SecurityWeek

Risk Management

The VC View: Vendor Risk Management

Unlike other areas of security, the COVID-19 pandemic has not made a big impact on the Vendor risk management (VRM) sector. This space would have been a Top 10 security project even without a pandemic, as it has been going down this path for years: moving away from security questionnaires to finding something more predictable, useful and scalable.

Security incidents have only helped to shine spotlights on third-party risk: SolarWinds, for example, only fanned the fears of letting third parties impact your hard-built and well-understood security program. Add in the fact that so much more business is digital, purchasing software is at an all-time high and almost every new innovative company delivers their solution via SaaS… technology is continuing to scale impact and also risk.

As a result, I do think we’ve seen VRM projects get additional interest this year. While there still isn’t a clear industry-accepted answer to VRM, there has been more interest in staying on top of and learning about the latest in this space.

That interest ranges from vendors wanting to improve the data collection process, to outsourcing the work as a managed service, to data/report providers proactively scanning the internet, conducting standardized assessments, etc.

The latest has been a crop of companies interested in helping the 3rd parties themselves get their various certifications (most notably SOC2). The draw to this category isn’t to actually “solve” vendor risk, but to instead help the vendors themselves build confidence that they are worthy stewards of their customers’ data.

What do I see happening in this space? I can’t help but keep on comparing it to the CFO’s evolution over time with GAAP accounting/auditors/regulators. This space is likely never going to be “solved” but it may at least standardize. Cybersecurity controls now feel like an impossible mix of solutions with too much diversity and options; and that is somewhat true.

As we go through another market cycle, consolidation in cybersecurity is inevitable and once again this industry will rally around a recognizable set of controls that “just work” and “make sense”. Right now, there is so much innovation, with multiple organizations going down multiple paths: DevSecOps, Open Source, Public Cloud, SaaS, Zero Trust, SOC/MDR/XDR, etc., it’s no surprise the security startup ecosystem has created so many new categories and companies to solve problems for multiple security paths.

In the end, we’ll see more technology homogeneity leading to security homogeneity leading to frameworks, more reasonable security audits/checks/etc. 

Why does this all matter? Business between companies happens because of problems, needs & solutions. While it’s good business judgement to resolve needs, so many decisions require time to realize ROI. And in the time from making the decision to actually receiving/realizing the ROI, that time requires trust.

Not only do we need to trust that we’ll get our ROI, we also have to trust everyone involved to manage each other’s information correctly. No amount of legal language, negotiation, security audits or fines will build that trust as effectively as alignment.

Yes, there will be increased interest in this space this year. The most successful projects, however, won’t succeed because of the best data; the best projects will have helped build trust with third parties rather than alienating them.

Written By

Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.
