How does the level of risk for a company cafeteria's online lunch menu compare to that associated with a cloud-based...
backlog of personal employee information? If you said something along the lines of, "It's blatantly obvious," you have the right mindset for vendor security management, according to experts at the Infosecurity North America conference in New York earlier this month.
Third-party vendor risk management strategies are not universal, and companies are responsible for putting their own spin on third-party security management, according to panelists at a session titled "Two Points of View: Third Party Risk Management." The most essential tool when assessing and monitoring vendor risk is companies' own due diligence.
Frank Roppelt, senior manager of security policy and vendor risk at TD Ameritrade, based in Omaha, Neb., told attendees that due diligence begins with assessing the level of vendor-associated risks by understanding what business process the vendor improves, what information they're handling and the threat implications created by their access to your data.
"We all know that two companies that are doing two completely different things, their threats don't mean the same thing," Roppelt said.
Consider two different third-party vendors: One hosts your lunch menu on its platform, and the other hosts personal information of clients or other restricted information. If both of those vendors were breached or shut down, the impact would be wildly different.
It's up to the company to determine, assess and manage each individual third-party vendor's risk profile. Companies that treat third-party vendor management as a one-size-fits-all approach may end up spending too much -- or not enough -- resources protecting vendors with vastly different risk profiles, panelists added.
Critical vs. high risk
If you need a starting point for this due diligence, Roppelt suggested sorting your vendors into two categories: high-risk and critical vendors. High-risk vendors include those who bring inherent risk into an enterprise simply because of the data they collect, their regulatory impact or connectivity vulnerabilities. Critical vendors are those who are essential to a business process, or that support a core function of service.
Roppelt recommended a twofold solution that begins by giving vendors a questionnaire that covers the following factors:
- Network connectivity. Are they cloud-based? What controls does the vendor have?
- Essentiality. Are they handling data you could be handling yourself?
- Business impact. If the vendor was shut down for a day, what impact would the shutdown have on your operations?
- Financial, reputational, compliance. What regulatory and legal risks does the vendor potentially pose to the organization?
Once you've assessed what data the vendor will be handling when its services are implemented into your framework, sort the vendors into high-risk or critical vendors. Then, come up with a heat map of risk that organizes vendors into low, medium and high risk based on their answers to the previous questionnaire. Once vendors are sorted based on their risk profile, you can effectively distribute resources to the appropriate vendors.
"You need to have an objective approach, and it has to be standardized. You can't go into an engagement thinking, 'We think it's high risk,' without knowing why," Roppelt said.
Michael Beckhead of global supplier assurance at Barclays
Michael Beck, head of global supplier assurance at Barclays, based in London, noted that shadow IT and fourth-party risk further complicate third-party vendor management. Here, due diligence requires extending oversight to several outside parties.
"You need to think about, where is my data? Is my data going to reside in any of those 30 companies?" Roppelt said.
The panelists noted that fourth- and fifth-party vendor management is a new reality. Most companies do business with other companies and must now think about the extended business network the enterprise enters when using third-party vendor services.
These extended networks are basically granted access to your enterprise, with no ability to oversee or hold them accountable, because "that fourth or fifth party doesn't sign a contract with you," Roppelt added.
Create an exit strategy
Once you've organized vendors into risk categories, mapped their extended reach and analyzed their importance in your network, next up is to consider the worst-case scenario. The panelists noted that you can't figure out how a vendor failure will affect you in the midst of an incident; you need to have a plan.
This is especially true for vendors deemed critical to your business operations, Roppelt said.
"If they fail to provide their service, it would create an operational, financial, reputational or systemic risks. Then, you need to think about what your exit strategy is," Roppelt said.
This exit strategy could include replacing the vendor, learning to do the business in-house, creating a backup system or using a rival vendor.
Above all, being selfish -- and proactive -- in third-party vendor risk management is key, panelists said. These exit strategies should be designed to react to a vendor failure or breach quickly to protect your corporation -- not the vendor -- from further security and operational threats.
"Third-party risk management is a combination of all your other risks -- you just make a decision to outsource it," Beck said.