Organizations today aren’t single entities—they are interconnected networks of third parties. While third party relations are critical for success in the majority of businesses, they also leave data more vulnerable to exposure. In today’s threat landscape, vendor risk management (VRM) is absolutely critical and should be carefully considered across all business relationships.
Unfortunately, many companies make the same mistakes repeatedly when it comes to cybersecurity and their vendor relationships. We want to help you put a stop to this negative cycle—this article will explain how.
We’ll start by looking at a handful of scenarios that increase your vendor risk, and then will discuss the dangers inherent in relying on a simplistic vendor management template for better understanding your vendor’s security posture. We’ll conclude by explaining four of the most critical VRM principles for security managers to remember.
6 Scenarios That Increase Your Vendor Risk
1. “We don’t let our vendors know how important cybersecurity is to us.”
From the beginning of a relationship, your vendors need to understand that you are concerned about cybersecurity and take the matter very seriously. Consider how you’d discuss other aspects of a business deal, like the scope of the business relationship, the financial terms, and the time frame—you’d never be vague about these details! Treat cybersecurity with the same importance.
2. “We’ve hired a contractor to handle our sensitive data, but we haven’t asked them which specific employees have access to it.”
In addition, you should also know where your information will be physically located or how access to it will be managed. What happens if someone breaks into your vendor’s office and can easily access your hard-copy trade secrets or hack your vendor’s server? Consider every possibility while crafting your vendor contract. (See our next scenario.)
3. “We don’t build out contractual requirements for our vendors to meet with respect to cybersecurity.”
If you aren’t contractually specific in your legal agreement with your third party, you’re acting heedlessly. It’s as simple as that. You absolutely must be clear with your third parties about your security expectations for them—without leaving anything to the imagination. Be specific and spell out everything you require clearly; this is your only chance to dictate and negotiate terms.
4. “We don’t ask to review documentation and results of previous audits.”
Trusting implicitly what your third party tells you about their cybersecurity is simply not enough. In this day and age, the mantra is “trust but verify.” Even if you feel comfortable with a vendor, having documentation and proof to back up their claims is critical. This should allow you to glean what the company has been doing for several years prior with their cybersecurity program, which should help you determine whether a business relationship is worth pursuing.
5. “We hired a third party without knowing how they manage their own third party relationships.”
Supply chain risk management is a critical component in the vendor risk management process. You need to be able to understand what your vendor does to secure their organization and how they ensure that their vendors are properly handling their data. Ask: Do they audit their vendors regularly? How is their supply chain managed?
6. “We trust a snapshot in time instead of relying on continuous monitoring.”
Relying solely on annual assessments rather than continuously monitoring your critical vendors creates more vendor risk. It’s common knowledge that an organization’s security posture can change every hour of every day. Thus, it’d be foolish to trust an annual assessment. Organizations can improve their supply chain security by continuously monitoring their vendors to detect changes in their network and remediating any issues immediately.
At this point, you may either be thinking “We’re making a few of these mistakes!” or “Oh good, I’m in the clear!”
Either way, there’s another thing that could increase your risk: relying solely on a vendor risk assessment template to evaluate the security posture of a third party.
But is the template alone really enough to figure out how secure your vendor is? Not at all.
There are several problems with relying solely on a vendor risk assessment template. For one, the questions themselves often illicit simple “yes” and “no” answers—which don’t tell you much at all.
Perhaps you’ve structured your questionnaires so they allow for essay responses. This might give you more confidence in your vendor, but it’s still only showing you a snapshot in time.
Cybersecurity is constantly moving and evolving as new threats and vulnerabilities emerge, and questionnaires are only able to capture what the vendor believes to be true in that moment. Consider your health status; just because you’re in good shape today doesn’t mean that you aren’t harboring a condition that is undiagnosed, or won’t get sick in the future. The same holds true for your vendors—even if a vendor hasn’t been breached before and is following all best practices, they could still be vulnerable down the road.
Want some details? We’ve laid those out below.
3 Ways Using A Vendor Risk Assessment Template Alone Can Fail You
1. Vendor risk assessment templates are subjective.
The thing is, nearly every vendor has completed a risk assessment template. Most have completed tens or hundreds—maybe more. For instance, one question might be, “Have you participated in a cybersecurity exercise with your senior executives?” By asking that question, what your organization really wants to know is if the vendor has engaged in drills that can help them nail down a quick incident response time. But what your vendor may think of is the one time they reviewed what they might do for about 15 minutes—last year. Thus, they can answer “yes” with a clean conscience, and you are both left with entirely different beliefs about the situation.
2. Vendor risk assessment templates aren’t verifiable.
It is difficult to verify a vendor’s responses to a template or a questionnaire because most vendors think that once they answer your initial questionnaire, their job is done. They don’t expect to spend the next eight months responding to additional questions based on your reactions to their answers—that in and of itself is a major flaw with questionnaires. Your vendor’s responses remain unverifiable for the most part, so you hope their responses are true—a concept sometimes referred to as “aspirational security.”
