
Why Vendor Management Best Practices Should Be A Little More Risky

Melissa Stevens | August 27, 2015

Prioritizing vendors based on risk is considered a vendor risk management best practice. But how do you do this? To start, let’s look at a commonly referred-to equation:

Risk = Threat x Vulnerability x Consequence

While this risk equation may be helpful in some ways, it’s also tough to use. Why? Because it’s extremely difficult—if not impossible—to assign a value to threat and vulnerability. Most organizations should assume a high level of threat and vulnerability, no matter what. (So, if you are assuming each variable in this equation is assigned a value between zero and one, threat and vulnerability would both have a value of one.) Simply put, there will always be individuals with malicious intentions who may target your organization, who can exploit common vulnerabilities in your IT systems. It’s hard to do much to change this reality.

That leaves the final part of the equation: consequence. The difference here is that you know the consequence to you if a vendor is knocked offline for a number of days, or if your data is somehow compromised or stolen due in part to one of your vendors. Because of this, you can assign a value to consequence. By understanding the consequence of a cyber incident affecting your vendors, you can truly begin to focus your vendor risk management program on those organizations that are most critical to you and adopt vendor management best practices.

All of this begs a simple question: “What should I be doing to make my vendor management practices a little more focused on risk?” Below, we’ve outlined four critical best practices that your organization can get started with today.

4 Important Vendor Management Best Practices

  1. Perform a risk assessment. A risk assessment helps organizations understand what kind of data is valuable to them—whether that is pricing information, R&D, customer data, financial data, or something else. This information should be identified and located - does it all live in-house, or do we trust some third and even fourth parties to keep and store that data? Past that, it’s vital to then understand who has access to that data and limit privileges as much as possible. It’s pretty obvious that third-party vendor risk management plays a huge role here because it’s very important for you to know what is happening to your data when it’s outside of your organization.


  2. Develop a strategy. Once you’ve assessed what kind of data you have, what is important, where it is located, and who has access to it, you need a strategy to keep your data secure. You should focus on creating a governance program that explains to both employees and third parties how to use and interact with the data. This program may lay out how the data is encrypted, who (or how many people) can access it, what will happen with new data, where it is stored, and more. The strategy should include your security expectations for your vendors so they know what standards they are expected to meet to secure your data.
  3. Decide on technology. Now that you have a plan of action in place, it’s important to determine which technologies you’ll use to monitor who is interacting with your data, whether or not there are any security issues, and how you will be alerted if new issues arise. Having a strategy in place without the right technical controls is only half the battle. Just as you would continuously monitor your own internal network for security incidents, there are now continuous monitoring solutions to observe your vendors in real time.
  4. Prepare for a crisis. You’ve taken the appropriate measures to help reduce the likelihood that a breach will occur. But bad things can happen even to those who have planned well in advance. You need to be prepared to respond immediately if your data is breached, particularly if it involves a third-party provider or business associate. This requires working with your third parties to make sure they understand their obligations to notify you in the event of an incident, because, believe it or not, vendors are not always legally required to notify you. Do they have the right plans in place? Do they have relationships with forensics teams and law enforcement? Are there notification procedures that you and your third parties have practiced and agreed to ahead of time? All of these questions need to be dealt with.

Takeaway

Building a successful vendor risk management (VRM) program requires you to focus your resources and energy on the third parties who are truly consequential to your organization. To find these vendors, think about where your most important data and technology dependence resides. By following these steps, you can be prepared for whatever comes your way.
