Vendor Risk Management

How Does Third Party Risk Management Relate to IT?

Bryana Dacri | May 1, 2018

As advances in cloud computing and managed services have made IT operations more streamlined, the focus of IT leaders has shifted to improving efficiency, agility, and risk management. Managing risk, in particular, has become an even more central concern.

Every few months, another company discloses that their confidential data has been breached. These security lapses have major consequences, ranging from regulatory scrutiny to fines, lawsuits, and consumer dissatisfaction.

This comes into play when dealing with your own organization’s vendors. Who wants to work with a partner that’s been careless with data? Their reputation can ultimately affect your own organization’s. However, outside vendors are an essential part of the IT ecosystem for many large companies; it’s simply impossible to perform key functions without them. How do you determine whether they will handle your data with the utmost care? This is the essence of third party risk management in the IT space: Have your vendors taken the appropriate measures to ensure your data is not at risk?

Third Parties are Often the Weakest Link

When protecting your organization’s data, you’re only as good as your third party risk management program. While vendor risk management is important for all areas of a business, it’s perhaps the most crucial for IT. Failing to properly manage this risk can lead to loss of confidential information, trade secrets, and customer data — all leading to serious business repercussions. Additionally, the lag time between a breach and when a business is notified of it by their vendor can be significant, making it more difficult to react effectively.

In order to protect against this, businesses should map out their data flow and determine how this intersects with their vendors, while also assessing the security risk that each may present. Even the best internal data protection policies can be undermined by vendors who have lower security standards.

Security Should be a Factor in Choosing a Vendor

While vendor management has become an important component of IT, other concerns have often outweighed a focus on security. In the past, service quality, cost, and other more fundamental business concerns have been key areas of evaluation.

Increasingly, however, large organizations have learned that security risk management is an important area to consider. In fact, it can underpin the business calculus of using a certain vendor. For example, if one vendor has a much stronger security posture but is more expensive, they may ultimately be preferable to a lower cost vendor with a less robust security infrastructure. Such factors must be a part of the vendor contracting and management process.

Risk management should be a priority for IT leaders, from the CISO and CIO on down. It’s also important for these IT officials to make the case to the whole leadership team that vendor risk management is an important business consideration. It’s easy for cost-based decisions to crowd out all other factors. IT leadership must build a business case that shows the importance of vendor security standards.

Putting a Policy In Place

Most large businesses have robust internal risk management plans. These can be applied to vendors as well. Key components include understanding current data vulnerabilities and screening any new vendors you contract with using the highest standards possible. Of course, the largest enterprises use thousands of vendors. The process of risk management, therefore, hinges on prioritization. You have to determine where your most critical data is going. These vendors should be evaluated in terms of their business relationship with your company, integrity, technology, and overall track record.

Prioritizing third party risk management is the first step toward getting results and shoring up the overall security of your company’s data. From there, organizations must develop an effective strategy for carrying out this objective. This includes revising or supplementing any existing cybersecurity policies to fully reflect the risk posed by vendors.

Additionally, a plan should be put into place to actively manage and monitor vendor relationships. This typically involves the completion of vendor assessments and mapping to identify where the most sensitive information flows. If your business handles sensitive personal information, for example, you should track every vendor that may have access to this information on their systems at a given point in time.

After identifying this data, look to the vendors and review the security and risk controls they have in place. For instance, if your payment processor has weaknesses or gaps in their security infrastructure, that relationship may warrant investigation or reassessment.
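The mapping, prioritization and reassessment steps described above, as an added example that is not from the original post: a constructed data-flow inventory (hypothetical vendor names, dates and assessment findings) that answers which vendors hold a data category on a given date, ranks vendors by the most sensitive data they hold, and flags high-sensitivity vendors with open control gaps for reassessment.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Sensitivity of each data category (assumed scale; higher = more critical).
SENSITIVITY = {"payment": 3, "PII": 3, "trade_secret": 3, "internal": 2, "public": 1}

@dataclass
class DataFlow:
    """One mapped flow: a vendor holds one category of our data for a contract window."""
    vendor: str
    data_category: str
    start: date
    end: Optional[date] = None            # None means the flow is still active
    control_gaps: List[str] = field(default_factory=list)  # findings from the vendor assessment

# Constructed sample inventory (hypothetical vendors and findings, not real data).
FLOWS = [
    DataFlow("PayCo", "payment", date(2016, 1, 1), None, ["no current PCI attestation on file"]),
    DataFlow("CloudCRM", "PII", date(2017, 3, 1)),
    DataFlow("MailMetrics", "PII", date(2017, 6, 1), date(2018, 3, 31)),  # contract ended
    DataFlow("AdBoost", "public", date(2018, 1, 1)),
    DataFlow("DevShop", "trade_secret", date(2018, 2, 1), None, ["no SOC 2 report provided"]),
]

def active_on(flow: DataFlow, on: date) -> bool:
    """True if the vendor held the data on the given date (inclusive contract window)."""
    return flow.start <= on and (flow.end is None or on <= flow.end)

def vendors_with_access(flows: List[DataFlow], category: str, on: date) -> List[str]:
    """Every vendor that had the named data category on its systems on date `on`."""
    return sorted({f.vendor for f in flows if f.data_category == category and active_on(f, on)})

def prioritize(flows: List[DataFlow], on: date) -> List[Tuple[str, int]]:
    """Rank vendors by the most sensitive data they hold on `on`: critical data first."""
    score = {}
    for f in flows:
        if active_on(f, on):
            score[f.vendor] = max(score.get(f.vendor, 0), SENSITIVITY[f.data_category])
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

def needs_reassessment(flows: List[DataFlow], on: date, threshold: int = 3) -> List[str]:
    """Vendors holding data at or above `threshold` sensitivity that also have open control gaps."""
    return sorted({f.vendor for f in flows
                   if active_on(f, on) and SENSITIVITY[f.data_category] >= threshold and f.control_gaps})

if __name__ == "__main__":
    review = date(2018, 5, 1)
    print("PII holders:", vendors_with_access(FLOWS, "PII", review))
    print("Priority order:", prioritize(FLOWS, review))
    print("Reassess:", needs_reassessment(FLOWS, review))
```

Because the inventory is date-bounded, the same functions answer the question for a past incident date as well as for today, which is what makes the lag between a vendor breach and its notification tractable.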

Overall, third party vendor risk management is about knowing the vulnerabilities of your outside vendors and finding ways to mitigate these data security concerns.

To learn more about how third party risk management impacts IT teams, download our ebook.
