Vendor Risk Management: What to Address
What is a vendor risk management program? Vendor risk management, also referred to as third-party risk management is a common component of many organizations, but many of the problems that organizations and security teams encounter haven’t changed.
The hurdles organizations face can commonly be broken down into three categories: the current approach for third-party risk, technology associated with these processes, and the resources or people performing them. Our team has identified 10 issues across these areas that teams need to consider in their third-party risk management.
Current Approach to Third-Party Vendor Risk Management
Many CISOs Have Bigger Fish to Fry
Perhaps it might be better to say that third-party risk is such a large task with so many moving parts, CISOs don’t have the teams required to address it fully.
The metrics surrounding the breaches caused by third party risk are immense, and most CISOs have a team that’s too small and too over-worked to address every aspect of vendor risk management. This leads to CISOs focusing instead on fish that are easier to fry and provide a high impact on the environment, such as hardening an environment’s borders.
Third-Party Risk Hardly Focuses on Risk
Although everyone’s always talking about risk in third-party risk management, organizations that have a product or a service (the organization being assessed) is selling a service that their clients want to use (the organizations performing the assessments).
Risk might be something that these organizations have to consider, but it doesn’t override the business drivers of the relationship. The organization being assessed wants to sell this product or service and will try to do everything in their power to do so. Of course, the organization conducting the assessment will want to use the product or the service, so both sides have an interest in assessing the third party or vendor for the sake of passing.
Assessments Focus on Finding Issues Instead of Fixing Them
Most organizations are aware that their security could be improved, so why spend so much time going through a long process to prove what they already know?
Rather than spending time on assessments and a long list of findings, a better use of time would be to find fixes for these issues and establish a strategic way of executing them.
Despite their prevalence, nobody likes answering questionnaires.
Ask ten different people about their opinions on security questionnaires and you’ll likely get forty reasons why they dislike them. They’re often time consuming, inefficient, and require security expertise on the part of the respondent.
Technology Won’t Replace Processes
It’s something we’ve talked about before, and something we’ll go into more detail on later, but it’s common for organizations to buy a GRC platform before designing a process flow for performing third-party assessments.
Technology will only take an organization so far without the processes the technology needs to align with.
Technology is Built for Experts
This often occurs because of the use of questionnaires, which by design requires experts to complete them and review the assessment once completed.
This is also one of the issues beneath the entire security discipline, where we only consider senior-level resources for executing roles in our programs. This is problematic, especially given the shortage of available resources with senior-level skills.
Technology Built Without Efficiency in Mind
Many larger GRC technologies don’t focus on efficiency in their designs, workflows, or other aspects of their solutions. Even newcomers to developing GRC technology still use questionnaires, which leads to the same inefficiencies we mentioned previously.
The biggest flaw with these solutions often comes in the way they try to do everything. They can rarely successfully automate all the common functions of a vendor risk management program, which means they bite off more than they can chew.
Organizations sometimes try to design processes within the interface and design of a technology, but many of these solutions are too complex to configure and keep updated, especially as designs change which leaves organizations where they started.
If an organization’s vendor risk management processes aren’t designed with repeatability in mind, or the technology they use is inefficient, this only compounds the workload that many security programs already face.
Organizations might already have a large number of third parties to assess, further making third-party vendor risk management too resource-intensive a task, regardless of the long-term benefits it might provide.
As we mentioned previously, there aren’t enough assessors with the requisite skills to perform third-party assessments. Organizations are already facing a cyber security resource shortage, meaning there aren’t enough people to perform or respond to the assessments on either side.
Given these issues, effective third-party risk management isn’t just a matter of addressing one or two of these and hoping to see a drastic change. If security teams are going to be able to take on the task of frying the whole third-party risk management fish, there needs to be a shift in the way organizations approach risk management.