Why is Vendor Risk Management a 'tick the box' process for most companies?

[5 min read]

There is much confusion around Vendor Risk Management (VRM), what it is and how to handle it properly for all sizes of business. Too often it is mistakenly confused with a Vendor Risk Assessment, a single point in time component of an effective VRM program.  To get on the same page, a good place to begin is the Gartner definition: 

“Vendor risk management (VRM) is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.” 

The key word here is “Process” as VRM is not something that is done once, or even infrequently.  It must be continual and frequent.  So why do so many companies handle vendor risk management so poorly and what can be done to turn that trend around?

The growing use of vendors

We know that most companies use vendors for their business operations. Whether they are a small business with just a few vendors or a large organization with hundreds of vendors they all carry risk when allowing them access to your organization's data.  With the increase in third party SaaS and cloud based providers it is increasingly more cost effective for organizations to outsource specialist services to Saas providers for operations such as payroll, HR, sales, marketing etc.  Even core internal operations like email and document storage are outsourced to IaaS services such as Office 360 and Google Workplace. As more organizations begin to store increasingly more information in the cloud, the importance of the security around vendors handling that information or data has become critical. 

But it is not just core services where organizations are outsourcing to third parties.  For many companies, core elements of their products and services have third party elements embedded within them. Recently, Tech Republic raised the issue of vendor risk management as part of a discussion on the well documented SolarWinds hack and the vendor breaches that are still surfacing from it adding, “A number of cybersecurity experts expressed fears that attacks on companies like Accellion and SolarWinds were yet another example of the fraught situation facing organizations that rely on vendors and third-party systems to manage vital personal information.” But the situation would not be “fraught” if companies didn’t handle it so poorly. 

How is vendor risk management handled today?

Both the customer and the vendor often have conflicting priorities and the established tools and processes don’t make it easy.  A vendor’s primary objective is to close or keep the contract with security as a secondary consideration.  On the customer side, they often have the objective of meeting a compliance requirement rather than to actually ensure their vendors are secure, so the temptation to simply “check the box” is high.  While many organizations do send out comprehensive vendor risk questionnaires, or insist that their vendor has completed some type of independent audit, like a SOC 2, it is still too easy for the vendor to manipulate their response by narrowing the scope of an audit or being deliberately vague with their responses to a questionnaire. In most cases, the effort required to validate survey responses or verify scope, across dozens or  possibly even  hundreds of vendors, can be significant and most organizations do not have the time or resources to do this effectively. There is too much opportunity and incentive for both parties to game the system.  In fact, a recent survey of Third Party Risk Management professionals showed “81% of respondents admit they rarely require remediation from third parties after an assessment” and to make matters worse “a slim 14% of these professionals are highly confident that their vendors are performing security requirements.”

So it is clear that to handle vendor risk management properly requires effort but it is not impossible if you are using the right tools.

How to handle vendor risk management the right way

Let’s not assume that your vendors have the same data security standards that you have in your own organization. Instead, take the following 5 steps to handle vendor risk management:

1. Add appropriate security language to vendor contracts.  Ensure all new vendor contracts have language ensuring they are obligated to operate securely and that you have the right to information about their data security program -  always add a security addendum to your vendor agreement when possible.
2. Be organized and keep track of your vendors and their access. Keep track of all vendors and related documents using a tool like Ostendio MyVCM.  Link the vendors to the systems they have access to so you know what data may be at risk should there be an issue e.g. SolarWinds
3. Run a vendor risk assessment. By running a Vendor Risk Assessment you can see where there are gaps with vendor security and then require remediation of those risks - remember to follow up on the topics that need to be remediated. Rate your vendors by risk level, ensuring those with the highest risk rating undergo more scrutiny.
4. Require third party audits.  Require vendors with higher risk levels to go through a third party audit such as SOC 2.  This will provide you with an independent report of a vendor’s security program.
5. Talk to the vendor about the importance of security.  If in doubt, always do your own due diligence by speaking to the vendor’s CTO or CSO to understand how they are managing their security program.

By following these steps you will be able to have a better understanding of your vendor management policies and understand the risk that your vendors pose to your business.

What the future holds

The ultimate answer to vendor risk management is to create a trust ecosystem for all businesses that makes it easy and fast to share data securely on a continuous basis. By joining a security network community, where we can share information showing we are all playing a part in data security, would change the way that companies approach vendor risk management.  In my experience, the number one driver for companies to invest in a cybersecurity program is because their customers demand it. This is the way forward for all organizations as they sign contracts with new vendors. We need to hold each other accountable in a way that is manageable by demanding security standards are met from all vendors. To meet that need, Ostendio has created the MyVCM Trust Network.  

The MyVCM Trust Network™ connects organizations with their vendors to help them safely share security information.

The MyVCM Trust Network™ connects organizations with their vendors to help them safely share security information. MyVCM Trust Network members can invite their vendors to complete custom risk assessments and share information easily and in real-time.  This allows vendors to demonstrate compliance to their customers in a real-time, always-on fashion, easing sales processes and reducing compliance burdens. Companies can mandate that vendors provide their compliance information directly with them, via the Ostendio MyVCM platform.  This dramatically reduces the risk of vendor-related data breaches.

In the future, I believe the answer to handling vendor risk management for the benefit of all organizations is for more companies to share real time, always-on, perpetually secure information using the MyVCM Trust Network. Learn more about how Ostendio’s innovative solution can help your organization.