Point-in-time assessments are outdated as soon as they're made. They don't take into account changes in security posture. If a vendor is breached, you might not know until your vendor decides to alert you—or until the next assessment. By that time, a cyber attacker may already have broken in to your network.
This is part 2 of a series in which we show you how to improve your vendor risk management process. In this VRM series, we cover:
- How to Improve Your Vendor Risk Management: Start with an audit of known risks and vendors
- Replace Point-In-Time Third Party Vendor Risk Assessments with Continuous Monitoring
- How to Establish Fourth Party Insight to Know Your Vendor's Real Risk
In part 1 of our series, we showed you how to identify and tier third party vendor risks that are critical to you, allowing you to optimize assessment methods and properly manage vendor risk. Now, we’re going to show you how to continually assess your vendors to manage risk on an ongoing basis, rather than just through point-in-time assessments.
The problem with point-in-time risk assessments
The information collected through point-in-time assessments quickly becomes outdated and doesn’t take into account changes in a vendor’s security posture between assessments. If the worst-case scenario is realized and a vendor is breached, you might not be aware until your vendor decides to alert you – or until the next assessment. By that time, a hacker already may have entered your network.
With vulnerabilities being exploited faster than ever, being aware of your vendor’s security posture on an ongoing basis gives you the information and opportunity to react faster and mitigate issues. A PWC Third Party Risk Management report on the finance industry notes that 58% of respondents that monitor third parties on an ad hoc basis experienced a third party service disruption or data breach, compared to only 37% of respondents that regularly monitor third parties.
Most companies still have high exposure to risk
Unfortunately, the current state of vendor risk management does not look good when it comes to third party monitoring. 93.5% of respondents in a Deloitte study on Third Party Risk Management expressed moderate to low levels of confidence in their risk management and monitoring mechanisms.
According to PWC’s The Global State of Information Security Survey 2016, only 52% of respondents even have security baselines or standards in place for third parties. Just 27% of respondents from the Ponemon Institute’s Tone at the Top and Third Party Risk study say their assessments of third party controls are effective. Only 12% have a formal process that is applied consistently.
These figures show that the current practice of vendor risk management (VRM) is not good enough. Companies are unnecessarily exposing themselves to higher risk, which can prove to be costly. The Ponemon’s 2016 US Cost of Data Breaches studied noted that the organizational cost of breaches average $7.01 million. Their measures include costs of investigation, incident responses, providing free services such as identity theft monitoring, and customer loss and churn.
Continuous risk monitoring is the best practice
Continuous, or ongoing, monitoring is increasingly becoming part of a recommended vendor risk management process. The US Treasury OCC, which provides security frameworks and guidelines for the finance industry, has included third-party continuous monitoring as part of an effective vendor risk management framework.
Here’s how to incorporate continuous third-party monitoring as part of your vendor risk management program by establishing a centralized VRM office, defining controls and processes to monitor, and collaboratively engage in tracking, reporting, and remediation processes with your vendor.
Step 1: Establish a centralized VRM office
Vendor risk management has an accountability problem. The Ponemon Institute surveyed over 17,000 IT and IT security practitioners and found a lack of consistency in the departments owning the vendor risk management process. The compliance department came first with only 23%, followed by security/information security (17%), legal (15%), and procurement (15%), with more departments rounding out the rest of the responses.
Nor is risk management given a high priority. Only 17% said their Board of Directors has significant involvement in overseeing risk management.
What is a VRM office?
A centralized VRM office allows a unified team (whether cross functional or a single department) to:
- Communicate with vendors
- Establish standardized practices
- Track and report risks with third party service providers
- Take ownership and responsibility for fixing problems
- Be a point of contact for business units that have relationships with vendors
The central VRM office will make critical decisions, quickly inform business unit owners, and escalate priorities should critical issues arise.
