Ask the Experts: Vendor Risk Management

When people think of IT Security and Vulnerability, they imagine internal database breaches and hackers stealing employee credentials. They’re usually not thinking about the risks introduced by vendors and other third parties—but some of the biggest data breaches result from poorly managed external access to data. To ensure access to your company’s data is controlled, proper Vendor Risk Management is needed.

I spoke to Aeritae Vendor Risk experts, Phil Holmer and Greg Handrick, to get their insight and advice on setting up and managing Vendor Risk.


For companies looking to start managing Vendor Risk, what’s a good entry point or way to get started?

Greg: Just decide to start! Create a list of your vendors (include what service(s) or product(s) you get from them, which department uses them, and contact names). Use the SIG (Standard Information Gathering) questionnaire or create a list of questions that will help you understand how this vendor adds to or reduces the risk to your own business.

Phil: Start a dialogue with your internal business areas to answer this question: What are the ways in which we are vulnerable, or have been vulnerable? What are the pieces that could be exploited through our vendors? Create a story from this answer. Be able to paint a picture for leadership, and the organization as a whole, as to the overwhelming importance of what could happen or what has happened. Once this story is articulated, a use case or business case focusing on which vendors or verticals are most critical can begin to form.


What factors should companies be looking into when assessing their Vendors?

Greg: First, understanding what “risk” means to your company. Is it regulatory or legal liability risk? Audit risk? Reputational, or maybe just business risk? Then you need to ask the right questions to make sure you understand how each vendor contributes to that risk and what the impact might be if a vendor stops supplying you or suffers a data breach.

Phil: Yes, this boils down to the company’s strategy. For instance, a hospital is concerned with saving lives, so access to life support systems can carry a large burden on the vendor risk assessment, whereas a financial company may care more about data safety.


If a Vendor is deemed “High Risk,” how should companies go about addressing that?

Greg: When you’ve clarified what type of risk the vendor presents, and what the impact might be to you, then a number of options present themselves. It might mean identifying alternate suppliers of a product. It might mean adding contract language that defines the vendor’s responsibilities. Some companies provide personnel to suppliers to help them improve their processes and reduce risk. It really depends on the situation, but often solutions are fairly easy to implement once you are aware of the problems.

Phil: For this answer, let’s assume that “high risk” is the most critical tier an organization is tracking. The vendor is not immediately disqualified from working with the organization, but an extensive CBA (Cost/Benefit Analysis) should be taken into consideration, lest an Equifax situation arise. If the benefit still outweighs the cost, then a recurring auditing process using organizational governance, risk and controls should be followed.


Any final words of wisdom on Vendor Risk?

Phil: Start! Much like Vulnerability Management, Vendor Risk can prevent what is a known source of the most debilitating data leaks worldwide.

Greg: The concepts around Vendor Risk Management have really matured over the past 10 years or so, and regulations have driven more companies to need a formal VRM program. If you’re still in the mode of assessing risk by emailing spreadsheets around, it’s time to look into a software tool that will save time, improve assessment accuracy, and really give the executive team the information they need to make good decisions.


Ultimately, managing vendor risk plays a major part in Vulnerability Management as a whole and should be an ongoing part of Security Operations. Companies can lower risk by engaging with a partner to help implement solutions like the ServiceNow Vendor Risk tool.

If you’re looking to get started, or need advice on where to go next, please reach out!

Ben DeYoung

Consultant, AERITAE