You’re responsible for information security at your organization. You dedicate yourself every day to identifying weaknesses and patching vulnerabilities in your network. You’ve developed policies to protect employees from cyber threats. You’ve designed procedures for responding in the event of a data breach, and you’ve practiced those procedures with company stakeholders.
You feel confident that your organization is adhering to best practices for cybersecurity in your industry, and that’s a good thing, because your job can be on the line if an incident occurs.
It’s likely that your executive team is on board with your department’s cybersecurity and incident response activities. After all, they’ve seen the headlines and data breach statistics, and nobody wants to be the next big news story. But there’s another layer to information security that’s a little more difficult to communicate — the security of your third-party vendors.
You’ve taken every reasonable measure to protect your organization from cyber attacks — the last thing you want is for hackers to gain access to your network or sensitive data via a less-diligent vendor. How can you convince your C-suite that vendor security needs to be taken seriously?
Let’s take a look at some possible objections, and how to respond to each one.
Does anyone really get hacked through their vendors?
The rise of cybersecurity as a top concern for corporations has produced some “solutions” that might be considered excessive. Bad actors pushing scare tactics have been successful in tricking people into buying unnecessary consultations, managed services, and software before, so savvy CEOs will be on the lookout for bad deals. It’s possible that your executive team will view vendor risk management through this lens.
Thankfully, it’s easy enough to prove that vendor security threats are very real and very costly. For example, a 2014 data breach at Home Depot exposed 56 million consumer credit and debit card numbers, in addition to email addresses. The hackers in that breach used the credentials of a third-party vendor to gain access to Home Depot’s network. A smarter vendor risk management strategy could have saved the company millions.
We have long-standing relationships with our vendors.
Of course, replacing every vendor that has less-than-ideal cybersecurity practices is easier said than done. Large companies can have hundreds of individual vendors, and some of those relationships could extend back years or decades.
It’s important to make clear that calling for increased vendor security isn’t necessarily calling for the replacement of valuable vendors. Those vendors may already have good cybersecurity practices in place, or at least might be receptive to adjusting policies to meet your standards.
If neither of those outcomes turns out to be the case, however, then replacing the vendor is likely the best course of action. Finding and building a relationship with a new vendor will be costly, but it is highly improbable that this cost would outweigh the cost of a potential data breach.
We can’t control what vendors do at their own companies.
It’s expensive and difficult enough to manage cybersecurity for one organization, not to mention having to continuously monitor the security of your third-party vendors.
This objection operates on the false assumption that increasing cybersecurity requires you to be hands-on with every vendor. In fact, a good vendor security policy only requires four actions on the part of your in-house team.
- Put together a complete list of the vendors your company does business with, especially those with access to your network or sensitive data.
- Develop a set of minimum cybersecurity standards that you will require from all of your vendors.
- Continually assess the risk of these vendors with a proven framework.
- Remediate risks by changing vendors or enforcing your standards.
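The four actions above map naturally onto a small vendor risk register. The following is an added example, not code from the original article: it keeps an inventory, checks each vendor against a list of minimum standards, scores risk by weighting control gaps against the vendor's level of access, and produces a remediation action. The vendor names, questionnaire answers, control names, weights and thresholds are all constructed assumptions for illustration; an organization would substitute its own standards and framework.

```python
"""Minimal vendor risk register covering the four actions in the article:
inventory, minimum standards, risk assessment, remediation.

Added example, not from the original article. Vendor names, control names,
weights and thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Action 2: the minimum standards every vendor must meet (constructed list).
REQUIRED_CONTROLS = (
    "mfa_enforced",               # MFA on every account that touches our systems
    "encryption_at_rest",         # our data is encrypted while the vendor stores it
    "patch_sla_30d",              # critical patches applied within 30 days
    "incident_notification_72h",  # contractual breach notification within 72 hours
)

# Actions 1 and 3: weight exposure by what the vendor can reach (constructed weights).
ACCESS_WEIGHT = {"none": 1, "data": 2, "network": 3}


@dataclass
class Vendor:
    name: str
    access: str                                   # "none", "data" or "network"
    controls: dict = field(default_factory=dict)  # control name -> True/False


def control_gaps(vendor: Vendor) -> list:
    """Return the required controls the vendor has not demonstrated.

    An unanswered question counts as a gap (fail closed): a vendor that cannot
    confirm a control is treated as lacking it.
    """
    return [c for c in REQUIRED_CONTROLS if not vendor.controls.get(c, False)]


def risk_score(vendor: Vendor) -> int:
    """Number of gaps scaled by access weight, so a network-connected vendor
    missing one control outranks an isolated vendor missing one."""
    return len(control_gaps(vendor)) * ACCESS_WEIGHT[vendor.access]


def risk_level(score: int) -> str:
    """Constructed thresholds; tune to your own framework."""
    if score == 0:
        return "compliant"
    if score <= 3:
        return "low"
    if score <= 6:
        return "medium"
    return "high"


def remediation(vendor: Vendor) -> str:
    """Action 4: enforce the standards, escalating to replacement for high risk."""
    gaps = control_gaps(vendor)
    if not gaps:
        return "keep; reassess at next review"
    if risk_level(risk_score(vendor)) == "high":
        return "enforce standards with a deadline; replace if not met: " + ", ".join(gaps)
    return "enforce standards: " + ", ".join(gaps)


def assess(inventory: list) -> list:
    """Score every vendor and return the register sorted highest risk first."""
    register = []
    for v in inventory:
        score = risk_score(v)
        register.append({
            "vendor": v.name,
            "access": v.access,
            "gaps": control_gaps(v),
            "score": score,
            "level": risk_level(score),
            "action": remediation(v),
        })
    return sorted(register, key=lambda r: r["score"], reverse=True)


# Constructed inventory: the questionnaire answers below are made up for this example.
INVENTORY = [
    Vendor("Payroll SaaS (constructed)", "data",
           {"mfa_enforced": True, "encryption_at_rest": True,
            "patch_sla_30d": True, "incident_notification_72h": True}),
    Vendor("HVAC maintenance contractor (constructed)", "network",
           {"mfa_enforced": False, "patch_sla_30d": True,
            "incident_notification_72h": False}),  # encryption question left unanswered
    Vendor("Marketing agency (constructed)", "data",
           {"mfa_enforced": True, "encryption_at_rest": True,
            "patch_sla_30d": False, "incident_notification_72h": True}),
]


if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f"{row['level']:>9}  {row['score']:>2}  {row['vendor']}: {row['action']}")
```

Two design points matter more than the particular numbers: an unanswered questionnaire item is scored as a gap rather than ignored, and the access weight ensures that a vendor with network connectivity and one missing control ranks above an isolated vendor with the same gap. Running the block ranks the network-connected contractor with three gaps as high risk, the agency with one gap as low, and the fully compliant payroll provider as compliant.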
There’s no two ways about it — vendor security is a crucial component of a comprehensive cybersecurity strategy. Armed with actionable metrics and effective communication, it should be simple to convince your C-suite that this is the case. If all else fails, remind them that if a data breach is severe enough, it won’t just be your job on the line — the entire leadership team may become victims of the backlash.