The Importance of Vendor Risk Management for CISOs
By Frank Balonis, CISO and Senior Vice President, Operations at Kiteworks
If a company deals with even one third-party vendor, then vendor risk management should be at the forefront of the CISO’s mind.
What is vendor risk management? Vendor risk management (VRM) is the process a company follows to verify that its suppliers and providers comply with specific regulations and standards, so that they do not negatively impact the company.
Why Is Vendor Risk Management Important for My Business Operations and Logistics?
A fact of modern business is that we are increasingly relying on vendors to take over traditional in-house operations. Cloud productivity applications, marketing, storage, analytics, payment processing, and cybersecurity have all, in part or in whole, been effectively remodeled into outsourced services provided by vendors who are experts in their field.
And that’s not surprising. One benefit many of us gain from working with vendors is reduced cost, because we do not have to hire or maintain specialized IT staff to handle niche functions. Additionally, you can bring much higher levels of specialized expertise to your organization, whether that applies to security, machine learning, cloud support, or any other important business function. Finally, the combined benefits of support, expertise, and efficiency contribute significantly to the resiliency and scalability of your business and IT infrastructure.
Since vendors fill these necessary niches for our businesses, they understandably come into contact with critical business operations and information. This is why you’ll see industries like healthcare, with strict HIPAA regulations, maintain well-defined rules on the obligations and requirements for vendors handling patient information.
However, this kind of attention to detail, security, and procedure should apply to your business beyond the demands of compliance. Working with vendors, even vendors that have the best operational and logistical support, introduces risk into your business: risk of breach, inefficiency, or loss or damage to data.
These risks emerge in several key areas, including the following:
- Security: You rely on the security infrastructure of a vendor. While this is cost-effective when done right, it also means that a security threat to a vendor (or the client of a vendor) can impact your operations or data security.
- Compliance: Depending on your industry, you must work with compliant vendors. If they aren’t compliant or aren’t maintaining compliance, you could face severe penalties, loss of operating capabilities, and a negative impact on your reputation.
- Reliance on External Infrastructure: If a vendor you depend on goes down, it can disrupt your entire business. Bugs, errors, or infrastructural issues can have a massive ripple effect on productivity, and fixing the problem is often out of your control.
- Lack of Strategic Agility: Vendors are their own entity with their own business goals and operational priorities, and they may make decisions that don’t align with your goals or needs. If this happens, your organization could be caught unprepared and scramble to fill the gap.
VRM calls on your organization to take stock of the players managing functions in your business. Unlike supplier risk management (where you have to keep track of products and supply chains), many vendors will either work intimately with your company or provide technology that will become an integral part of your business and require more in-depth analysis to manage.
Implementing Vendor Risk Management as a Business Strategy
Vendor Risk Management forces your organization to develop plans to evaluate the amount of risk you take when working with one vendor or multiple vendors. As a strategy and policy, VRM prioritizes analyzing vendor relationships and business goals to shape how vendors are selected, how vendor relationships evolve, and when to make decisions about breaking off or switching vendor relationships.
A VRM policy will include a clear strategic direction on how your organization incorporates risk in vendor relationships. Some of the steps you may take in crafting a VRM policy include the following:
- Developing a risk appetite statement to define what level of risk is acceptable to your company.
- Cataloging compliance or industry standards that impact vendor services and how you work with vendors handling protected data.
- Using risk appetite, compliance, and internal operations to define a control and assessment standard that will shape metrics applied to vendors.
- Inventorying individual products or services offered by vendors against that established assessment standard.
- Categorizing vendors and services on how necessary they are to your operations and how that impacts acceptable risk.
- Requiring regular internal risk assessments and contractual reporting from vendors to maintain informed risk-based decision-making.
- Evaluating vendor contracts regularly and determining required updates based on evolving regulations, technologies, and vulnerabilities.
- Continuously monitoring vendors’ performance (such as security, efficiency, and responsiveness), and reassessing relationships regularly.
With those steps in mind, you may see a path or journey emerge. More concisely put, the VRM life cycle includes the following steps:
- Identifying appropriate vendors to work with based on your needs.
- Evaluating vendors for their applicability to your job, which includes creating a catalog of services, products, compliance reporting and so on.
- Assessing any risk accompanying these vendors and their products.
- Establishing contracts with the vendors, including language for regular reviews, reporting and any other requirements you have identified in your VRM strategy.
- Requiring and acquiring documentation and reporting on critical aspects of their operations both before signing a contract and at regular intervals afterwards.
- Continuously monitoring operations, changes to vendor operations and effectiveness of controls to determine any necessary adjustments or remediation steps required.
How Does a CISO Drive VRM?
As CISO, your role is to guide technology, infrastructure, and employees under IT for maximum security, efficiency, and service to your company. As such, you will find yourself directly working with vendors and crafting VRM to ensure that those vendors serve your company as needed. Additionally, you’ll have to answer for vendors in front of investors, business leaders, and peers. If a vendor is unsecured, rapidly changes services, or regularly appears negatively in industry conversations or in the press, business leaders will look to you for answers.
The most crucial fact you must remember is that vendor vulnerabilities are becoming more widespread in modern business, even for established service providers working with the largest companies in the world. Therefore, if you’re working with a network of vendors, you have to own any negative experience with a vendor. Obviously, then, VRM becomes a vital practice.
Your first step should always be to vet a vendor extensively. Some steps to take in evaluating potential vendors as a CISO include gathering client references, determining liability and insurance, and conducting background checks. You should always look for documentation of compliance, both for industry standards and any additional frameworks like SOC 2. Finally, a clear and rigorous review process should always be in place for any contracts between you and a vendor.
As a CISO, you’re responsible for implementing, in the most meaningful sense, your VRM strategy. If you’re starting without any management model, you can use the VRM Maturity Model (VRMMM) to gauge where you are and how you can develop as an organization.
The six levels of VRMMM are the following:
- No VRM: You are, perhaps, a start-up or new company with no active VRM policy in place.
- Ad Hoc VRM: You’ve started implementing review and management procedures on an as-needed basis.
- Road Map with Ad Hoc: After working with vendors, you have developed an actual VRM plan based on previous insights from ad hoc activities. You are also moving to full implementation of VRM.
- Established VRM: You have a complete, established, and defined VRM infrastructure that you are preparing to implement in your organization.
- Implemented and Operational: Your VRM is now in effect, and your vendor relationships are operating within that blueprint.
- Continuous Improvement: You’re optimizing your VRM over time, using data pulled from vendor performance, continuous monitoring, and internal risk review.
Finally, VRM software does exist, and it can help manage vendor risk. VRM tools from third-party risk management providers automate critical tasks like assessing and monitoring risk, implementing controls, and reporting. Additionally, third-party vendor risk management software can include solutions to assess contracts and changes to policies, procedures, and correspondence between your organization and the vendor. And, more often than not, VRM software can help you assess risk over a complex set of vendor relationships.
Make Vendor Risk Management a Key Component of Your Job Description
Vendor services are the present and future of doing business in a data-driven world. However, vendors come with significant risks. That’s why, as CISO of your organization, you should treat that risk as any other metric. Define, measure, monitor, and act upon vendor risk and your organization’s needs so that you can maintain the security and compliance of your data and your systems.
Frank Balonis is CISO and Senior Vice President, Operations at Kiteworks.