By Ben Kast   /   Apr 13th, 2021

Top 3 Reasons Third-Party Vendor Risk Management is Not Easy

Cybersecurity is not easy and is becoming more complex as organizations increasingly entrust their sensitive data to third parties; in fact, many consider third-party vendor risk management to be one of the top cybersecurity risks of 2021. While there are no silver bullets, there are plenty of hucksters selling them to desperate business leaders in search of “quick win” solutions. This is not something many business leaders want to hear, but it is an important truth to accept and own.

Some business leaders see cybersecurity as an expense that can get in the way of business, and they don’t see third-party vendor risk management as their organization’s responsibility. They fail to see that we live in an increasingly interconnected business environment full of shared responsibilities. This approach does little more than push security teams back on their heels and into an insecure organizational position.

Business leaders need to recognize security as a business enabler. There are plenty of recent third-party data breaches (e.g., SolarWinds, Verkada, Ubiquiti) that clearly show that one of the biggest business inhibitors is losing the trust of your customers and employees because you were a poor steward of their information.

This brings me to my case in point: the growing complexity of third-party vendor risk management. In a world increasingly dependent on software and cloud infrastructure, the risks that third parties present to organizations have never been greater. Moreover, third-party vendor risk management is an area of cybersecurity that is frequently understaffed in many organizations and often uses an informal, ad hoc approach. The intersection of these two factors places organizations at an even greater risk of third-party negligence. Third-party vendor risk management also adds costs to the procurement process. However, since it can also protect your organization from a third-party breach, the cost is money well spent. As they say in security, pay now, or pay later – but it is always more expensive to pay later.

Why Third-Party Vendor Risk Management is Not Easy

What follows are three reasons third-party vendor risk management is not easy. Let’s explore some of the most important challenges and considerations organizations should be aware of when managing third-party cybersecurity risk.

Policies and Procedures

You cannot successfully manage vendor risk without a formal third-party vendor risk management policy. It must be a top-down effort working from the general to the specific. For the policy to be relevant, it must logically fit with and complement your other cybersecurity policies. For example, for all vendors to be risk rated accurately, the types of data and areas of operations impacted by the vendor relationship must be understood and correlated to a data classification scheme that can be used to assign a criticality rating to the vendor. Considerations include:

  • Does the vendor provide mission-critical services to a particular area of operations, and how easily could they be replaced if needed?
  • For asset management, where is the data stored and what controls are in place to protect that data? This must be understood and risk rated.
  • Data and system owners must be factored into the process and criteria.
  • Logging and auditing capabilities, as well as access controls, must be factored in and assessed based on requirements defined by internal policies.

In this way, the relevant operational cybersecurity policies that govern your organization’s cybersecurity program will act as the foundation of your third-party vendor risk management policy. Any chinks in your overall cybersecurity program armor will also impact your third-party vendor risk management.

Time and Resources

Anyone who has had to perform any kind of “vendor vetting” activities will attest to the fact that the process presents certain difficulties and pitfalls. Traditionally, the process has involved providing questionnaires to vendors about their cybersecurity control environment. Creating these questionnaires and evaluating the responses can be time consuming. The balance of power between the parties and the size and complexity of the organization also play a role. If you are a small company vetting a larger, more prominent company, it may take longer to get answers. Or you sometimes receive a pre-prepared package of materials that may not answer all your questions. Alternatively, if you are a big enterprise requesting information from a small company, it may take more time. Many smaller companies don’t have the time and resources to answer these questionnaires in a timely manner (read our blog on tips for being assessed by an enterprise client for advice).

Once the information has been collected from the vendor, the staff must evaluate and risk rate the responses, as well as follow up on any information that is missing or needs clarification. This requires staff members with sufficient time and expertise to appropriately evaluate the information. There are industry-accepted questionnaires that can be employed, like the Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ), California Consumer Privacy Act (CCPA) Questionnaire, General Data Protection Regulation (GDPR) Questionnaire, Higher Education Community Vendor Assessment Tool (HECVAT), Vendor Security Alliance (VSA) Questionnaire, and the Standard Information Gathering Questionnaire (SIG), to name a few.

Regardless of how your organization approaches it, there will be staffing overhead involved with reviewing and risk rating the responses. If this work is spread across several employees who only focus on vendor vetting as time allows, the quality and consistency of this process can suffer, especially if the vendor management policy is not well designed.

Technology

If you search Google for “vendor risk management software”, you will see no shortage of options. In fact, in the last five years a lot of new companies have sprouted up with various solutions. In the next few years some clear industry leaders will emerge, especially in the SaaS space. Until then, finding the best option can be daunting and requires careful vetting. The goal for most of these solutions is to streamline the overall process and reduce the time commitment for internal teams. The software features fall into three primary categories:

  • Centralizing and automating your third-party vendor risk management program, as well as simplifying data collection, risk rating, and the ongoing tracking of results.
  • Risk rating services that allow users to pull company risk ratings from proprietary exchanges, and/or automated services.
  • Vendor response management features that help vendors simplify their questionnaire response process and provide vendor profiles that substantiate the security controls they have in place.

Finding the right solution that complements your third-party vendor management policy and needs is the difficult part, but certainly the effort involved can pay dividends if it streamlines and improves your third-party vendor risk management program.

Make sure to develop your vendor management policy and approach before you look for a software solution. This will help you make the best possible decision. As for the risk rating services that are out there, it is in your best interest to validate the quality of the risk ratings they provide. The costs vary widely, so it is best to qualify these firms by talking to their customers and reviewing sample results.

If you decide to use third-party vendor risk management software, remember to dedicate the appropriate amount of time and resources to its implementation. This will ensure the software is fully leveraged and produces meaningful results. Also, if you already use other GRC software, check if the third-party vendor risk management software can integrate with your current solutions. Many GRC software vendors also have third-party vendor risk management features, but you must spend the appropriate time and resources on implementation for them to become effective operationally.

Third-party vendor risk management is complex for all organizations – whether you are vetting others or being vetted. By becoming as intentional as possible with third-party vendor risk management and cybersecurity in general, you can reduce risk. Contact us if you need guidance developing your third-party vendor risk management program. We can help you develop a vendor vetting program or outsource your vetting requests.

About the Author

Ben Kast

Ben Kast is a Senior Security Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion-dollar publicly traded companies to small and medium-sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).