Traditional VRM tactics are inadequate for understanding your vendor’s cybersecurity posture; find out how new technologies and methods are changing the game.
For example, let’s say you ask your vendor how frequently they train their employees on IT security policies, because you know that employees who have been properly trained are much more likely to avoid downloading malware that could affect your data. our vendor responds that they are trained every quarter and gives some details on the training. That answer may put your mind somewhat at ease, but do you have a way to verify this claim? The answer is likely no.
3. Vendor risk assessment templates aren’t actionable.
Creating a vendor risk assessment template is only part of the job. The real work begins when your vendor completes the template and returns it to you. You then have to figure out how to turn their responses into actionable items. For example, if you ask about the kinds of cybersecurity policies in place within their organization and their response is insufficient, do you know what to do? Is there an agreed-upon course of action that both parties can take to remedy the problem? Remember that the template itself is useless without responses driving and furthering actions.
Even with these drawbacks, vendor risk assessment templates and questionnaires aren’t useless!
In fact, we think they’re an important part of the IT risk assessment process. They help you form an opinion of an organization’s security risk—and that’s worth something—but it cannot be your only investigative tool.
To dig deeper, incorporate more objective, verifiable, actionable data so your vendor risk management process isn’t just about pushing papers, but about protecting your organization.
With that goal in mind, we’ve outlined four critical principles all security managers should keep in mind when it comes to VRM.
The 4 Most Important Vendor Risk Management Principles For Security Managers
1. Know which vendors have your critical data.
Fact: You cannot treat all your vendors equally. Your organization doesn’t have unlimited resources or the ability to scale infinitely, so you need a solid process for vendor evaluations. The cornerstone of managing third parties is placing as much effort as possible into the vendors that are managing, processing, or storing your most critical data.
First, consider your data criticality: Which vendors are handling the most valuable data in your organization? Second, consider your critical services: Which vendors host a critical service for you that isn’t protected or regulated well? Once you evaluate these questions, you should be able to determine where you want to spend the majority of your time and which vendors to prioritize in terms of vendor risk management.
2. Verify that the security posture of the vendor is equal to or better than your own.
Most organizations begin their vendor evaluation processes by reviewing compliance reports from governing bodies like ISO, NIST, or SOC2. These reports are simple communication vehicles that give you a glimpse into the vendor’s current cybersecurity posture.
The problem is, these reports are often subjective, unverifiable, and unactionable—a triple threat against vendor risk management principles. What’s more, the reports are subject to human fallibility, misunderstanding, misinterpretation, and error, and they can eat away at time from both parties involved.
Therefore, many modern organizations are turning to publicly observable metrics, which identify and verify a vendor’s technical controls. These metrics are typically mapped to public IP addresses. Signs like poor configurations or a vendor’s public IP address base talking to known malicious sites are indicators that the vendor’s security posture may not be up to par. Think of it like home security: A home with no locks and broken windows is easier to break into than one that is meticulously maintained and updated with security tools.
Solutions like BitSight Security Ratings allow first party organizations to quickly and easily review their vendors without having to request anything from the third party. These solutions take a time-consuming data collection process and make it as easy as logging into a portal and reviewing a security rating.
3. Ensure that you review each third party holistically.
When contracting with a new vendor, be sure you have the business’s best interests in mind—and this means collaborating across departments and internal groups.
Keep in mind that information security and data privacy aren’t the only things a vendor is evaluated on—legal, finance, and human resources are also important areas of supplier onboarding. For example, if a vendor performs poorly in information security but well in all other categories, you may still choose to work with them. Why? Perhaps they don’t house any critical data or perform critical services, and a partnership would be mutually beneficial. Conversely, a vendor may perform very highly in information security, but legal or finance is unwilling to accept a particular contractual term. In this instance, it’s important for all parties to look at the business as a whole—not just at their individual disciplines—for the betterment of the company.
4. Trust but verify.
This age-old adage still rings true. Vendor risk management is an evaluation of a continual relationship, not an evaluation of a specific point in time. But without the proper tools, there’s no way to know how the posture of a vendor changes after you’ve signed a contract. With continuous risk monitoring solutions like BitSight Security Ratings, you’re able to:
- Identify whether there’s an issue with a third party quickly.
- Keep a constant line of dialogue open with your vendors to discuss any security issues that come up over the course of your vendor relationship.
- Manage all of your vendors at scale.
Vendor risk management must be a priority for all security managers. If you don’t do your due diligence on a vendor before signing on the dotted line, you may be setting yourself up for an information security disaster.
But as you’ve seen, traditional VRM tactics aren’t enough to keep your data safe. That’s why we created this free ebook on creating efficiencies in VRM. Download it today to learn how vendor risk management is typically handled, what makes those strategies inadequate, and how you can more effectively mitigate cyber risk in your organization.