Vendor Management: It’s a Risky Business

By John Brady, CISO, Secure-24

Just like exercising and getting sufficient sleep, we often discuss managing our vendors, suppliers and partners better. However, industry surveys continue to show a lack of attention to the assessment and management of vendors who have access to company data. Third-party vendor management is a tall order to fill due to the complexities of managing those who are not directly in the organization.

Alarming Vendor Breach Statistics
Vendor actions are causing serious breaches, exposing millions of private records across industries, literally from soup to nuts. In fact, breaches caused by third parties are rising at such a rate that a major consulting firm ranks third party action as the number one cybersecurity risk in the financial services industry. The public is well aware of major breaches to companies like Target and Home Depot that occurred because of exploits of vulnerabilities at third parties. Incidents such as these, have received attention from regulators from a variety of three letter agencies, including the FTC, SEC, and HHS.
We all know that breaches cause significant reputation and financial loss to data owners more than the third party. Company names are attached to the headline and clients must be notified of the breach.

So why isn’t more attention paid to vendor management?

Out of Sight, Out of Mind?
There are several reasons why organizations do not examine their vendor management practices as well as, assess and improve the information security and technology components that they manage themselves:

  • Processes handled by vendors are not viewed by executives, so they are not visible for scrutiny.
  • Management views outsourcing as a means to eliminate worrying about a process. Management feels they are outsourcing a process, and are paying for peace of mind. What they forge is that the liability cannot be outsourced.
  • Vendor risk management is an additional expense that does not reduce cost or increase revenue. It does not introduce new innovation. The best outcome of a vendor management policy is smooth operations, and not security breaches.
  • Organizations are unsure about how to start because they do not have a good asset management program. They do not know what data is held, where it is held and by whom. No one has time to work on this, since everyone is busy implementing new systems, thus making the problem even worse. It gets even worse—vendors often pass the data to their subcontractors who pass it along to their subcontractors and so on. The original enterprise is not even aware of the handoffs.
  • Organizations do not have the expertise for vendor risk management and they don’t know who to consult. If they find a resource, they find that the consultants who do this well, are extremely expensive and cannot afford the program.
  • There is a lack of awareness of the cost of a breach, which far outweighs the cost of a vendor risk management program.
  • Management feels their vendors would never allow exposure of the data and since it has not happened yet, it will never happen.
  • The responsibility for vendor management is not clear. Who is responsible? IT? Purchasing? Compliance? Legal? Operations? Internal Audit? Risk Management? It is a collaborative effort among ALL of these departments and requires dealing with complexity, entrenched practices, different incentives, and many other challenges.

Getting Started

Enterprises must first take the steps necessary to determine where the enterprise data is located.

  • Engage C-levels immediately to explain that data management is critical to efficient business and technology operations. Knowing where your data is located is NOT an IT problem rather, it is a business problem.
  • Hire a contractor with the expertise to locate your data. If you need to reduce costs, hire local college students who are working on an Information Technology or an IT Audit degree, who want to become business analysts or IT auditors.
  • Ask your Purchasing department for a list of vendors and review it to determine who might hold data.
  • While obtaining the data, also collect information on how the data is used, classify it according to confidentiality standards and get copies of the contracts and statements of work.
  • Assign a vendor risk rating based on what the data classification and the importance of the function is to the enterprise.
  • Compile the results.

Assess the Vendor

  • There are numerous tools available often found under Governance, Risk and Compliance tools. Most of these require that you map your information security controls. (These are a pre-requisite, and should include controls that are relevant for your industry, especially for health care or financial services enterprises.)
  • If you cannot hire the expert reviewers to conduct the assessments, there are several firms that can accomplish this for you.
  • Set a schedule for vendor assessments based on the risk rating. For example, you many decide to do High risk vendors every year, Medium risk every other year and Low risk every third year.
  • Ensures that you assess new vendors when they are still under consideration. Assign risks to all third parties which can range from high risk to low risk.
  • Review the most recent Service Organization Controls (SOC) assessment. This should be provided by vendors upon request. Most will require that an NDA is in place prior to submission.
  • For items for which the vendor does not meet your requirements, maintain a risk register and publish to relevant business units, so that they are aware of and have authorized the risk the vendor is exposing the enterprise to. Ensure, in writing, that vendors are also aware of the deficiencies.

Third-party vendor management consisting of a strong risk management program, is essential to avoiding incidents like the Target breach and many others. As the year of the data breach spirals on, third-party management, which includes proactive monitoring to ensure compliance, must be at the top of enterprise priority lists.