How Strong Is Your Vendor Management Program?
Vendor Management: You Need a Strategy
Like the game of chess, vendor management requires understanding every move that every piece, in this case each of your vendors, can make. The more your vendors differ in what they supply and how they supply it, the more challenging your vendor management (VM) program will be. For companies with little vendor diversity and few variables to manage, vendor management processes can often appear straightforward.
However, with the rise of data breaches originating at third-party vendors, and with the growing number and variety of vendor types that large global companies manage, risk is increasing and becoming more difficult to assess.
Vendor manager: You think you have done all you can to meet the challenge. You’ve identified risk and criticality. You’ve tiered and matrixed your vendors. Processes manage contract terms, service level agreements, and performance tracking. Documentation is mostly up-to-date. You’re absolutely doing the best you can with what you’ve got, and what you have in place is working.
So that leaves only one question: How strong is your vendor risk management program?
Your Vendor Management Works, But How Effectively?
Highly regulated industries, such as banking or insurance, know which of their controls are effective, and which need improvement. Regular audits by customers, federal regulators, and state agencies keep them well informed.
But what if you’re not in one of these industries?
You can still do as they did, and start with a set of standards such as NIST, ISO, or COBIT. So let’s say you’ve picked the standard that best fits your business model, reviewed and interpreted the controls, and implemented those that apply to your circumstances.
But what if you’ve missed a few controls, or didn’t quite interpret some as stringently as you should have? That brings us back to the question about the effectiveness of your VM process.
Why Being Audited Is a Good Thing
When playing checkers or chess, you want the skill levels to be pretty even between you and the other person. For a VM controls audit, you want an expert. You need to know the following information:
- Which standards and controls are applicable to your business
- How to interpret controls and apply them for maximum effect
- When the maximum implementation of a control is overkill
- How any control or set of controls can be defeated by an improperly controlled upstream or downstream process
- Which controls need to be tested on a regular basis
Tip for SecurityScorecard Customers: Type a website address into the platform to perform an instant security audit and retrieve detailed security-risk information, without intruding on a vendor’s systems.
Why Spend the Money Making Sure Your VM Controls Are Effective?
Businesses focus on what needs to be done to keep the business profitable. Few businesses have a controls mindset, and most do not like that controls add a level of difficulty to their efforts to generate revenue. While controls can be a pain in your processes, effective VM controls are necessary for:
- Mitigating the effect your suppliers’ security incidents have on your business
- Preventing disgruntled employees and ex-employees from selling you out (or non-malicious employees from doing so by accident)
- Making it increasingly difficult for people to steal, embezzle, or cheat
Or, you could simply look at it this way. Who would you rather do business with: a company whose controls kept the details of your business dealings with them safe, or one that cared only about its own bottom line?
However you look at it, effective vendor management controls are good business.