Organizations today aren’t single entities—they are interconnected networks of third parties. While third party relations are critical for success in the majority of businesses, they also leave data more vulnerable to exposure. In today’s threat landscape, vendor risk management (VRM) is absolutely critical and should be carefully considered across all business relationships with solidified risk management principles.
Unfortunately, many companies make the same mistakes repeatedly when it comes to cybersecurity and their vendor relationships. We want to help you put a stop to this negative cycle—this article will explain how.
We’ll start by looking at a handful of scenarios that increase your vendor risk, and then will discuss the dangers inherent in relying on a simplistic vendor management template for better understanding your vendor’s security posture. We’ll conclude by explaining four of the most critical VRM risk management principles for security managers to remember.
6 Scenarios That Increase Your Vendor Risk
1. “We don’t let our vendors know how important cybersecurity is to us.”
From the beginning of a relationship, your vendors need to understand that you are concerned about cybersecurity and take the matter very seriously. Consider how you’d discuss other aspects of a business deal, like the scope of the business relationship, the financial terms, and the time frame— both of which you would never be vague about. Treat cybersecurity with the same importance.
2. “We’ve hired a contractor to handle our sensitive data, but we haven’t asked them which specific employees have access to it.”
In addition, you should also know where your information will be physically located or how access to it will be managed. What happens if someone breaks into your vendor’s office and can easily access your hard-copy trade secrets or hack your vendor’s server? Consider every possibility while crafting your risk management principles. (See our next scenario.)
3. “We don’t build out contractual requirements for our vendors to meet with respect to cybersecurity.”
If you aren’t contractually specific in your legal agreement with your third party, you’re acting heedlessly. It’s as simple as that. You absolutely must be clear with your third parties about your expected risk management principles for them—without leaving anything to the imagination. Be specific and spell out everything you require clearly; this is your only chance to dictate and negotiate terms.
4. “We don’t ask to review documentation and results of previous audits.”
Trusting implicitly what your third party tells you about their cybersecurity is simply not enough. In this day and age, including the mantra “trust but verify” is necessary in your risk management principles. Even if you feel comfortable with a vendor, having documentation and proof to back up their claims is critical. This should allow you to glean what the company has been doing for several years prior with their cybersecurity program, which should help you determine whether a business relationship is worth pursuing. With BitSight’s objective, risk-based cybersecurity ratings, you can verify your third-party assessments with an external viewpoint.
5. “We hired a third party without knowing how they manage their own third party relationships.”
Supply chain risk management is a critical component in the vendor risk management process. You need to be able to understand what your vendor does to secure their organization and how they ensure that their vendors are properly handling their data. Ask: Do they audit their vendors regularly? How is their supply chain managed?
6. “We trust a snapshot in time instead of relying on continuous monitoring.”
Relying solely on annual assessments rather than continuously monitoring your critical vendors creates more vendor risk. It’s common knowledge that an organization’s security posture can change every hour of every day. Thus, it’d be foolish to trust an annual assessment as enough. Organizations can improve their risk management principles by continuously monitoring their vendors to detect changes in their network and remediating any issues immediately.
Cybersecurity is constantly moving and evolving as new threats and vulnerabilities emerge, and questionnaires are only able to capture what the vendor believes to be true in that moment. Comparable to your personal health potentially being at risk for new viruses at any time even if you are healthy now, even if a vendor hasn’t been breached before and is following all best practices, they could still be vulnerable down the road.
3 Ways Using A Vendor Risk Assessment Template Alone Can Fail You
1. Vendor risk assessment templates are subjective.
Nearly every vendor has completed a cyber risk assessment template. Most have completed tens or hundreds—maybe more. What your organization really wants to know might not be what your vendor may think of because they are comparing the question to a previous vendor risk assessment. Your risk management principles leave you both with entirely different beliefs about the situation.
2. Vendor risk assessment templates aren’t verifiable.
It is difficult to verify a vendor’s responses to a template or a questionnaire because most vendors think that once they answer your initial questionnaire, their job is done. Your vendor’s responses remain unverifiable, so you hope their responses are true.
Traditional vendor risk management principles are inadequate for understanding your vendor’s cybersecurity posture; new technologies and methods are changing the game.
3. Vendor risk assessment templates aren’t actionable.
Creating a vendor risk assessment template is only part of the job. The real work begins when your vendor completes the template and returns it to you. You then have to figure out how to turn their responses into actionable items.
To dig deeper, incorporate more objective, verifiable, actionable data so your vendor risk management process isn’t just about pushing papers, but about protecting your organization. With that goal in mind, we’ve outlined four critical risk management principles all security managers should keep in mind when it comes to VRM.
The 4 Most Important Vendor Risk Management Principles For Security Managers
1. Know which vendors have your critical data.
The cornerstone of managing third parties with proper risk management principles is placing as much effort as possible into the vendors that are managing, processing, or storing your most critical data. Which vendors are handling the most valuable data in your organization? Which vendors host a critical service for you that isn’t protected or regulated well? Once you evaluate these questions, you should be able to determine where you want to spend the majority of your time and which vendors to prioritize in terms of vendor risk management.
2. Verify that the security posture of the vendor is equal to or better than your own.
Most organizations begin their vendor evaluation processes by reviewing compliance reports from governing bodies like ISO, NIST, or SOC2. These reports are simple communication vehicles that give you a glimpse into the vendor’s current cybersecurity posture, but are often subjective, unverifiable, and unactionable—a triple threat against vendor risk management principles.
Many modern organizations are turning to publicly observable metrics, which identify and verify a vendor’s technical controls. Solutions like BitSight Security Ratings allow first party organizations to quickly and easily review their vendors without having to request anything from the third party. These solutions take a time-consuming data collection process and make it as easy as logging into a portal and reviewing a security rating.
3. Ensure that you review each third party holistically.
When contracting with a new vendor, be sure you have the business’s best interests in mind—and this means including collaborating across departments and internal groups as part of your risk management principles.
Keep in mind that information security and data privacy aren’t the only things a vendor is evaluated on—legal, finance, and human resources are also important areas of supplier onboarding. A vendor may perform very highly in information security, but legal or finance is unwilling to accept a particular contractual term. In this instance, it’s important for all parties to look at the business as a whole—not just at their individual disciplines—for the betterment of the company.
4. Trust but verify.
This age-old adage still rings true. Vendor risk management is an evaluation of a continual relationship, not an evaluation of a specific point in time. But without the proper tools, there’s no way to know how the posture of a vendor changes after you’ve signed a contract. With continuous risk monitoring solutions like BitSight Security Ratings, you’re able to:
- Identify whether there’s an issue with a third party quickly.
- Keep a constant line of dialogue open with your vendors to discuss any security issues that come up over the course of your vendor relationship.
- Manage all of your vendors at scale.
Vendor risk management must be a priority for all security managers. If you don’t do your due diligence on a vendor before signing on the dotted line, you may be setting yourself up for an information security disaster.
Traditional VRM tactics aren’t enough to keep your data safe. That’s why we created this free ebook on creating efficiencies in VRM. Download it today to learn how vendor risk management is typically handled, what makes those strategies inadequate, and how you can more effectively mitigate cyber risk in your organization.