New Technology Can Solve Your Vendor Risk Management Problems

Vendor Risk Management (VRM) is stuck in tradition, leaving it far behind when it comes to the security risks and challenges of today. While organizations are using more vendors and exposing themselves to higher risk, they are largely still relying on periodic onsite assessments, questionnaires, and point-in-time penetration tests to assess their vendors' risk. These methods are still useful, but new developments in vendor risk management technology can stand up to the modern challenges of vendor risk management. In this blog post, we'll show you how new technologies can dramatically improve a VRM program.

New Challenges in Vendor Risk Management

Over 50% of professionals surveyed in the Ponemon Institute's 'Tone at the Top' study on Third Party Risk Management believe that big data analytics and mobile devices will have a significant impact on third party risk, and over 70% believe the same for the Internet of Things (IoT) and cloud computing. PWC's 2016 Global State of Information Security Survey also noted that attacks have increased on mobile devices, embedded systems, consumer technologies, and operational systems.

With this increase in attack surface, device usage, and new areas of risk to keep track of, vendor risk management has a lot of room left for improvement. In the Ponemon Institute survey mentioned above, only 29% of respondents have a formal program in place, only 21% would rate their ability to mitigate third party risk at a 7 or higher on a 10-point scale, and only 17% know which high-value assets are in the hands of third parties.

Hackers are taking advantage of new technologies, but vendor risk managers can also use technology to their own benefit and carry out more accurate and reliable vendor risk management.

Vendor Risk Management Programs Are Being Placed Under Closer Scrutiny

As time passes, boards of directors and C-level executives will continue to see cybersecurity as an increasing priority and will look to the VRM department for answers. PWC's Global Economic Crime Survey of 2016 reports that 88% of CEOs are concerned about cybersecurity and that 45% of boards participate in the overall security strategy, a number that is increasing year over year. A Deloitte 2016 study on Vendor Risk Management also noted that the finance and healthcare industries were the most likely to consistently and periodically feature third party risk on the board agenda.

The issues with common vendor risk management programs are clear: they aren't very effective at mitigating risk, they don't provide enough of the right kind of information, and stakeholders are expecting better results from them. Leveraging new technologies and tools is one of the major ways vendor risk managers can improve their program.

How new technologies dramatically improve a vendor risk management program

There are a number of technologies aimed at improving a vendor risk program (including ours), and many come with a number of benefits, including:

Establishing Metrics

Many VRM technologies offer a variety of data points that VRM teams can use to assess potential or incoming vendors. Depending on the data and metrics available, KPIs and KRIs can be put in place for specific vendors, varied by how risk-critical each vendor is and which services it provides.

Standardizing the VRM Process

Having consistent standards in place for critical, high-risk, moderate-risk, and low-risk vendors becomes possible with new technologies being used for vendor risk management. This benefit pays off in the long run, as any new vendor can be held to the same standards, allowing a stronger, standardized risk assessment process to take place.

Providing Ongoing Monitoring Capabilities

Continuous security monitoring that complements regularly implemented assessment methods is becoming an increasing priority for most security standards, including the OCC. New technologies allow you to monitor and assess your most critical and high-risk vendors, so you can assess vendor security at any time and have more information should a vendor suffer a data breach.

Increasing Efficiency Over Time

While new technologies require an onboarding and training period for any new users, the automated processes they provide bring a huge time-saving, and potentially cost-saving, benefit in the long run.

Validating Security and Remediation

VRM teams can also adopt a 'trust but verify' security model, allowing you to validate the security posture reported by a vendor or in a returned questionnaire. And if any high-risk issues pop up, you can validate the remediation efforts made by your vendor to confirm they have actually improved their security.

Increasing Reach

The efficiency and cost-saving benefits of using various tools and technologies allow VRM teams to extend the reach of their vendor risk assessments. Security assessments no longer have to be limited to critical vendors only, and stronger due diligence can take place when potential vendors come into the discussion. Other departments, such as supply chain managers and the M&A team, can also take advantage of these security assessments.

Executive Communication

CEOs and boards of directors interested in the performance and results of a VRM program can receive reports and metrics that clearly communicate how effective the VRM department is.

New technologies should not be ignored when it comes to improving vendor risk management. If you're interested in the other ways technology is changing the way vendors are assessed, register for our live webinar co-hosted with Forrester here.

Featured image was licensed through the Creative Commons License 4.0 and provided by Rachel Johnson on Flickr.