Part 1: Stop Spending Your Vendor Risk Management Resources on the Wrong Security Assessments
The vendor risk management (VRM) process is broken. Most companies don’t have a comprehensive process in place and if they do, it doesn’t hold up to the current rate of threats and exploits being discovered. A Deloitte study found that 20.6% of respondents have experienced a breach of sensitive customer data from third party actions.
Seventy-eight percent of respondents to a Ponemon Institute study on third party risk say that cyber attacks will have a significant impact on a third party’s risk profile, and 76% say that IoT will also have a significant impact. Because of these new technologies, current vendor risk management processes are not equipped to handle the growing demand for security risk assessments of new and existing vendors.
The same Deloitte study referenced earlier reports that 45% of respondents identify flexibility and scalability as the strongest value-driver for VRM. Having a process is essential for mitigating third party risk, and ensures you’re not exposed to unknown risks through your vendors.
However, one of the major challenges in vendor risk management is differentiating the levels of risk among vendors when delegating assessments. In the Shared Assessments 2015 Vendor Risk Management Benchmark Study, the Vendor Risk Identification and Analysis maturity score showed no improvement from 2014 to 2015. The grade remained the same – a 2.7 on a 5.0 scale.
In this 3-part series, we’ll show you how to improve your VRM process, starting with identifying the level of risk for each vendor and accurately prioritizing vendor supplier verification audits such as on-site assessments and penetration tests.
Step 1: Identify and Analyze your Specific Risk Factors
A PwC viewpoint report on third party risk management recommends understanding ‘which vendors and services are within scope from an active risk management perspective’ so that risk assessment methods can be assigned by necessity rather than applied uniformly.
Not all risks are critical to your company. Depending on your industry, you need to first identify potential risks specific to your company and then tier them into low, medium, or critical risk buckets. This will help you prioritize vital security risks, ensuring you assess vendors based on the most important criteria to your organization.
A good framework is to consider the following:
If a third party breach occurs, what discovered information can cause the most harm?
- Proprietary information
- Customer’s financial information
- Employee’s PII
- Other third party data
- Financially and strategically relevant information
These risk factors need to be specific to the kinds of interactions and dependencies your vendors have. In order to properly tier these risks, think of potential consequences. Will there be:
- Reputational damages?
- Financial penalties or costs?
- Litigation possibilities?
- Negative shareholder reactions?
This risk identification and analysis will give you a comprehensive look into your own risk factors.
Now you can move onto vendors.
Step 2: Assign Tiered Risk Factors to Your Vendors
In the same way that you defined risks specific to your company, you should define vendor service risks in terms of the type of relationship between your organization and the vendor.
- Do they have access to your employee or customer data?
- Will they implement systems within your networks?
- Will their third parties or subcontractors interact with your information?
- Do they handle credit card transactions? If so, PCI compliance is necessary.
After defining your vendor’s service risks, rank those risks by criticality. The Deloitte study we mentioned earlier provides a five-level scale – minor, low, moderate, high, critical. Having tiers gives you a standardized method for assessing existing vendors and any incoming vendors in the future.
Understanding how vendor service risks align with your pre-defined risk factors is a major step in improving and updating your vendor risk management process. By differentiating the risks critical to your company and your vendor’s risks, you’re now able to confidently define your high, medium, and low-risk vendors. This will allow you to make the most impact with your supplier verification budget by delegating assessments to the most critical vendors first.
Step 3: Map Assessments to Your High Risk Vendors
First take your assessment methods and segment them by the amount of resources necessary to perform the assessment. The three most important resources to consider are:
- Financial costs
- Time invested
- Employees needed
High-resource methods such as onsite assessments are costly, need multiple employees to be onsite, and take time to produce results. You should only reserve these methods for high-risk vendors. For other vendors, you can delegate assessments that require fewer resources, such as questionnaires or vendor self-assessments.
After you’ve tiered your vendors and critical risks, you can begin mapping assessments to your vendors. This ensures you’re paying the right amount of attention to the vendors that are most relevant and most likely to impact you negatively should a breach occur.
This flexible and scalable framework can be applied to all existing and incoming vendors, optimizing your resources while mitigating your vendor risk.
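To make the three steps concrete, here is an added example (not SecurityScorecard’s code or tooling) that encodes the framework as a small scoring model: Step 1 data categories carry impact weights, Step 2 relationship questions carry exposure weights, the sum is bucketed into the five-level Deloitte scale, and Step 3 maps each tier to an assessment method ordered by resource cost. All weights, thresholds, vendor records and the assessment mapping are constructed assumptions for illustration; a real program would calibrate them to its own risk appetite.

```python
from dataclasses import dataclass, field

# Step 1: impact weights for the data categories a third-party breach could expose.
# Values are constructed assumptions, not figures from the post.
DATA_IMPACT = {
    "proprietary": 4,
    "customer_financial": 5,
    "employee_pii": 4,
    "third_party_data": 3,
    "strategic": 4,
}

# Step 2: exposure weights for the relationship questions (constructed assumptions).
RELATIONSHIP_WEIGHTS = {
    "accesses_employee_or_customer_data": 3,
    "deploys_systems_in_network": 3,
    "subcontractors_touch_data": 2,
    "handles_card_transactions": 3,
}

# Score thresholds onto the five-level scale (minor, low, moderate, high, critical).
# Max possible score is 5 + 11 = 16; thresholds are constructed assumptions.
TIER_THRESHOLDS = [(12, "critical"), (9, "high"), (6, "moderate"), (3, "low"), (0, "minor")]

# Step 3: assessment methods per tier, most resource-intensive reserved for the top tiers.
ASSESSMENTS = {
    "critical": ["on-site assessment", "penetration test"],
    "high": ["on-site assessment"],
    "moderate": ["security questionnaire"],
    "low": ["vendor self-assessment"],
    "minor": ["vendor self-assessment"],
}


@dataclass
class Vendor:
    name: str
    data_types: set = field(default_factory=set)      # keys of DATA_IMPACT
    relationship: set = field(default_factory=set)    # keys of RELATIONSHIP_WEIGHTS


def score_vendor(vendor: Vendor) -> int:
    """Impact of the most sensitive data class plus the sum of exposure factors."""
    unknown = (vendor.data_types - DATA_IMPACT.keys()) | (vendor.relationship - RELATIONSHIP_WEIGHTS.keys())
    if unknown:
        raise ValueError(f"{vendor.name}: unknown risk factors {sorted(unknown)}")
    impact = max((DATA_IMPACT[d] for d in vendor.data_types), default=0)
    exposure = sum(RELATIONSHIP_WEIGHTS[r] for r in vendor.relationship)
    return impact + exposure


def tier_for(score: int) -> str:
    """Bucket a score into the five-level scale (thresholds are descending)."""
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "minor"


def assess(vendor: Vendor) -> dict:
    """Produce the tier, the mapped assessment methods and any hard compliance requirement."""
    score = score_vendor(vendor)
    tier = tier_for(score)
    return {
        "vendor": vendor.name,
        "score": score,
        "tier": tier,
        "assessments": list(ASSESSMENTS[tier]),
        # Card-handling vendors need PCI compliance regardless of tier (from the post's Step 2).
        "pci_required": "handles_card_transactions" in vendor.relationship,
    }


def prioritize(vendors: list) -> list:
    """Order vendors so the highest-risk ones consume assessment budget first."""
    return sorted((assess(v) for v in vendors), key=lambda r: r["score"], reverse=True)


# Constructed sample vendor portfolio for demonstration.
SAMPLE_VENDORS = [
    Vendor("payment-processor", {"customer_financial"},
           {"accesses_employee_or_customer_data", "handles_card_transactions", "subcontractors_touch_data"}),
    Vendor("hr-saas", {"employee_pii"}, {"accesses_employee_or_customer_data"}),
    Vendor("network-monitoring-msp", {"proprietary"},
           {"deploys_systems_in_network", "subcontractors_touch_data"}),
    Vendor("office-catering"),
]

if __name__ == "__main__":
    for result in prioritize(SAMPLE_VENDORS):
        print(f"{result['vendor']:<24} score={result['score']:>2} tier={result['tier']:<9} "
              f"assessments={result['assessments']} pci={result['pci_required']}")
```

Taking the maximum data impact rather than the sum keeps a vendor that touches one highly sensitive data class from being out-ranked by one that touches several low-value classes; the exposure factors are summed because each additional channel (network access, subcontractors, card handling) genuinely widens the attack surface. The PCI flag is carried separately from the tier because it is a hard requirement, not a resource-allocation decision.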
Tip for SecurityScorecard customers – To help prioritize assessments and dedicate resources to high risk and critical vendors in your ecosystem, sort your vendor portfolio by security rating to see vendors with an F, D or C grade.
Next: Part 2: Moving Past Point-In-Time Assessments
Now you have the capabilities to assess vendors from a comprehensive, risk-first perspective. However, this is only the first step towards establishing a strong vendor risk management program. Traditional VRM programs only assess vendors yearly, or obtain point-in-time information that is quickly outdated. New vulnerabilities and threats arise every day in your vendor ecosystem, but without continuous insight, companies cannot react in time to a compromised vendor.
In part 2 of our blog series, we’ll show you how to incorporate a continuous monitoring process into your VRM program, allowing you to manage risk on an ongoing basis.