Security Experts:

Considerations For Evaluating Vendor Risk Management Solutions

The Vendor Risk Management (VRM) space has quickly become a hot topic this year.  It seems like everywhere you turn, new companies offering VRM solutions are popping up.  As we’ve seen with other markets in security, most vendors in the space use the same marketing buzzwords.  Each vendor seems to claim that it provides all of the same features and capabilities as the next vendor.  It can be quite difficult to make sense of the various players and what differentiates one from the next.

It’s not difficult to see why Vendor Risk Management is an important function. The risk that third parties introduce into an organization needs to be understood and managed as an integral part of any strategic, holistic approach to risk management. Most organizations understand that point and are looking to address this critical business need in the near future.  So with all the confusion around the players in the VRM space, how can organizations make sense of the space and understand how to evaluate and differentiate between the different offerings?

In the spirit of trying to help bring clarity to the fog that has settled over the VRM market, I offer 7 points to consider when evaluating Vendor Risk Management solutions:

1. One size does not fit all:  While there is significant overlap of controls across various different regulations, standards, and industries, the overlap is far from complete.  Enterprises look at a variety of different concerns dependent on industry, company size, geography, type of data handled, type of electronic access to the enterprise, and many other parameters when evaluating the risk that third parties introduce.  Some of the concerns that enterprises have in the semiconductor industry will be different from those that enterprises in the financial sector have.  As will the concerns be different in the energy sector, healthcare, government, and other sectors.  If you’re looking at a VRM option that offers only a one-size-fits-all assessment with no ability to import your own custom assessment that addresses exactly the concerns that you are looking to evaluate, that should be a red flag.

2. Scans are insufficient:  Can scanning a vendor’s perimeter from the outside provide useful insight as to a portion of their overall security posture?  Absolutely.  But it is woefully inefficient in and of itself.  Scans tell us nothing about the people, process, and policy of the vendor.  They tell us nothing about what life is like on the “inside” day in and day out.  They offer nothing around how the vendor does or does not protect sensitive information.  And those are all important parts of what truly defines how effective a vendor’s security program is at managing and mitigating risk.

3. Metrics: It should come as no surprise that in the spreadsheet, phone call, and interview driven VRM world, metrics were very hard to come by.  Perhaps we could collect data on a few vendors and make individual assessments around their security postures.  But comparing between vendors?  Forget about it.  Tracking issues/gaps identified and working toward their resolution in a timely manner?  No way.  Managing a well-documented, organized communication with the vendor from inside a centralized management platform?  Nope.  Understanding the progress of each vendor and across various different groups and sets of vendors year over year?  Never happened.  An overall risk snapshot with the ability to slice and dice different reports across a series of parameters?  Not with the old way of doing things.  Looking at a VRM vendor that doesn’t provide you with all of these capabilities?  Move on.

4. Benchmarks: Knowing the risk that a vendor or vendors introduce into our enterprise is great.  But what about knowing how our risk or the risk of the vendors in our portfolio compares to others in our geography, industry, company size, or other parameters?  In my experience, this is an extremely important part of any VRM solution.  If your VRM provider doesn’t offer benchmarking, that should signal to you that it is time to move on.

5. Process is king: Automated VRM seeks to automate and replace the spreadsheet, phone call, and interview driven world of vendor risk assessment past.  Any viable VRM candidate needs to be able to provide an end-to-end automated process that can be quickly and easily managed from one centralized interface.  Anything else is simply prehistoric in this day and age.

6. Don’t just tell me what is wrong:  Pointing out what is wrong is a start.  But suggesting how to address what is wrong and providing a seamless way to manage that process from start to finish is where the true value is in automated VRM.  Advice around addressing issues/gaps and the wherewithal to see it through from start to finish is a true differentiating feature across VRM solutions.

7. Enable a decision: In the end, enterprises need to understand their risk, and use that information to make actionable decisions on what remediation is necessary.  Any serious VRM player needs to be able to facilitate, rather than fight, that process.

It is true that there are a relatively large number of players in the VRM space, and that the space has become quite noisy and confusing in a short amount of time. That being said, there are still quite a few ways in which enterprises can look to properly evaluate various VRM offerings and differentiate between them.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA and also serves as Security Advisor to ExtraHop. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.