
The Importance of Vendor Risk Management for CISOs
If a company deals with even one third-party vendor, then vendor risk management should be at the forefront of the CISO’s mind.
What is vendor risk management? Vendor risk management (VRM) is the process a company uses to identify, assess, and monitor the risk its suppliers and service providers introduce, including verifying that they comply with the regulations and standards that apply to the company, so that a vendor's failure does not become the company's failure.
Why Is Vendor Risk Management Important for My Business Operations and Logistics?
A fact of modern business is that we are increasingly relying on vendors to take over traditional in-house operations. Cloud productivity applications, marketing, storage, analytics, payment processing, and cybersecurity have all, in part or in whole, been effectively remodeled into outsourced services provided by vendors who are experts in their field.
And that’s not surprising. Working with vendors reduces costs, because you no longer have to recruit and retain specialized IT staff for niche functions. It also brings a much higher level of specialized expertise to your organization, whether in security, machine learning, cloud support, or any other important business function. Finally, the combined benefits of support, expertise, and efficiency contribute significantly to the resiliency and scalability of your business and IT infrastructure.
Since vendors fill these necessary niches for our businesses, they understandably come into contact with critical business operations and information. This is why you’ll see industries like healthcare, with strict HIPAA regulations, maintain well-defined rules (such as HIPAA’s business associate agreement requirements) on the obligations of vendors handling patient information.
However, this kind of attention to detail, security, and procedure should apply to your business beyond the demands of regulatory compliance. Working with vendors, even vendors that have the best operational and logistical support, introduces risk into your business: risk of breach, inefficiency, or loss or damage to data.
These risks emerge in several key areas, including the following:
- Security: You rely on the security infrastructure of a vendor. While this is cost-effective when done right, it also means that a security incident at a vendor (or at another customer sharing that vendor’s platform) can impact your operations or data security, and a breach of your data at a vendor is still your breach to report.
- Compliance: Depending on your industry, you must work with compliant vendors. If they aren’t compliant or aren’t maintaining compliance, you could face severe penalties, loss of operating capabilities, and a negative impact on your reputation.
- Reliance on External Infrastructure: If a vendor you depend on goes down, it can disrupt your entire business. Bugs, errors, or infrastructural issues can have a massive ripple effect on productivity, and fixing the problem is often out of your control.
- Lack of Strategic Agility: Vendors are their own entity with their own business goals and operational priorities, and they may make decisions that don’t align with your goals or needs. If this happens, your organization could be caught unprepared and scramble to fill the gap.
VRM calls on your organization to take stock of the players managing functions in your business. Unlike supplier risk management, which tracks products and supply chains, VRM covers vendors that either work intimately with your company or provide technology that becomes an integral part of your business, and those relationships require more in-depth analysis to manage.
Implementing Vendor Risk Management as a Business Strategy
Vendor risk management forces your organization to develop plans to evaluate the amount of risk you take when working with one vendor or multiple vendors. As a strategy and policy, VRM prioritizes analyzing vendor relationships and business goals to shape how vendors are selected, how vendor relationships evolve, and when to make decisions about breaking off or switching vendor relationships.
A VRM policy will include a clear strategic direction on how your organization incorporates risk in vendor relationships. Some of the steps you may take in crafting a VRM policy include the following:
- Developing a risk appetite statement to define what level of risk is acceptable to your company
- Cataloging compliance or industry standards that impact vendor services and how you work with vendors handling protected data
- Using risk appetite, compliance, and internal operations to define a control and assessment standard that will shape metrics applied to vendors
- Inventorying individual products or services offered by vendors against that established assessment standard
- Categorizing vendors and services on how necessary they are to your operations and how that impacts acceptable risk
- Requiring regular internal risk assessments and contractual reporting from vendors to maintain informed risk-based decision-making
- Evaluating vendor contracts regularly and determining required updates based on evolving regulations, technologies, and vulnerabilities
- Continuously monitoring vendors’ performance (such as security, efficiency, and responsiveness), and reassessing relationships regularly
With those steps in mind, you may see a path or journey emerge. More concisely put, the VRM life cycle includes the following steps:
- Identifying appropriate vendors to work with based on your needs
- Evaluating vendors for their fit to the work, which includes creating a catalog of their services, products, compliance reporting, and so on
- Assessing any risk accompanying these vendors and their products
- Establishing contracts with the vendors, including language for regular reviews, reporting, and any other requirements you have identified in your VRM strategy
- Requiring and acquiring documentation and reporting on critical aspects of their operations both before signing a contract and at regular intervals afterwards
- Continuously monitoring operations, changes to vendor operations, and effectiveness of controls to determine any necessary adjustments or remediation steps required
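The policy steps and life cycle above become repeatable only when the risk appetite statement and the assessment standard are written down as data that every vendor review is run against. The following is an added example, not code from the article or from any VRM product: it encodes an assumed appetite table (tiers by inherent score, the residual risk each tier may carry, and how often it must be reassessed), an assumed control-credit scheme (SOC 2 Type II recency, penetration test recency, contractual encryption, breach notification SLA), and an assumed hard gate for regulated data, then scores a constructed sample register and returns an approve, remediate, or escalate decision with the findings to chase. All vendor names, weights, thresholds, and evidence dates are illustrative assumptions.

```python
"""Vendor risk register: the risk appetite statement and assessment standard
as data, applied to each vendor to score it and decide what to do next."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assessment standard (assumed): data sensitivity x operational criticality,
# each 1-4, gives an inherent risk score of 1-16 before any control credit.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Risk appetite statement (assumed) as a table: (tier, max inherent score to
# land in the tier, max residual the tier may carry, reassessment interval).
TIERS = (
    ("tier-3", 4, 4.0, timedelta(days=730)),
    ("tier-2", 9, 4.0, timedelta(days=365)),
    ("tier-1", 16, 6.0, timedelta(days=180)),
)
EVIDENCE_MAX_AGE = timedelta(days=365)  # older attestations earn no credit
MAX_CREDIT = 0.7                         # controls never erase inherent risk

@dataclass
class Evidence:
    soc2_type2_period_end: Optional[date] = None  # end of the audited period
    pentest_date: Optional[date] = None
    encryption_in_contract: bool = False
    breach_notice_hours: Optional[int] = None

@dataclass
class Vendor:
    name: str
    data: str          # key of DATA_SENSITIVITY
    criticality: str   # key of CRITICALITY
    evidence: Evidence
    last_assessed: date

def is_current(d: Optional[date], today: date) -> bool:
    return d is not None and today - d <= EVIDENCE_MAX_AGE

def tier_for(inherent: int):
    for tier, max_inherent, max_residual, interval in TIERS:
        if inherent <= max_inherent:
            return tier, max_residual, interval
    raise ValueError(f"inherent score {inherent} is outside the appetite table")

def control_credit(ev: Evidence, today: date):
    """Credit for evidenced controls; every unmet check becomes a finding."""
    checks = (  # (evidence present?, credit, finding when absent)
        (is_current(ev.soc2_type2_period_end, today), 0.3,
         "SOC 2 Type II missing or audit period ended over 12 months ago"),
        (is_current(ev.pentest_date, today), 0.2,
         "penetration test missing or older than 12 months"),
        (ev.encryption_in_contract, 0.1, "no contractual encryption requirement"),
        (ev.breach_notice_hours is not None and ev.breach_notice_hours <= 72, 0.1,
         "breach notification SLA missing or longer than 72 hours"),
    )
    credit = sum(w for ok, w, _ in checks if ok)
    findings = [gap for ok, _, gap in checks if not ok]
    return min(credit, MAX_CREDIT), findings

def assess(v: Vendor, today: date) -> dict:
    inherent = DATA_SENSITIVITY[v.data] * CRITICALITY[v.criticality]
    tier, max_residual, interval = tier_for(inherent)
    credit, findings = control_credit(v.evidence, today)
    residual = round(inherent * (1 - credit), 2)
    reassess_by = v.last_assessed + interval
    if reassess_by < today:
        findings.append(f"reassessment overdue since {reassess_by.isoformat()}")
    # Hard gate (assumed policy): regulated data without a current SOC 2 Type II
    # is outside appetite whatever the score; the business owner must decide.
    if v.data == "regulated" and not is_current(v.evidence.soc2_type2_period_end, today):
        decision = "escalate"
    elif residual <= max_residual:
        decision = "approve"
    else:
        decision = "remediate"  # gaps are closable: collect the missing evidence
    return {"vendor": v.name, "tier": tier, "inherent": inherent, "residual": residual,
            "decision": decision, "reassess_by": reassess_by, "findings": findings}

# Constructed sample register and a fixed "today" so the run is deterministic.
TODAY = date(2024, 6, 1)
REGISTER = [
    Vendor("payments-co", "regulated", "critical",
           Evidence(date(2023, 12, 31), date(2024, 2, 15), True, 24), date(2024, 1, 10)),
    Vendor("analytics-inc", "confidential", "medium",
           Evidence(None, None, True, None), date(2023, 3, 1)),
    Vendor("swag-shop", "public", "low", Evidence(), date(2022, 1, 1)),
    Vendor("ehr-host", "regulated", "high",
           Evidence(date(2022, 9, 30), date(2024, 1, 20), True, 72), date(2024, 4, 1)),
]

if __name__ == "__main__":
    for v in REGISTER:
        a = assess(v, TODAY)
        print(f"{a['vendor']:14} {a['tier']} inherent={a['inherent']:2} "
              f"residual={a['residual']:4} {a['decision']:9} reassess by {a['reassess_by']}")
        for f in a["findings"]:
            print(f"    - {f}")
```

Two design choices matter more than the particular weights. First, evidence has an age: a SOC 2 report is credited only while its audit period is recent, so a vendor that was fine at onboarding drifts back toward its inherent score until it supplies a new report, which is what the "regular intervals afterwards" step in the life cycle means in practice. Second, the hard gate sits outside the arithmetic: no amount of other control credit lets regulated data ride on an unattested vendor, which keeps the scoring model from quietly overriding a decision the appetite statement reserved for the business.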
How Does a CISO Drive VRM?
As CISO, your role is to guide technology, infrastructure, and employees under IT for maximum security, efficiency, and service to your company. As such, you will find yourself directly working with vendors and crafting VRM to ensure that those vendors serve your company as needed. Additionally, you’ll have to answer for vendors in front of investors, business leaders, and peers. If a vendor is unsecured, rapidly changes services, or regularly appears negatively in industry conversations or in the press, business leaders will look to you for answers.
The most crucial fact you must remember is that vendor vulnerabilities are becoming more widespread in modern business, even at established service providers working with the largest companies in the world. If you’re working with a network of vendors, you have to own any negative experience with a vendor. VRM therefore becomes a vital practice.
Your first step should always be to vet a vendor extensively. Some steps to take in evaluating potential vendors as a CISO include gathering client references, determining liability and insurance, and conducting background checks. You should always ask for compliance documentation, both for industry standards and for independent attestations such as a SOC 2 report; when you receive one, read it rather than filing it: confirm that its scope covers the service you are buying, that the audit period is recent, and note any exceptions the auditor recorded. Finally, a clear and rigorous review process should always be in place for any contracts between you and a vendor.
As a CISO, you’re responsible for implementing, in the most meaningful sense, your VRM strategy. If you’re starting without any management model, you can use the VRM Maturity Model (VRMMM) to gauge where you are and how you can develop as an organization.
The six levels of VRMMM are the following:
- No VRM: You are, perhaps, a start-up or new company with no active VRM policy in place.
- Ad Hoc VRM: You’ve started implementing review and management procedures on an as-needed basis.
- Road Map With Ad Hoc: After working with vendors, you have developed an actual VRM plan based on previous insights from ad hoc activities. You are also moving to full implementation of VRM.
- Established VRM: You have a complete, established, and defined VRM infrastructure that you are preparing to implement in your organization.
- Implemented and Operational: Your VRM is now in effect, and your vendor relationships are operating within that blueprint.
- Continuous Improvement: You’re optimizing your VRM over time, using data pulled from vendor performance, continuous monitoring, and internal risk review.
Finally, VRM software does exist, and it can help manage vendor risk. VRM tools from third-party risk management providers automate critical tasks such as assessing and monitoring risk, tracking control implementation, and reporting. Additionally, third-party vendor risk management software can include features to assess contracts and to track changes to policies, procedures, and correspondence between your organization and the vendor. And, more often than not, VRM software can help you assess risk across a complex set of vendor relationships.
Make Vendor Risk Management a Key Component of Your Job Description
Vendor services are the present and future of doing business in a data-driven world. However, vendors come with significant risks. That’s why, as CISO of your organization, you should treat vendor risk as you would any other risk you manage. Define, measure, monitor, and act upon vendor risk against your organization’s needs so that you can maintain the security and compliance of your data and your systems.
Additional Resources