diligence allows organizations to effectively monitor the security posture of their vendors, collecting insights into potential gaps in their network security systems. In doing so, organizations can better manage their third-party relationships, as well as determine and enforce the due diligence requirements for your vendors. If the vendor is high risk or more critical, you may want to increase the requirements to ensure you and your vendors are protected.
8. Plan risk response options
A crucial part of successful vendor risk assessments and management is deciding exactly what to do once you detect a risk. Here are four risk response options to consider:
- Transfer: Transferring risks refers to the process of getting third-party or other external agencies to take on some or all responsibility for the risk. While outsourcing does not eliminate the risk, the supplier will have more resources and competency to effectively reduce risks.
- Avoid: Risk avoidance refers to employing a different strategy or tactic to eliminate activities, exposures, and vulnerabilities that pose a threat to the organization.
- Accept: Risk acceptance means that the organization is willing to acknowledge the level of risk associated with a specific activity or process. Typically, organizations will either recognize and accept the risk and then choose not to take any immediate action unless it occurs.
- Treat: Treating the risk means taking security measures that will reduce or eliminate the risk. When deciding on how to treat risk, consider the number of treatment options you need to get the risk down to an acceptable level or eliminate it.
How SecurityScorecard can help
Managing one’s cybersecurity posture is hard enough. Ensuring that effective security measures are in place across an ecosystem of vendors or supply chains was near impossible until the recent emergence of automated and intelligent cybersecurity VRM solutions.
SecurityScorecard helps businesses understand vendor or supply chain cybersecurity risk across ten important risk factor areas. The solution helps businesses establish categories of risk and vendor performance KPIs. Additionally, they can review individual vendors in their ecosystem as well as individual members of the supply using a common and consistent cybersecurity rating system. The easy-to-navigate platform and easy-to-understand cybersecurity ratings help manage the cybersecurity skills gap in a vendor management program while also enabling a company to engage in independent oversight should the line of communication fail.

