SecurityWeek

Risk Management

The VC View: Vendor Risk Management

Unlike other areas of security, the COVID-19 pandemic has not made a big impact on the Vendor risk management (VRM) sector. This space would have been a Top 10 security project even without a pandemic, as it has been going down this path for years: moving away from security questionnaires to finding something more predictable, useful and scalable.


Security incidents have only helped to shine a spotlight on third-party risk: SolarWinds, for example, only fanned the fear of letting third parties affect your hard-built and well-understood security program. Add in the fact that so much more business is digital, software purchasing is at an all-time high and almost every new innovative company delivers its solution via SaaS… technology is continuing to scale impact, and also risk.

As a result, I do think we’ve seen VRM projects get additional interest this year. While there still isn’t a clear industry-accepted answer to VRM, there has been more interest in staying on top of and learning about the latest in this space.

Approaches range from vendors wanting to improve the data collection process, to outsourcing the work as a managed service, to data/report providers proactively scanning the internet, conducting standardized assessments, and so on.


The latest has been a crop of companies interested in helping the third parties themselves get their various certifications (most notably SOC 2). The draw of this category isn’t to actually “solve” vendor risk, but instead to help the vendors themselves build confidence that they are worthy stewards of their customers’ data.

What do I see happening in this space? I can’t help but keep comparing it to the CFO’s evolution over time with GAAP accounting, auditors and regulators. This space is likely never going to be “solved,” but it may at least standardize. Cybersecurity controls now feel like an impossible mix of solutions with too much diversity and too many options; and that is somewhat true.

As we go through another market cycle, consolidation in cybersecurity is inevitable, and once again this industry will rally around a recognizable set of controls that “just work” and “make sense.” Right now there is so much innovation, with multiple organizations going down multiple paths (DevSecOps, open source, public cloud, SaaS, Zero Trust, SOC/MDR/XDR, etc.), that it’s no surprise the security startup ecosystem has created so many new categories and companies to solve problems along each of those paths.


In the end, we’ll see more technology homogeneity leading to security homogeneity, which in turn leads to frameworks and more reasonable security audits, checks and the like.

Why does this all matter? Business between companies happens because of problems, needs and solutions. While it’s good business judgement to resolve needs, so many decisions require time to realize ROI. And in the time between making the decision and actually receiving or realizing the ROI, trust is required.

Not only do we need to trust that we’ll get our ROI, we also have to trust everyone involved to manage each other’s information correctly. No amount of legal work, negotiation, security audits or fines is going to build trust the way alignment does.

Yes, there will be increased interest in this space this year. The most successful projects, however, won’t succeed because they have the best data; the best projects will be the ones that help build trust with third parties rather than alienating them.


Written By

Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.
