Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

eVRM: A New Dimension in Risk Management

With cyber criminals increasingly targeting third-party vendors to gain backdoor access to data at large, well-protected global organizations, security professionals need to rethink their vendor risk management practices. While performing questionnaire-based vendor risk assessments is a popular practice, this method is no longer sufficient to identify emerging risks associated with third-parties.

With cyber criminals increasingly targeting third-party vendors to gain backdoor access to data at large, well-protected global organizations, security professionals need to rethink their vendor risk management practices. While performing questionnaire-based vendor risk assessments is a popular practice, this method is no longer sufficient to identify emerging risks associated with third-parties. Regulatory changes and an evolving threat landscape are driving the need for a new approach – called enterprise-wide vendor risk management (eVRM).

Data breaches at Target and Home Depot have proven that systems and process failures by third parties can have catastrophic reputational and operational consequences for an organization. As a result, it is no longer sufficient to simply implement procedures for managing vendors and the risk they may expose to the organization. We also need to safeguard against third-party related control failures.

vendor risk management On paper this sounds straight forward. Until, that is, we tally the number of vendors an organization uses to run its business. Even midsized companies easily exceed one hundred third-party vendors, including technology vendors, electricity, hosting, facilities, payment, and collection services providers. In response, most organizations only focus on a small subset of their vendors, typically based on contract size.

Supply chain threats are creating increased operational, compliance, reputation, strategic, and credit risks when it comes to third-party relationships. These risks are being compounded by the growing volume, diversity, and complexity of these outsourcing arrangements. Recognizing this, regulators and standards bodies (e.g., MAS, OCC, BaFin, FCA, FedRAMP, BITS, NERC, NEI, ISO, PCI Security Council, AICPA, and Cloud Security Alliance) are enforcing stricter guidelines for managing third-party suppliers. For example, some are requiring regular risk assessments of all suppliers, and – if possible – even supplier’s suppliers.

The threat of data breaches, public scrutiny, and regulatory fines have put vendor risk management in the spotlight. Without proper oversight, and a framework to systemically capture, assess, and mitigate third-party supplier risks, an organization can be exposed.

In the past, organizations often applied lower risk assessment standards to the onboarding of new vendors than those imposed on consumers applying for a home lease, mortgage, or job. Instead, a simple W-9 form was all that was needed to set up a vendor relationship. Assessing the risk associated with the partnership was managed as an afterthought. Sometimes, years passed before a survey was sent to the third-party to assess if they would abide by expected security controls.

To address this emerging problem, organizations should operationalize and extend their traditional vendor risk management processes by taking the following four steps:

1. Create the Organizational Foundation

A fundamental success factor is to clearly define roles and responsibilities for who is accountable for managing outsourcing relationships. Following best practices, business units / divisions should be accountable for all vendor risk associated with the services they procure or manage. However, to assure standardization, they should be supported by a centrally operated services organization, which is responsible for maintaining policies, storing data, generating management information, and driving global adoption. More and more organizations are establishing so-called Vendor Management Offices (VMO) to facilitate the process. In this scenario, the business owns the risk identification and mitigation, whereas the VMO provides the necessary logistical support and metrics.

2. Emphasize End-to-End Process

As mentioned earlier, organizations often separate vendor onboarding from the vendor control assessment process. This is unique to the B2B environment and driven by the immense amount of vendors that typical organizations do business with. Following traditional methods it would simply take too long to conduct risk assessments as part of the onboarding process which would paralyze business operations and efficiency. However, as the most recent third-party originated data breaches have shown, organizations need to put special emphasis on and end-to-end process, assuring that vendors are already assessed as part of the onboarding process.

This preliminary risk assessment should entail the evaluation of continuity risks, information security risks, service risks, and regulatory risks and trigger a deeper analysis if initial findings generate red flags. Should a vendor require further analysis, a more detailed review of their financial stability, integrity, capabilities, and security controls should be conducted. Once the vendor has been on-boarded, organizations should conduct frequent vendor control assessments to assure compliance with the expected standards and guidelines. The scope of the depth of risk assessment can vary based on the compliance level the vendor presents to the organization.

3. Classify by Vendor Service, Not Vendor

Instead of assessing risks associated with individual vendors, a better approach is to apply classifications by vendor service, with dynamic workflows tied to appropriate business stakeholders. This is necessary since a vendor might provide several services to an organization, with each of them posing different risks. Obviously, taking this kind of approach only multiplies the number of engagements that need to be monitored and assessed. However, it assures the necessary granularity that mitigates the risk of third-party originated attacks.

4. Augment Survey-Based Approaches

Organizations should also augment their traditional survey-based approach of vendor risk management by taking real-time data (e.g., from ERP systems, contracts, legal entity systems) into account. For instance, if multiple IP infringement judgments have been reported against a vendor, the likelihood that the organization’s own IP might be compromised in the future is very high. Data adds a more objective element in the overall risk assessment process, as survey results solely rely on the honesty of the respondent.

The threat of data breaches, public scrutiny, and regulatory fines have put vendor risk management in the spotlight. Without proper oversight, and a framework to systemically capture, assess, and mitigate third-party supplier risks, an organization can easily be exposed. Using the steps outlined above will help reduce the risk of third-party originated compromises. New eVRM tools can assist in dealing with the challenges related to scale, workflow management, data connectivity, and time efficiency.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Funding/M&A

More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...