A VRM office is essential to establish a foundation the business can rely on for all aspects of vendor risk management, from technical to process to financial
As PWC states, a central VRM office is a “key ingredient to a successful [VRM] program, particularly as firms expand nationally and globally”. McKinsey’s Working Paper on Third Party Risk has deemed it as an essential element in excellent vendor risk management.
Establishing a VRM office begins with hiring an in-house VRM team or transitioning existing employees to move into a VRM position. The VRM office is a highly specialized department that functions beyond information security. Deloitte has an excellent guide and outlines ten pillars an effective VRM office should specialize in:
- Contract management
- Financial and Commercial Management
- Issue and Dispute Management
- Service Performance Management
- Multi-Service Provider Integration
- Transition and Transformation PMO and Oversight
- Document Management
- Service Request Management
- Risk Management and Third Party Compliance
This will be the most extensive and complicated step to take but it will reap huge benefits, making all aspects of VRM simpler and more efficient.
After setting up a central office, you can start defining what you will be monitoring.
Step 2: Define controls and processes to monitor and establish vendor reporting methods
Continuous monitoring takes more resources than most VRM processes, so optimizing those resources is crucial. You have to define what aspects of your vendor you will be monitoring – including data, assets, processes, and/or controls. These decisions are based on several criteria, including how critical a risk is, how likely things are changing, and how feasible it is to monitor
As we described in part 1 of our VRM series, defining what is most risk-critical to your company will inform your monitoring choices. If your third party is processing or storing sensitive information, then you should monitor the security controls and systems that protect that third party’s network and endpoints.
Likelihood of information/status change
Group your risk-critical vendor services and systems byfrequency of status change over time. If a vendor is hiring rapidly, that means the number of endpoints is increasing, so you should pay more attention to endpoint security. However, a system that is likely to not change over a long period of time – such as a hosting or CMS provider – won’t need continuous monitoring.
Feasibility of monitoring
When you have a list of the vendor’s risk-critical controls, systems, and processes,assess the resources and time necessary to continuously monitor these elements. Basic security controls such as the use of two-factor authentication is important, but impossible to monitor among all your critical vendors. If a monitoring process takes a long time to get information, then perhaps monitoring should be done as part of an annual assessment.
Step 3: Establish communication, tracking, and reporting processes collaboratively with vendors
Vendor collaboration and communication is key to successful ongoing monitoring. Your VRM office should clearly communicate with your vendors what will be monitored and tracked. This helps improve the security posture of everyone involved.
For your own security, you should already be using continuous monitoring tools, solutions, and other processes. Often, these same tools and processes can be used to monitor any integrated systems that your vendors use or provide. If you’re using tools that won’t alert your vendors, then if any issues arise your VRM office should be ready to reach out to them to begin remediation.
To begin the continuous monitoring process, your central VRM office should begin implementing the following:
Monitoring and tracking is near-useless without relevant KPIs or specifying how data change over time affects security and risk. Designate goals such as lowering average number of days it takes to apply a software patch, or the increasing frequency of open port scans. As time passes, you’ll begin to identify vendors who aren’t meeting your standards.
Your VRM office should begin monitoring and tracking your vendors using any technologies or tools already in place. Work with your vendors to plan and implement any new processes. Working with your vendor to get information already produced from their own monitoring efforts will save you time and resources.
The VRM office should establish reporting methods for vendors and relay them to the respective business unit owners. The VRM office is responsible for alerting both vendors and business unit owners of any potentially critical issues that arise in reports.
Engaging in Remediation
The foundational work you’ve done will help the VRM office identify issues and abnormalities more quickly and clearly. When any vendor security issues pop up, the VRM office should work in tandem with business unit owners in order to remediate issues.
Engaging in vendor continuous monitoring takes some effort but produces compounding results. This improves not only your vendor risk management, but your own total security posture as well.
Tip for SecurityScorecard Customers – Our platform was built with continuous monitoring in mind. Your VRM office can quickly load any number of vendors and begin tracking their security posture across a number of security categories. To communicate issues to vendors, you can share the ‘partnership’ report or invite them to the platform to view their SecurityScorecard.