Relationships with vendors are important (or even vital) for many organizations, but unfortunately, there’s a trade-off—the more data you share, the more risk you acquire.
You probably already know all of that. And, maybe, in order to identify and mitigate these risks, you’ve begun to consider creating a vendor risk management (VRM) program; it seems like the logical next step. Perhaps you’re already past this step, and have begun creating one. But, even with a program in place, are you actually able to get a really solid idea of the security position of your vendors? Probably not. Unfortunately, current risk assessment methods don’t paint a complete picture, and they are often biased and insufficient when used alone. Within these pages, we’re going to explore how VRM programs often leave you in the dark, and what you can do about it.
Whether you have already established a vendor risk management program or you’re just getting started, you’re probably well aware of how much effort it takes to establish one. If you’re in the beginning steps, here’s a look at some of the phases that you’d most likely go through if you were to create a VRM program:
First, you’d identify who your vendors are, what they’re doing with your data, what level of access they have to your network, and what risk they pose to you. (This, of course, is much easier said than done.)
Next, you’d be ready to assemble your team. This typically requires someone from the IT department, someone from the legal department (as lawyers have to incorporate defined security requirements into your vendor contracts), and a few members of the business team (who directly manage the vendors). It’s quite a task to assemble everyone who needs to be in the room at the same time.
From there, you’d build your vendor risk management strategy by prioritizing your vendors, typically organized into 3 or 4 tiers (e.g. low, medium, high, or critical), depending on their access to your network.
During this process, you would need to figure out what kind of data they have access to. This process can be challenging, but it is essential.
After you’ve formulated the strategy, the next step would be to decide what you’re going to ask your vendors to do. The sector you’re in dictates a great deal of the security measures that you impose on your vendors. For example, retail organizations have to comply with payment card industry (PCI) data security standards, ensuring that their clients are PCI compliant. Those in the health care industry identify and label many of their vendors as “business associates” for legal purposes. These business associates are required to have certain security measures and protocols in place, such as data encryption, in order to be compliant with HIPAA.
If an organization’s industry isn’t highly regulated, it may not be sure what security measures to even require! These organizations typically end up asking for “reasonable” security protocols… but what does that even mean? There is no standard for “reasonable” security, so this could be as much or as little as your company feels is important. (You can see how this ambiguity could be problematic.)
At this stage in the game, things start to get rather tricky. The security requirements would already have been laid out and imposed on the vendors, but now you’d have to figure out whether your vendors are actually complying. But how is it possible to do that?