Considering vendor security as part of your own risk program is an accepted best practice. But what exactly does it mean to do so? How do you determine which vendors merit the most attention? What data do you need? What roles should your legal, compliance, purchasing, IT, and operations resources play? What access might they need? How do you organize all these moving parts into an efficient, flexible service that scales diligence to the risk of the relationship, yet offers a rational set of processes and rules your suppliers can understand and embrace?
Why Integrating Vendors into your Risk Program is Important
While some suppliers are large companies with significant risk and security management resources, many more are not. Small businesses are a prime target for cyberattacks:
- Forty-three percent of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture.[1]
- These incidents now cost small businesses $200,000 on average, reveals insurance carrier Hiscox, with 60% of them going out of business within six months of being victimized.
- More than half of all small businesses suffered a breach within the last year.
This means it’s likely the interaction of your small service providers, as well as the large ones, represents a clear and present risk to your operations. Depending upon what and where your vendors participate in the delivery of your business to your clients and customers, this risk passes on to you, and may even be amplified by their relationship to your customers.
And this is just the consideration for cyber risk. That may translate into operational, financial, regulatory, and reputational risks for your firm. Are they reliable partners? Do they have legal challenges? Are they financially sound? If you do not have a solid process for managing the risks associated to the interactions and services provided by your vendors and suppliers, you have not established a comprehensive foundation for risk management.
Assigning Attention
Your biggest vendor may not require the most attention. Nor may your smallest be necessarily ignored. You need a methodology for simply scoring and identifying vendor risk. This methodology might best be served through the data gathered through answers to a simple series of questions about scope, data, financial and regulatory exposure. Using a scale numeric scale to answer each of these “questions” could allow you to establish a preliminary risk score; one that may be used to direct your vendor through specific process steps of diligence, depending upon that score. This practice also allows you to create a simple questionnaire that’s easy for vendors, regardless of size and sophistication to complete and submit. Such a questionnaire lends itself to web enablement, further simplifying the first steps of proscribed risk management workflow for your vendor.
The Data You Really Need
Building a vendor risk management program requires an efficient, repeatable, but easy to understand process workflow. This workflow should contain subordinate trees to address vendor engagement complexity and associated high risk scores. The workflow should also enable low risk vendors and those lacking a complex service relationship to flow easily through without undue bureaucracy. Responses to questions about access to internal networks, data stores, and processes can lead to more granular detail about the specific nature of technical integration their service employs. Further details about regulatory obligations and compliance, legal commitments, and financial stability can further illuminate complex relationships, or if not relevant, pass through to simpler oversight controls and practices. This helps your vendor compliance process focus upon the data needed to manage risk related to their service to your customers and operations, while tailoring that requirement tightly to the specifics of those relationships. It will also help you identify, clarify and monitor legal and regulatory obligations, helping your procurement teams to include appropriate contract language where needed.
Establishing a scheme that customizes data collection based upon risk is important to promoting vendor participation and cooperation throughout the relationship. Compliance for most vendors is viewed as overhead, and making it as simple as possible is positive for all. Another convenience attribute that’s useful is offline data collection. While having online forms is one way to gather information, for some small vendors, or ones with simple low risk relationships, having the ability to complete an electronic form, such as a spreadsheet-based questionnaire, or even a paper one that can be scanned is a valuable convenience. Simple upload and import services are helpful tools to support these services.
One last point. These vendor accessible services should all be separate from your core internal infrastructure. So, establishing a vendor-accessible portal to engage your vendor management system is an important architectural consideration. You want and need to capture and store this information safely, but you also want to protect your vital internal operations. Consider cloud solutions as well as ones you can operate within a DMZ where you can retrieve/exchange data without open necessitating access to sensitive infrastructure.
Responding to Incidents and Remediation
One area that is often neglected in managing vendor risk is one of incident management and response. There are two aspects to this that are critical points to manage; establishing the communications flow in the event of an incident, to and from your vendor, regardless of the source point of the incident, and second, coordinating remediation once an incident is identified. There need to be clear points of contact, escalation paths, primary and subordinate, to assure critical stakeholders have the information they need in a timely manner. This is an area where integration with Finance, Legal, and Procurement, as well as Security and Risk are key integration points for you to consider.
There is also the matter of documenting root cause, determining the scope of impact, and addressing remediation or corrective actions. Repositories for documenting and tracking remediation efforts, project status, and residual risk will be useful to re-assessing post incident risk. Integration with internal risk programs, procurement, legal, compliance and operations will be important to determining future contracts and operating practices with a vendor after an incident has occurred.
Documents, Registers, Risk Ratings, and Inventories
Vendor management processes generate document requests. These include financial reports, vendor policies and procedures, possibly audit or regulatory findings, to name a few. A simple means of gathering, labeling, and storing these for easy retrieval will add efficiency to your procurement, legal, and compliance practices. Historical storage of current and past risk ratings, correspondence, or other material content supporting risk, contract and ongoing relationship management will also be useful to inventory in a single repository which may be segmented for access based upon the sensitivity of its contents. Also, if your vendor risk management processes have created risk registers for each vendor, these benefit from year over year storage, becoming useful input to contract renegotiations and terms considerations. As you schedule and perform updates to vendor profiles and risk scoring, the results often lead to additional storage and inventory needs.
Flexibility For An Uncertain Tomorrow
Flexibility for vendor risk management is like flexibility in Governance, Risk and Compliance (GRC) software. First, it must be easily adjusted to changing requirements. Second, it must allow you to tailor functions and content to the specifics of your own company culture, terminology, and business. Too often companies make sacrifices in one or both of these regards, leading to limited utilization post implementation, or expensive overhead to maintain and keep pace with changing business needs. Software offering rich configuration features is essential to accomplish and sustain flexibility of both kinds in lieu of expensive code customizations which are challenging to manage across software releases and version upgrades. A configuration approach also improves response times to implement change when business or external needs require nimble behavior. Doing so can become a competitive advantage.
The Role A GRC Platform Can Serve; Conducting The Orchestra
To this point we’ve explored a program supported by software doing a lot of related but different things. There are vendor portals, risk assessments, questionnaires, document repositories, incident management and reporting, assessments and tracking of all sorts. There would clearly need to be an ability to generate custom and ad hoc reports as the needs arise too. Implicit in all this is facile integration of vendor management with procurement, risk, legal, security, IT, and finance systems (accounts payable and receivable, to be sure).
These requirements are well beyond the reasonable efforts of spreadsheets, despite the frequency of their deployment against such tasks. Ad hoc, home grown “tools” are not the most reliable nor efficient solution, though, I’ve seen many attempts to do so under the guise of “saving money”. That works so long as the business operates in a stable “vacuum”. The missed opportunities, losses due to mishaps or incidents that escaped attention often yielded losses far in excess of the purported “saves” made by well intentioned but short-sighted efforts.
GRC platforms are well equipped in their architectures and feature sets to handle the functions and services discussed here, as well as in the previous blog on “Why Vendor Management Is Critical To Cyber Risk and Security”. As noted earlier, vendor management is overhead, for all. But, done with thoughtful care and attention to the detailed needs of key stakeholders for the start, it can become an efficient process that reduces expensive and confusing duplication elsewhere, while offering reduced implementation and operational overhead for your organization and the suppliers who support it.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.
[1] Cyberattacks now cost small companies $200,000 on average, putting many out of business; CNBC Small Business Playbook; PUBLISHED SUN, OCT 13 201910:30 AM EDT; https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html