Vendor Management—It’s a Risky Business!
By John Brady, CISO, Secure-24
Just like flossing, exercise, and getting enough sleep, we talk about managing our vendors better, but industry surveys continue to show a lack of attention to the assessment and management of vendors who have access to our company’s data.
Alarming Vendor Breach Statistics
Vendor actions are causing serious breaches, exposing millions of private records across industries, literally from soup to nuts. In fact, breaches caused by third parties are rising at such a rate that a major consulting firm ranks third-party action as the number one cybersecurity risk in the financial services industry. The public is well aware of major breaches at companies like Target and Home Depot that occurred because of exploits of vulnerabilities at third parties. Incidents such as these have gotten the attention of regulators from a variety of three-letter agencies, including the FTC, SEC, and HHS.
We all know that a breach causes significantly more reputational and financial loss to the data owner than to the third party. Our company name is attached to the headline and we have to notify our customers. So why isn’t more attention paid to vendor management?
Out of Sight, Out of Mind?
There are several reasons why organizations do not examine their vendor management practices as closely as they assess and improve the information security and technology components they manage themselves:
- Processes handled by vendors are not seen by executives, so they are not visible for scrutiny.
- Outsourcing is often viewed by management as a way to eliminate worrying about a process. Management feels they are outsourcing a process, and are paying for peace of mind. They forget that the liability cannot be outsourced.
- Vendor Risk Management is an additional expense that does not reduce cost or increase revenue. It does not introduce new innovation. The best outcome of a vendor management policy is smooth operations and no security breaches.
- Organizations are not sure how to start because they do not have a good asset management program. They do not know what data is being held, where it is being held and by whom. No one has time to work on this, since everyone is busy finishing projects that implement new systems, thus making the problem even worse. It gets even worse—vendors often pass the data to their subcontractors who pass it along to their subcontractors and so on. The original enterprise is not even aware of the handoffs.
- Organizations do not have the expertise for vendor risk management and they don’t know who to turn to. If they do find a resource, they find that the consultants who do this well are extremely expensive, and they cannot afford the program.
- There is a lack of awareness of the cost of a breach, which far outweighs the cost of a vendor risk management program.
- Management feels their vendors would never allow exposure of the data and since it has not happened yet, it will never happen.
- The responsibility for vendor management is not clear. Who is responsible? IT? Purchasing? Compliance? Legal? Operations? Internal Audit? Risk Management? It is really a collaborative effort among ALL of these departments and requires dealing with complexity, entrenched practices, different incentives, and many other challenges.
1. Do the work to find where the enterprise data is located.
- Engage C-levels first to explain that this is critical to operations. Knowing where your data is located is NOT an IT problem; rather, it is a business problem.
- Hire a contractor with the expertise to get this done. If you need to save costs, hire local college students who are working on an Information Technology or IT Audit degree and who want to become business analysts or IT auditors.
- Ask Purchasing for a list of vendors and review it to determine which ones might hold data.
- While obtaining the data, also collect information on how the data is used, classify it according to confidentiality standards, and get copies of the contracts and statements of work.
- Assign a vendor risk rating based on the data classification and the importance of the function to the enterprise.
- Compile the results.
2. Assess the Vendor
- There are numerous tools available, often found under Governance, Risk and Compliance (GRC) tools. Most of these require that you map your information security controls. (These are a prerequisite, and should include controls that are relevant for your industry, especially for health care or financial services.)
- If you cannot hire the expert reviewers to conduct the assessments, there are many firms that can do this for you.
- Set a schedule for vendor assessments based on the risk rating. For example, you may decide to assess High risk vendors every year, Medium risk every other year, and Low risk every third year.
- Be sure to assess new vendors when they are still under consideration.
- Review the most recent Service Organization Controls (SOC) assessment. This should be provided by the vendor upon request. Most will require that an NDA be in place before submitting it to you. In a future article, I will provide details on how to review the SOC report.
- For items where the vendor does not meet your requirements, keep a risk register that is published to the relevant business unit, so that they are aware of, and have formally accepted, the risk to which the vendor is exposing the enterprise. Ensure, in writing, that the vendor is also aware of the deficiencies.
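The two steps above (inventory and rate, then schedule and track) are easier to keep honest when the rules live in code rather than in a spreadsheet that nobody re-reads. The following is an added example, written for this edit and not code from the article or from Secure-24. It rates each vendor from the data classification it holds and the importance of the function it performs, derives the assessment cadence from that rating using the article's High/Medium/Low schedule, lists vendors that are unassessed or overdue, and reports risk-register findings that still lack business-unit acceptance or written notice to the vendor. The classification and importance labels, the "take the higher of the two" rating rule and its thresholds, and every vendor name, date and finding are constructed assumptions for illustration.

```python
"""Vendor risk rating, assessment scheduling and open risk register.

Added example; the article describes the process but provides no code.
All vendor names, dates and findings below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Union

# Ordinal scales for the two inputs the article names. Labels are assumed.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
FUNCTION_IMPORTANCE = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Assessment cadence in years, per the article's example schedule.
CADENCE_YEARS = {"High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    control: str                  # control the vendor failed, e.g. "encryption at rest"
    description: str
    business_owner: str           # unit that must accept the risk
    acknowledged: bool = False    # business unit has formally accepted the risk
    vendor_notified: bool = False  # deficiency communicated to the vendor in writing


@dataclass
class Vendor:
    name: str
    data_classification: str
    function_importance: str
    last_assessed: Optional[date] = None
    subcontractors: List[str] = field(default_factory=list)  # known downstream handoffs
    findings: List[Finding] = field(default_factory=list)


def risk_rating(vendor: Vendor) -> str:
    """Map (data classification, function importance) to High/Medium/Low.

    Takes the higher of the two scores, so a vendor holding restricted data
    is High even if its function is minor. Thresholds are an assumption; the
    article only says the rating derives from both inputs.
    """
    score = max(CLASSIFICATION[vendor.data_classification],
                FUNCTION_IMPORTANCE[vendor.function_importance])
    if score >= 3:
        return "High"
    if score == 2:
        return "Medium"
    return "Low"


def next_assessment_due(vendor: Vendor) -> Optional[date]:
    """Due date from the last assessment plus the cadence; None if never assessed."""
    if vendor.last_assessed is None:
        return None
    last = vendor.last_assessed
    target_year = last.year + CADENCE_YEARS[risk_rating(vendor)]
    try:
        return last.replace(year=target_year)
    except ValueError:  # last assessment was on Feb 29 and the target year is not leap
        return last.replace(year=target_year, day=28)


def _to_date(value: Union[date, str]) -> date:
    return date.fromisoformat(value) if isinstance(value, str) else value


def assessments_needed(vendors: List[Vendor], today: Union[date, str]):
    """(name, rating, due) for vendors never assessed or past due; never-assessed first."""
    today = _to_date(today)
    needed = []
    for v in vendors:
        due = next_assessment_due(v)
        if due is None or due <= today:
            needed.append((v.name, risk_rating(v), due))
    # None (never assessed) sorts ahead of real due dates, then oldest due first.
    needed.sort(key=lambda t: (t[2] is not None, t[2] or today))
    return needed


def open_risk_register(vendors: List[Vendor]):
    """Findings still lacking business-unit acceptance or written vendor notice."""
    rows = []
    for v in vendors:
        for f in v.findings:
            missing = []
            if not f.acknowledged:
                missing.append("business-unit acceptance")
            if not f.vendor_notified:
                missing.append("written notice to vendor")
            if missing:
                rows.append({"vendor": v.name, "rating": risk_rating(v), "control": f.control,
                             "owner": f.business_owner, "missing": missing})
    return rows


# Constructed sample inventory (names, dates and findings are not real).
SAMPLE_VENDORS = [
    Vendor("Payroll-SaaS (sample)", "restricted", "critical", date(2015, 3, 1),
           subcontractors=["Cloud host (sample)"],
           findings=[Finding("encryption at rest", "Backups stored unencrypted", "HR",
                             acknowledged=True, vendor_notified=False)]),
    Vendor("Marketing-Email (sample)", "internal", "medium", date(2015, 6, 15)),
    Vendor("Facilities-Cleaning (sample)", "public", "low", None),
    Vendor("Claims-Processor (sample)", "confidential", "high", date(2016, 2, 29)),
]

if __name__ == "__main__":
    for name, rating, due in assessments_needed(SAMPLE_VENDORS, "2018-03-01"):
        print(f"{rating:6} {name:30} due {due or 'never assessed'}")
    for row in open_risk_register(SAMPLE_VENDORS):
        print(row)
```

Run as a script it prints the assessment backlog as of the constructed date 2018-03-01 and the one register entry that still needs written notice to the vendor. The "never assessed" entries sort first deliberately: a vendor nobody has looked at is a bigger unknown than one whose review is a few months late, and the subcontractor list is carried on each record so the handoffs the article warns about are at least written down.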
In Part 2 of this two-part blog, I will discuss:
- Contract Checklists
- And don’t forget the SLAs!
- Reviewing SOC reports and other third party assessments
- Overlooked Complementary Controls
- On Site Reviews—What, Why, When, and How?
- How to reduce the expense
- When are penetration tests needed?
- Who should perform the pen test?
Stay tuned… more to come!
Author: John Brady, CISSP, is Chief Information Security Officer of Secure-24. He provides information security advisory services to clients, in addition to his leadership role in the company.